Privacy Policy

1. Scope & who we are

This Privacy Policy describes how AOS Construction Software LLC, a Wyoming limited liability company ("AOS," "we," "us," or "our"), collects, uses, and discloses information when you visit aos.build, use our software-as-a-service platform (the "Service"), or otherwise interact with us. AOS provides a construction operations platform used by AEC firms — including general contractors, subcontractors, residential builders, owners, and architects — and the workers, vendors, and project participants they engage.

This policy applies to:

• Visitors to our marketing website and anyone who fills out a form to contact us.
• Customers — the construction companies that license the Service — and their authorized users.
• End users who interact with the Service through a customer's account, including subcontractors invited to bid and project owners invited to view pay applications, RFIs, and similar artifacts.

For the data our customers process about their own employees, subcontractors, and project owners using the Service, AOS acts as a service provider / data processor. Our customer is the controller and is responsible for the lawful basis of that processing under their own privacy policies and agreements.

2. Information we collect

2.1 Information you provide

• Account information: name, work email, work phone number, job title, company, role, and password.
• Profile information: profile photo, certifications, licenses, and similar data your employer asks you to maintain.
• Contact form / demo requests: name, company, email, phone, role, company size, and any additional details you provide.
• Project content: documents, drawings, RFIs, submittals, change orders, pay applications, photos, daily logs, and other content you or your employer enter into the Service.
• Payment and billing information for our customers (collected through our payment processor; we do not store full card numbers on our systems).

2.2 Information collected automatically

• Device and log data: IP address, browser type and version, operating system, referring URL, pages viewed, time stamps, and similar diagnostic data.
• Usage data: features used, navigation patterns, error reports, and performance metrics.
• Cookies and similar technologies as described in Section 6.

2.3 Information from third parties

• Single sign-on (SSO): if you sign in with Google or Microsoft, we receive your verified email address, name, and a unique identifier from that provider.
• Integrations: when your employer enables an integration with a third-party system — such as an accounting platform, a payment or card-issuing platform, or a project management platform — we receive data from that system as needed to operate the integration.

2.4 Field-collected information

When users submit timesheets, daily logs, or photos through the Service, AOS may collect, with your employer's authorization:

• Geolocation at the time of clock-in and clock-out, used for geofence verification against an active jobsite.
• Photos uploaded to a daily log, including embedded EXIF metadata such as camera, timestamp, and (if enabled on your device) GPS coordinates.
• Crew attestation records — when you confirm hours from your phone for yourself or your crew.

3. How we use information

We use the information described above to:

• Provide, operate, maintain, and improve the Service.
• Authenticate users, prevent fraud, and protect the security of the Service.
• Send transactional communications — account notifications, system alerts, password resets, billing notices, and similar messages required for the operation of the Service.
• Send marketing communications about AOS to customers and prospects who have requested information from us (you may opt out at any time).
• Deliver SMS messages described in Section 4.
• Respond to your support requests and inquiries.
• Comply with legal obligations and enforce our agreements.
• Generate aggregated, de-identified analytics about how the Service is used, which we may share publicly without identifying you.

4. SMS / text messaging policy

4.1 What messages we send

AOS sends SMS messages on behalf of our customers and, in some cases, directly from AOS for account-level events. SMS message types include:

• Account notifications — login alerts, password resets, two-factor codes.
• Operational alerts — schedule slip warnings, change-order SLA risk, forecast-at-completion overrun, missing timesheets, and similar workflow events.
• Field-operations prompts — daily-log reminders, mileage capture requests, certification expiration warnings.
• Pay-application and approval status — when your action is required as a reviewer or approver.

4.2 How you opt in

You only receive SMS messages from AOS if one of the following has occurred:

• You created or were issued an AOS account through your employer, and your employer collected your mobile number with your consent for operational use.
• You provided your mobile number on a contact form or in another opt-in flow on our website that disclosed that we may text you.
• You replied to an AOS message confirming opt-in, or you used an in-app preference to enable SMS.

4.3 How you opt out

You can opt out of non-account-critical SMS at any time by replying STOP to any message from AOS. Reply HELP for help. After replying STOP you will receive one final message confirming the opt-out, and we will cease sending you marketing or operational SMS. We may continue to send transactional security messages required for account access (such as two-factor authentication codes) where you have an active account, and you may revoke that consent only by closing your account.

4.4 Frequency, costs, and carriers

Message frequency varies based on your role and the events your employer has configured. Message and data rates may apply. AOS is not responsible for delays or non-delivery caused by your wireless carrier. SMS support is available across major U.S. wireless carriers; we do not guarantee delivery on every carrier or in every country.

4.5 What we do not do with your mobile number or SMS opt-in

• We do not sell, rent, or lease your mobile phone number to anyone.
• We do not share your mobile phone number or SMS opt-in status with third parties or affiliates for their marketing or promotional purposes.
• We do not include SMS opt-in data, consent records, or originator phone numbers in any data set we license, sell, or transfer to third parties.

Third-party service providers we use to deliver the SMS message itself (notably our messaging provider, Twilio) receive only the data required to deliver the message, and are bound by their own privacy obligations and our agreement with them.

