Privacy Policy

This Privacy Policy describes how Precon, Inc. (“Precon,” “we,” “us”) collects, uses, shares, and protects personal data when you visit our website, use the Precon platform, or otherwise interact with us. This Policy applies to all users, including organization administrators, team members, and visitors.

Data Controller. Precon acts as the Data Controller for personal data we collect directly, such as account registration information, website usage data, and marketing interactions.

Data Processor. When processing Customer Data on behalf of your organization (e.g., construction documents, email content, project files), Precon acts as the Data Processor. Our processing obligations as Processor are detailed in our Data Processing Addendum.

We collect the following categories of personal data:

• Personal Identifiers — name, email address, phone number, job title
• Commercial Information — organization name, role, subscription plan, billing history
• Project Data — construction documents, plans, specifications, takeoffs, bid materials, and contract files you upload
• Email Content — email headers, body text, and attachments accessed through connected email integrations (Google Workspace, Microsoft 365)
• Usage Data — features used, pages visited, click patterns, search queries, session duration
• Device and Browser Information — IP address, browser type, operating system, device identifiers
• Geolocation — city-level location derived from IP address
• Professional Information — construction trades, market sectors, service areas, project types
• Inferences — AI-generated analyses, lead scores, project fit assessments, and entity classifications
• Financial Information — payment method and billing address (processed by our payment processor; we do not store full card numbers)
• Cookies and Tracking Data — see our Cookie Policy for full details

• Directly from you — when you register, fill out your profile, upload documents, or contact us
• From your organization — when an administrator invites you or configures organization settings
• Automatically — through cookies, analytics, and server logs when you use the Service
• Via email integrations — when you connect your email account through Google or Microsoft OAuth
• From public sources — for lead generation features, we may collect publicly available project information from government records, permit databases, and public bid boards

We use personal data for the following purposes. Where required by law (including GDPR Article 6), we identify the legal basis for each category of processing:

• Provide the Service — account creation, authentication, platform access, document processing, AI analysis, email intelligence, lead generation. Legal basis: performance of contract.
• Improve the Service — analyze usage patterns, diagnose technical issues, develop new features, conduct A/B testing, and generate aggregated analytics. Legal basis: legitimate interest (service improvement).
• Security and fraud prevention — detect and prevent unauthorized access, abuse, fraud, and security threats; enforce our Terms and Acceptable Use Policy. Legal basis: legitimate interest (security and fraud prevention).
• Customer support — respond to inquiries, troubleshoot issues, and provide technical assistance. Legal basis: performance of contract.
• Legal compliance — fulfill legal obligations, respond to lawful requests, and protect legal rights. Legal basis: legal obligation; legitimate interest.
• Transactional communications — account verification, password resets, security alerts, billing receipts, and Terms updates. Legal basis: performance of contract.
• Marketing communications — product updates, feature announcements, and educational content, sent only with your consent. Legal basis: consent (opt-in).
• AI processing — sending document text and project data to AI models for analysis, generation, and classification as part of the Service. Legal basis: performance of contract; legitimate interest (service delivery).

Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting privacy@precon.com.

Precon uses third-party AI models (such as Google Gemini) to process certain Customer Data. Here is how we handle data in AI processing:

• What data is sent: Document text, email content, and project metadata relevant to the specific AI task (e.g., takeoff, entity extraction, contract analysis)
• Processing purpose: Each AI request serves a specific function (document analysis, content generation, entity recognition, classification)
• Zero retention by AI providers: Our AI sub-processors are contractually required not to retain Customer Data beyond the duration of processing a single request
• No model training: Customer Data is not used to train or improve foundation AI models, by Precon or any sub-processor
• Quality assurance: Precon may retain anonymized input/output pairs for up to ninety (90) days for quality monitoring and accuracy improvement purposes

When you connect your email account, we access the following through OAuth:

• Email headers (sender, recipient, subject, date)
• Email body text
• Attachments (for document processing, if applicable)

We process email data to:

• Detect construction project opportunities and bid invitations
• Track project communication timelines
• Extract contact and company information
• Identify award notifications and rejection communications
• Surface deadline-related communications

Disconnection: You may revoke email access at any time through your account settings. Upon disconnection, we stop accessing new emails. Previously processed insights are retained for thirty (30) days, then deleted. Raw email content is deleted within seven (7) days of disconnection.

