
Privacy Policy

Last updated: April 20, 2026

Introduction

Punch List is a mobile app for construction professionals made by Rojao, Inc. ("Rojao," "we," "us," or "our"), a California S-corporation. This Privacy Policy explains what Personal Data we collect when you use the Punch List iOS app, Punch List Android app, the mypunchlistapp.com website, and related services (together, the "Service"), why we collect it, how we process it, and the rights you have with respect to it.

We have written this Policy in plain English where possible, without sacrificing the precision the law requires. If anything is unclear, contact us at privacy@mypunchlistapp.com.

Definitions

  • Personal Data: any information relating to an identified or identifiable individual.
  • Processing: any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
  • Controller: the party that determines the purposes and means of Processing.
  • Processor / Service Provider: a party that Processes Personal Data on behalf of a Controller under a written contract.
  • Sale and Share: as defined in the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA). "Share" includes disclosing Personal Data to a third party for cross-context behavioral advertising, whether or not money changes hands.
  • Sensitive Personal Information (SPI): the categories defined in Cal. Civ. Code §1798.140(ae), including account login credentials combined with required access information.

Quick reference

What we collect | Why | Who collects it
Your project content and photos | So you can build and manage punch lists | Stored only on your device; never transmitted unless you export
Pseudonymous app usage and crash data | To improve reliability and fix bugs | Firebase Analytics and Firebase Crashlytics (Google)
App install attribution | To measure advertising effectiveness | Meta Facebook SDK (with prior consent for EEA/UK users)
Purchase confirmation | To give you access to premium features | Apple StoreKit, Google Play Billing, or Stripe
Email and account identifiers | To let you sign in and manage your subscription | Clerk (authentication), Stripe (billing), Resend (email)
Server logs | Basic site operation and security | Vercel
Website analytics | To understand how the site is used | Google Analytics 4 (only after you accept the cookie banner)

Data we collect from the mobile apps

On-device only

Your punch lists, items, photos, project content, and in-app settings are stored locally on your device. We never transmit this content to our servers. It is shared only when you explicitly export or share, for example when you email a PDF report or send a .pnch file to a colleague.

Firebase Analytics (Google)

We use Firebase Analytics to understand how the app is used: which features are popular, where users encounter friction, and how the app performs on different devices. Firebase Analytics collects:

  • Screen views and event parameters you trigger by interacting with the app.
  • A pseudonymous Firebase App Instance ID assigned by Google to your app installation. This ID persists until you uninstall the app or reset advertising identifiers in your device settings.
  • Device model, operating system version, language, and region.

This data is classified as linked to you (pseudonymous, not anonymous) for the purposes of Apple's App Privacy nutrition label and Google Play's Data Safety form. It is processed by Google on our behalf under Google's Firebase Data Processing Terms.

Firebase Crashlytics (Google)

When the app crashes, Firebase Crashlytics collects a stack trace, device state at the time of the crash, and the same pseudonymous Firebase App Instance ID described above, so we can diagnose and fix the problem. No punch-list content is included in crash reports.

Meta Facebook SDK: app install attribution

We use the Meta Facebook SDK to measure whether advertising campaigns we run on Meta platforms (Facebook, Instagram) successfully convert to app installs. The SDK reports install events and, if you interacted with a Meta ad before installing, the ad-attribution signal.

For users in the European Economic Area (EEA) and the United Kingdom (UK), the Meta SDK does not initialize until you provide affirmative consent through our in-app consent dialog. If you decline, the SDK is not loaded and no install-attribution event is sent.

On iOS, we do not request App Tracking Transparency permission by default; IDFA is disabled. If we ever enable IDFA-based attribution, we will prompt you with the system ATT permission dialog first.

Apple StoreKit and Google Play Billing

Subscription purchases made inside the iOS app are processed by Apple under Apple's Terms; those made inside the Android app are processed by Google under Google's Terms. We receive only a receipt or purchase token and your subscription status. We do not receive your payment card number, billing address, or tax information.

Data we collect from the website and account services

Account data (Clerk)

When you create an account to subscribe on the web, we collect your email address and (if you provide them) your name and the authentication method you chose (email / Google / Apple). Clerk assigns you an internal user identifier. Your login credentials are Sensitive Personal Information under Cal. Civ. Code §1798.140(ae)(1)(C) and are used solely to authenticate you.

