Privacy Policy

1. Introduction

Archingen, PLC, doing business as PermitZIP (“PermitZIP”, “we”, “us”, or “our”), is a licensed engineering firm providing mechanical, electrical, and plumbing (MEP) design services. This Privacy Policy explains how we collect, use, disclose, and safeguard information across two related but distinct surfaces:

• The PermitZIP Hours application (“App”) — an internal time-tracking, billing, and project-management tool used by PermitZIP employees and authorized contractors. Sections 3 through 17 below cover this surface.
• SMS / text-message communications with PermitZIP clients — texts we exchange with clients of our engineering services about active projects. Section 2 below covers this surface.

The two surfaces are intentionally documented in one policy because the same legal entity (Archingen, PLC) operates both. The internal App is not a public service. The SMS communications are with external business contacts only and are governed by the rules in section 2.

2. SMS / Text Messaging Communications

This section governs PermitZIP's use of SMS / MMS text messaging for two-way conversational communications with clients of our engineering services. It applies to the three PermitZIP business numbers and to any text-message exchange initiated through them.

2.1 Who receives messages

We send text messages only to existing PermitZIP business contacts — clients with active or pending engineering projects, signers on our proposals, and individuals who have explicitly provided their phone number to us through one of the opt-in channels described below. We do not send to purchased lists, third-party leads, or cold-outreach prospects.

2.2 How we collect your phone number and consent (opt-in)

Opt-in is captured through three channels and recorded in our internal consent ledger:

1. Quote-request form at permitzip.app. The form includes a clearly-labeled, unchecked-by-default SMS-consent checkbox: “I agree that PermitZIP may text me about my project. Message and data rates may apply. Reply STOP at any time to unsubscribe.” You must affirmatively check the box to receive messages.
2. Verbal opt-in during a project intake call. A PermitZIP team member asks “OK to text you about this project?” If you agree, the team member records the consent in our application.
3. Reply opt-in. If you text one of our published business numbers first, your message qualifies as opt-in for that conversation thread.

2.3 What messages contain

Texts from PermitZIP cover business communications about your active engineering project, including:

• Replies to design questions and clarifications
• Scheduling notes for site visits and inspections
• Status updates on permit-ready drawings and code review
• Follow-up on signed proposals, change orders, and invoices
• Replies to inbound questions you initiate

Messages may contain links to documents on our project portals and a callback phone number. Messages do not contain marketing of unrelated products or services, age-gated content, or content related to lending or loans.

2.4 How to opt out (STOP / HELP)

You can opt out of SMS communications at any time:

• Reply STOP (or any of: STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT) to any text from PermitZIP. We will stop sending messages immediately and confirm with a single opt-out acknowledgement.
• Reply HELP (or INFO) to receive support contact information.
• Reply START (or SUBSCRIBE, IN, OPTIN) after a prior STOP to resubscribe.

Standard message and data rates from your mobile carrier may apply. Message frequency varies by project activity; consent is not a condition of any purchase. Every opt-out is recorded in our consent ledger and the originating phone number is blocked from outbound sends until you explicitly reply START.

2.5 What we do NOT do with your phone number or message content

We do not sell, rent, share, lease, or otherwise transfer your phone number, consent status, or SMS message content to any third party for marketing, promotional, or advertising purposes. SMS opt-in data and consent records are not shared with affiliates, partners, lead-generation services, or any other outside organization. The only third parties that ever process your SMS data are the carriers and the messaging-platform providers strictly necessary to deliver the message to your phone (Twilio Inc. as our messaging service provider, and your wireless carrier).

2.6 SMS data security and retention

SMS message content and metadata (sender, recipient, timestamp, delivery status) are stored in our internal systems for the purpose of conducting business with you and maintaining audit records. Message content is encrypted in transit (HTTPS / TLS) and at rest (AES-256). We retain SMS records for the same duration as the underlying engineering project plus seven years for accounting and compliance purposes, after which they are deleted.

2.7 Contact about SMS practices

Questions about SMS communications, opt-in records, or this section: email info@permitzip.com or call (833) 896-9335.

3. Information We Collect (PermitZIP Hours App)

Note: Sections 3 through 17 below describe data practices specific to the internal PermitZIP Hours application used by PermitZIP employees and authorized contractors. SMS communications with clients are governed by section 2 above.

