Last updated: October 23, 2025
Columbia Cloudworks LLC (“Columbia Cloudworks”, “we”, “us”) provides EquipQR, a SaaS for equipment tracking, work orders, and field scanning. This policy explains what we collect, why, and how we handle it.
1) What we collect
Account & Organization
- Name, email, organization name at sign-up (sent to Supabase Auth; hCaptcha token required).
- Organization membership/roles are stored in Postgres with row-level security (“RLS”).
Product Data (you control)
- Equipment records, notes, images and work orders. These are in Postgres tables with RLS (e.g., equipment, equipment_notes, work_orders, related tables) and protected policies.
- Optional scan location (when a user grants browser permission). When granted, we record latitude/longitude text (“lat, lng”) and the method (location_kind such as “manual” when coordinates aren’t provided).
- Optional map/geocoding: we resolve addresses via a serverless function that calls the Google Geocoding API and caches normalized results per organization in geocoded_locations (only service role can insert/update; org members can read their own).
Images & Files
- Work order and equipment note images are stored in Supabase Storage buckets (e.g., work-order-images, equipment-note-images) and referenced in tables with RLS; cleanup code removes storage objects on deletion.
Payments
- Subscription events are handled by Stripe webhooks; Stripe event data is logged in secure tables (user access to stripe_event_logs is denied by policy).
Product Telemetry
- The app may capture Web Vitals locally (e.g., CLS/LCP/FID) for performance debugging; the provided code path logs to console, not to third-party analytics by default.
2) How we collect data
- Browser UI: forms, file uploads, QR scanner (camera via getUserMedia) with user consent.
- Geolocation: only when granted by the user; we store coordinates and optional manual addresses.
- Serverless functions: geocoding, Stripe webhooks, invitation emails, map key proxying.
3) Where we store data
- Primary datastore: Supabase Postgres with RLS enforced across domain tables (equipment, notes, scans, work orders, etc.).
- File storage: Supabase Storage buckets for images referenced by work_order_images/equipment_note_images tables.
- Hosting layer: front-end deployed with platform configs (e.g., Vercel), including security headers in vercel.json. Edge functions run on Supabase.
4) Who we share data with (sub-processors)
| Service | Purpose | Data categories |
|---|---|---|
| Supabase (DB, Storage, Edge) | App data, file storage, serverless functions | App content, images, minimal auth metadata (RLS policies restrict per-org access) |
| Stripe | Billing, subscription webhooks, event logs | Customer billing identifiers, subscription events (access to stripe_event_logs is denied to end-users) |
| Resend (email) | Invitation emails | Recipient email, org context for invite flow |
| Google Maps | Geocoding & map tiles | Coordinates/address requests (via serverless function + public maps key endpoint) |
| Typesense (optional parts search) | High-speed search of a parts index | Part metadata only (collection schema is purely parts data) |
5) Cookies / Local storage
We use browser storage solely for app state, e.g., current org/team IDs and onboarding flags—not for advertising. Keys include currentOrganizationId, lastTeamId, onboardingCompleted (see session persistence helpers).
6) Security
- RLS enabled and scoped across tables to authenticated users within their organizations.
- Specific policies protect scans, work order images/notes, and more (examples linked).
7) Data retention & deletion
- You control retention. Org admins can delete records (e.g., equipment) and related data is removed (notes, scans, images, and objects in Storage via cleanup code).
- Work order deletions also cascade through images/notes/costs/PM/history.
8) Children
Our service is B2B and not directed to children under 16.
9) Your rights
- Access, export (CSV and PDF exports exist in code paths), correction, deletion.
10) Changes & Contact
We’ll post changes here. Questions? privacy@columbiacloudworks.com.
Terms of Service
Last updated: October 23, 2025
1) Agreement
By accessing EquipQR, you agree to these Terms.
2) Accounts & Sign-Up
- You must provide accurate info. Sign-up requires successful hCaptcha verification and email confirmation through Supabase Auth.
- You are responsible for safeguarding credentials.
3) Use of the Service
- You may use the service to manage equipment, work orders, images, and scans for your business.