Subscription data (Stripe)

Stripe processes your payment on its own PCI-DSS-compliant systems. We receive and store: your Stripe customer ID, subscription status, plan (monthly or annual), billing cycle, the last four digits and brand of the card (for display only), and the country associated with your billing address (for tax purposes). We never store your full card number.

Transactional email (Resend)

We use Resend to send account and billing emails: welcome messages, receipts, subscription notices, and similar. Resend Processes your email address and the message content on our behalf.

Database of record (Neon)

Subscription records, enterprise licenses, and enterprise device registrations are stored in a PostgreSQL database hosted by Neon in the United States.

Server logs (Vercel)

Vercel, our hosting provider, records standard server logs for operations and security: IP address, user-agent, requested route, status code, and timestamp. These logs are retained by Vercel for 30 days by default.

Website analytics (Google Analytics 4)

We load Google Analytics 4 only after you click "Accept" in the cookie banner. If you decline, no analytics script is loaded and no analytics cookies are set. When loaded, GA4 collects pseudonymous session data such as pages visited, approximate region, and device type.

Cookies and similar technologies

  • Strictly necessary: a Clerk session cookie (to keep you signed in) and a cookie-consent-decision cookie (to remember your choice).
  • Analytics: Google Analytics 4 cookies, only after consent.
  • Advertising: none. We do not use advertising or cross-site tracking cookies on the website.

How we use your data

We use Personal Data for the following purposes:

  • Provide the Service. Let you sign in, pay, receive receipts, and use premium features.
  • Process payments. Fulfill subscriptions and prevent payment fraud.
  • Operate and improve the apps. Diagnose crashes, measure feature usage, and fix bugs.
  • Measure advertising. Attribute installs to campaigns (only where permitted, including the EEA/UK consent gate described above).
  • Communicate with you. Send transactional email (receipts, account notices, support replies).
  • Comply with law. Retain tax records, respond to lawful requests, and enforce our Terms of Service.

We do not use your Personal Data to train artificial intelligence or machine learning models, and we do not sell your data.

Legal bases for processing (GDPR / UK GDPR)

For users in the EU and UK, we process Personal Data on the following legal bases:

  • Contract necessity (Art. 6(1)(b)). For account creation, subscription management, payment processing, and delivery of the Service.
  • Legitimate interest (Art. 6(1)(f)). For the limited purposes below. For each, we have conducted a Legitimate Interest Assessment and concluded:
    • Crash diagnostics (Firebase Crashlytics): we rely on our legitimate interest in diagnosing app crashes to improve reliability. We have assessed that this interest is not overridden by user rights because the data is pseudonymous, retained for a limited period, and cannot be used to identify an individual without additional information.
    • Usage analytics (Firebase Analytics in-app): we rely on our legitimate interest in understanding product usage to improve the Service. We have assessed that this interest is not overridden by user rights because the data is pseudonymous and not combined with directly identifying Personal Data.
    • Security and fraud prevention: we rely on our legitimate interest in protecting the Service and our users. We have assessed that this interest clearly outweighs the minimal privacy impact of processing short-term server logs.
  • Consent (Art. 6(1)(a)). For website analytics cookies and for EEA/UK initialization of the Meta Facebook SDK. You may withdraw consent at any time using the mechanism by which it was given.
  • Legal obligation (Art. 6(1)(c)). For tax and accounting retention.

Sharing your data

Service providers and sub-processors

We share Personal Data with the following Service Providers / Processors, each bound by a written contract to process Personal Data only on our instructions:

Processor | Purpose | Data shared | Region
Clerk, Inc. | Authentication | Email, name, user ID, auth method | US
Stripe, Inc. | Payment processing | Stripe customer ID, billing info | US
Resend | Transactional email | Email address, message content | US
Neon, Inc. | Database of record | Subscription records | US
Vercel Inc. | Hosting, server logs | IP, user-agent, route | US / global edge
Google LLC (Firebase) | Analytics, crash reports | Pseudonymous App Instance ID, events, stack traces | US / global
Meta Platforms, Inc. | App install attribution | Install events, ad-attributed installs (with EEA/UK consent) | US / global

We commit to verifying each sub-processor's EU-US Data Privacy Framework certification status before reliance and to reviewing it annually. See the International Transfers section below.

Legal and safety

We may disclose Personal Data when required by law, court order, or to investigate and prevent fraud, security incidents, or violations of our Terms of Service.

Business transfers

If Rojao, Inc. is acquired, merged, or its assets are sold, Personal Data may be transferred to the successor entity, subject to this Policy or a successor policy at least as protective.

