Privacy Policy

Last Updated: June 5, 2026

This Privacy Policy explains how Gatsy ("we," "us," or "our") collects, uses, shares, and protects your information when you use the Gatsy services described below (the "Service").

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with it, please do not use the Service.

If you have questions about this Privacy Policy or our data practices, email info@gatsy.ai.

Scope of This Policy

This Privacy Policy applies to the Gatsy Service, including:

  • Our website at gatsy.ai
  • Our software platform at gatsy.net
  • Our mobile applications on iOS and Android
  • Communications we send to you (email, in-product notifications, SMS messages — see "SMS Messaging" below)
  • Integrations we operate (such as lead-generation forms on advertising platforms)

This Privacy Policy does not apply to third-party services you choose to connect to your Gatsy account through your own credentials (such as your own QuickBooks, Microsoft 365, or Google Workspace tenant). Those services have their own privacy policies, and the data Gatsy reads from or writes to them is governed by the authorization you granted at connection time.

Information We Collect

We collect three kinds of information: information you provide directly, information we collect automatically, and information we receive from third parties.

(a) Information You Provide Directly

Account information (when you register on gatsy.net):

  • First name and last name
  • Email address
  • Password (never stored in plaintext; we store it only as a salted one-way hash using industry-standard methods and cannot recover or view it)
  • Phone number (collected as a contact detail for support and onboarding; used for SMS only if you affirmatively opt in — see "SMS Messaging" below)
  • Company name and company initials
  • Timezone
  • Optional company address (autocompleted via Google Maps Places)

Company / profile information (administrators only):

  • Company logo
  • Billing email and billing name (separately settable from your account email)
  • Company qualifications (free-text)

Payment information:

  • When you add a payment method, we direct you to Stripe's secure form (Stripe Elements). Stripe collects your card number, expiration, CVV, and billing address directly. We never see and do not store your full card number, expiration date, or CVV.
  • From Stripe we receive and store: a Stripe customer ID, a Stripe payment method ID, your card's last four digits, and its brand (e.g., "Visa") for display purposes.
  • Card data is not collected at signup. The 30-day free trial requires no card.

Content you upload and create:

  • Documents you upload such as plans, drawings, specifications, and images (file size limits apply per file)
  • Project and estimating data you create in the Service (including estimates, jobs, customer and vendor records, project documents, photos, expenses, time entries, and quotes)

Communications:

  • Messages you exchange with our AI assistants
  • Replies you send to our transactional emails
  • Inbound SMS messages, when you reply to messages from Gatsy (see "SMS Messaging" below)

(b) Information Collected Automatically

Device and network data:

  • Internet Protocol (IP) address (used only at request time for security purposes; not stored)
  • Browser type, browser version, operating system
  • Mobile device type and operating system (when you use our mobile apps)
  • Push-notification device tokens (when you enable push on a mobile device)

Location data:

  • GPS coordinates (latitude / longitude / accuracy) are continuously recorded during active foreman clock-in to verify work-site presence. Start and end points are retained indefinitely as part of the time-entry record; intermediate breadcrumbs are deleted after 90 days. This feature is used only inside the Service and only while you are clocked in.
  • Job-site coordinates you enter for shift assignments
  • Approximate location derived from Google Maps Places autocomplete when you enter an address

Usage data:

  • Pages you view, features you use, buttons you click
  • Audit log of changes you make in the Service (we automatically capture the action performed, the affected resource, and the time of the action, with sensitive fields stripped). Audit logs are kept for one year.
  • File upload events, document parsing events, AI tool invocations

Cookies and similar tracking technologies:

  • See "Cookies and Tracking Technologies" below for the full disclosure.

(c) Information From Third Parties

When you choose to sign in using a single-sign-on provider, we receive standard profile information from that provider:

  • Google Sign-In: name, email address, profile picture URL, locale (per the scopes you grant during OAuth consent)
  • Microsoft Sign-In: name, email address, and an access token for the duration of your session

When you make a payment, Stripe returns the payment confirmation, last four digits of the card, and the card brand to us.