5. How we share information

We share information in the following limited circumstances:

• With your employer (the AOS customer) when you are a user of an account they administer. Your employer can see information you submit through the Service in the course of normal use.
• With service providers who help us operate the Service. Each is contractually bound to use the data only as we direct and to keep it confidential. Categories include:
  • Cloud hosting (Render).
  • Object storage for files and images (Managed object storage).
  • Email delivery (Amazon Simple Email Service / AWS SES).
  • SMS delivery (Twilio).
  • Error monitoring and system performance monitoring.
  • Payment processing for our customer billing.
• With integration partners you authorize — such as accounting platforms, payment and card-issuing platforms, or project management platforms — when your employer enables and configures the integration.
• For legal reasons — to comply with applicable law, valid legal process, or governmental request; to protect the rights, property, or safety of AOS, our users, or others; or to enforce our agreements.
• In a corporate transaction — if AOS is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction subject to standard confidentiality protections.

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.

6. Cookies & analytics

We keep cookies and tracking to a minimum. On our marketing site we use no advertising cookies and no cross-site tracking. Categories of cookies and similar technologies we use:

• Strictly necessary — required for authentication, security, and basic site functionality.
• Functional — remember preferences such as your default project view (stored in your browser).
• Analytics — aggregated, privacy-respecting traffic data via Umami. Umami is a cookieless analytics tool: it sets no cookies, assigns no persistent identifier to you, and does not track you across other websites. We do not run third-party advertising trackers on our marketing site.

How our analytics works

Because our analytics is cookieless and collects no personal data, no cookie-consent banner is required and none is shown. Umami counts page views using anonymized, aggregated signals only. It does not store anything on your device and cannot be used to identify you or follow you from one visit to the next.

What our analytics collects

For each page view, Umami records aggregate, non-identifying information such as the page URL, referrer, approximate country or region (derived from your IP address, which is not stored), device type, browser, and screen size. No IP address, email address, name, or other personally-identifying information is retained, and no advertising or cross-site profile is built. Umami's handling of analytics data is described in the Umami documentation.

Other cookies

You can control cookies through your browser settings. Disabling strictly-necessary cookies will prevent the Service from functioning correctly.

7. Data retention

We retain personal information for as long as your AOS account is active and for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Construction-industry records (project records, pay applications, change orders, daily logs, timesheets, and audit trails) typically must be retained for several years after project close-out under applicable retention rules; we honor our customers' configured retention periods within those limits.

When personal information is no longer needed, we delete or de-identify it on a rolling basis, unless we are legally required to keep it longer.

8. Security

We implement administrative, technical, and physical safeguards designed to protect personal information, including:

• Industry-standard encryption in transit (TLS) for all traffic to and from the Service.
• Encryption at rest for sensitive credentials, including per-customer integration credentials.
• A separate database for every customer.
• Role-based access controls and field-level audit logging.
• Soft-delete with a documented deletion-approval workflow for sensitive operations.
• Single sign-on through Google and Microsoft, with optional dedicated Microsoft Entra setups.

No security measure is perfect. If you believe your account or any AOS-stored data has been compromised, please contact us immediately at security@aos.build.

9. Your rights & choices

Depending on where you live, you may have the right to:

• Access the personal information we hold about you.
• Correct inaccurate personal information.
• Delete personal information, subject to lawful exceptions.
• Port your personal information in a structured, commonly-used format.
• Opt out of marketing communications at any time. Use the unsubscribe link in any marketing email, reply STOP to any SMS message, or contact us directly.
• Object to or restrict certain processing.

To exercise any of these rights, email privacy@aos.build. If you are an end user of the Service through a customer's account, please direct your request to your employer first; we will assist them in fulfilling it. We will respond within the time required by applicable law.

10. Children's privacy

The Service is intended for use by construction professionals and is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such information, please contact us and we will delete it.

11. International users

AOS operates from the United States. If you access the Service from outside the United States, your information will be transferred to, processed, and stored in the United States. By using the Service, you consent to that transfer.

12. U.S. state privacy rights

Residents of certain U.S. states (including California, Virginia, Colorado, Connecticut, Utah, and others as new laws come into effect) have additional rights under their state privacy laws.

12.1 California (CCPA / CPRA)

If you are a California resident, you have the right to know what personal information we collect, the categories of sources, the business purpose, the categories of third parties with whom we share it, and to request deletion or correction. We do not sell personal information and we do not share personal information for cross-context behavioral advertising as those terms are defined under California law. You also have the right not to be discriminated against for exercising your rights.

12.2 Categories of personal information collected

Within the past 12 months, we have collected the following categories of personal information for the business purposes described in Sections 2 and 3:

Category	Collected?
Identifiers (name, email, phone, IP)	Yes
Customer records (signed up under contract)	Yes
Commercial information	Yes
Internet / network activity	Yes
Geolocation (jobsite geofence, with employer authorization)	Yes
Professional / employment information	Yes
Audio / visual (uploaded photos)	Yes
Sensitive personal information (precise geolocation, account credentials)	Yes — used only for the operational purposes described in this policy
Biometric information	No
Inferences for profiling / behavioral advertising	No

12.3 How to submit a state privacy request

Email privacy@aos.build with your name, the state you reside in, and the right you wish to exercise. We will verify your identity (typically by confirming information already on file) and respond within the time required by applicable law. You may designate an authorized agent to submit a request on your behalf; we will require written authorization and verification of identity.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by updating the "Effective date" above and, where appropriate, by sending a notice to your account email or posting a banner on the Service. Your continued use of the Service after the new effective date constitutes acceptance of the updated policy.

14. Contact us

Questions about this Privacy Policy or about how we handle your information:

• Privacy: privacy@aos.build
• Security: security@aos.build
• General: hello@aos.build
• Mailing address: AOS, Wyoming, USA