Privacy Policy

1. Introduction

Welcome to ProcureOps ("we," "us," or "our"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our quality management platform and related services (collectively, the "Services").

This Privacy Policy applies to all information collected through our Services, including our website (www.procureops.io), mobile applications, and any related services, sales, marketing, or events.

By using our Services, you consent to the data practices described in this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use our Services.

2. Information We Collect

We collect information that you provide directly to us, information we obtain automatically when you use our Services, and information from third-party sources.

2.1 Information You Provide to Us

• Account Information: Email address, name, company name, job title, phone number, and password when you create an account
• Profile Information: Profile photo, bio, time zone, language preferences, and other optional profile details
• Business Information: Company details, business address, tax information, and organizational data
• Inspection Data: Factory information, supplier details, inspection reports, quality metrics, photos, documents, and notes
• Communication Data: Messages, support tickets, feedback, and other communications with us
• Payment Information: Billing address, payment method details (processed securely by third-party payment processors)

2.2 Information We Collect Automatically

• Usage Data: Pages viewed, features accessed, actions taken, time spent on pages, and navigation paths
• Device Information: IP address, browser type and version, device type, operating system, and device identifiers
• Location Data: General geographic location based on IP address (country, region, city)
• Log Data: Server logs, error reports, and performance metrics
• Cookies and Tracking: Session cookies, preference cookies, analytics cookies, and similar tracking technologies (see Section 10)

2.3 Information from Third Parties

• Authentication Providers: If you sign in using Google or other OAuth providers, we receive basic profile information (name, email, profile photo)
• Business Partners: Information shared by manufacturers, inspectors, or other business partners within the platform
• Public Sources: Publicly available company information for business verification

3. How We Use Your Information

We use the information we collect for the following purposes:

• Service Delivery: Provide, operate, and maintain our quality management platform and related services
• Account Management: Create and manage user accounts, authenticate users, and provide customer support
• Platform Operations: Facilitate inspections, manage suppliers, generate reports, and coordinate quality management activities
• Communication: Send transactional emails (inspection updates, report availability, account notifications), service announcements, and customer support responses
• Analytics and Improvement: Analyze usage patterns, improve platform features, optimize user experience, and develop new services
• Billing and Payments: Process subscription payments, issue invoices, and manage billing disputes
• Security: Detect and prevent fraud, abuse, and security incidents; protect our Services and users
• Compliance: Comply with legal obligations, enforce our Terms of Service, and respond to legal requests
• Marketing: Send promotional communications about new features, services, and offers (with your consent where required)
• Research: Conduct research and analysis to improve quality management practices and industry insights (using aggregated, anonymized data)

4. How We Share Your Information

We may share your information in the following circumstances:

4.1 Within Your Organization

Information is shared with other users in your organization based on role-based access controls. For example, quality managers can view inspection data for their suppliers.

4.2 Service Providers

We engage third-party service providers to perform functions on our behalf:

• Google Cloud Platform (Firebase): Cloud infrastructure, database, authentication, file storage, and cloud functions
• Google Analytics: Website and application analytics (anonymized usage data)
• Payment Processors: Secure payment processing (we do not store full credit card numbers)
• Email Service Providers: Transactional and marketing email delivery
• Customer Support Tools: Help desk and support ticket management

These service providers are contractually obligated to protect your data and use it only for the purposes we specify.

4.3 Business Partners

With your consent, we may share information with:

• Manufacturers when you conduct inspections at their facilities
• Inspectors assigned to your inspection requests
• Other platform users when you collaborate on quality management activities

4.4 Legal Requirements

We may disclose your information if required by law or in response to:

• Valid legal requests (subpoenas, court orders, government investigations)
• Protection of our legal rights and property
• Prevention of fraud or security incidents
• Protection of user safety or public safety

4.5 Business Transfers

If we are involved in a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website of any change in ownership or use of your personal information.

4.6 Aggregated and Anonymized Data

We may share aggregated, anonymized data that does not identify you personally for industry research, analytics, marketing, and other business purposes.

5. Data Security

We implement appropriate technical and organizational security measures to protect your information against unauthorized access, alteration, disclosure, or destruction:

• Encryption: Data in transit is encrypted using TLS/SSL protocols; sensitive data at rest is encrypted using industry-standard encryption
• Access Controls: Role-based access controls, multi-factor authentication, and principle of least privilege
• Infrastructure Security: Secure cloud infrastructure (Google Cloud Platform) with regular security audits and compliance certifications
• Monitoring: Continuous monitoring for security incidents, intrusion detection, and automated threat response
• Regular Updates: Timely security patches, dependency updates, and vulnerability remediation
• Employee Training: Security awareness training for all employees with access to user data
• Incident Response: Documented incident response procedures and breach notification protocols

While we strive to protect your information, no security system is impenetrable. We cannot guarantee absolute security of your data. If you believe your account has been compromised, please contact us immediately at support@procureops.io.