When you click a Meta or Google ad and convert (e.g., submit our contact or book-demo form), the ad platform shares an anonymous conversion record with us via their tag manager pixels.

If you submit a Gatsy Lead Form on Facebook or Instagram, we receive whatever fields you completed on that form (typically name, email, phone, and any custom fields) plus any consent flags you checked.

How We Use Your Information

We use your information to:

  • Provide and operate the Service — create your account, store your data, generate AI outputs, communicate with your vendors, and process the documents you upload.
  • Process payments — through Stripe. We use Stripe to charge your subscription, your add-on bot fees, and any one-time setup fees.
  • Generate AI outputs — your uploaded content (parsed text only — not raw file bytes), your typed prompts, and your project context are sent to AI providers (see "AI Processing" below) to produce the estimates, summaries, and chat responses you request.
  • Send transactional communications — email verification codes, payment receipts, subscription notices, password-reset emails, and (for users who have opted in) SMS account notifications and support replies.
  • Send marketing communications — only if you affirmatively opt in. Marketing SMS is sent to users who have opted in via the Promotional SMS consent checkbox at signup or in account settings (see "SMS Messaging" below). We do not currently send marketing emails; if we add them, you will be able to unsubscribe via any email or in your account settings.
  • Provide customer support — through our AI customer-support assistant and follow-up by our support team at info@gatsy.ai.
  • Improve the Service — by analyzing aggregated usage patterns, debugging errors, and developing new features. We may use de-identified or aggregated data — data that cannot reasonably be linked back to you — to improve the Service, train internal models we own, and benchmark performance. We do not use your data to train any third-party AI provider's models (see "AI Processing").
  • Enforce our Terms and Conditions and protect against fraud or abuse — including by reviewing audit logs and applying rate limits.
  • Comply with legal obligations — respond to lawful requests, satisfy tax and accounting recordkeeping, and similar.

SMS Messaging

How you opt in

Gatsy operates a two-tier opt-in SMS program. You are not enrolled by default. SMS consent is offered separately from account creation and is collected via two standalone, unchecked-by-default checkboxes that appear during account onboarding at gatsy.net (or in your account settings after signup):

  1. Transactional SMS consent — covers account verification codes, password resets, demo confirmations, trial onboarding nudges, support replies, billing reminders, security alerts, and product update notifications.
  2. Promotional SMS consent — covers discount offers, subscription upgrade incentives, feature launch announcements, and time-limited sale alerts.

The two checkboxes are independent. You may opt in to one, both, or neither. SMS consent (of either type) is a separate, optional choice; it is not bundled with your acceptance of our Terms and Conditions, and it is not required to create or maintain a Gatsy account.

We log every opt-in with a timestamp, the consent type (transactional or promotional), the exact consent text you saw at opt-in, the source (account signup or account settings), the IP address of the device used, and the browser's user-agent string. This record is retained for four years from the date of opt-out (or four years from the last message sent, if you do not opt out). STOP replies are honored at the SMS provider level; in-database consent records reflect opt-ins and in-app opt-out toggles.

What messages you'll receive

The messages you receive depend on which checkbox(es) you opted in to.

Transactional category (if you opted in to Transactional SMS):

  • Account verification codes and password resets
  • Demo scheduling confirmations
  • Trial onboarding nudges
  • Account notifications (payment-failed, subscription-expiring, security alerts)
  • Support replies (when you text us first)
  • Product updates (new features, major changes)

Promotional category (if you opted in to Promotional SMS):

  • Promotional offers and discount codes
  • Feature launch announcements and sales alerts
  • Subscription upgrade and renewal offers

If you opted in to one category but not the other, you will only receive messages from the category you opted in to.

Frequency

Msg frequency varies. Typically up to 10 messages per month across all message categories listed above.

