Last updated · 2026-05-20
Privacy Policy
This Privacy Policy explains how Capplan ("Capplan," "we," "us," or "our") collects, uses, shares, and protects information when you access or use our software-as-a-service platform for capital planning of commercial real estate assets (the "Service"). By using the Service, you agree to the practices described below.
1. Information we collect
Account information. Name, work email, employer, role, and any profile details you provide. We use your work email to authenticate you and route invitations and notifications.
Customer content. Work orders, asset registers, building data, financial inputs, comments, and other content you or your authorized users upload, sync from connected CMMS systems, or generate inside the Service.
Usage and device data. IP address, browser type, operating system, pages visited, timestamps, referring URLs, and similar telemetry collected through cookies and server logs to operate and secure the Service.
Communications. The content of messages you send us through email, support channels, or in-product feedback.
2. How we use information
- To provide, maintain, and improve the Service.
- To authenticate users, prevent abuse, and protect the security and integrity of the Service.
- To generate the analytic outputs the Service is designed to produce, including risk scores, scenario rankings, capital memos, and variance reports, on behalf of your organization.
- To communicate with you about your account, billing, product updates, and security advisories.
- To comply with legal obligations and enforce our agreements.
We do not sell your personal information or your customer content.
3. How we share information
We share information only with the following categories of recipients, and only as needed to operate the Service:
- Subprocessors who host infrastructure, deliver email, run AI inference, or provide observability. Our current subprocessors are:
  - Supabase — authentication, Postgres database, file storage, and serverless functions. Data hosted in the United States (AWS us-east-1).
  - Vercel — application hosting, edge runtime, and DNS for capplan.io. Data processed in Vercel's edge regions.
  - Resend — transactional email delivery (account confirmation, password reset, invitations, notifications). Mail is signed for our verified domain capplan.io.
  - OpenAI — large language model API used to draft capital memos and asset rationale text. Customer Data sent to OpenAI is not used to train OpenAI's models, per OpenAI's API terms.
- Authorized users within your organization, in accordance with the roles and permissions you configure.
- Professional advisors such as auditors, lawyers, and accountants under confidentiality obligations.
- Authorities when compelled by valid legal process or to protect rights, safety, or property.
- Successors in connection with a merger, acquisition, financing, or reorganization, subject to confidentiality protections.
4. Data retention
We retain customer content for as long as your account is active and as needed to provide the Service. After termination, customer content is retained for a limited grace period (by default 30 days) to allow export, and is then deleted from production systems. Backup copies may persist for an additional limited period until overwritten in the normal backup cycle.
5. Security
We implement administrative, technical, and physical safeguards designed to protect your information, including encryption in transit (TLS) and at rest, role-based access controls, audit logging, and least-privilege provisioning for personnel. No method of transmission or storage is perfectly secure; we cannot guarantee absolute security.
6. Your rights
Depending on where you are located, you may have rights to access, correct, delete, port, or restrict processing of your personal information. Most account holders can exercise these rights directly in the Service; for assistance, or for rights that cannot be exercised in-product, email legal@capplan.io. We will verify your identity and respond within the period required by applicable law.
7. International transfers
The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. Where required, we rely on appropriate transfer mechanisms such as Standard Contractual Clauses.
8. Cookies and similar technologies
We use cookies that are strictly necessary to authenticate users and operate the Service, and a limited set of analytics cookies to understand aggregate product usage. We do not use cookies for third-party advertising. You can control cookies through your browser settings, though disabling strictly necessary cookies will prevent the Service from functioning.
9. Children
The Service is intended for use by businesses and is not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have, contact us and we will delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or in-product notice before the changes take effect. The "Last updated" date above reflects the most recent revision.
11. Contact
For questions about this policy or our privacy practices:
- Email: legal@capplan.io
- Phone: (940) 977-5637