We share personal data only in the following circumstances:

• Sub-processors: AI providers, cloud infrastructure (Google Cloud Platform), analytics services, and email delivery services, each bound by data processing agreements
• Legal requirements: When required by law, subpoena, court order, or government request
• Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users
• Aggregated data: We may share anonymized, aggregated analytics that cannot identify any individual or organization

Precon does not sell personal data. Precon does not share personal data for cross-context behavioral advertising.

Precon does not intentionally collect sensitive personal information as defined under the CCPA/CPRA (such as Social Security numbers, driver's license numbers, financial account numbers, precise geolocation, racial or ethnic origin, religious beliefs, health data, or biometric data). If you upload documents that incidentally contain sensitive personal information (for example, worker identification numbers in construction documents), that information is processed solely as part of the document processing pipeline and is not extracted, categorized, or used for any purpose other than providing the Service.

If you believe that the Service has collected sensitive personal information you wish to have deleted, contact privacy@precon.com.

Precon does not offer financial incentives, price or service differences, or payments to consumers as compensation for the collection, retention, or sale of personal information. If this changes in the future, we will update this section with a description of the incentive, the categories of personal information involved, and how to opt in or opt out.

We use cookies and similar technologies as described in our Cookie Policy. In summary, we use strictly necessary cookies for authentication and security, and analytics cookies to understand usage patterns. We do not currently use marketing or advertising cookies.

Do Not Track / Global Privacy Control. Some browsers transmit “Do Not Track” (DNT) or Global Privacy Control (GPC) signals. Precon honors GPC signals as a valid opt-out of the sale or sharing of personal information where applicable under the CCPA/CPRA. We do not currently respond to DNT signals, as there is no industry-standard protocol for DNT. We do not sell personal data or engage in cross-context behavioral advertising, so DNT and GPC signals do not result in a material change to your experience.

We retain personal data only as long as necessary for the purposes described in this Policy, or as required by law. Specific retention periods by data category:

• Account and profile data: Retained for the duration of your active account. Upon account deletion or termination, deleted within sixty (60) days after the thirty (30) day export window
• Customer Data (documents, project files): Retained for the duration of your account. Upon termination, you have a thirty (30) day export window, after which Customer Data is deleted from primary systems within sixty (60) days
• Email integration data: Raw email content is deleted within seven (7) days of disconnecting your email integration. Processed insights (opportunity records, contact extractions) are retained for thirty (30) days after disconnection, then deleted
• Usage and analytics data: Retained for up to twenty-four (24) months in identifiable form. After twenty-four months, usage data is either deleted or irreversibly anonymized for aggregate analytics
• Server logs: Web server access logs and error logs are retained for up to ninety (90) days for security monitoring and debugging, then automatically purged
• AI quality assurance data: Anonymized input/output pairs retained for up to ninety (90) days for accuracy monitoring, then deleted. No identifiable Customer Data is retained for QA purposes
• Customer support records: Support tickets and associated correspondence are retained for up to three (3) years after resolution for quality assurance and dispute resolution, then deleted
• Billing and transaction records: Retained for up to seven (7) years to comply with tax, accounting, and financial reporting obligations
• Consent records: Records of your acceptance of Terms, Privacy Policy versions, and consent timestamps are retained for the duration of your account and for seven (7) years after account closure for legal compliance
• Backups: Backup copies are purged within ninety (90) days of deletion from primary systems
• Legal holds: Data subject to legal preservation obligations, litigation holds, or regulatory investigations is retained as required by applicable law, isolated from active systems, and deleted once the hold is released
• Aggregated data: Irreversibly anonymized, aggregated statistical data that cannot be re-identified may be retained indefinitely

Precon processes data primarily in the United States using Google Cloud Platform. If you are located outside the United States, your data will be transferred to and processed in the US.

For transfers from the European Economic Area, United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (EU Commission Decision 2021/914, Module 2 Controller-to-Processor) and the UK International Data Transfer Addendum. Details are set forth in our Data Processing Addendum.

Depending on your location, you may have the following rights regarding your personal data:

GDPR (EEA/UK): Access, rectification, erasure, portability, restriction of processing, objection to processing (including objection to processing based on legitimate interest), withdrawal of consent at any time (without affecting the lawfulness of processing based on consent before withdrawal), and the right to lodge a complaint with your local supervisory authority.

CCPA/CPRA (California): Right to know (categories and specific pieces of personal information collected), right to delete, right to correct, right to opt-out of sale or sharing of personal information, right to limit use of sensitive personal information, and right to non-discrimination for exercising privacy rights. Precon does not sell personal data and does not share personal data for cross-context behavioral advertising.

State privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and others): Access, deletion, correction, portability, opt-out of targeted advertising, opt-out of sale of personal data, and opt-out of profiling in furtherance of decisions that produce legal or similarly significant effects.

How to Exercise Your Rights

Submit requests by emailing privacy@precon.com with the subject line “Data Rights Request.” Include your full name, the email address associated with your account, and a description of your request.

Identity Verification

To protect your privacy, we must verify your identity before processing a rights request. We will ask you to confirm information we have on file (such as your account email and organization name). For requests submitted by someone other than the account holder, additional verification may be required (see Authorized Agents below). We will not fulfill a request if we cannot verify the requester's identity.

Authorized Agents

Under the CCPA/CPRA and certain other state privacy laws, you may designate an authorized agent to submit data rights requests on your behalf. The authorized agent must provide: (a) written authorization signed by you; and (b) proof of the agent's identity. We may also contact you directly to confirm the agent's authority. If the agent does not provide sufficient evidence, we may deny the request.

Opt-Out of Marketing

You may opt out of marketing communications at any time by: (a) clicking the “unsubscribe” link in any marketing email; (b) updating your notification preferences in account settings; or (c) emailing privacy@precon.com. Opt-out requests are processed within ten (10) business days. Opting out of marketing does not affect transactional communications necessary for the operation of your account.

Opt-Out of Analytics

You may limit analytics tracking by: (a) adjusting your browser cookie settings; (b) enabling Global Privacy Control (GPC) in your browser; or (c) contacting us at privacy@precon.com. See our Cookie Policy for details on managing cookies.

Response Timeline

We will acknowledge receipt of your request within five (5) business days and provide a substantive response within thirty (30) days (or the applicable statutory period). If we need additional time, we will notify you of the extension and the reason, up to an additional sixty (60) days where permitted by law.

Right to Appeal

If we decline your data rights request, you may appeal by emailing privacy@precon.com with the subject line “Privacy Appeal.” We will review the appeal and respond within sixty (60) days. If we deny the appeal, we will provide the reasons and, where applicable, inform you of your right to contact your state attorney general or supervisory authority.

Precon uses automated processing, including AI and machine learning, in the following ways:

• Document classification and entity extraction: Algorithms analyze uploaded documents to identify document types (plans, specifications, schedules), extract entities (materials, dimensions, specifications), and classify content by construction trade. The logic relies on pattern matching, spatial analysis, and LLM-based classification trained on general construction knowledge
• Lead scoring: Automated scoring ranks project opportunities based on factors such as geographic match, trade relevance, project size, and historical win rates. The score is a numerical ranking intended to help you prioritize opportunities, not to make decisions on your behalf
• Contract risk scoring: AI analyzes contract clauses and assigns risk levels (low, medium, high) based on clause type, language patterns, and deviation from standard industry terms. These scores are advisory and do not replace legal review
• Email intelligence classification: Email content is automatically classified by type (bid invitation, award notification, RFI, general correspondence) using NLP models. The classification determines how the email is surfaced in the platform
• AI-powered takeoff and estimation: Automated measurement and quantity extraction from construction drawings using document processing pipelines and LLM analysis. Results are approximations subject to the limitations described in our AI & Risk Disclosure

Significance and consequences. These automated processes produce outputs that may influence your business decisions, including which projects to pursue, how to price bids, and which contract terms to negotiate. However, the Service is designed as a decision-support tool: no automated process makes a final decision on your behalf. All outputs require human review and professional judgment before action.

Your rights. Under GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. Because Precon's automated outputs are advisory and do not make binding decisions, they generally do not fall within Article 22. Nevertheless, if you believe an automated output has significantly affected you, you may contact privacy@precon.com to request human review. We will review the output, explain the logic involved, and, if appropriate, override or correct the result.

The Service is not directed at or intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child, we will delete it promptly.

We implement industry-standard technical and organizational measures to protect your data, including:

• Encryption at rest (AES-256) and in transit (TLS 1.3)
• Role-based access controls and least-privilege principles
• Audit logging of data access and administrative actions
• Infrastructure security through Google Cloud Platform (GCP)
• Incident response procedures

No method of transmission or storage is completely secure. If you become aware of a security incident, contact security@precon.com immediately.

We may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days' advance notice via the email associated with your account. Previous versions are archived and available at /legal/privacy.

For privacy-related inquiries, data subject requests, or complaints:

• Email: privacy@precon.com
• Mail: Precon, Inc., Attention: Privacy, [Address on file]