Privacy Policy

This Privacy Policy describes how Cottonworks LLC [LEGAL REVIEW: confirm entity] ("Cottonworks," "we," "us") collects, uses, shares, and protects personal information when you:

• Visit our marketing website at cottonworks.us;
• Subscribe to Cottonworks or request a demo;
• Use the product at app.cottonworks.us;
• Communicate with us by email, phone, or in-product messaging.

This policy does not apply to third-party websites linked from Cottonworks. It also does not apply to the agency business records that your employer (the Customer agency) stores inside Cottonworks; those records are governed by your employer's privacy practices, with Cottonworks acting as the data processor under Section 19 below.

• "Personal data" (or "personal information") means information that identifies you, relates to you, or could reasonably be linked to you.
• "Processing" means anything done with personal data — collecting it, storing it, using it, sharing it, or deleting it.
• "Controller" is the entity that decides why and how personal data is processed. For records inside the product, Customer is the controller; for marketing-site interactions, Cottonworks is the controller.
• "Processor" is the entity that processes personal data on the controller's behalf. Cottonworks acts as a processor when handling agency business records inside the product.
• "Sensitive personal information" means data categories that get extra protection under applicable law (government IDs, precise geolocation, biometric data, health data, etc.). Cottonworks does not knowingly collect sensitive personal information from individual visitors or Authorized Users in the marketing or accounts contexts.

The categories below describe data about you as an individual. Customer business records (assets, work orders, contracts, etc.) are addressed separately in Section 19.

• Contact information you provide. Your name, work email, role/title, employer (agency name), phone number, and any optional notes you type into a subscribe, demo-request, or contact form. Source: you provide this directly.
• Account information. The email address you authenticate with, the agency workspace you belong to, your role within that workspace (owner / admin / member), invitation status, last-sign-in timestamp, two-factor authentication enrollment status. Source: created when an Authorized User first signs in.
• Billing information. Card numbers, ACH bank account numbers, and routing numbers go directly to Stripe — we never see them and they are not stored in Cottonworks systems. Cottonworks sees and stores: the Stripe customer ID Stripe assigns to your billing relationship, the billing email and contact details you give Stripe, subscription status (active / past-due / canceled), invoice history (amounts and dates, not card data), and payment-method type (card vs. ACH vs. PO/check). Source: Stripe and Customer's billing workflow.
• Product activity logs. Server-side records of which features you used and when, retained for 90 days for security, debugging, and audit purposes. Includes: request timestamps, requested feature, response status, IP address, user agent. Source: automatically collected by the application server.
• Audit trail. Inside the product, every consequential action (creating a record, deleting an asset, exporting data, changing a setting, inviting a user) is logged with the actor, timestamp, and action. This audit trail is part of the Customer Data that your agency owns and uses for its own compliance. Source: automatically collected from Authorized User actions.
• Device and technical data. Browser type and version, operating system, screen resolution, locale, referring URL. Used to render the Service correctly and to detect anomalous activity. Source: standard browser headers.
• Marketing-site visits. Standard server logs (IP address, user agent, referrer, requested URL, response status, timestamp), retained for 30 days. The marketing site does not run third-party analytics, advertising trackers, or cross-site cookies.
• Communications. Email exchanges between you and Cottonworks support or sales, including any attachments you send us. Retained for as long as the support / sales relationship is active plus a reasonable archival window [LEGAL REVIEW: specify the archival window, e.g., 3 years].

What we don't collect. We do not knowingly collect sensitive personal information (e.g., precise geolocation, biometric data, health data, government IDs, children's data) from individual users for purposes of marketing or account management. If your agency uploads such data into the product as part of its lawful business operations, the agency is responsible for that data under Section 19.

We collect personal data in three ways:

• Directly from you. When you fill out a form, send us an email, sign up for a subscription, or otherwise communicate with us.
• Automatically. When you visit our websites or use the product, our servers automatically log technical data (IP, user agent, requested URLs) and activity data (clicks, feature usage).
• From third parties. When you pay through Stripe, Stripe shares billing identifiers and payment status with us. When your agency invites you to a Cottonworks workspace, the agency shares your email address with us in order to send the invitation.

