Privacy Policy
Effective Date: May 27, 2026 · Last Updated: May 27, 2026
The privacy of your data — and it is your data, not ours — matters to us. This Privacy Policy explains how PCX Analytics LLC (“PCX Analytics,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information when you use our website (pcxa.app), our cloud-based analytics platform (“PCXa”), and any related services (collectively, the “Services”).
This policy applies to personal data we process as a data controller — meaning data we collect directly from you when you visit our website, create an account, or interact with us. For data our customers upload to PCXa (project schedules, budgets, workforce information, etc.), we act as a data processor on behalf of our customers, who are the data controllers. If your employer or a construction firm uploaded your information to PCXa, please contact that organization directly about their privacy practices.
1. What We Collect and Why
We collect only what we need to provide and improve our Services. Here is what we collect, organized by source.
From You
| Category | Examples | Why We Collect It |
|---|---|---|
| Account Information | Name, email address, company name, job title, password (hashed) | To create and manage your account |
| Billing Information | Payment method, billing address, transaction history | To process payments and issue invoices |
| Communications | Emails, support tickets, survey responses | To respond to your requests and improve our Services |
| Profile Information | Profile photo, time zone, notification preferences | To personalize your experience |
Automatically
| Category | Examples | Why We Collect It |
|---|---|---|
| Usage Data | Pages viewed, features used, click paths, search queries within PCXa | To understand how the Services are used and improve them |
| Device and Browser Data | IP address, browser type and version, operating system, device type | To ensure compatibility and troubleshoot issues |
| Log Data | Access times, error logs, referring URLs | To maintain security and diagnose problems |
| Cookies and Similar Technologies | Session cookies, analytics cookies | See Section 5 |
From Third Parties
| Source | What We Receive | Why |
|---|---|---|
| Identity providers (e.g., Microsoft Entra ID, Google Workspace) | Name, email, organization | Single sign-on authentication |
| Payment processors | Transaction confirmation, fraud signals | Payment verification |
| Public sources | Business contact information | Sales and marketing outreach |
2. Customer Project Data
PCXa is a cloud-based analytics platform. Our customers — typically businesses, project teams, and organizations across multiple industries — upload project and operational data to PCXa for analysis and reporting. This data may include: Project information: project names, addresses, schedules, milestones, status reports
Financial data: budgets, cost codes, change order amounts, pay application data
Workforce information: names, roles, and contact details of project personnel (project managers, superintendents, subcontractor contacts)
Field data: daily reports, inspection records, safety observations, RFIs, submittals
Documents: plans, specifications, photos, and other project files uploaded by users
Important distinctions:
We are the processor, not the controller, of this data. Our customers decide what project data to upload and are responsible for ensuring they have the right to share it with us. We process it only as instructed by the customer and as described in our Data Processing Addendum.
We do not sell project data.
We do not process Protected Health Information (PHI) by default. If you are a Covered Entity or Business Associate under HIPAA and wish to submit PHI to PCXa, you must first execute a separate Business Associate Agreement (“BAA”) with us and obtain our prior written approval to enable HIPAA-covered use. PHI submitted without an executed BAA is prohibited. To inquire about HIPAA-covered use, contact privacy@pcxa.app.
We do not use identifiable project data to train AI/ML models (consistent with Section 3.5 of our Data Processing Addendum) unless you provide explicit written consent. We may use aggregated and de-identified data to improve our analytics models (e.g., construction cost benchmarks). You can opt out of even this aggregated use — see Section 3.
Access is restricted. Only authorized users within the customer’s organization can access their project data. We access it only to provide the Services, troubleshoot issues, or respond to support requests.
3. How We Use Your Information
We use personal information for the following purposes:
| Purpose | Legal Basis (GDPR) | Details |
|---|---|---|
| Providing the Services | Contract performance | Operating PCXa, processing data, generating reports and dashboards |
| Account management | Contract performance | Creating accounts, authenticating users, managing subscriptions |
| Billing and payments | Contract performance | Invoicing, payment processing, tax compliance |
| Customer support | Legitimate interest | Responding to inquiries, troubleshooting, resolving issues |
| Service improvement | Legitimate interest | Analyzing usage patterns, fixing bugs, developing new features |
| Analytics model improvement | Legitimate interest | Using aggregated, de-identified data to improve construction analytics models and benchmarks |
| Security and fraud prevention | Legitimate interest / Legal obligation | Detecting unauthorized access, preventing abuse, maintaining platform integrity |
| Communications | Consent / Legitimate interest | Sending service updates, security alerts, and (with consent) marketing communications |
| Legal compliance | Legal obligation | Responding to legal process, meeting tax and regulatory obligations |
AI/ML model improvement: We may use aggregated and de-identified usage data and project metadata (stripped of all identifying information) to train and improve machine learning models used within PCXa — for example, to improve cost estimation accuracy or schedule risk predictions. De-identification is performed in accordance with applicable standards, including where relevant the CCPA’s three-part test for “deidentified” information (Cal. Civ. Code section 1798.140(m)) and GDPR Recital 26 standards for anonymous information. This data cannot be traced back to any individual, company, or project. If you prefer that your organization’s data not be included even in aggregated form, email privacy@pcxa.app and we will exclude it.
