Privacy Policy

Last Updated: April 2, 2026

1. Introduction

ApexTrust (“Company,” “we,” “us,” or “our”) operates the Drawdown Tracker application (“Service”). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use the Service.

2. Information We Collect

Information You Provide

  • Account information: Name, email address, password (hashed), role (rep, manager, or process owner), and team affiliation.
  • Drawdown data: Client/painter names, job names, job addresses, general contractor names, products/colors, quantities, PO numbers, and notes.
  • Job outcomes: Whether jobs were approved or denied.
  • Voice and text input: Voice recordings are processed in your browser via Web Speech API. The resulting text transcription is sent to our AI service for structuring. We do not store raw audio recordings.
  • Uploaded images: Screenshots uploaded for AI-powered drawdown extraction are processed and not retained after extraction is complete.

Information Collected Automatically

  • Usage data: Pages visited, features used, timestamps of actions.
  • Device and browser information: Browser type, operating system, and screen resolution.
  • Log data: IP addresses, access times, and referring URLs for security and troubleshooting.

3. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service.
  • Process and track drawdown requests through their lifecycle.
  • Send email notifications about drawdown status changes, overdue alerts, and account activity.
  • Authenticate users and maintain account security (including login attempt tracking and account lockout).
  • Generate AI-powered data extraction from voice, text, and image inputs.
  • Detect and prevent fraud, abuse, and security incidents.
  • Comply with legal obligations.

4. AI Data Processing

  • We use Anthropic's Claude API to structure voice transcriptions, parse email text, and extract data from screenshots.
  • Data sent to the AI service is used solely to provide the Service functionality and is processed according to Anthropic's API data usage policies.
  • AI-processed data is not used to train AI models.
  • We do not send your password, authentication tokens, or financial information to AI services.

5. Information Sharing

We do not sell your personal information. We may share information in the following circumstances:

  • Within your team: Managers and process owners can view drawdown data for all team members. Reps can only view their own data.
  • Service providers: We use third-party services to operate the Service.
  • Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

6. Data Retention

  • Account data is retained for as long as your account is active or as needed to provide the Service.
  • Drawdown data is retained for the duration of your team's use of the Service. When a user account is deleted, their drawdowns may be reassigned to another team member; historical event data is preserved.
  • Log data is retained for up to 90 days for security and troubleshooting purposes.
  • You may request deletion of your account by contacting your team manager or us directly.

7. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

  • Password hashing (bcrypt).
  • HTTPS encryption in transit.
  • HTTP security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options).
  • JWT-based session management with 7-day expiry.
  • CSRF protection via origin header validation.
  • Account lockout after repeated failed login attempts.
  • Input validation and HTML sanitization on all form submissions.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate or incomplete information.
  • Delete your account and associated personal data.
  • Object to or restrict certain processing of your information.
  • Data portability — receive your data in a structured, machine-readable format.
  • Withdraw consent where processing is based on consent.

To exercise any of these rights, please contact your manager, who will raise your request with ApexTrust.

9. Cookies and Local Storage

The Service uses:

  • Session cookies for authentication (httpOnly, sameSite=lax, secure in production).
  • Local storage for temporary UI state (e.g., draft drawdown data during creation).

We do not use third-party tracking cookies or advertising cookies.

10. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will take steps to delete it.

11. International Data Transfers

The Service is hosted in the United States. If you access the Service from outside the United States, your information may be transferred to and processed in the United States. By using the Service, you consent to this transfer.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes by updating the “Last Updated” date at the top of this page. Continued use of the Service after changes constitutes acceptance.

© 2026 ApexTrust. All rights reserved.