Privacy Policy
Effective Date: June 27, 2026
1. Introduction
This Privacy Policy (“Policy”) describes how Superlab LLC dba ContentsOps (“Company,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information through our ContentsOps platform, including the web application at contentsops.com, the administrative dashboard, and the ContentsOps mobile application (collectively, the “Service”).
ContentsOps is a field operations management platform designed for contents restoration companies. This Policy applies to all users of the Service, including business customers (“Subscribers”), their employees, contractors, and field personnel (“Authorized Users”), and the homeowners, property managers, insurance adjusters, and other individuals whose information is entered into the Service (“End Customers”).
By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you are an Authorized User, your Subscriber's agreement with us governs the processing of data you enter into the Service, and your Subscriber is responsible for ensuring you are informed about how your personal information is handled.
The Service is intended for use by businesses and their personnel located in the United States and Canada. It is not directed to individuals in the European Economic Area, the United Kingdom, or other jurisdictions, and we do not offer the Service to such individuals.
2. Data Controller and Processor Roles
ContentsOps operates in a dual capacity depending on the type of data involved:
Data Controller: We act as the data controller for information we collect directly from Subscribers during account creation, billing, and platform administration, as well as usage data generated by the Service.
Data Processor / Service Provider: We act as a data processor (or “service provider” under the California Consumer Privacy Act) on behalf of our Subscribers for all End Customer data, employee data, and operational data that Subscribers and their Authorized Users enter into the Service. Our Subscribers determine the purposes and means of processing this data, and we process it only in accordance with their instructions and our Terms of Use.
If you are an End Customer whose information has been entered into ContentsOps by a restoration company, please direct any privacy inquiries to that company. We will assist them in responding to your requests as required by applicable law.
3. Information We Collect
3.1 Account and Profile Information
When a Subscriber creates an account or invites Authorized Users, we collect:
- Full name, email address, and phone number
- Job title or role within the organization
- Profile photograph (optional)
- Organization name and office address(es)
- Authentication credentials (passwords are hashed and never stored in plaintext)
For Authorized Users, the Service also stores employment and workforce information used for scheduling, time tracking, approvals, and labor-cost calculations:
- Employment type (employee, contractor, or temporary worker) and, for external workers, contractor company affiliation and skills/qualification notes
- Hire date and termination date (the latter is also used to restrict access)
- Supervisor and approver assignments (reporting relationships used for timesheet and time-off approval routing)
- Hourly pay rate, where provided by the Subscriber, used for labor-cost and payroll calculations. We treat pay-rate information as sensitive and restrict access to authorized finance and people-management roles
3.2 End Customer and Property Information
Subscribers and Authorized Users may enter the following End Customer information into the Service:
- Homeowner or property manager name, phone number, and email address
- Property address, including street address, city, state, and ZIP code
- Property type (residential or commercial) and property coordinates (latitude/longitude for geofencing and navigation)
- Insurance carrier and adjuster contact details, and claim numbers
- Loss type (water damage, fire, mold, storm, or similar categories)
- Additional contact information for adjusters, contractors, or secondary contacts
- Notes and communication history related to restoration work
The Service also stores contact information for the Subscriber's vendors and service providers (such as company name, contact name, role, phone, and email) to support coordination of restoration work.
3.3 Location and Geofencing Data
The ContentsOps mobile application collects precise geolocation data from Authorized Users' mobile devices when the user has granted location permissions and has an active work session.