6. Your Rights (GDPR/CCPA)

Depending on your location, you may have certain rights regarding your personal information:

6.1 GDPR Rights (European Users)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

• Right to Access: Request a copy of your personal data we hold
• Right to Rectification: Correct inaccurate or incomplete personal data
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data under certain circumstances
• Right to Restriction: Request that we restrict processing of your personal data
• Right to Data Portability: Receive your personal data in a structured, machine-readable format
• Right to Object: Object to processing of your personal data for direct marketing or legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time where we rely on consent as legal basis
• Right to Lodge a Complaint: File a complaint with your local data protection authority

6.2 CCPA Rights (California Users)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request information about the categories and specific pieces of personal information we have collected about you
• Right to Delete: Request deletion of your personal information (subject to certain exceptions)
• Right to Opt-Out: Opt-out of the "sale" of your personal information (Note: We do not sell personal information)
• Right to Non-Discrimination: Not receive discriminatory treatment for exercising your privacy rights

6.3 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

• Email: support@procureops.io
• Subject Line: "Privacy Rights Request"

We will respond to your request within 30 days (GDPR) or 45 days (CCPA). We may need to verify your identity before processing your request. For security purposes, we may require additional information to confirm your identity.

7. Third-Party Services

Our Services integrate with third-party services that have their own privacy policies:

We are not responsible for the privacy practices of these third-party services. We encourage you to review their privacy policies before providing any information to them.

8. International Data Transfers

ProcureOps is based in the United States, and our service providers may process data in the United States and other countries. If you are accessing our Services from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where data protection laws may differ from those in your country.

For European users, we rely on the following mechanisms for international data transfers:

• Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with our service providers
• Adequacy Decisions: We may transfer data to countries recognized by the European Commission as providing adequate data protection
• Your Consent: In some cases, we may obtain your explicit consent for international data transfers

By using our Services, you consent to the transfer of your information to the United States and other countries as described in this Privacy Policy.

9. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law:

• Account Data: Retained until you delete your account, plus 30 days for recovery
• Inspection Data: Retained for 7 years from inspection date for compliance and audit purposes
• Communication Data: Retained for 3 years from last communication
• Usage Data and Logs: Retained for 26 months (Google Analytics default) or as needed for security investigations
• Payment Records: Retained for 7 years as required by tax and accounting regulations
• Audit Logs: Retained for 7 years for security and compliance purposes (anonymized after account deletion)

After the retention period expires, we will securely delete or anonymize your personal information. Some information may be retained in aggregated, anonymized form for analytical purposes indefinitely.

If you request deletion of your account, we will delete your personal information within 30 days, except where retention is required by law or for legitimate business purposes (e.g., resolving disputes, enforcing agreements).

10. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and store information about your use of our Services:

10.1 Types of Cookies We Use

• Essential Cookies: Required for authentication, security, and basic platform functionality (cannot be disabled)
• Functional Cookies: Remember your preferences (language, time zone, theme) to enhance user experience
• Analytics Cookies: Help us understand how users interact with our Services (Google Analytics)
• Performance Cookies: Monitor platform performance, error rates, and load times

10.2 Managing Cookies

You can control cookies through your browser settings:

• Most browsers allow you to refuse cookies or delete existing cookies through browser settings
• Disabling essential cookies may prevent you from using certain features of our Services
• To opt-out of Google Analytics, you can install the Google Analytics Opt-out Browser Add-on

10.3 Do Not Track Signals

Some browsers have "Do Not Track" (DNT) features. We currently do not respond to DNT signals because there is no industry consensus on how to interpret these signals.

11. Children's Privacy

Our Services are not intended for individuals under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.

If we discover that we have collected personal information from a child under the applicable age without parental consent, we will take steps to delete that information as soon as possible.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last Updated" date at the top of this Privacy Policy
• Notify you via email (to the email address associated with your account) at least 30 days before the changes take effect
• Display a prominent notice on our website or within the platform

Your continued use of our Services after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. If you do not agree with the updated Privacy Policy, you must stop using our Services and may request deletion of your account.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For privacy-specific inquiries or to exercise your data rights, please use the subject line "Privacy Rights Request" in your email.

We will respond to all legitimate requests within 30 days (GDPR) or 45 days (CCPA), or as otherwise required by applicable law.