Cost

Message and data rates may apply. Gatsy does not charge you for messages; your mobile carrier may.

How to opt out and get help

  • To stop messages: reply STOP to any Gatsy SMS. Our SMS provider (Twilio) immediately blocks further messages to your number across both promotional and transactional categories, and you'll receive one confirmation message.
  • To opt back in after STOP: reply START or UNSTOP.
  • To turn off SMS in your Gatsy account without using STOP: use the SMS preferences in your account settings.
  • For help: reply HELP to any message, or email info@gatsy.ai.

Supported US carriers include AT&T, Verizon, T-Mobile, and other major US carriers. Carriers are not liable for delayed or undelivered messages.

Mobile information will not be shared

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All other categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

AI Processing

Gatsy is an AI-powered platform. To generate AI outputs such as estimates, summaries, and chat responses, we send certain content to third-party AI providers:

Providers we use

We use third-party AI service providers — including OpenAI, Google, and Anthropic — as subprocessors to power chat, summarization, document understanding, and embedding features. We also use a third-party vector database provider to store text representations of your uploaded documents for search and retrieval, and a third-party search provider used by certain AI tools (for example, to look up current prices or research bid opportunities). Where AI providers offer different tiers, we use API tiers under which customer data is not used to train provider models by default.

What we send to AI providers

  • Parsed text from your uploaded documents — never the raw file bytes. We extract the text content from your uploaded files (including PDFs, Office documents, and spreadsheets) before sending it to the AI provider as part of the model's context.
  • Your typed prompts and chat messages.
  • Project context — the structure and contents of the project you're working on.
  • Embedded link annotations from your uploaded documents (used to render citations).

We do not send:

  • Your password
  • Your payment information
  • The full file bytes of your uploads
  • The personal data of users on other tenants (data is isolated per customer)

These providers do not use your data to train their models

We use the standard API tiers of the AI providers listed above. Under each provider's API terms of service as of 2024 and later, API customer data is not used to train the provider's models by default. We do not opt in to any data-sharing or training program.

Retention of AI conversation data

  • On our servers: we retain AI conversation history (including messages and tool-call records) for 60 days, after which it is deleted.
  • On the provider's side: OpenAI applies a default 30-day abuse-monitoring retention on API calls (as described in their API terms). Other providers apply their own retention; consult the provider's privacy policy.

Customer-support chatbot

Our customer-support AI assistant answers questions from a curated knowledge base. Conversations with this assistant are not stored long-term.

Important disclaimer

AI outputs are tools to assist your work, not professional advice. AI outputs may contain errors, omissions, or inaccuracies. You are solely responsible for reviewing, verifying, and validating any AI output before relying on it for bidding, contracting, purchasing materials, or any business decision. See our Terms and Conditions for further detail.

Cookies and Tracking Technologies

We and our third-party tag-management partners use cookies and similar technologies on https://gatsy.ai and on the pre-login portions of https://gatsy.net.

We do not use these tools to track activity once you sign in to your Gatsy account.

Categories of cookies

Strictly necessary cookies

Required for the website to function. These cannot be disabled. Includes session cookies and security tokens. We do not set first-party cookies of our own through our applications.

Functional cookies

Remember your preferences (such as theme selection, dismissed banners). Stored in browser localStorage rather than HTTP cookies; cleared when you clear browser storage.

Analytics cookies

Set by Google Analytics 4 and Microsoft Clarity to measure marketing-page traffic and user behavior on pre-login pages. Microsoft Clarity also captures session recordings and heatmaps; recordings are masked to redact form-field contents.

Marketing / advertising cookies

Set by Google Ads and Meta Pixel to attribute conversions from our paid marketing campaigns and to support remarketing.

Marketing and analytics tags

Through Google Tag Manager we deploy analytics, conversion-tracking, and advertising tags from providers including Google Analytics, Google Ads, Meta, and Microsoft Clarity. These tags capture page views, button clicks, and form submissions on our marketing pages to measure traffic and attribute conversions from our paid marketing campaigns. Microsoft Clarity also captures session recordings and heatmaps with form-field contents masked.