What We Collect
- Precise GPS coordinates (latitude and longitude) from the mobile device
- Location status changes (such as arriving at a job site, departing, driving to a location, or present at a warehouse or storage facility)
- Geofence entry and exit events when an Authorized User enters or leaves a defined work zone
- GPS signal accuracy and quality metrics (used in real time to validate geofence transitions; not retained in the location history)
When Location Data Is Collected
- Location tracking begins only after the Authorized User initiates a “Start Day” action in the mobile app
- Location tracking is paused when the user activates a lunch break
- Location tracking stops when the user initiates an “End Shift” action
- No location data is collected when the user is off duty, signed out, or has not started a work session
- Location polling frequency adapts to device battery level: approximately every 45 seconds at normal battery levels (above 30%), every 60 seconds at low battery (15–30%), and every 120 seconds at critical battery levels (below 15%)
How Location Data Is Used
- To automatically log time entries when Authorized Users arrive at or depart from job sites, warehouses, and storage facilities
- To determine work status (on site, in transit, at warehouse) for scheduling and dispatch purposes
- To verify time and attendance records for payroll processing
- To provide navigation assistance to job sites
Who Can Access Location Data
- Users the Subscriber has granted team-management permission at the office level or above (such as owners, administrators, and office or operations managers) can view location status and time entry records for the Authorized Users in their scope
- Individual Authorized Users can view their own location-derived time entries
- We do not sell, share, or disclose location data to third parties for advertising or marketing purposes
- We do not track real-time location for surveillance purposes outside of work session hours
Geofence Clock Policies
Subscribers may configure one of three geofence policies for each Authorized User:
- Strict: The user must be within a defined geofence zone to clock in or out
- Assisted: The user may override geofence requirements by providing a written reason, which is logged for audit purposes
- Manual: No geofence requirement for clocking in or out
Data Retention for Location Data
Location status change logs are retained indefinitely as part of the time tracking audit trail. We do not store continuous GPS breadcrumb trails; only status transition events (arrival, departure, and similar changes) are recorded.
3.4 Photographs and Files
The Service allows Authorized Users to capture and upload photographs and documents related to restoration work. This may include:
- Before, after, and progress photographs of restoration projects
- Document images such as receipts, inventory lists, and inspection records
- File metadata including file name, size, MIME type, upload timestamp, and the identity of the uploader
- Photographs taken with the in-app camera have device EXIF metadata removed at the time of capture. Photographs selected from the device photo library may retain EXIF metadata (which can include date, time, and GPS coordinates) when small enough not to be resized on upload; larger library photos are resized and typically have EXIF metadata removed
Photos are stored in encrypted cloud storage (Supabase Storage) and organized by customer. Access to photos is restricted to Authorized Users within the same organization. Each uploaded file is limited to approximately 10 megabytes and to supported image and document formats.
Electronic Signatures
Where a Subscriber uses our electronic-signature feature, we (through our e-signature provider, DocuSeal) collect and store the signer's name, email address, and phone number; the signed document and signature; signing status and timestamps; any reason a signer provides for declining; and a hashed record of the signer's IP address and device/browser, retained as part of the signing audit trail.
3.5 Time Tracking and Labor Data
The Service collects detailed time and labor information, including:
- Automatic time entries generated by geofence detection (source marked as “geofence”)
- Manual time entries created by Authorized Users (source marked as “manual”)
- Activity type categorization (such as job site work, driving, warehouse work, cleaning, inventory and packing, and other restoration-specific activities)
- Submission, review, and approval records for timesheet workflows
- Restoration-specific metadata such as boxes used, items processed, and inventory counts (stored as structured data within time entries)
- Daily session records including start time, end time, and break periods
- Customer attribution for time entries, allowing time to be tracked against specific customers even when not linked to a scheduled event
3.6 Push Notification Data
When Authorized Users enable push notifications on the mobile app, we collect:
- Device push notification tokens (Expo push tokens) for delivering notifications
- Notification preference settings
Push notifications are used for operational alerts such as new event assignments, schedule changes, reminders, timekeeping prompts, and other workflow notifications related to the Subscriber's operations. We do not use push notifications for marketing or advertising.
