This Privacy Policy explains how SiteSync collects, uses, discloses, and otherwise processes personal data in connection with its websites, application, APIs, support, account management, integrations, and AI-enabled services.

FreedomSeeker OÜ (doing business as "SiteSync," "we," "us," or "our") is an Estonian private limited company with its registered office at Kotkapoja tn 2a-10, 10615 Tallinn, Estonia. We provide SiteSync, a multi-tenant software platform for construction, demolition, and related operational teams.

• This Privacy Policy applies to personal data processed through: our public-facing websites, including sitesync.ai and www.sitesync.ai; our authenticated application at app.sitesync.ai; our APIs and related services, including api.sitesync.ai; our sales, support, onboarding, security, and account-management activities; and our AI features and related functionality made available as part of the services.
• Capitalized terms used but not defined in this Privacy Policy have the meanings given in the Terms of Service, where applicable.
• This Privacy Policy does not apply to: personal data that customers process outside SiteSync or through third-party services not controlled by us; customer-controlled uses of personal data within customer workspaces, except as described below when we process such data on a customer's behalf; or personal data collected for SiteSync's own recruiting or employment purposes, which may be governed by separate notices.

• Depending on the context, SiteSync may act either as a controller or as a processor/service provider.
• When we act as a controller. We act as controller for personal data we use for our own business purposes, such as website administration, account creation, account security, fraud prevention, customer support, service communications, billing and subscription management, legal compliance, analytics for our own services, and direct business-to-business marketing where permitted by law.
• When we act as a processor or service provider. When a customer organization or its authorized users upload, store, submit, or otherwise make available personal data in SiteSync workspaces, projects, documents, chats, workflows, integrations, or similar customer environments, we generally process that data on the customer's behalf. In those cases, the customer organization is typically responsible for the lawfulness of the data, applicable notices, permissions, and instructions relating to that data.
• If your personal data is included in a customer's SiteSync workspace or other customer content, you should generally direct your request to the relevant customer organization first. We will assist our customers where required under applicable law or our contractual commitments.

The personal data we collect depends on how you interact with SiteSync, your role, the services and features you use, and the choices made by you or your organization.

We collect personal data from several sources, including:

• directly from you;
• from your organization or administrators who create, invite, or manage your account;
• from customer content and data uploaded into SiteSync;
• from integrated third-party services connected by you or your organization;
• from our payment, infrastructure, analytics, security, and support providers; and
• automatically from your browser, device, or use of our websites and services.

We use personal data for the following purposes, as applicable:

• to provide, operate, maintain, secure, and improve SiteSync;
• to create and manage accounts, organizations, roles, permissions, and access controls;
• to authenticate users and administer security features such as multi-factor authentication, session controls, and abuse prevention;
• to host, store, organize, search, process, and display customer content in accordance with customer instructions and service functionality;
• to provide AI features requested by customers and users, including retrieval, summarization, chat, workflow assistance, and related functionality;
• to communicate with you about the services, transactions, updates, support matters, and administrative notices;
• to analyze usage, debug errors, monitor reliability, and protect the integrity of our services;
• to manage subscriptions, billing, invoicing, and related financial operations;
• to comply with applicable laws, enforce our terms, protect our rights, and respond to lawful requests; and
• to send business-related marketing or product information where permitted by law and subject to your choices.

• If you are in the European Economic Area or the United Kingdom, we rely on one or more of the following lawful bases depending on the context and the relevant processing activity:
• performance of a contract, including to create and administer accounts, provide the services and requested features, process transactions, provide support, and respond to requests made in connection with the services;
• legitimate interests, including to secure the services, prevent fraud and abuse, debug and improve reliability and performance, provide customer support, manage our business operations, maintain appropriate records, and communicate with business users about service-related updates and relevant business-to-business product information where permitted by law;
• consent, where required by law, including for non-essential cookies and similar technologies and for certain marketing or communications activities;
• compliance with legal obligations, including where we must retain records, respond to lawful requests, or comply with tax, accounting, sanctions, or other legal requirements; and
• establishment, exercise, or defense of legal claims, where applicable.
• Where we rely on legitimate interests, we assess those interests against the rights and freedoms of affected individuals. Where consent is required, you may withdraw it at any time, although withdrawal does not affect processing carried out before withdrawal.