We process personal data for the purposes below. For users in jurisdictions that require a stated legal basis (EU/UK GDPR, Switzerland, etc.), the legal basis is listed alongside the purpose.

• Provide the Service to you. Authenticate you, deliver the features your subscription pays for, send transactional email (sign-in links, billing notices). Legal basis: performance of a contract with you or your agency, and our legitimate interest in operating the Service.
• Process payments and prevent fraud. Bill you for the subscription, prevent payment-fraud abuse. Legal basis: performance of a contract; legal obligation; legitimate interest in preventing financial loss.
• Provide customer support. Respond to your emails, debug issues you report, restore data on request. Legal basis: performance of a contract; legitimate interest in customer service.
• Secure the Service. Detect and prevent unauthorized access, abuse, malware, spam, and other security risks. Legal basis: legitimate interest in security; legal obligation in some jurisdictions.
• Comply with law. Respond to subpoenas, court orders, and other legal process; maintain records required by tax, accounting, and corporate law. Legal basis: legal obligation.
• Improve the Service. Analyze aggregated, de-identified usage patterns to plan capacity, identify bugs, and prioritize roadmap. Legal basis: legitimate interest in product improvement.
• Communicate about the Service. Send you product updates, security notices, terms changes, and incident notifications. Legal basis: performance of a contract; legitimate interest in keeping you informed.

What we don't do. We do not: (a) sell personal data; (b) share personal data with advertisers or marketers; (c) use personal data to train AI or machine-learning models that operate outside Customer's own workspace; (d) make decisions about you based solely on automated processing that produce legal or similarly significant effects. [LEGAL REVIEW: keep this synchronized with any AI-feature additions to the product. If any future feature uses automated profiling with material effects, add disclosures here.]

We share personal data only in the limited circumstances described below.

• Subprocessors. We share data with the third-party providers listed in Section 7 to the extent needed for each to deliver its slice of the Service.
• Your agency. If you are an Authorized User of a Customer agency's workspace, your name, email, role, last-sign-in, and activity within the workspace are visible to other Authorized Users of that agency. Your agency is the controller of that information.
• Professional advisors. We may share personal data with our accountants, lawyers, and auditors when necessary for their professional services, under their professional duty of confidentiality.
• Legal process. We may disclose personal data in response to subpoenas, court orders, or other legal process, or where disclosure is necessary to: (a) comply with applicable law; (b) protect our rights or property; (c) protect the safety of any person; or (d) investigate fraud or security incidents. We will notify the affected user where legally permitted.
• Business transfer. If Cottonworks is involved in a merger, acquisition, asset sale, or bankruptcy, personal data may be transferred as part of the transaction. The acquirer will be bound by this Privacy Policy (or provide notice of any successor policy).
• With your consent. We may share personal data for other purposes with your prior consent.

No "sale" or "share". Cottonworks does not "sell" personal information for monetary or other valuable consideration as those terms are defined under the California Consumer Privacy Act (CCPA) or California Privacy Rights Act (CPRA). Cottonworks does not "share" personal information for cross-context behavioral advertising as that term is defined under the CPRA.

Cottonworks uses the following third-party providers to deliver the Service. Each is contractually bound to use personal data only as needed to deliver the slice of the Service they provide, to keep it confidential, and to implement reasonable security measures.

Data Processing Agreements. Cottonworks has signed Data Processing Agreements (DPAs) or equivalent contractual safeguards with each Subprocessor, requiring them to process personal data only on documented instructions, maintain confidentiality, implement security measures, and assist with data-subject requests.

Subprocessor changes. If we add or change a Subprocessor in a way that materially affects how personal data is handled, we'll provide at least 30 days' advance notice via email to account owners and an in-product banner. During the notice period, affected customers may object per the Terms of Service.

All Cottonworks data — including personal data — is stored in the United States. Our hosting providers operate data centers in U.S. regions. Cottonworks does not replicate or routinely transfer Customer Data outside the United States.

For EU/UK/Swiss customers. If you are in the EU/UK/Switzerland and Cottonworks transfers your personal data to the US, the transfer relies on Standard Contractual Clauses (SCCs) published by the European Commission and the UK Addendum, supplemented by any additional measures required by the relevant data-protection authorities. The SCCs are incorporated by reference into our Data Processing Agreement, available on request. [LEGAL REVIEW: confirm SCC module selection and any supplementary measures with counsel before treating this as legally exhaustive.]