3.1 Information from Google OAuth

• Email address
• Full name
• Google profile ID
• Profile picture

3.2 Information from Hubstaff

• Time tracking data (hours worked, projects, tasks, descriptions)
• User ID and organization membership
• Project information and client names
• Billing and pay rates

3.3 Information from QuickBooks

• Customer names and contact information
• Service items and pricing
• Invoice data (numbers, amounts, dates)
• Company information

3.4 Information You Provide

• Billable status selections
• Notes and descriptions
• Notification preferences
• Project-to-customer mappings

4. How We Use Your Information (PermitZIP Hours App)

We use the collected information to:

• Provide the Service: Sync time entries, manage billing, generate invoices
• Authentication: Verify your identity via Google OAuth
• Authorization: Determine your role and permissions (Team Member, Manager, Admin)
• Analytics: Track billable hours, costs, revenue, and profit margins
• Reporting: Generate invoices and export data to QuickBooks
• Communications: Send monthly reminder emails (if opted in)
• Compliance: Maintain audit logs for security and compliance purposes

5. How We Share Your Information (PermitZIP Hours App)

5.1 Within PermitZIP

Your information is shared within PermitZip as follows:

• Team Members: Can view their own time entries and associated data
• Managers: Can view all team members' time entries for approval and billing purposes
• Admins: Have full access to all data for system administration

5.2 Third-Party Services

• Supabase: Database hosting and authentication (encrypted at rest)
• Vercel: Application hosting
• Upstash Redis: Caching service (temporary data only, with TTL)
• Resend: Email delivery service

Important: We do NOT share your data with any parties outside of PermitZip except the service providers listed above, who are bound by data processing agreements.

5.3 QuickBooks Data

When you connect QuickBooks, we access your QuickBooks company data to:

• Retrieve customer information for invoice generation
• Create invoices in your QuickBooks company
• Link time entries to QuickBooks projects

This data is only accessible to PermitZip managers and admins and is never shared externally.

6. Data Security (PermitZIP Hours App)

We protect your information using:

• Encryption: All sensitive credentials encrypted with AES-256-GCM
• HTTPS: All data transmitted over encrypted connections
• Authentication: Google OAuth 2.0 for secure login
• Authorization: Role-based access control with Row Level Security (RLS)
• Audit Logging: All sensitive operations logged for security review
• Secure Tokens: OAuth tokens encrypted at rest, auto-refresh, proper revocation

7. Data Retention (PermitZIP Hours App)

We retain your information as follows:

• Time Entries: Retained indefinitely for billing and tax purposes
• Invoices: Retained for 7 years per accounting standards
• Audit Logs: Retained for 2 years
• OAuth Tokens: Deleted immediately upon disconnection
• Cache Data: Automatically expires per TTL (5 minutes to 24 hours)

8. Your Rights

As a PermitZip employee, you have the right to:

• Access: View your personal time entry data at any time
• Correction: Request corrections to your time entries
• Notification Preferences: Opt out of email reminders via Settings
• Disconnect: Disconnect Hubstaff and QuickBooks integrations at any time

To exercise these rights, contact your manager or email info@permitzip.com.

9. QuickBooks-Specific Data Practices

When you authorize our App to access your QuickBooks company:

• We request minimal scopes: accounting and payment
• OAuth tokens are encrypted using AES-256 and stored securely
• Tokens are automatically refreshed before expiry
• You can revoke access anytime by disconnecting in Settings
• When disconnected, tokens are revoked with QuickBooks and deleted from our database
• QuickBooks data synced to our app (customers, items) is deleted upon disconnection

10. Cookies and Tracking

We use cookies for:

• Authentication: Supabase session cookies (httpOnly, secure)
• OAuth State: Temporary cookies for CSRF protection (deleted after use)
• Theme Preference: Dark/light mode selection

We do NOT use tracking cookies, analytics cookies, or advertising cookies.

11. Data Processing Location

Your data is processed and stored in the United States using:

• Supabase (US region)
• Vercel (US region)
• Upstash Redis (US region)

12. Data Breach Notification

In the event of a data breach affecting your personal information, we will notify you via email within 72 hours of discovering the breach. We will also notify relevant authorities as required by law.

13. Children's Privacy

The App is intended for use by PermitZip employees who are 18 years or older. We do not knowingly collect information from individuals under 18.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the new Privacy Policy on this page
• Updating the “Last Updated” date
• Sending an email notification to all users

15. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact:

16. Consent

By using the App, you consent to this Privacy Policy and agree to its terms. By opting in to SMS communications through any of the channels described in section 2.2, you consent to the SMS practices described in section 2.

17. Legal Entity

PermitZIP is a trade name of Archingen, PLC, a professional limited liability company. References to “PermitZIP” in this Privacy Policy refer to Archingen, PLC operating under that trade name.