- You must not upload unlawful content, attempt to bypass access controls, or interfere with others.
- Camera and geolocation access are opt-in and device-controlled.
4) Data Ownership
- You own your data (equipment, notes, images, work orders, scans). We host/process it on your behalf with per-organization access controls enforced by RLS.
5) Payment & Subscriptions
- Paid features are billed via Stripe. Subscription events are handled by webhooks; usage and event logs are kept server-side, and sensitive Stripe event logs are not exposed to end-users.
6) Availability & Support
- Service is provided on a commercially reasonable efforts basis; we may perform maintenance or updates. (Your front-end is deployed with a modern host and serverless back-end functions; see repo config.)
7) Content Moderation & Removals
- We can remove content that violates these Terms or applicable law.
8) Termination
- You can stop using the service at any time. Org admins can export and delete data (cascade deletions remove associated images/notes/scans).
9) Third-Party Services
- We integrate with Stripe (payments), Resend (email), Google Maps (geocoding/maps), and Typesense (optional search). Their use is limited to the functions described in our Privacy Policy.
10) Disclaimers & Limitation of Liability
- The service is provided “as is” without warranties of any kind. To the fullest extent permitted by law, Columbia Cloudworks is not liable for indirect or consequential damages.
11) Governing Law
- Illinois, USA
12) Contact
Data Processing Addendum (DPA)
Last updated: October 23, 2025
This DPA forms part of the agreement between Customer (Controller/Business) and Columbia Cloudworks LLC (Processor/Service Provider) for EquipQR.
1) Scope & Roles
- Subject matter: processing Customer Data to provide EquipQR.
- Duration: for the term of your subscription.
- Nature & Purpose: storage, retrieval, display, search, and transmission of Customer Data (equipment, work orders, images, scans, geocoding, billing events).
2) Categories of Data & Subjects
- Data subjects: your employees, contractors, customers (as you input).
- Data categories: names/emails for accounts; equipment/work-order content; images; optional device camera streams for in-browser scanning (not stored by default); optional coordinates/address lookups; subscription/billing metadata.
3) Processing Instructions
We process Customer Data only per your documented instructions via the app UI, API, and organization settings. Access is restricted to org members via RLS and related policies.
4) Security Measures
- Row-Level Security (RLS) across core tables (equipment, scans, work orders, images, members).
- Service-role isolation for serverless mutations (e.g., geocoding cache inserts/updates limited to service role).
- Stripe logs isolated (deny user access policy).
- Performance & security hygiene monitored in project docs (security fixes & best practices).
5) Sub-Processors
You authorize the following, limited to described purposes:
- Supabase (database, storage, edge functions).
- Stripe (billing).
- Resend (transactional email).
- Google Maps Platform (geocoding + map tiles via functions/key proxy).
- Typesense Cloud (optional) (parts index only—no customer PII).
We will add or replace sub-processors with notice and provide a way to object on reasonable grounds.
6) Data Subject Requests (DSRs)
We will assist you to respond to DSRs (access/rectification/erasure/export).
- Export: supported via CSV/PDF export functions in the app.
- Erasure: cascade deletion removes related rows and storage files (where applicable).
7) Data Retention
We retain Customer Data only while your account is active, or as needed to provide the service. Admins can remove data at any time; we follow your deletion in our systems.
8) International Transfers
Our sub-processors may store/process data in their chosen regions. We will support execution of appropriate transfer mechanisms (e.g., SCCs) on request.
9) Confidentiality
Personnel accessing Customer Data are bound by confidentiality obligations.
10) Incident Response
We’ll notify your admin contact without undue delay after becoming aware of a confirmed security incident affecting Customer Data, and will provide details and mitigation steps as information becomes available.
11) Return/Deletion at Termination
Upon termination, you may export your data; we will delete Customer Data within a reasonable period, subject to lawful retention obligations.
12) Audits
On reasonable notice, we’ll make available information necessary to demonstrate compliance with this DPA (e.g., policy excerpts, architecture docs) and cooperate with supervisory authorities as required.