3.7 Communication Data
The Service may process communications in the following ways:
- Inbound emails from customers or leads received through the email intake system (via Resend webhook), including sender name, email address, subject, and message body
- Outbound SMS notifications sent to End Customers (via Telnyx) when a crew is en route, which includes the customer's phone number and a brief status message
- Outbound SMS messages inviting End Customers to complete a post-project satisfaction survey (via Telnyx), which include the customer's phone number and a time-limited survey link. Survey responses are stored in association with the related project
3.8 Role and Permission Data
The Service supports custom, organization-defined roles with scoped permissions. This includes:
- Role assignments and privilege levels for each Authorized User
- Permission scopes that define data visibility (such as self-only, team, office, or organization-wide)
- Changes to user roles and permissions are recorded in the audit log
3.9 Technical and Usage Data
We automatically collect certain technical information when you use the Service:
- Device type, operating system, and app version
- Browser type and version (for web applications)
- IP address. We hash IP addresses stored in our own security-event logs; raw IP addresses may also be processed by our hosting and analytics providers (for example, Vercel) as part of delivering and securing the Service
- Pages visited and features used within the Service
- Error and crash diagnostics (via Sentry), which include device information, app state, and stack traces at the time of an error. For the web and administrative applications, these diagnostics may also include account identifiers (such as your user ID or email address) and limited request context to help us locate and fix the error; the mobile application is configured to minimize the inclusion of personal information in diagnostics. Diagnostic data is processed by Sentry on our behalf and is not used for any other purpose.
- Performance traces (sampled at 10% for web and 20% for mobile in production environments)
- Session replay (via Sentry) on the web and administrative applications: a sample of sessions (approximately 10%, plus sessions in which an error occurs) is recorded to help us diagnose problems. Replays are configured to mask text input and block media, so the content you type and the media you view are not captured
- Aggregate web analytics (via Vercel) on the web application, such as page views, referrers, device and browser type, and approximate (non-precise) geographic region
- Limited use of browser local and session storage to keep you signed in and to remember interface preferences
3.10 Offline Data
The mobile application may temporarily cache data on the device to support offline functionality:
- Pending time entries and data updates are queued locally (up to 500 records, retained for a maximum of 48 hours) and automatically synchronized when connectivity is restored
- Photos awaiting upload are queued locally (up to 50 photos, retained for a maximum of 72 hours)
- Schedule and event details are cached for read-only access while offline
- Locally cached read-only data is scoped to the signed-in user and is cleared upon sign-out. Pending offline queues (time entries and photos awaiting upload) are scoped to the user who created them and remain on the device until they synchronize or expire (within 48–72 hours)
4. How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery: To provide, maintain, and improve the ContentsOps platform, including scheduling, dispatching, time tracking, invoicing, photo documentation, and customer relationship management.
- Authentication and Security: To verify user identities, manage access controls, enforce role-based permissions, and protect against unauthorized access, fraud, and abuse.
- Time and Attendance: To facilitate accurate time tracking through geofence detection and manual entry, support timesheet review and approval workflows, and enable payroll processing by Subscribers.
- Communication: To send transactional notifications (event assignments, schedule changes, reminders), system alerts, and service-related announcements. We do not send marketing communications without consent.
- Audit and Compliance: To maintain audit logs of changes to sensitive records, support data integrity, and enable Subscribers to meet their regulatory and business compliance requirements.
- Product Improvement: To analyze aggregated and anonymized usage patterns to improve the Service's features, performance, and reliability. We do not use individually identifiable data for product development without consent.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes, and to enforce our Terms of Use.
Automated Time Entry Generation: When enabled by a Subscriber, the Service uses automated geofence detection to generate provisional time entries based on an Authorized User's location relative to defined work zones. These entries are provisional and are subject to review, adjustment, and approval by the Subscriber before they are used for payroll. We do not use this automated processing to make decisions that produce legal or similarly significant effects without the opportunity for human review by the Subscriber. Authorized Users may request correction of automatically generated entries through their Subscriber.
5. How We Share Information
We do not sell personal information. We share information only in the following limited circumstances:
With Subscribers: Authorized User data (including location, time entries, and photos) is shared with the Subscriber organization that employs or engages the user. Subscribers control access to this data through role-based permissions configured within the Service.