For customers with state- specific residency requirements. If your agency has a contractual or statutory requirement to keep certain records within a specific US state, contact team@cottonworks.us before signing up — we will tell you honestly whether we can meet that requirement on our current infrastructure.

We retain personal data only as long as needed for the purposes described above. Specific retention windows:

• Account information: for the duration of the subscription, plus the 90-day post-termination access window, plus an additional 30 days for permanent deletion from active systems.
• Customer business records inside the product: per the Terms of Service — 90 days post-termination read access, then permanent deletion within 30 days, then backups rotated within an additional 90 days.
• Product activity logs: 90 days.
• Marketing-site request logs: 30 days.
• Communications (email, support): active period plus 3 years archival, then deletion.
• Billing records (invoices, payment receipts): 7 years from the date of issuance, to comply with US tax and corporate recordkeeping requirements.
• Backups: nightly snapshots retained ~30 days; weekly/monthly retained up to 90 days; then overwritten on a rolling basis.

These windows may be extended for an individual record where: (a) we are required to retain it by applicable law (e.g., active litigation hold, regulatory investigation); or (b) we have a legitimate need (e.g., a pending security investigation). When the legal hold or legitimate need ends, the standard retention window resumes.

First-party cookies only. The Service and the marketing site use first-party cookies only. We do not use third-party advertising cookies, retargeting pixels, or cross-site analytics. The marketing site (cottonworks.us) does not set any cookies unless you sign in or otherwise interact with an authenticated feature.

Cookie inventory. The following cookies (or similar storage mechanisms) may be set when you use the Service:

• Authentication session cookie (set on app.cottonworks.us when you sign in; expires when you sign out or after a reasonable inactivity period; strictly necessary for authentication).
• CSRF token cookie (anti-forgery protection; strictly necessary).
• Preference cookies (e.g., remembered UI layout choices; not used for tracking).

Do Not Track. We honor the Do Not Track (DNT) browser signal by not loading any optional tracking or analytics that we might add in the future. Since we currently run no third-party analytics on the marketing site, DNT has no additional effect today.

Mobile and offline storage. The Service may use localStorage or IndexedDB inside your browser to cache UI state and improve responsiveness. That data is local to your device and never transmitted to Cottonworks unless required to perform a feature you requested.

We use industry-standard technical and organizational measures appropriate to the sensitivity of the data we process. Specifics:

• Encryption in transit. All connections to Cottonworks services are encrypted using modern TLS (1.2 or higher). HTTPS is enforced; non-HTTPS requests are redirected.
• Encryption at rest. Customer Data and personal data are encrypted at rest on the storage layer of our hosting providers using AES-256 or equivalent.
• Access controls. Production data is accessible only to a small number of Cottonworks personnel under least-privilege, role-based access controls. Administrative access is logged and audited.
• Authentication for staff. Cottonworks staff with access to production systems are required to use strong passwords and two-factor authentication.
• Network segmentation. Production environments are isolated from development and testing environments. Customer Data is not used in non-production environments without anonymization.
• Vulnerability management. Dependencies are monitored for security advisories; critical patches are applied within 7 days of disclosure. Cottonworks performs regular internal security review and engages external testing on a recurring basis. [LEGAL REVIEW: confirm the cadence and document the program before publishing as a binding commitment.]
• Backup security. Backups are encrypted with the same standards as live data and stored in access-controlled buckets.
• Personnel. Cottonworks staff and contractors with access to personal data sign confidentiality agreements and receive privacy and security training. Background checks are performed for staff with access to production data, where permitted by applicable law.

Incident response. No system is perfectly secure. If we discover a security incident that affects your personal data — meaning unauthorized access, disclosure, or loss — we will: (a) investigate the incident promptly; (b) notify you within 72 hours of confirming the incident affected your data; (c) provide the information you need to assess and respond to the incident; and (d) cooperate with regulators and law enforcement as required.

Your role. The security of personal data also depends on you using strong passwords, enabling two-factor authentication where offered, not sharing credentials, and promptly reporting suspected unauthorized access to your account.