We may disclose personal data to the following categories of recipients, depending on the context:

• service providers and subprocessors that help us operate the services, such as hosting, infrastructure, security, observability, communications, payment, and productivity providers;
• AI service providers that process AI inputs and related data solely to provide the requested AI functionality;
• integration partners and connected third-party systems, when enabled by a customer or user;
• your organization and its administrators, where relevant to account administration, workspace governance, permissions, support, compliance, or security;
• professional advisers, auditors, insurers, and corporate transaction counterparties;
• competent authorities, regulators, courts, or other third parties where required by law or necessary to protect rights, safety, or the services; and
• other parties in connection with a merger, financing, acquisition, restructuring, or sale of all or part of our business.
• We do not share personal data for cross-context behavioral advertising.

• Depending on the services and features used, SiteSync may use service providers and infrastructure providers such as OpenAI, Anthropic, Stripe, Resend, Datadog, Vercel, Render, Cloudflare, Google Workspace, LangSmith, and similar providers that support the delivery, security, observability, communications, and payment functions of our services.
• We may also support customer-enabled integrations with third-party systems such as HoorayHR and Centix.
• Information about our privacy and security program, including certain vendor, subprocessor, transfer, and trust materials, may be made available through our Trust Center at https://trust.sitesync.ai.
• Third-party services, integrations, and websites operate under their own terms and privacy notices. We are not responsible for the privacy practices of third parties except to the extent we engage them to process personal data on our behalf.

• SiteSync includes AI features that may use third-party AI providers, including OpenAI and Anthropic, to generate outputs, answer questions, summarize information, reason over customer data, and support workflow-related assistance.
• When you use AI features, we may send AI inputs and related context to our AI providers and supporting infrastructure in order to provide the requested functionality.
• As described in our AI Product Terms, SiteSync does not use customer data, AI inputs, or AI outputs to train shared or generalized artificial intelligence or machine-learning models. SiteSync also configures and contracts with the third-party AI providers it uses for SiteSync AI features so that customer data, AI inputs, and AI outputs submitted through those features are not used to train shared or generalized models for those providers.
• Certain AI features may return or prepare proposed actions for execution within the Services. Where SiteSync makes such features available, the proposed action is presented for review and approval by an authorized user before execution.
• SiteSync does not use AI Features to make solely automated decisions that produce legal effects concerning an individual or similarly significantly affect an individual without meaningful human review and involvement.
• AI outputs may be inaccurate, incomplete, or unsuitable for a particular purpose. AI outputs should be reviewed by appropriately qualified humans before they are relied upon, especially for operational, legal, employment, compliance, financial, safety, or similarly significant matters.
• For more information about AI-specific terms, usage conditions, and responsibilities, please review our AI Product Terms.

• We use cookies, local storage, and similar technologies to operate and secure our websites and services, remember settings, analyze performance and usage, and support limited communications and product analytics activities.
• Please review our Cookie Policy for more detailed information about the cookies and similar technologies we use, the categories in which they fall, and how you can manage your preferences.
• Where required by law, we ask for consent before placing or activating non-essential cookies and similar technologies.

• SiteSync is not designed to be a primary system of record for highly sensitive personal data.
• Customers and users should not upload sensitive personal data to SiteSync unless such upload is strictly necessary, lawful, and appropriate for the intended use of the Services.
• This includes, by way of example, detailed health records, full payment card numbers, full bank account credentials, biometric templates, criminal-record datasets, government identification datasets, and special-category or similarly sensitive personal data, except where strictly necessary and lawfully processed.
• Because some free-text fields, documents, attachments, and AI inputs may technically allow users to submit a wide range of content, customers remain responsible for controlling what data they upload and for limiting uploads of sensitive personal data except where necessary and lawful.