Service Providers: We use the following categories of service providers to operate the Service:
- Supabase (database hosting, authentication, file storage, and serverless functions)
- Expo / Expo Application Services (mobile app build, distribution, and push notification delivery)
- Resend (transactional email delivery and inbound email processing)
- Telnyx (SMS notifications to End Customers, if enabled by Subscriber)
- Sentry (error and performance diagnostics for application reliability; see Section 3.9 for the data included)
- Google Maps Platform (address geocoding and driving-time estimates; property and job-site addresses are sent to Google to provide mapping and navigation features)
- Stripe (subscription billing and payment processing for Subscribers; payment card details are handled directly by Stripe)
- Vercel (hosting of the web and administrative applications, including server logs and basic usage analytics)
- DocuSeal (electronic signature collection for job-related documents, where used by a Subscriber)
These providers process data on our behalf and are contractually obligated to use it only for the services they provide to us. A current, authoritative list of our sub-processors—including the categories of data each receives and where they operate—is maintained at contentsops.com/subprocessors. We provide advance notice of new sub-processors as described there and in our Data Processing Addendum.
Legal Requirements: We may disclose information if required to do so by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect the rights, property, or safety of our users, the public, or our company.
Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, personal information may be transferred as part of that transaction. We will notify affected users of any change in ownership or control of their personal information.
With Consent: We may share information with third parties when we have the user's explicit consent to do so.
6. Data Security
We implement technical and organizational measures designed to protect personal information, including:
- Encryption in transit using TLS/HTTPS for all data transmitted between clients and servers
- Encryption at rest for data stored in our database and file storage systems, using industry-standard encryption (such as AES-256) provided by our infrastructure providers
- Row-Level Security (RLS) policies and organization scoping designed to isolate each organization's data so that users access data belonging to their own organization
- Role-based access controls (RBAC) restricting data visibility based on user roles (field technician, office manager, administrator, and similar designations)
- Multi-factor authentication (MFA) for administrative access, managed through our administrative tools
- Audit logging of changes to key sensitive records (such as customer, contact, profile, and time-entry data), including who made the change, when, and what values were modified
- Hashing of IP addresses and user agents in security event logs
- Secure session management using httpOnly cookies for web applications and token-based authentication for mobile applications
Security Incident Notification. In the event of a confirmed security incident that compromises the security, confidentiality, or integrity of personal information we process for a Subscriber, we will notify the affected Subscriber without undue delay after becoming aware of the incident and will provide information reasonably available to us to help the Subscriber meet its own notification obligations.
While we strive to protect personal information, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security.
7. Data Retention
We retain personal information for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law.
- Account Data: Retained for the duration of the Subscriber's account and for a reasonable period thereafter to comply with legal obligations and resolve disputes.
- Operational Data (events, time entries, photos): Retained for the duration of the Subscriber's account. Subscribers may request deletion of specific records, subject to applicable legal retention requirements.
- Location Status Logs: Retained as part of the time tracking audit trail for the duration of the Subscriber's account.
- Audit and Security Event Logs: Certain audit and security event logs are automatically purged after approximately 90 days; others may be retained longer where required to investigate an incident, maintain data integrity, or comply with law.
- Communication Content: Inbound and outbound message content (such as intake email bodies and notification records) is retained as part of the related project's communication history for the duration of the Subscriber's account, unless deletion is requested.
- Offline Cache Data: Automatically purged from mobile devices after 48–72 hours and upon user sign-out.
When a Subscriber terminates their account, we will delete or anonymize their data within 90 days of completing the termination, except where retention is required by law. Account deletion is currently processed by our team upon request to privacy@contentsops.com rather than through an automated self-service tool.
8. Your Rights and Choices
8.1 All Users
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete personal information
- Deletion: Request deletion of your personal information, subject to legal retention requirements
- Portability: Request a copy of your data in a structured, commonly used, machine-readable format
- Objection: Object to certain processing activities
- Withdrawal of Consent: Withdraw consent at any time where processing is based on consent
To exercise these rights, contact us at privacy@contentsops.com. We will respond within 45 days (or sooner if required by applicable law). We currently handle these requests manually and do not yet offer a self-service tool to export or delete your data. If you are an Authorized User, certain requests will be directed to your Subscriber, who controls your operational data.