Your choices

You can clear or block cookies through your browser settings; doing so may degrade some marketing features. We are in the process of implementing a cookie consent management platform that will allow you to grant or withhold consent for non-essential cookies before they are set.

How We Share Your Information

We do not sell your personal information. We share information only as described below.

Service providers (processors acting on our behalf)

We share data with third-party service providers who help us operate the Service. Each is bound by contract to use the data only for the services they provide to us. Categories:

  • Hosting and content delivery: We use third-party hosting and CDN services
  • Payments: Stripe
  • AI services: see "AI Processing" above
  • Authentication and SSO: Google, Microsoft
  • Mapping and address autocomplete: Google
  • Bot protection: Google reCAPTCHA
  • Push notifications: third-party push provider
  • Email delivery: your own connected Microsoft 365 or Google Workspace account when configured at the tenant level
  • File storage: your tenant's connected Microsoft OneDrive or Google Drive account. In most cases, those files reside in your own cloud-storage tenant, not in ours.
  • Web form delivery: third-party web form provider
  • Marketing analytics: see "Cookies and Tracking Technologies" above
  • Accounting integration: Intuit QuickBooks (only if you connect QuickBooks at the tenant level)
  • SMS delivery: Twilio

A complete and current list of subprocessors is available on request from info@gatsy.ai.

Legal disclosures

We may share information if required to do so by law or in response to valid legal process — for example, subpoenas, court orders, or government requests. Where permitted, we will notify you before complying.

Business transfers

If Gatsy is acquired by or merges with another company, or if substantially all of our assets are sold, your information may be transferred as part of that transaction. We will give you notice (by email and a prominent in-app notice) before your information becomes subject to a different privacy policy.

Mobile information will not be shared for marketing

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All other categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

Within Your Team (Multi-User Accounts)

Gatsy is a multi-tenant platform. When a Tenant Administrator (typically the person who registered the company) invites additional users to their tenant:

  • All users within the same tenant access shared tenant data. Records created or uploaded by any user in the tenant — including project and estimating data, customer and vendor records, expenses, time entries, GPS breadcrumbs from clock-in, and chat conversations — are visible to other users in the tenant who hold the corresponding permission.
  • Permission visibility is feature-level (e.g., a user granted "expenses" can see all expenses in the tenant), not record-level. Tenant administrators can see all data in the tenant.
  • Tenant administrators can create, edit, and delete users within their tenant.

If you join an existing Gatsy tenant at an employer's invitation, please be aware that your activity, content, and clock-in GPS may be visible to your employer and other authorized teammates.

Data Retention

We retain personal data only for as long as needed to provide the Service and to satisfy our legal, accounting, and compliance obligations. Specifically:

Data | Retention
Account record | Deleted immediately upon account deletion request (we do not offer a grace period today)
Payment and billing records | Seven (7) years from the last transaction, to satisfy tax and accounting recordkeeping
Audit logs | One (1) year
AI conversation history | 60 days, after which it is deleted
GPS clock-in breadcrumbs (intermediate points) | 90 days
GPS clock-in start and end points | Retained with the corresponding time-entry record
Database backups (per-tenant) | 7 days
Email-verification codes | 15 minutes (expiry); old codes are removed within 24 hours
SMS opt-in consent records | 4 years from opt-out, or from last message sent if no opt-out
Estimating documents (uploaded by you) | Retained until you delete them or your account is closed
Uploaded attachments stored in your OneDrive / Google Drive | Governed by your own retention policy on that cloud-storage tenant

When you request account deletion, we will delete your personal data (and the related business data we control) within 30 days of the request, except where retention is required by law or legitimate business need (such as the payment-records retention above).