We retain personal data for as long as necessary for the purposes described in this Privacy Policy, including to provide the services, comply with legal obligations, resolve disputes, enforce agreements, and protect the integrity and security of SiteSync. Retention periods vary depending on the nature of the data, the relevant service, customer instructions, legal requirements, and operational needs.

• In general: account, organization, and customer workspace data are retained for the life of the relevant account or contractual relationship and for a reasonable period thereafter as needed for backup, legal, security, and dispute-resolution purposes;
• customer documents, uploads, and other customer content are generally retained until deleted by the customer or until the relevant account or organization is deleted, subject to backup cycles and legal retention requirements;
• temporary import or processing artifacts may be deleted sooner once ingestion or processing is complete;
• audit and compliance logs may be retained for up to 12 months;
• certain observability and security logs, including Datadog logs, may be retained for up to 3 months;
• backups may be retained for up to 6 months;
• certain AI workflow-state data, including LangGraph checkpoints, may be retained for up to 1 week;
• billing and transaction-related records may be retained for longer where required by tax, accounting, anti-fraud, or other legal obligations;
• data deleted by users is retained for up to 30 days in a recoverable state, after which it is permanently and irreversibly deleted with no further retention by SiteSync;
• cookie-consent records and related preference data are retained for the period needed to honor and demonstrate the relevant choice, subject to technical and legal requirements.
• We may also retain de-identified or aggregated information that no longer reasonably identifies an individual.

• SiteSync operates internationally and may process personal data in the European Union, the United Kingdom, the United States, and other jurisdictions where our service providers or infrastructure are located.
• Where personal data is transferred to a country that does not benefit from an adequacy decision or equivalent recognition under applicable data protection law, SiteSync relies on an appropriate lawful transfer mechanism, which may include standard contractual clauses, the UK International Data Transfer Addendum, or another valid transfer mechanism recognized under applicable law, together with supplementary measures where appropriate.
• Additional information about SiteSync's transfer practices and certain related trust materials may be made available through SiteSync's Trust Center.

• We use technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, and destruction. Depending on the context, these measures may include access controls, encryption in transit, one-way hashing of passwords, appropriate secure storage and protection methods for other credentials, session protections, multi-factor authentication, logging, rate limiting, infrastructure monitoring, and other security practices.
• However, no security measure is perfect, and we cannot guarantee absolute security.

• Depending on your location and the context in which we process your personal data, you may have rights to request access to, correction of, deletion of, restriction of, portability of, or objection to certain processing of your personal data. You may also have the right to withdraw consent where processing is based on consent.
• If we process your personal data on behalf of a customer organization, you should generally submit your request to that organization first. We will support our customers in responding to applicable requests where required.
• To exercise rights that apply to data for which we act as controller, please contact us using the details in the Contact Us section below. We may need to verify your identity before fulfilling a request.
• If you are located in the EEA or the United Kingdom, you may also have the right to lodge a complaint with your local supervisory authority or data protection regulator.

• This section applies where U.S. state privacy laws give individuals specific rights regarding personal information processed by businesses acting as controllers or businesses.
• Subject to applicable law and any available exemptions, eligible individuals may have rights to know, access, correct, delete, or obtain a portable copy of certain personal information, and to appeal a denied request where required by law.
• We do not sell personal data. We also do not share personal data for cross-context behavioral advertising.
• Where we process personal data on behalf of our business customers, we do so as a service provider or processor and handle that data under our customers' instructions.
• Authorized agents may make requests on behalf of individuals where permitted by law, subject to verification and any documentation reasonably required.

• SiteSync is not directed to children. You must be at least 18 years old to create an account directly. Individuals who are at least 16 years old may use SiteSync only as authorized users acting under the supervision and authority of an organization that has authorized their use.
• If you believe a child has provided personal data to us in violation of this section, please contact us.

We may update this Privacy Policy from time to time to reflect changes in our services, legal obligations, operational practices, or privacy and security program. When we do, we will post the updated version here and update the effective date above. Where required by law, we will provide additional notice or obtain consent.

Якщо у вас є питання щодо цієї Політики конфіденційності або наших практик конфіденційності, зв'яжіться з нами за адресою: