Key point: Punchitect does not store your project files. All floor plans, photos, and punch list data live exclusively in your Microsoft OneDrive, legacy SharePoint folder, or IT-approved SharePoint Enterprise workspace. We access your files only to provide the Service, using permissions you explicitly grant.
This Privacy Policy describes how Punchitect Labs LLC ("Punchitect," "we," "us," or "our"), a New York limited liability company, collects, uses, and protects information in connection with the Punchitect web application and related services (the "Service"). By using the Service, you agree to the practices described here.
This Policy applies to the firm administrator and all authorized users within a subscribing organization ("Firm"). References to "you" mean the individual user and, where context requires, the Firm on whose behalf you act.
When you sign in using your Microsoft account, we receive the following from Microsoft's identity platform via OAuth 2.0:
We do not receive or store your Microsoft account password. Authentication is handled entirely by Microsoft's identity platform. Punchitect offers two sign-in paths: Sign in with Microsoft for individual users, trials, Personal OneDrive, or legacy SharePoint folder-link storage; and Sign in with SharePoint Enterprise for organizations whose IT administrator has configured selected-site access to an approved SharePoint site or library.
We request only the Microsoft Graph scopes needed for the selected path: User.Read to identify you, Files.ReadWrite only for Personal OneDrive or legacy folder-link storage, and Sites.Selected for SharePoint Enterprise tenants that restrict Punchitect to an IT-approved SharePoint location.
When a Firm administrator registers your organization, we store the following in Cloudflare KV (a cloud key-value store hosted in the United States):
Payment processing is handled entirely by Stripe, Inc. We store only:
We do not store, transmit, or have access to your full credit card number, CVV, or bank account details. Those are collected and stored directly by Stripe under their PCI-DSS compliance program. See Stripe's Privacy Policy.
Punchitect is designed with a zero file-hosting architecture. Your project data — including floor plan images, photos, punch list items, room data, and reports — is stored exclusively in your organization's Microsoft OneDrive or SharePoint. We do not store copies of this data on our servers. We access your files only via the Microsoft Graph API, using the delegated permissions you grant, and only to provide the features of the Service.
In SharePoint Enterprise mode, project files are written only to the approved SharePoint site, library, or folder configured by your Firm Administrator or IT administrator. Personal OneDrive is not used for that mode unless your organization later changes its storage configuration.
Cloudflare Pages, which hosts and serves the Service, automatically collects basic request metadata as part of standard CDN and security operations. This includes:
We do not run third-party web analytics (e.g., Google Analytics). Infrastructure logs are retained by Cloudflare for up to 30 days in accordance with their standard log retention practices. We do not use these logs to identify individual users in normal operations; they are used only for debugging, security investigation, and abuse prevention.
The Punchitect web application uses your browser's localStorage to store an auto-saved draft of your current project session, your authentication profile (name, email, tenant ID — not your token), and user interface preferences. This data never leaves your device unless you explicitly save a project to your cloud storage. You can clear this data at any time by clearing your browser's site data for punchitect.com.
We use the information we collect solely to provide and improve the Service:
We do not sell, rent, or trade your personal data. We do not use your data for advertising, behavioral profiling, or any purpose other than providing the Service.
If you are located in the European Economic Area, United Kingdom, or Switzerland, we rely on the following legal bases under GDPR Article 6:
Firm registration and subscription data is stored in Cloudflare KV infrastructure, which is operated in the United States. Your project files remain in your Microsoft-managed OneDrive or SharePoint tenant; Microsoft's own data residency settings for your organization govern where those files are stored.
We implement the following security measures:
No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to following industry-standard practices.
Active accounts: We retain firm registration and billing records for as long as your account is active and for a minimum of 3 years after termination to satisfy tax and financial recordkeeping requirements.
Project data: We do not store your project files. Deletion of project data is entirely within your control via your Microsoft OneDrive or SharePoint.
Infrastructure logs: Retained by Cloudflare for up to 30 days.
Account deletion requests: If you wish to have your firm record and personal data deleted from our systems, contact us at [email protected]. We will fulfill verified deletion requests within 30 days, except where retention is required by law.
We rely on the following third-party subprocessors to deliver the Service. Each subprocessor is contractually required to protect personal data in accordance with applicable law.
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Microsoft Corporation (Privacy Statement) | Identity authentication (OAuth), cloud file storage (OneDrive/SharePoint), Microsoft Graph API | Name, email, tenant ID, access tokens, project files (in your own tenant) | United States (and your Microsoft tenant's configured region) |
| Stripe, Inc. (Privacy Policy) | Payment processing, subscription billing, customer portal | Email address, payment method data (collected directly by Stripe), billing history | United States |
| Cloudflare, Inc. (Privacy Policy) | Web hosting, CDN, serverless API execution (Pages Functions), key-value data storage (KV) | Firm registration data, subscription metadata, IP addresses, request logs | United States |
We will update this list and notify you of material changes to our subprocessor relationships.
Punchitect is operated from the United States. If you access the Service from the European Economic Area, United Kingdom, or other regions with data protection laws that may differ from US law, please be aware that your firm registration and billing data will be processed in the United States.
For EEA/UK users, we rely on Standard Contractual Clauses (SCCs) incorporated into our agreements with Cloudflare, Stripe, and Microsoft as the legal mechanism for international data transfers under GDPR Chapter V. If you require a Data Processing Agreement (DPA) for your organization's compliance requirements, contact us at [email protected].
Regardless of where you are located, you may contact us to:
You have the right to: data portability (receive your data in a structured, machine-readable format); object to processing based on legitimate interests; and lodge a complaint with your local supervisory authority (e.g., your national Data Protection Authority or the UK ICO).
California residents have the right to know what personal information we collect, the right to delete personal information, the right to correct inaccurate personal information, and the right to opt out of the sale or sharing of personal information. We do not sell or share your personal information with third parties for cross-context behavioral advertising. To exercise your rights, contact us at [email protected]. We will not discriminate against you for exercising your privacy rights.
Punchitect is a business-to-business service. The Firm administrator who registers your organization is responsible for managing user access, ensuring that only authorized personnel use the Service under your subscription, and maintaining the security of your Microsoft tenant and designated storage folder. Individual users' rights requests may be fulfilled through the Firm administrator.
If your organization requires a Data Processing Agreement (DPA) as a data controller, please contact us at [email protected]. We will provide a DPA upon request.
The Service is intended exclusively for professional use by individuals 18 years of age or older. We do not knowingly collect personal data from children under 13. If we become aware that we have inadvertently received data from a child under 13, we will delete it promptly.
We may update this Privacy Policy from time to time. We will update the "Last updated" date above. For material changes — such as new categories of data collection or new subprocessors — we will provide at least 30 days' advance notice by email to the registered Firm administrator. Continued use of the Service after the effective date of a change constitutes your acceptance of the updated policy.
Punchitect Labs LLC is the data controller for personal data processed in connection with the Service.
For privacy questions, data subject requests, or DPA inquiries, contact us at:
[email protected]