This Privacy Policy describes how Carbide Coding LLC ("Carbide Coding," "we," "us") collects, uses, and shares information when you use the PlotDock mobile and web applications (collectively, "PlotDock" or the "Service"). By using PlotDock you agree to the practices described here.
PlotDock is a site-survey documentation tool for fire alarm, access control, and CCTV professionals. The Service lets you organize survey projects, mark device placements on floor plans, capture site photos, and generate reports.
The data controller is:
When you create an account we collect your email address, display name, and a password (stored only as a salted hash; we never see your plaintext password). For Corporate-tier accounts we also collect your company name and role within that company.
PlotDock stores the content you create or upload, including: folder and project names, floor plan images and PDFs, device placements (X/Y coordinates and device type), site photos taken with your camera or imported from your device, scale calibration data, address text used for satellite-view lookups, and exported reports (PDF, CSV, BOM).
We automatically collect: IP address, device type and operating system version, app version, device language and time zone, and a session token used to enforce single-device login.
For mobile users with an active or trial subscription, PlotDock writes encrypted diagnostic logs to your device. Logs are encrypted with a per-user AES-256 key escrowed in our database; we use them only to debug issues you report. You may share a log file with our support team via the in-app "Share Logs" button. Mobile users in read-only or wiped subscription states, and all web users, get console-only logging that we never receive.
If you enable biometric unlock, the on-or-off preference is stored locally in your device's secure storage. We never receive your fingerprint, face, or any other biometric data — that data stays on your device and is processed by your device's operating system.
Your light/dark mode preference is stored locally on your device only.
For Corporate-tier accounts, we record an audit trail of significant actions taken within your company (user invitations, role changes, billing events, etc.). The audit log is visible to administrators of your company.
We do not store your credit card number. Payments are processed by Apple, Google Play, or Stripe depending on tier and platform; those providers handle your payment information under their own privacy policies.
Each time you accept our Terms of Service (when you create an account, when you re-subscribe after a data wipe, or when you accept a Corporate company invitation), we permanently record the date and time of acceptance, your IP address, the version of the Terms of Service you accepted, and the context of acceptance. See section 4 for the lifecycle context, and section 10 for the retention rules that apply to these records.
PlotDock subscriptions for Individual-tier users move through four phases. Your data retention varies by phase.
When you create an Individual account, you receive 30 days of full access at no charge. We record your trial start date. No payment information is collected yet. Cloud sync is enabled; your projects and photos sync between your devices.
If you subscribe via Apple App Store or Google Play before or during your trial expiration, you keep full access for as long as your subscription remains active. Cloud sync remains enabled.
If your trial expires without subscribing, or if a paid subscription lapses, your account enters read-only state. You can sign in and view your existing projects, folders, photos, device placements, and reports, but you cannot create new content, edit existing content, generate new reports, or export project archives. Cloud sync to new devices is disabled. We record the date you entered read-only state. You can subscribe at any time during this phase to restore full access.
If you remain in read-only state for six months without resubscribing, we automatically delete your project data — folders, projects, floor plans, device placements, photos, exported reports, and audit log entries. The wipe is performed by a scheduled cleanup process running daily. Your account itself remains. Your email, display name, hashed password, and all Terms of Service acceptance records are preserved indefinitely. You can sign back in and resubscribe at any time, but your prior project data is gone and cannot be recovered.
Corporate-tier accounts (Admin, User, Technician roles) are paid from day one via Stripe and do not have a trial or read-only phase. Project data is retained for the lifetime of the Corporate company account.
Every Terms of Service acceptance is recorded with the date and time, your IP address, the version of the Terms accepted, and the context of acceptance (sign-up, re-subscription after a wipe, Corporate company invitation acceptance, etc.). These records are retained indefinitely as a legal record of your acceptance, including after a data wipe, including after you re-subscribe, and including after a user-initiated account deletion request. They are not subject to deletion requests under GDPR Article 17 ("right to be forgotten") or the equivalent CCPA right. We retain these records under the legitimate-interests basis (GDPR Article 6(1)(f)) for legal-records preservation. A user who lapses and re-subscribes multiple times accumulates a Terms of Service acceptance record for each event.
If you re-subscribe after your project data has been wiped, you start with an empty account — no past projects are recovered. You re-accept the current Terms of Service (a new acceptance record is added to your account's Terms of Service history). Trial periods are not re-issued after a wipe; the 30-day trial is one-per-account by design. If you want a true fresh trial, you can sign up with a different email address.
We share data only with service providers we contract to operate the Service, and only the data they need to perform their function. We do not sell your personal information, and we do not share it for advertising or marketing purposes.
Regardless of where you live, you may:
To exercise any of these rights, email privacy@plotdock.app. We respond within 30 days.
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation:
Our legal bases for processing your data under GDPR are: (a) contract — to provide the Service you've signed up for; (b) consent — for push notifications and biometric unlock; (c) legitimate interests — for security, fraud prevention, product improvement, and indefinite retention of Terms of Service acceptance records for legal-records preservation; (d) legal obligation — to comply with applicable law.
To exercise these rights, email privacy@plotdock.app.
If you are a California resident, you have rights under the California Consumer Privacy Act and California Privacy Rights Act:
We do not sell or share personal information for advertising, marketing, or cross-context behavioral advertising purposes as those terms are defined under CCPA. PlotDock has no advertising and no analytics-for-marketing. The third-party service providers listed in section 5 receive only the data they need to operate the Service on our behalf.
Categories of personal information we have collected in the past twelve months: identifiers (email, IP address), commercial information (subscription tier, payment status), internet activity (app usage), geolocation (IP-derived approximate location, satellite-search address queries), professional information (company, role), and inferences drawn from the above.
PlotDock is not directed to children under 13 (or under 16 in the EEA, the United Kingdom, and Switzerland). We do not knowingly collect personal information from children.
If you are a parent or guardian and believe your child has provided personal information to PlotDock, contact us at privacy@plotdock.app and we will delete it.
We use industry-standard safeguards to protect your data:
No system is perfectly secure. If you become aware of a security issue with PlotDock, please report it to privacy@plotdock.app.
Your data is stored on infrastructure operated by Supabase, which has data centers in multiple regions. By default we use Supabase's US-region data centers. Data transferred from the EEA, the United Kingdom, or Switzerland to the United States relies on the EU-US Data Privacy Framework where applicable, or Standard Contractual Clauses approved by the European Commission. Our other service providers (Firebase, Stripe, Google Maps Platform) have their own data transfer safeguards documented in their respective privacy policies linked in section 5.
We may update this Privacy Policy to reflect changes in our practices, services, or applicable law. When we make material changes, we will update the "Last updated" date at the top of this page and notify users in-app or by email. Your continued use of PlotDock after changes take effect constitutes acceptance of the updated policy.
For privacy questions, data requests, or to exercise any of the rights described above:
For general support inquiries, please use the in-app "Share Logs" or "Contact Support" options where available, or email support@plotdock.app.