4. When We Share Your Information
We do not sell personal information. We share it only in these circumstances:
Service Providers (Subprocessors)
We use third-party service providers to help operate our Services. These providers process personal data only on our behalf and under our instructions. A current list of our subprocessors is available upon request by emailing privacy@pcxa.app and at pcxa.app/legal/subprocessors.
At Your Direction
We share information when you instruct us to — for example, when you integrate PCXa with a third-party service, export data, or grant access to a team member.
With Your Organization
If your account is provided by an organization (your employer or a customer of ours), that organization can access your account data and usage information. Their privacy policy governs how they use it.
Legal Requirements
We may disclose personal information if required by law, subpoena, or court order, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others. Where legally permitted, we will notify you before making such a disclosure.
Business Transfers
If PCX Analytics is acquired, merges, or sells substantially all of its assets, personal information may be transferred as part of that transaction. We will notify you via email or prominent notice on our website at least 30 days before your information becomes subject to a different privacy policy.
Aggregated and De-Identified Data
We may share aggregated, de-identified data that cannot reasonably be used to identify you — for example, industry benchmark reports on construction project metrics. This is not “personal information” under applicable privacy laws.
5. Cookies and Tracking
What We Use
| Type | Purpose | Duration |
|---|---|---|
| Strictly necessary cookies | Authentication, security, session management | Session or up to 1 year |
| Analytics cookies | Understanding how visitors use our website and Services | Up to 2 years |
| Preference cookies | Remembering your settings and choices | Up to 1 year |
What We Don’t Use
No third-party advertising cookies. We do not serve ads on PCXa or our website.
No cross-site tracking. We do not track your activity across other websites.
Your Choices
Browser settings: Most browsers let you block or delete cookies. This may affect functionality.
Do Not Track (DNT): We respect DNT signals where technically feasible.
Global Privacy Control (GPC): We honor GPC signals as a valid opt-out of sale/sharing under applicable state laws.
6. Data Security
We implement administrative, technical, and organizational measures appropriate to the nature and sensitivity of personal data processed, designed to protect against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data at rest and in transit, access controls based on the principle of least privilege, and hosting on infrastructure with industry-recognized security practices and standards. Our security practices are reviewed and updated periodically as our operations scale. Specific security measures are described in our Data Processing Addendum (Schedule 2).
No system is 100% secure. If we discover a security incident affecting your personal data, we will notify affected customers without undue delay and within the timeframes required by applicable law. Where EU or UK data protection laws apply, we will notify affected customers within 48 hours of becoming aware of the incident. We will notify applicable authorities as required by law. Further detail on our incident response obligations is in our Data Processing Addendum.
7. Data Retention
We retain personal information only as long as necessary for the purposes described in this policy.
| Data Type | Retention Period | Reason |
|---|---|---|
| Account information | Duration of your account + 30 days after deletion | Service provision; 30-day grace period for reactivation |
| Billing and transaction records | 7 years after transaction | Tax compliance (IRS), financial recordkeeping |
| Customer project data | Duration of subscription + 90 days following the close of the post-termination data extraction window under our Terms of Service | 90-day extraction period per our Terms of Service |
| Usage and analytics data | 2 years, then aggregated/de-identified | Service improvement |
| Support communications | 3 years after resolution | Quality assurance, dispute resolution |
| Server logs | 90 days | Security monitoring and troubleshooting |
| Marketing communications | Until you unsubscribe | Communications |
Extended retention requests: Some customers may need us to retain project data beyond the standard period for litigation holds, warranty claims, regulatory audits, or other legal obligations. We will accommodate reasonable retention requests under our Data Processing Addendum. Extended retention may be subject to additional fees.
After the applicable retention period, we delete or de-identify personal data from primary production systems. Backup copies in encrypted backup systems will be purged within 180 days following termination or expiration of the subscription, consistent with the deletion timelines in our Data Processing Addendum (Section 8.2(a)).
8. International Data Transfers
PCX Analytics is based in the United States. Personal data is stored and processed in the United States by default, using third-party hosting infrastructure (Render, Vercel, and Cloudflare).
EU/UK hosting: Customers who require data residency in the European Union may request EU hosting. Applicable additional fees, if any, are set forth in the applicable Order or Statement of Work.
