Privacy Policy | PumpDocket

This Privacy Policy describes how Steady Grove LLC ("Company," "we," "us," or "our"), operating as PumpDocket, collects, uses, discloses, and protects information when you use the PumpDocket platform, website, and related services (collectively, the "Service"). By accessing or using the Service, you agree to this Privacy Policy.

1. Who We Are

PumpDocket is a business operations platform for septic service companies, operated by Steady Grove LLC, a Minnesota limited liability company. For questions about this policy or your data, contact us at privacy@steadygrove.com.

2. Information We Collect

2.1 Account and Registration Data

When you create an account, we collect your name, email address, phone number, company name, and workspace identifier. If you add team members, we collect their names, email addresses, and assigned roles.

2.2 Operational Data You Provide

In the course of using the Service, you may enter:

Customer records (names, addresses, email addresses, phone numbers).
Service site details (addresses, septic tank specifications, site access notes).
Job records (service dates, descriptions, checklists, materials used, crew assignments).
Financial records (invoices, quotes, payments, recurring billing schedules).
Compliance and environmental records (disposal manifests, inspection reports, compliance documentation).
Communication logs (records of emails and SMS messages sent through the Service).
File imports (CSV uploads of customer or job data).

2.3 End-Customer Data

When you use PumpDocket to manage your customers, you may input personal information about your own customers ("End-Customer Data"). You are the data controller for End-Customer Data. We process it solely on your behalf to provide the Service, and we do not use End-Customer Data for our own marketing or advertising purposes.

2.4 Technical and Usage Data

We automatically collect:

Server request logs (IP address, browser type, referring URL, pages visited, timestamps).
Error and performance diagnostics.
Security telemetry (login attempts, rate-limit events, access anomalies).

2.5 Cookies and Tracking

We use the following categories of cookies and tracking technologies:

Strictly necessary cookies. Session management and authentication cookies that enable core platform functionality. These cannot be disabled.
Analytics cookies. We use Plausible Analytics (privacy-focused, no personal data collected) and Google Analytics 4 (GA4) to understand how visitors use our marketing pages. GA4 sets cookies including _ga and _ga_* with a duration of up to 2 years.
Advertising measurement cookies. When you arrive at our site from a Google Ads advertisement, Google's conversion tracking may set a _gcl_aw cookie (up to 90 days) to measure whether the ad led to a signup or other action. We also store a first-party attribution identifier in your session to measure ad effectiveness.

When you sign up for a trial after clicking an ad, we share a hashed (pseudonymized) version of your email address with Google for conversion measurement. This allows Google to confirm that an ad click led to a signup without transmitting your actual email. No plaintext email addresses are shared with Google.

We do not sell your personal information to advertisers or any other third parties.

How to opt out: You can block analytics and advertising cookies through your browser settings. You can also opt out of Google Analytics using the GA4 opt-out browser add-on or manage your Google ad preferences at Google Ad Settings. Blocking these cookies does not affect your ability to use the PumpDocket platform.

3. How We Use Your Information

Service delivery. Operate, maintain, and improve the PumpDocket platform, including dispatch, scheduling, invoicing, compliance tracking, and reporting features.
Communications. Send transactional emails and SMS messages you initiate (appointment reminders, invoices, quotes, on-my-way notifications, due notices) to your customers on your behalf.
Account administration. Manage your subscription, process payments, and provide customer support.
Security. Protect against unauthorized access, fraud, and abuse; investigate and respond to security incidents.
Legal compliance. Comply with applicable laws, regulations, and legal processes.
Product improvement. Analyze aggregate, de-identified usage patterns to improve reliability and develop new features.

4. How We Share Your Information

We do not sell your personal information. We share data only in the following circumstances:

Service providers. We use third-party processors to help deliver the Service, including:
- Stripe — payment processing. Stripe receives payment card details directly; we never store raw card numbers. Stripe's privacy policy governs their handling of payment data.
- Twilio — SMS delivery. Twilio receives phone numbers and message content only for messages you initiate through the Service.
- QuickBooks (Intuit) — accounting integration. When you enable this integration, selected financial data syncs with your QuickBooks account under your control.
- Google — analytics and advertising measurement. Google receives pseudonymized usage data (page views, conversion events) and hashed email addresses for ad conversion measurement. Google's privacy policy governs their handling of this data.
- Hosting and infrastructure providers — for application hosting, database management, and email delivery.
SMS opt-in records. We do not sell or share text messaging originator opt-in data or consent records with third parties for their own marketing purposes. Mobile numbers and message content are shared only with providers needed to deliver the message you request, such as Twilio.
Legal requirements. We may disclose information if required by law, subpoena, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
Business transfers. In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.

5. Data Retention

Active accounts. We retain your data for as long as your account remains active and as needed to provide the Service.
Canceled accounts. After cancellation, we retain account data for up to 90 days to allow for reactivation and to comply with legal obligations. After 90 days, data is queued for permanent deletion unless a longer retention period is required by law.
Compliance records. Disposal manifests, inspection records, and other environmental compliance data may be retained for longer periods as required by applicable federal, state, or local regulations.
Backups. Encrypted backups may retain data for up to 30 days after deletion from the production system.

6. Data Security

We implement industry-standard security measures, including:

Encryption in transit (HTTPS/TLS) for all communications.
Encryption at rest for sensitive data, including integration credentials and authentication tokens.
Role-based access controls for team member permissions.
Rate limiting and brute-force protection on authentication endpoints.
Regular security monitoring and incident response procedures.

No method of electronic storage or transmission is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

7. Your Rights and Choices

Depending on your jurisdiction, you may have the right to:

Access the personal information we hold about you.
Correct inaccurate or incomplete information.
Delete your personal information, subject to legal retention requirements.
Export your data in a portable format.
Opt out of non-essential communications.

To exercise any of these rights, contact privacy@steadygrove.com. We will respond within 30 days.

7.1 California Residents

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete, and the right to opt out of the sale of personal information. We do not sell personal information. To submit a request, contact privacy@steadygrove.com.

8. Children's Privacy

PumpDocket is a business-to-business service and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will delete it promptly.

9. Third-Party Links

The Service may contain links to third-party websites or services. This Privacy Policy does not apply to those external sites. We encourage you to review the privacy policies of any third-party services you interact with.

10. International Data

PumpDocket is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice within the Service prior to the change becoming effective. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us:

Email: privacy@steadygrove.com
Entity: Steady Grove LLC