No "sale" and our posture on "share" under CPRA

We do not sell Personal Information for monetary consideration. Certain uses of the Meta Facebook SDK for install attribution may constitute a "share" for cross-context behavioral advertising under CPRA if not processed under a valid service-provider relationship. We operate under Meta's Business Tools terms, which we believe establish a service-provider relationship under Cal. Civ. Code §1798.140(ag); we continue to monitor this posture.

Your Privacy Choices. To exercise your right to opt out of any sale or sharing of your Personal Information, email privacy@mypunchlistapp.com with the subject line "Your Privacy Choices: Opt Out of Sale or Sharing." We will honor your request within 15 business days.

International data transfers

Our Service Providers are primarily located in the United States. For Personal Data originating in the EEA, UK, or Switzerland:

  • EU-US Data Privacy Framework (DPF): where a Service Provider is certified under the DPF for the relevant data category, transfers rely on the DPF. Sub-processors' current certifications can be verified at dataprivacyframework.gov.
  • Standard Contractual Clauses (SCCs): where a Service Provider is not DPF-certified for the relevant data category, transfers occur under the European Commission's Standard Contractual Clauses (2021) as incorporated into the data processing agreement with that Service Provider.
  • UK International Data Transfer Addendum: for UK-origin data, the UK IDTA addendum to the Standard Contractual Clauses applies.
  • Swiss FADP Addendum: for Swiss-origin data, the Swiss Federal Data Protection and Information Commissioner's addendum applies.

You may request a list of sub-processors and their current transfer safeguards by emailing privacy@mypunchlistapp.com.

Data retention

We retain Personal Data only for as long as necessary:

Category | Retention
Account data (Clerk user, email) | While your account is active; deleted within 30 days after a verified deletion request (the 30-day window is a grace period, not a separate retention bucket)
Subscription records | As required by applicable tax and accounting laws (typically up to 7 years, reflecting IRS substantiation requirements; California sales-and-use tax records are retained for 4 years)
Server logs | 30 days (Vercel default)
Website analytics | 14 months (Google Analytics 4 default)
Crash reports | 90 days
Support correspondence | 2 years after resolution

Backups. Data deleted from our live systems may persist in encrypted backups for up to 35 days before being overwritten on our rolling backup cycle. During this window the data is not accessible to any operational system and cannot be used to identify or contact you.

Security

We take reasonable and appropriate security measures to protect Personal Data:

  • All network traffic is encrypted in transit using TLS 1.2 or higher.
  • Data is encrypted at rest where supported by our Service Providers.
  • Authentication is handled by Clerk, which follows industry-standard password hashing and offers multi-factor authentication.
  • Payments are handled by Stripe, which is PCI-DSS Level 1 certified.
  • We follow the principle of least privilege for internal access to production systems.

No system is perfectly secure. In the event of a personal data breach, we will notify affected users and applicable regulators as required by law.

Your privacy rights

You can exercise the rights below by emailing privacy@mypunchlistapp.com from the email address associated with your account. We will verify your identity and respond within the statutory deadline applicable to your region. We do not charge a fee, except for manifestly unfounded or excessive requests.

Rights available to everyone

  • Access a copy of the Personal Data we hold about you.
  • Correct inaccurate Personal Data.
  • Delete your Personal Data (subject to legal retention requirements described in Data Retention above).
  • Receive a portable copy of your Personal Data in a common format.
  • Opt out of Firebase Analytics in your device settings.

EU / UK (GDPR and UK GDPR)

In addition to the rights above, users in the EU and UK have the right to:

  • Rectification of inaccurate or incomplete data.
  • Erasure ("right to be forgotten").
  • Restriction of processing in certain cases.
  • Objection to processing based on legitimate interest or direct marketing.
  • Data portability in a structured, commonly used, machine-readable format.
  • Withdraw consent at any time for processing based on consent.
  • Lodge a complaint with your national supervisory authority. A list is available at edpb.europa.eu.