Regardless of where you live, you have the following rights with respect to your personal data:

• Access. Ask us to confirm whether we process your personal data and provide a copy of it.
• Correction. Ask us to correct inaccurate or incomplete personal data.
• Deletion. Ask us to delete your personal data, subject to legal retention requirements and our legitimate need to retain certain records (e.g., billing records).
• Portability. Receive a machine-readable export of personal data you provided to us, where technically feasible.
• Restriction. Ask us to restrict the processing of your personal data in certain circumstances.
• Objection. Object to processing based on our legitimate interests, where applicable.
• Withdraw consent. Where processing is based on your consent, withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
• Non-discrimination. We won't deny you service, charge you more, or provide a lower-quality service because you exercised a privacy right.

How to exercise. Email team@cottonworks.us with the subject "Privacy Request" and the specific right you want to exercise. We respond within 30 days (with a possible 60-day extension for complex requests, with notice to you).

Verification. Before fulfilling a privacy request, we may need to verify your identity. For account-holding users, we typically verify by confirming the request comes from your registered email address. For requests we cannot reasonably verify, we may decline to act and will tell you why.

Authorized agents. You may use an authorized agent (e.g., a lawyer, family member) to submit a privacy request on your behalf. The agent must provide written proof of authorization, and we may still ask you to verify your identity directly.

Appeals. If we deny a privacy request, you may appeal our decision by replying to our denial email. We review appeals within 45 days. If we deny the appeal, we will tell you how to file a complaint with the relevant regulator (e.g., your state attorney general, or for EU residents, your supervisory authority).

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to know what personal information we collect, the sources, the purposes, and the categories of third parties we share it with.
• Right to delete personal information we have collected.
• Right to correct inaccurate personal information.
• Right to opt out of sale or sharing. Cottonworks does not "sell" or "share" personal information as defined under the CPRA, so there's nothing to opt out of, but the right exists.
• Right to limit use of sensitive personal information. Cottonworks does not process sensitive personal information for purposes that would trigger this right, but the right exists.
• Right to non-discrimination for exercising any of these rights.

Notice at collection. The categories of personal information we collect, the sources, and the purposes are described in Sections 3, 4, and 5 of this policy. We do not collect personal information for purposes other than those listed.

Retention. Retention windows are described in Section 9.

Shine the Light. California Civil Code § 1798.83 permits California residents to request certain information about disclosure of personal data to third parties for direct marketing purposes. Cottonworks does not disclose personal data to third parties for their direct-marketing purposes.

If you are in the EU, UK, or Switzerland, you have the rights listed in Section 12. You also have the following additional rights and information:

• Legal basis for processing. Listed in Section 5 alongside each purpose.
• Right to lodge a complaint. You may lodge a complaint with the data-protection supervisory authority in your country of residence.
• International transfers. If your data is transferred from the EU/UK to the US, the transfer is governed by Standard Contractual Clauses — see Section 8.
• Automated decision-making. We do not engage in automated decision-making (including profiling) that produces legal or similarly significant effects on you. If that ever changes, we will update this policy and provide the disclosures GDPR Article 22 requires.

Data Protection Officer. Cottonworks is not currently required to appoint a Data Protection Officer under GDPR. The point of contact for privacy questions is team@cottonworks.us. [LEGAL REVIEW: revisit if/when EU activity grows enough to trigger the DPO requirement under Article 37.]

EU/UK Representative. [LEGAL REVIEW: GDPR Article 27 may require Cottonworks to appoint an EU representative if we offer services to EU residents. Currently we do not offer the Service in the EU, so this representative is not appointed. Confirm with counsel before targeting EU customers.]

Cottonworks honors the privacy rights listed in Section 12 globally, regardless of where you live. If your jurisdiction grants rights beyond those listed — for example, Virginia's VCDPA, Colorado's CPA, Connecticut's CTDPA, Utah's UCPA, Texas's TDPSA, or comparable laws in other US states or countries — you may exercise those rights using the process in Section 12. We respond to requests under applicable law within the time period that law requires. [LEGAL REVIEW: this catch-all approach is simpler than enumerating each state law, but counsel should confirm it meets each statute's specific notice requirements.]