8.2 Location Data Controls
Authorized Users can control location data collection in the following ways:
- Revoke location permissions through the device's operating system settings at any time
- Choose not to initiate a “Start Shift” session (location tracking only occurs during active work sessions)
- Use the lunch break feature to pause location tracking during breaks
- Request that the Subscriber set their geofence policy to “Manual” to remove geofence requirements
Disabling location services may affect certain features of the mobile application, including automatic time entry generation and geofence-based clock-in/out.
8.3 Push Notification Controls
You can disable push notifications through your device settings at any time. Disabling push notifications will not affect other functionality of the Service but may cause you to miss event assignment alerts and schedule reminders.
8.4 Account Deletion
Authorized Users may request account deactivation through their Subscriber's administrator. Subscribers may request full account deletion by contacting us at privacy@contentsops.com.
9. California Privacy Rights
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information.
9.1 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:
- Identifiers (name, email, phone number, IP address)
- Professional or employment-related information (job title, role, employer)
- Geolocation data (precise GPS coordinates during active work sessions)
- Internet or electronic network activity (usage data, device information)
- Audio, electronic, visual, or similar information (photographs, document images)
- Inferences drawn from the above (work status, schedule patterns)
9.2 Your California Rights
As a California resident, you have the right to:
- Know what personal information we collect, use, disclose, and sell or share
- Delete your personal information, subject to certain exceptions
- Correct inaccurate personal information
- Opt out of the sale or sharing of your personal information (we do not sell or share personal information as defined by the CCPA)
- Limit the use of sensitive personal information (including precise geolocation) to purposes necessary for providing the Service
- Non-discrimination for exercising your privacy rights
9.3 How to Submit Requests
You may submit a request by emailing privacy@contentsops.com or by writing to us at the address listed in Section 14. We will verify your identity before processing your request and will respond within 45 days. If you are an Authorized User, we may direct you to your Subscriber to fulfill certain requests, as they are the controller of your operational data.
9.4 Sale and Sharing of Personal Information
We do not sell personal information as defined by the CCPA. We do not share personal information for cross-context behavioral advertising purposes.
9.5 Opt-Out Preference Signals
Where required by law, we honor recognized universal opt-out mechanisms, such as the Global Privacy Control (GPC), as a valid request to opt out of the sale or sharing of personal information for the browser or device from which the signal is sent. As noted above, we do not sell or share personal information as those terms are defined by applicable law.
10. Additional State and Canadian Privacy Rights
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, and other states with comprehensive privacy laws may have similar rights to those described in Section 9, including rights of access, correction, deletion, portability, and the right to opt out of targeted advertising or profiling. To exercise any of these rights, contact us at privacy@contentsops.com.
10.1 Canadian Residents (PIPEDA)
If you are located in Canada, we handle personal information in a manner consistent with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws. You may request access to and correction of your personal information, and you may withdraw consent (subject to legal or contractual restrictions) by contacting us at privacy@contentsops.com. You also have the right to file a complaint with the Office of the Privacy Commissioner of Canada. Personal information may be stored and processed in the United States, where it may be accessible to courts, law enforcement, and governmental authorities under applicable law.
11. Children's Privacy
The Service is not directed to individuals under the age of 16, and we do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@contentsops.com.
12. Third-Party Links and Services
The Service may contain links to third-party websites or services (such as map applications for navigation). We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party service you access through the Service.
13. Changes to This Policy
We may update this Policy from time to time. When we make material changes, we will notify Subscribers by email and/or by posting a prominent notice within the Service at least 30 days before the changes take effect. The “Effective Date” at the top of this Policy indicates when it was last revised. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Policy.
14. Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about our data practices, please contact us at:
Superlab LLC dba ContentsOps
Attn: Privacy Inquiries
Email: privacy@contentsops.com
Website: https://contentsops.com