California (CCPA / CPRA)

California residents have the right to:

  • Know what categories of Personal Information we collect, the sources, the purposes, and the categories of recipients.
  • Delete Personal Information (subject to statutory exceptions).
  • Correct inaccurate Personal Information.
  • Opt out of sale or sharing. We do not sell Personal Information; regarding "sharing" see the section above. You may exercise this right via the Your Privacy Choices link in our footer.
  • Limit use of Sensitive Personal Information. We do not use Sensitive Personal Information for purposes beyond those permitted under Cal. Civ. Code §1798.121(d) without your consent. Authentication credentials are used solely to authenticate you.
  • Non-discrimination. We will not deny service, charge a different price, or provide a different level of quality because you exercised a privacy right.
  • Authorized agent. You may designate an authorized agent to submit requests on your behalf. We will require proof of authorization and may separately verify your identity.
  • Shine the Light (Cal. Civ. Code §1798.83). California residents may request a list of third parties to whom we have disclosed Personal Information for direct marketing purposes. We have not disclosed any Personal Information for this purpose in the preceding calendar year.

U.S. State Privacy Rights

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon, Montana, Iowa, Tennessee, Indiana, Florida, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Kentucky, and Rhode Island have substantially overlapping rights under their respective state privacy laws, including the right to:

  • Access a copy of their Personal Data.
  • Delete their Personal Data.
  • Correct inaccurate Personal Data.
  • Port their Personal Data.
  • Opt out of targeted advertising and of sale of Personal Data (we do not engage in either; see the "No sale and our posture on share" section above).

To exercise any of these rights, email privacy@mypunchlistapp.com with your state of residence. If we deny your request in whole or in part, you have the right to appeal that decision by replying to our response within 45 days; we will reconsider and respond within the statutory appeal deadline applicable to your state.

Canada (PIPEDA)

Canadian residents (outside Quebec) have the right under the Personal Information Protection and Electronic Documents Act to access and correct their Personal Information, and to lodge a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.

Quebec (Law 25)

Residents of Quebec have additional rights under the Act respecting the protection of personal information in the private sector, including the right to:

  • Be informed of the existence of automated decision-making that produces legal or similarly significant effects.
  • Request that we cease disseminating Personal Information or deindex a hyperlink in certain circumstances.
  • Lodge a complaint with the Commission d'accès à l'information (CAI) at cai.gouv.qc.ca.

Person Responsible for the Protection of Personal Information (Privacy Officer): privacy@mypunchlistapp.com.

Australia (Privacy Act 1988)

Australian residents have the rights described in the Australian Privacy Principles, including rights of access, correction, and complaint to the Office of the Australian Information Commissioner at oaic.gov.au.

Account and data deletion

To delete your account, email privacy@mypunchlistapp.com from the address on file, with the subject line "Delete my account." We will process the request within 30 days and confirm by email once complete.

Upon a verified deletion request we remove:

  • Your Clerk user record (email, name, auth identifiers).
  • Your Neon rows (subscription status, entitlement, device registrations).
  • Your Stripe customer record, subject to the tax-retention requirements described in Data Retention above.

On-device data (punch lists, photos, and project content) is deleted when you delete the app from your device.

In-app deletion. In compliance with App Store Review Guideline 5.1.1(v) and Google Play policy, the iOS and Android apps expose an in-app "Delete my account" option that pre-fills an email to the privacy address.

Children

The Service is intended for users 18 years of age or older. We do not knowingly collect Personal Data from anyone under 18. If you believe a child has provided us with Personal Data, contact us at privacy@mypunchlistapp.com and we will delete it without undue delay.

EU and UK representatives

Rojao, Inc. does not currently appoint a representative under GDPR Article 27 or UK GDPR Article 27. We rely on the exemption in Article 27(2) on the basis that our Processing is occasional, does not include the large-scale Processing of special categories of Personal Data or Personal Data relating to criminal convictions, and is unlikely to result in a risk to the rights and freedoms of natural persons. We will reassess this posture as our scale grows.

Third-party services

The Service relies on the following third parties, each with its own privacy policy:

Changes to this policy

We may update this Policy to reflect changes to the Service, our Processing, or legal requirements. For material changes we will give at least 30 days' notice by in-app notice or email to the address associated with your account. The "Last updated" date at the top of this Policy reflects the most recent revision.

Contact and Data Protection Officer status

Privacy inquiries and requests: privacy@mypunchlistapp.com.

Mailing address: Rojao, Inc., California, USA. (A full postal address will be published here before any formal legal notice is sent; email remains the fastest route.)

Data Protection Officer. We are not required to appoint a Data Protection Officer under GDPR Article 37 or UK GDPR Article 37 because we do not engage in large-scale systematic monitoring of data subjects and do not carry out large-scale Processing of special categories of Personal Data as defined in GDPR Article 9. Privacy inquiries are handled by the Privacy Officer at the address above.