Cottonworks is intended for use by public agencies and the adult employees, contractors, and agents who serve them. The Service is not directed at children under 13, and we do not knowingly collect personal information from individuals under 13. If you believe a child under 13 has used Cottonworks or that we have collected personal information from a child under 13, email team@cottonworks.us and we will promptly delete the information and close the account. This policy is intended to comply with the Children's Online Privacy Protection Act (COPPA) and analogous laws.

We send the following emails to people who have signed up to hear from us or who are using the Service:

• Transactional emails (sign-in links, billing notices, security alerts, terms updates). These are necessary to operate the Service and cannot be opted out of while your subscription is active.
• Demo follow-ups if you requested a demo. We send at most three follow-up emails over a 30-day period unless you reply or ask us to stop.
• Product update digests on rare occasions. You can opt out using the unsubscribe link in every digest email.

We do not send promotional emails on behalf of third parties. We do not run drip campaigns beyond the demo-follow-up sequence. If you ever want us to stop emailing you, reply "UNSUBSCRIBE" to any non- transactional message or write to team@cottonworks.us.

Cottonworks does not currently engage in automated decision-making (including profiling) that produces legal or similarly significant effects on individuals. AI-assisted features inside the staff CRM (e.g., draft generation) operate on data the staff member explicitly submits and do not make autonomous decisions affecting customers or end users.

If we ever introduce automated decision-making with material effects, we will: (a) update this policy with the required disclosures; (b) provide meaningful information about the logic involved; and (c) offer affected individuals the right to obtain human intervention, express their point of view, and contest the decision.

Different role. The sections above cover personal data where Cottonworks is the controller. For the agency business records that a Customer agency stores inside the Cottonworks product (assets, projects, work orders, contracts, invoices, inspection logs, etc.), Cottonworks acts as a data processor on the Customer agency's behalf. The Customer is the controller and is responsible for the lawful basis, retention, and disclosure of those records.

Our processor commitments. In our processor role, we will:

• Process Customer Data only on Customer's documented instructions, including as set out in the Terms of Service;
• Ensure persons authorized to process Customer Data are bound by confidentiality;
• Implement the technical and organizational security measures described in Section 11;
• Engage Subprocessors only as listed in Section 7, and bind them to equivalent obligations;
• Assist Customer with data-subject requests directed at Customer Data;
• Assist Customer with security incidents, data protection impact assessments, and consultations with supervisory authorities;
• Delete or return Customer Data on termination per Section 8 of the Terms of Service;
• Make available the information necessary to demonstrate compliance and allow for audits, subject to reasonable confidentiality protections.

Data Processing Agreement. For Customers subject to GDPR, CPRA, or analogous regimes, Cottonworks offers a Data Processing Agreement ("DPA") that formalizes the processor relationship and supplements these privacy and terms documents. Request the DPA at team@cottonworks.us.

Public-records considerations. If a member of the public submits a public-records request to Cottonworks for records that constitute Customer Data, we will redirect the requester to the Customer agency's public-records officer and notify the Customer of the request. Cottonworks does not respond to public-records requests on behalf of the Customer agency.

We update this policy as the product evolves and as our counsel or regulators ask us to. For non-material clarifications, we publish the updated policy at this URL with an updated effective date. For material changes, we'll provide at least 30 days' advance notice via email to the account owner and an in-product banner. We'll keep prior versions of this policy available on request so you can see what changed.

Continuing to use the Service after the announced effective date of an update means you accept the updated policy. If you object to a material change, you can cancel under the Terms of Service.

Privacy questions, complaints, requests to exercise your rights, or concerns about how we handle your data:

• Email: team@cottonworks.us with the subject line "Privacy Request" or "Privacy Question."
• Postal mail: Cottonworks LLC, Attn: Privacy, [LEGAL REVIEW: insert postal address].

We respond to all privacy-related inquiries same business day during US business hours, with substantive responses within 30 days (or as required by applicable law). If you're not satisfied with how we've handled a privacy concern, you may file a complaint with your local data-protection authority (in the EU/UK, your supervisory authority; in California, the California Privacy Protection Agency; in other US states, your state attorney general).