Data Security

We use commercially reasonable measures to protect your information:

  • All web and API traffic is encrypted in transit using TLS.
  • Passwords are stored only as a salted one-way hash using industry-standard methods; we cannot view or recover your plaintext password.
  • Payment card data is handled by Stripe and never touches our servers.
  • We apply logical access controls to keep each customer's data separated and accessible only to authorized users.
  • We strip sensitive fields (passwords, tokens, secrets, API keys, full card numbers, CVV) from our internal logs before they are stored.
  • We use role-based permissions and feature-level gates within the Service.
  • We require Google reCAPTCHA on signup, login, password-reset, and email-verification flows to deter automated abuse.
  • We use industry-standard session management controls, including the ability to invalidate active sessions (for example, when you change your password).

No system is perfectly secure. While we work hard to protect your information, we cannot guarantee absolute security. If you suspect your account has been compromised, email info@gatsy.ai immediately.

Your Choices and Rights

Access, update, correct

  • Account info: update your name, email, timezone, and similar in your account settings.
  • Company info: administrators can update company name, address, phone, and logo in tenant settings.
  • Marketing preferences: promotional SMS is controlled by the dedicated Promotional SMS checkbox at signup, by the in-account SMS preferences, and by the global STOP reply mechanism described under "SMS Messaging." Transactional SMS is controlled by the dedicated Transactional SMS checkbox at signup, by the in-account SMS preferences, and by the same STOP reply mechanism. Marketing emails are not sent today; when we add them, you will be able to opt out in your account settings or via any email's unsubscribe link.

Delete your account

You can request account deletion by emailing info@gatsy.ai. We will delete your account and the personal data we control within 30 days of the request, except where retention is required by law or legitimate business need (see "Data Retention"). Self-serve account deletion is on our roadmap.

Export your data

You can request a structured export of your personal data and your content by emailing info@gatsy.ai. We will provide the export within 30 days of the request. Self-serve data export is on our roadmap.

Opt out of SMS

Reply STOP to any Gatsy SMS message. See "SMS Messaging" above.

Cookies

You can clear or block cookies through your browser settings.

California residents (CCPA / CPRA)

If you reside in California, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to know what personal information we collect, the categories of sources, the purposes for collection, and the categories of third parties we share with — this Privacy Policy provides that disclosure.
  • Right to access the specific pieces of personal information we have collected about you in the prior 12 months.
  • Right to delete the personal information we have collected, subject to legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of "sale" or "sharing" of personal information for cross-context behavioral advertising. We do not sell personal information, and we do not "share" personal information as defined under California law except through the marketing analytics described in "Cookies and Tracking Technologies."
  • Right to limit use of sensitive personal information.
  • Right to non-discrimination — we will not deny service, charge different prices, or provide lesser quality if you exercise these rights.

To exercise any of these rights, email info@gatsy.ai with the subject "California Privacy Request." We may ask you to verify your identity. We will respond within the timeframe required by law (typically 45 days, extendable once for an additional 45 days where reasonably necessary).

You may also designate an authorized agent to make a request on your behalf; the agent must provide written authorization signed by you.

Children's Privacy

The Service is intended for users 18 years of age or older. We do not knowingly collect personal information from anyone under 13 years of age (per the Children's Online Privacy Protection Act). If you believe we have inadvertently collected information from a child under 13, please email info@gatsy.ai and we will delete it.

International Users

Gatsy serves customers in the United States only. Our infrastructure is hosted in the United States. If you access the Service from outside the United States, you understand that your information will be transferred to and processed in the United States.

We do not target our Service at residents of the European Union, the United Kingdom, or other jurisdictions with general data-protection regimes such as GDPR. If you are a resident of such a jurisdiction, please do not use the Service.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email (to the address on file with your account) and by posting a prominent notice in the Service before the changes take effect. The "Last Updated" date at the top of this Policy will always reflect the most recent revision.

Continued use of the Service after a change to this Policy means you accept the updated Policy.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy:

Address

1600 S. Federal HWY, Suite 200
Pompano Beach, FL 33062
