Privacy Policy

This Privacy Policy describes how Field.is LLC (“Field,” “we,” “us”) collects, uses, and protects information when you use our practice management platform.

1. Who This Policy Applies To

This policy applies to three categories of people:

Operators: Professionals who subscribe to Field to manage their practice. You have a direct account and contractual relationship with us.
Operator Clients: End users of an Operator's services who access the Field portal or whose data is processed through Field. You may not have a direct relationship with Field — your relationship is with your Operator.
Visitors: People who visit field.is or run a scan without creating an account.

If you are an Operator's client: Your Operator is the data controller for your information. Field processes your data on your Operator's behalf as a data processor. Questions about how your data is used should be directed to your Operator first.

2. What We Collect

From Operators:

• Account information — name, email, password, practice name
• Billing information — processed by Stripe, not stored by Field
• Integration credentials — API keys for Harvest, Gmail, Stripe, AI providers (stored encrypted)
• Practice configuration — pricing, labels, template settings
• Usage data — interaction patterns (topic and category, not content)

From Operator activity (on behalf of Operators):

• Email content — inbound emails triaged through the Gmail integration, stored as source_body
• AI assessments — structured extractions from email content, stored as assessment_json
• Client and project data — including, where applicable, scan results, findings, uptime checks, and health scores
• Work records — time entries, proposals, budget consumption, expenses
• Client communications — updates, reports, and notices sent through Field
• Invoices and billing records

From Operator Clients (via the portal):

• Authentication data — email address, magic link tokens, access codes
• Service requests — content submitted through the portal
• Display preferences — depth setting

From Visitors:

• Scan submissions — site URL and results
• Referral attribution — which Operator referred the scan (?ref= parameter)

3. How We Use Your Information

All data is used exclusively to provide the Field platform services. Specifically:

• To operate the practice management pipeline (inbound, triage, work, settlement)
• To generate reports, assessments, and stewardship records
• To process email triage and provide Signal assessments
• To calculate budgets, billing, and invoicing
• To send transactional emails (reports, notifications, invoices)
• To provide monitoring and alerting services where applicable

We do not sell data. We do not use Operator or Client data for advertising, profiling, or any purpose outside of providing the service.

4. AI Processing

Field uses two layers of AI processing:

Platform AI (Field's key): Site scanning, request parsing, and report draft generation use Field's own AI provider credentials. This processing is part of the core service and does not require Operator configuration.

Operator AI (BYOK or Field-managed): Email triage, inline assessment, and command bar features use the Operator's configured AI provider credentials. When using BYOK (Bring Your Own Key), the data relationship for these features is between the Operator and their AI provider. When using Field-managed AI (Studio plan or AI add-on), Field's credentials are used but the data processor relationship remains the same.

In both cases, data transmitted for AI processing passes through Field's servers. Raw email content (source_body) and AI-generated assessments (assessment_json) are stored in Field's database as described in Section 6.

5. Third-Party Processors

Field shares data with the following third-party services as necessary to provide the platform:

• Anthropic — AI processing (scanning, reports, email triage)
• Stripe — Payment processing and subscription billing
• Resend — Transactional email delivery
• Supabase — Database hosting and authentication (US East)
• Vercel — Application hosting and edge functions
• Pushover — Operator push notifications

Each processor is governed by its own privacy policy and data processing terms. We select processors that maintain appropriate security standards.

6. Data Retention

We retain data according to the following schedule:

• Active Operator data: Retained while the account is active
• Email content (source_body): Retained for 12 months after account cancellation, then permanently deleted
• AI assessments (assessment_json): Same retention as email content (12 months)
• Scan findings and site data: Retained for 12 months after account cancellation
• Billing and invoice records: Retained for 7 years per tax requirements
• Authentication logs: Retained for 90 days
• Passive monitoring data (offboarded clients): Retained for 12 months, then auto-decommissioned

Operators may request immediate deletion of their data at any time (see Section 7). Billing records subject to tax retention requirements cannot be deleted early.

7. Operator Rights

Operators have the right to:

• Access — request a copy of all data Field holds about you and your clients
• Correction — update or correct inaccurate information
• Deletion — request permanent deletion of your account and associated data, subject to the retention schedule above
• Export — receive your data in a portable format
• Restriction — request that Field stop processing specific data while a dispute is resolved

To exercise any of these rights, contact privacy@field.is. We will respond within 30 days.

8. End-Client Data

Field holds data about Operator Clients — people who may not have a direct relationship with Field. This data is processed on behalf of the Operator under the data processor relationship described in our Terms of Service. Operator Clients who wish to exercise privacy rights regarding their data should contact their Operator directly. Operators are responsible for responding to their clients' data requests and may use Field's export and deletion tools to fulfill them.

If an Operator Client believes their data is being processed improperly, they may contact Field directly at privacy@field.is and we will work with the relevant Operator to address the concern.

9. Security

Field implements industry-standard security measures including:

• Encryption in transit (HTTPS/TLS on all connections)
• Encryption at rest (Supabase managed encryption)
• Row-level security on all database tables
• Operator MFA support (TOTP)
• Scoped API key authentication for integrations
• No plaintext credential storage

No system is perfectly secure. If we discover a data breach that affects your information, we will notify affected parties in accordance with applicable law.

10. Cookies and Tracking

Field uses essential cookies for authentication and session management. We do not use tracking cookies, analytics pixels, or third-party advertising trackers. We do not sell or share browsing data with third parties.

11. Children's Privacy

Field is not directed at children under 13. We do not knowingly collect information from children. If you believe a child has provided information to us, contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to Operators at least 14 days before taking effect. The “Last updated” date at the top reflects the most recent revision.

13. Contact

For privacy questions or to exercise your data rights:
privacy@field.is
Field.is LLC
[DECISION NEEDED: mailing address]