Privacy Policy

1. Introduction

Congusto Cleaning Services ("Company," "we," "us," or "our") operates the Congusto Connect platform, a computerized maintenance management system (CMMS) designed for commercial cleaning operations management. Congusto Connect is accessible as a web application and progressive web app (PWA).

This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your information when you use our platform and services. It applies to all users ofCongusto Connect, including Owners, Managers, Dispatchers, Subcontractors, and Clients.

By accessing or using Congusto Connect, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, you must discontinue use immediately.

2. Information We Collect

2.1 Personal Information You Provide

We collect information you provide directly, including:

• Account & Identity Data: Full name, email address, password (stored encrypted via bcrypt hashing), and assigned user role (Owner, Manager, Dispatcher, Subcontractor, or Client).
• Contact Information: Phone number, company name, billing address, and service address.
• Subcontractor Profile Data: Company name, specialties, service area, hourly rate, availability status, and professional notes.
• Client Profile Data: Company name, contact person(s), email(s), phone number(s), title(s), billing address, service address, net payment terms, and contract details.
• Work Order Data: Job descriptions, service types, locations, scheduling information, billing rates, estimated duration, priority levels, special instructions, and tags.
• Chat Messages & Communications: All messages sent through the in-app messaging system, including text content, @mentions, emoji reactions, and threaded replies.
• File Attachments & Documents: Photos (before/during/after job documentation, profile photos), invoices, certificates of insurance (COI), W-9 forms, subcontractor agreements, business licenses, and any other uploaded documents.

2.2 Location & GPS Data

When subcontractors use the check-in and check-out features for work orders, we collect GPS coordinates to verify service delivery at the designated job site. Location data is collected only during active check-in/check-out actions and only with your explicit consent.We do not track your location passively or in the background. Location data is stored as part of the work order record for service verification and operational purposes.

2.3 Photos & Visual Media

We collect photos and images you upload to the platform, including:

• Job Documentation Photos: Before, during, and after photos of work performed, uploaded as work order attachments.
• Profile Photos: Optional photos associated with user accounts.
• Compliance Documents: Scanned copies of insurance certificates, licenses, and agreements.

Photos may contain embedded metadata (EXIF data) including timestamp, camera information, and geolocation. We may use this metadata for service verification purposes.

2.4 Automatically Collected Information

When you use Congusto Connect, we automatically collect:

• Device Information: Browser type and version, operating system, device type (desktop, tablet, mobile), screen resolution, and device identifiers.
• Usage & Analytics Data: Pages visited, features used, click patterns, timestamps of access, session duration, and interaction patterns to help us improve the platform.
• Log & Technical Data: IP address, access times, referring URLs, HTTP status codes, and server request/response data.
• Crash Logs & Error Data: Application error reports, stack traces, and performance metrics when errors occur, to help us diagnose and fix technical issues.
• Network Information: Connection type (Wi-Fi, cellular), latency metrics, and bandwidth indicators to optimize the PWA experience.

2.5 Cookies & Local Storage

Congusto Connect uses the following browser storage technologies:

• Essential Session Cookies: Required for authentication, session management, and security. These cookies are necessary for the platform to function and cannot be disabled.
• CSRF Tokens: Cross-site request forgery protection tokens to secure form submissions.
• Local Storage: Used to persist user preferences such as theme (light/dark), language selection (English/Spanish), sidebar collapse state, and PWA install prompt dismissal.
• Service Worker Cache: Cached assets for offline functionality as part of our Progressive Web App implementation.

We do not use third-party advertising cookies, tracking pixels, or analytics cookies from external providers. All analytics data is processed internally and is not shared with advertising networks.

3. How We Use Your Information

We use the collected information for the following purposes:

• Service Delivery & Operations: To operate Congusto Connect, manage work orders, assign jobs, coordinate scheduling, facilitate communications between parties, and process billing.
• Account Management: To create, maintain, and manage your account; verify identity; process invitations; and authenticate access.
• Service Verification: To use check-in/check-out data and job photos to verify that cleaning services were delivered at the correct location and time.
• Compliance Tracking: To monitor subcontractor document compliance (insurance, licensing, agreements) and send expiration notifications.
• Communications: To send notifications about work order updates, schedule changes, compliance alerts, and system announcements.
• Analytics & Reporting: To generate operational performance reports, scheduling insights, revenue forecasts, and utilization metrics for authorized administrative users.
• Platform Improvement: To understand usage patterns, diagnose technical issues, and improve the platform's functionality and user experience.
• Audit & Record Keeping: To maintain activity logs, audit trails, and compliance records as required for business operations and legal obligations.
• Security: To detect, prevent, and address fraud, unauthorized access, and other security threats.
• Legal Compliance: To comply with applicable laws, regulations, subpoenas, and legal processes.

4. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties. We may share your information in the following limited circumstances:

4.1 Within the Platform

Work order details, contact information, scheduling data, and messages are shared between authorized users (Owners, Managers, Dispatchers, Subcontractors, and Clients) as necessary for service delivery. Role-based access controls (RBAC) limit data visibility based on each user's role and authorization level.

4.2 Third-Party Service Providers

We use the following categories of third-party services:

• Cloud Hosting & Infrastructure: Our platform is hosted on cloud infrastructure providers that maintain SOC 2 and ISO 27001 certifications.
• Cloud Storage (AWS S3): File attachments, photos, and documents are stored in Amazon Web Services (AWS) S3 with server-side encryption and access controls.
• Authentication Services: NextAuth.js handles secure authentication with encrypted session tokens.
• Email Notification Services: We use email delivery services to send system notifications, compliance alerts, and account communications.
• Database Services: PostgreSQL database with encrypted connections and data-at-rest encryption.

These providers access your data only as needed to perform their functions under contractual obligations that require them to protect your information.

4.3 Legal Requirements

We may disclose information if required by law, subpoena, court order, government regulation, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

4.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or part of our assets, your information may be transferred as part of the business transaction. We will notify you via email and/or prominent notice on our platform before your information is transferred and becomes subject to a different privacy policy.

5. Data Retention

We retain your information for as long as necessary to fulfill the purposes described in this policy. Specific retention periods are as follows:

When you request account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., financial records, audit trails, ongoing disputes).

6. Data Security

We implement industry-standard security measures to protect your information:

• Encryption in Transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS.
• Encryption at Rest: Passwords are hashed using bcrypt. Database connections are encrypted. Files in cloud storage use server-side encryption (AES-256).
• Access Controls: Role-based access control (RBAC) limits data access to authorized users based on their role. API endpoints enforce authentication and authorization checks.
• Audit Logging: All significant data changes, including work order modifications, user actions, and administrative operations, are recorded in immutable audit logs.
• Session Management: Sessions expire automatically after 24 hours. JWT tokens are used for secure, stateless authentication.
• Secure File Storage: Uploaded files are stored in AWS S3 with presigned URLs for temporary access, preventing unauthorized direct access.
• Input Validation: All user inputs are validated and sanitized to prevent injection attacks and cross-site scripting (XSS).

While we strive to protect your information using commercially reasonable measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security and are not responsible for unauthorized access resulting from circumstances beyond our reasonable control.

7. Your Privacy Rights

7.1 General Rights (All Users)

Regardless of your location, all users have the right to:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete information.
• Deletion: Request deletion of your account and personal data (subject to retention requirements).
• Data Portability: Receive your data in a structured, commonly used, machine-readable format.
• Opt-Out: Opt out of non-essential communications and notifications.
• Restrict Processing: Request that we limit processing of your data in certain circumstances.

To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days.

7.2 California Residents — CCPA/CPRA Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources from which it was collected, the business or commercial purpose for collection, and the categories of third parties with whom we share it.
• Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions (e.g., completing a transaction, legal obligations, security).
• Right to Correct: You have the right to request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. Therefore, there is no need to opt out of such activities.
• Right to Limit Use of Sensitive Personal Information: We only use sensitive personal information (such as precise geolocation) for the purposes disclosed in this policy, which are permissible under the CCPA/CPRA.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To submit a CCPA request, email [email protected] with the subject line "CCPA Request." We will verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf.

Categories of Personal Information Collected (Past 12 Months): Identifiers (name, email, phone), commercial information (work orders, billing), internet/network activity (usage data, logs), geolocation data (check-in GPS), professional/employment information (company, specialties), and visual/audio information (photos, attachments).

7.3 European Users — GDPR Rights

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following additional rights under the General Data Protection Regulation (GDPR):

• Right of Access (Art. 15): Obtain confirmation of whether we process your personal data and receive a copy.
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten") where processing is no longer necessary.
• Right to Restrict Processing (Art. 18): Request restriction of processing in certain circumstances.
• Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling.
• Right to Withdraw Consent (Art. 7): Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing prior to withdrawal.
• Right to Lodge a Complaint: Lodge a complaint with a supervisory authority in your member state.

Legal Basis for Processing (GDPR Art. 6):

• Contractual Necessity: Processing necessary for the performance of our service (work order management, scheduling, communications).
• Legitimate Interests: Platform improvement, security monitoring, fraud prevention, and analytics.
• Consent: Location data collection (check-in/check-out), optional photo uploads, and non-essential notifications.
• Legal Obligation: Retention of financial and audit records as required by applicable law.

International Data Transfers: Your data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection for cross-border data transfers.

8. Children's Privacy

Congusto Connect is a B2B platform intended for use by adults in professional business contexts. We do not knowingly collect personal information from individuals under the age of 18. If you believe we have inadvertently collected information from a minor, please contact us immediately at [email protected], and we will promptly delete such information.

9. Do Not Track Signals

Congusto Connect does not respond to "Do Not Track" (DNT) browser signals because we do not engage in cross-site tracking. We do not use third-party tracking cookies or advertising networks that would require DNT compliance.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

• Posting the updated policy on this page with a new "Last updated" date
• Sending an email notification for significant changes affecting your rights
• Displaying an in-app notification for 30 days following material changes

Your continued use of Congusto Connect after such changes constitutes acceptance of the updated policy. We encourage you to review this page periodically.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, your personal data, or wish to exercise any of your privacy rights, please contact us: