Privacy Policy
Effective 2026-05-28 · Last updated 2026-05-28
Overview
Field Punch is a field operations management platform for construction professionals, operated by Tupper LLC (“Field Punch,” “we,” “our,” or “us”). This Privacy Policy explains what personal information we collect, how we use it, with whom we share it, and the choices you have.
By creating an account or using the Service, you agree to this Privacy Policy. If you don’t agree, please don’t use Field Punch.
1. Information we collect
Account and profile information
When you create an account, we collect:
- Full name, email address, and password (stored as a bcrypt hash — we never see it)
- Mobile phone number — used for SMS notifications, one-time passcodes, and account recovery
- Job title or role within your organization
- Organization name, and the names, emails, and phone numbers of team members or subcontractors you invite
- Time zone preference
Project and operations data
The core data you create and manage inside Field Punch:
- Job records: project name, street address, type, status, and certificate-of-occupancy information
- Punch items: title, description, status, area, assignment history, and status-change log
- Photos and documents you upload as deficiency evidence or project records
- Comments, annotations, and notes attached to punch items or documents
- Contact records: name, company, title, phone numbers, email addresses, and notes
- Calendar events (inspections, deliveries, site visits) and their details
Usage and technical data
- IP address, browser type, and device information — used for fraud prevention, security monitoring, and to infer a default time zone
- Error reports and performance data collected by our monitoring service (Sentry). These are scrubbed of passwords and payment credentials before transmission
- Last sign-in timestamp — used to apply re-engagement logic to notification delivery
- Aggregate product analytics (e.g., feature usage counts) — never linked to individual identifiers outside of debugging sessions
SMS messaging data
When you or a team member provides a mobile phone number and consents to SMS notifications, we collect and process that number to deliver transactional text messages through Twilio (see Section 4 — Subprocessors). We do not share your phone number with any party for marketing purposes. Message and data rates from your carrier may apply. You can opt out at any time by replying STOP to any Field Punch text or by updating your notification preferences in the app. Reply HELP for assistance, or email us at tyler@tupper-llc.com.
Payment information
Credit card numbers and billing details are collected and stored exclusively by Stripe. We receive only non-sensitive metadata: the last four digits of your card, card brand, billing name, and subscription status. We never see or store your full card number, CVV, or bank account information.
Information from third parties
When you connect a Google Calendar account, we receive OAuth tokens, your Google account email, and a list of your calendars. We use this only to sync Field Punch events into your selected calendars. We do not read or store your existing calendar events.
2. How we use your information
We use the information we collect to:
- Provide and operate the Service — display jobs, punch items, photos, and contacts; send the SMS and email notifications you request; host your uploaded files
- Authenticate and secure your account — verify your identity at sign-in, send one-time passcodes, detect unauthorized access
- Process payments — bill your payment method for paid subscriptions via Stripe
- Communicate with you — respond to support requests, send security and service-related notices, and deliver billing receipts. We do not send promotional marketing email without your separate opt-in
- Improve the Service — diagnose bugs, analyze aggregate usage patterns, and make product decisions. We do not use your content to train AI models
- Comply with legal obligations — respond to lawful requests from courts or regulators, enforce our Terms, and prevent fraud or abuse
We do not sell your personal information to third parties. We do not use your data for behavioral advertising or share it with data brokers.
3. Legal bases for processing (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data under the following legal bases:
- Contract performance — processing required to deliver the Service you signed up for (account management, feature delivery, billing)
- Legitimate interests — fraud prevention, security monitoring, and product improvement, where these interests are not overridden by your privacy rights
- Legal obligation — compliance with applicable laws and response to valid legal process
- Consent — SMS notifications and any optional data processing you explicitly opt into (you can withdraw consent at any time)
4. Subprocessors and data sharing
We share personal information only with vendors who help us run the Service. Each subprocessor receives only the minimum data necessary for their function and is bound by data processing agreements:
- Vercel (US) — application hosting and edge network. Processes server requests and serves the web application.
- Supabase (US) — relational database, object storage for photos and documents, and authentication infrastructure.
- Twilio (US) — SMS delivery. Receives recipient phone numbers and message content for transactional text messages (assignment alerts, visit reminders, weekly summaries, OTP codes). Twilio’s use of this data is governed by Twilio’s Privacy Policy.
- Resend (US) — transactional email delivery. Receives recipient email addresses and email content for notifications, digests, and password resets.
- Sentry (US) — error and performance monitoring. Receives anonymized stack traces and request metadata; we configure Sentry to scrub credentials and PII from error payloads.
- Stripe (US) — payment processing. Receives billing details for paid subscriptions. We never transmit full card numbers to our servers.
- Google — calendar integration (optional, only when you connect a Google Calendar account). Receives OAuth tokens and calendar write access scoped to the calendars you select.
We may also share information: (a) with your consent; (b) to comply with a legal obligation or lawful court order; (c) to protect the rights, property, or safety of Field Punch, our users, or the public; or (d) in connection with a merger, acquisition, or sale of all or part of our business, in which case the acquirer will be bound by this policy or notified of the need to obtain fresh consent.
We do not sell your personal information to any third party.
5. SMS messaging terms
When you provide a mobile phone number and consent to SMS communications from Field Punch, you agree to receive text messages related to your account and projects. Message types include:
- Assignment notifications — new punch items assigned to you
- Rejection alerts — a PM has requested revisions on your submitted work
- Visit-day reminders — morning-of reminder when you have a scheduled site visit
- Weekly summaries — a Monday recap of your open items and pending reviews
- Account and security codes — one-time passcodes and password-reset links
Message frequency varies based on your activity and notification preferences. Msg & data rates may apply.
To opt out: Reply STOP to any Field Punch text message at any time, or turn off individual SMS channels in your Pro Portal settings. After you send STOP, you will receive one confirmation message and no further SMS messages from Field Punch unless you re-opt in.
For help: Reply HELP to any Field Punch text or email tyler@tupper-llc.com.
Consent to receive SMS messages is not a condition of using the Service. You can use Field Punch without consenting to SMS notifications.
6. Cookies and local storage
Field Punch uses a minimal set of cookies and local storage:
- Session cookie (strictly necessary) — issued by Supabase Auth to keep you signed in. This cookie is required for the Service to function; it cannot be disabled.
- Preferences (functional) — small values stored in your browser (e.g., your selected active organization) to preserve your settings between visits.
We do not use advertising cookies, cross-site tracking pixels, or any third-party analytics that follow you across the web. We do not use Google Analytics, Facebook Pixel, or similar tools.
7. Data retention
- Active accounts: We retain your content for as long as your account is active and in good standing.
- After deletion: When you delete your account, we retain a backup copy for up to 30 days to allow recovery in case of accidental deletion. After that window, personal data is permanently purged from our production systems.
- System and audit logs: Aggregate security logs, access logs, and anonymized error reports may be retained for up to 90 days for security and compliance purposes.
- Billing records: Transaction records required for tax, legal, or financial reporting may be retained for up to 7 years as required by applicable law.
- Backups: Encrypted database backups may persist for up to 30 days in disaster-recovery storage; they are purged on a rolling schedule.
8. Your privacy rights
Depending on where you live, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you
- Correction — ask us to correct inaccurate data (most data can be corrected directly in the app)
- Deletion — request that we delete your personal data, subject to our legal retention obligations
- Portability — request a machine-readable export of your data
- Objection / restriction — object to or ask us to restrict certain processing activities
- Withdraw consent — where processing is based on consent (e.g., SMS notifications), you can withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, email tyler@tupper-llc.com with the subject line “Privacy Request.” We will respond within 30 days. We may need to verify your identity before fulfilling a request.
9. California residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know — request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share it
- Right to Delete — request that we delete personal information we have collected from you, subject to exceptions
- Right to Correct — request that we correct inaccurate personal information
- Right to Opt Out of Sale or Sharing — we do not sell or share your personal information for cross-context behavioral advertising
- Right to Non-Discrimination — we will not discriminate against you for exercising any CCPA rights
- Right to Limit Use of Sensitive Personal Information — we do not use sensitive personal information for purposes other than providing the Service
To submit a CCPA request, email tyler@tupper-llc.com with the subject line “California Privacy Request.” We do not sell personal information to third parties and have not done so in the preceding 12 months.
10. Children's privacy
Field Punch is a business tool for construction professionals. We do not knowingly collect personal information from anyone under the age of 18. If you believe a minor has provided us with personal data, please contact us immediately at tyler@tupper-llc.com and we will take prompt action to delete it.
11. International data transfers
Field Punch is operated from the United States. Our servers, databases, and subprocessors are primarily located in the US. If you use the Service from outside the US — including from the European Economic Area, the United Kingdom, or Canada — your personal data will be transferred to and processed in the United States.
For EEA and UK users, we rely on standard contractual clauses (SCCs) and other appropriate safeguards to legitimize such transfers in accordance with GDPR and UK GDPR requirements.
12. Security
We protect your data with industry-standard measures, including:
- Row-level security (RLS) policies on every database table — no query can return data outside your authorized organization
- Encrypted connections (TLS 1.2+) between your browser, our servers, and all subprocessors
- Bcrypt password hashing — your password is never stored in plaintext and our team cannot read it
- Hashed, rotatable access tokens for passwordless Pro Portal links, with a 1-year expiry and instant rotation capability
- Strict access controls limiting production database access to a minimal set of authorized personnel
- Automated content-type validation on all uploaded files to prevent malicious file injection
No system is perfectly secure. If you discover a security vulnerability, please report it responsibly to tyler@tupper-llc.com. We will investigate and respond promptly.
13. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes to how we collect, use, or share personal information, we will notify you by email and by posting a notice inside the app at least 14 days before the changes take effect. The “Last updated” date at the top of this page reflects the most recent revision. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
14. Contact us
If you have questions, concerns, or requests related to this Privacy Policy, please contact us:
Tupper LLC d/b/a Field Punch
Email: tyler@tupper-llc.com
Website: fieldpunch.app
See also our Terms of Service.