Transfer mechanisms: When we transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we rely on:
Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision (EU) 2021/914), as detailed in our Data Processing Addendum (Schedule 3)
UK International Data Transfer Addendum issued by the UK Information Commissioner
Where applicable, other lawful transfer mechanisms under applicable data protection laws
9. Your Privacy Rights
Depending on where you are located, you may have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Correction | Request correction of inaccurate or incomplete data |
| Deletion | Request deletion of your personal data, subject to legal exceptions |
| Portability | Receive your data in a structured, machine-readable format |
| Restriction | Request that we limit processing of your data in certain circumstances |
| Objection | Object to processing based on legitimate interests |
| Withdraw consent | Where processing is based on consent, withdraw it at any time |
| Non-discrimination | Exercise your rights without receiving discriminatory treatment |
How to exercise your rights: Email privacy@pcxa.app with your request. We will respond within 45 days (or 30 days for GDPR requests). We may extend the response period by an additional 45 days (or 60 days for GDPR requests) where reasonably necessary given the complexity or number of requests, in which case we will notify you of the extension and the reasons within the initial response period. We will verify your identity before processing your request. Verification may require you to confirm information associated with your account (such as your registered email address or account credentials) or, for requests involving sensitive data, to provide additional identifying information. We will not use information submitted for verification for any purpose other than verifying your identity.
If your data was uploaded by a customer: If your personal data was uploaded to PCXa by one of our customers (for example, your employer’s construction firm), please direct your request to that organization first. They are the data controller and can instruct us to modify or delete your data. If you cannot reach them, contact us and we will assist where we can.
10. State-Specific Disclosures (US)
Texas (TDPSA)
The Texas Data Privacy and Security Act gives Texas residents specific rights regarding their personal data. If you are a Texas resident, you have the right to:
Confirm whether we are processing your personal data
Access your personal data
Correct inaccuracies
Delete your personal data
Obtain a portable copy of your data
Opt out of the processing of personal data for targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects
We do not sell personal data. We do not engage in targeted advertising. We do not profile consumers for decisions that produce legal or similarly significant effects.
To exercise your TDPSA rights, email privacy@pcxa.app. If we decline your request, you may appeal by emailing the same address with “TDPSA Appeal” in the subject line. If your appeal is denied, you may contact the Texas Attorney General at texasattorneygeneral.gov.
California (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) provides additional rights:
Right to know: What personal information we collect, use, disclose, and sell
Right to delete: Request deletion of your personal information
Right to correct: Request correction of inaccurate personal information
Right to opt out of sale/sharing: We do not sell or share personal information for cross-context behavioral advertising
Right to limit use of sensitive personal information: We do not use sensitive personal information for purposes beyond what is necessary to provide the Services
Right to non-discrimination: We will not discriminate against you for exercising your rights
Categories of personal information collected in the preceding 12 months: Identifiers (name, email, IP address); commercial information (transaction records, subscription details); internet or electronic network activity (usage data, log data); professional information (job title, company); geolocation data (IP-derived, approximate). See Section 1 for details.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
To exercise your rights, email privacy@pcxa.app. You may also designate an authorized agent to make a request on your behalf.
Other US States
We extend the core rights described above — access, correction, deletion, portability, and opt-out — to residents of all US states with comprehensive privacy laws, including Colorado, Connecticut, Virginia, Oregon, Montana, and others as enacted.
11. European Economic Area, United Kingdom, and Switzerland
Note: PCX Analytics does not currently market or offer its Services to individuals or organizations located in the EEA, UK, or Switzerland. The provisions below are included for completeness and will apply to the extent we process personal data of individuals in these regions.
If you are located in the EEA, UK, or Switzerland, the following additional information applies:
Data Controller: PCX Analytics LLC, 5900 Balcones Drive, Suite 100, Austin, TX 78731, USA. Email: privacy@pcxa.app.
Lawful Bases for Processing: We process personal data under the following legal bases:
Contract performance (Article 6(1)(b)): To provide and manage the Services you have subscribed to
Legitimate interests (Article 6(1)(f)): To improve our Services, ensure security, and communicate with you — balanced against your rights and freedoms
Legal obligation (Article 6(1)(c)): To comply with applicable laws and regulations
Consent (Article 6(1)(a)): For marketing communications and optional analytics; you may withdraw consent at any time
Data Protection Officer: Given our current size and processing activities, we have not appointed a DPO. Privacy inquiries should be directed to privacy@pcxa.app.
EEA/UK Representative: We have not yet designated an EEA or UK representative as required by GDPR Article 27 and the UK GDPR. We will appoint a representative prior to actively marketing or onboarding customers located in the EEA or UK, and will update this policy with representative contact details at that time.
Supervisory Authority: You have the right to lodge a complaint with your local data protection supervisory authority.
International Transfers: See Section 8.
12. Children’s Privacy
Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@pcxa.app.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (sent to the address associated with your account) or by posting a prominent notice on our website at least 30 days before the changes take effect.
We encourage you to review this policy periodically. The “Last Updated” date at the top indicates when this policy was most recently revised.
14. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
PCX Analytics LLC
Attn: Privacy
5900 Balcones Drive, Suite 100
Austin, TX 78731, USA
Email: privacy@pcxa.app
Structural patterns adapted from the GitHub Privacy Statement (CC0 — public domain) and Basecamp Privacy Policy (CC BY 4.0 — attribution: 37signals, LLC). Construction-industry content developed for PCX Analytics LLC. All content should be reviewed by qualified legal counsel before publication.