FieldOS

Security, Privacy & Plain Terms

FieldOS by Anvil Field keeps your field records yours.

This is a working summary, not the binding legal contract. The formal Terms of Service and Privacy Policy govern if documents disagree.

Open Security & Data Delete account Accessibility Export center

You do. Always.

The properties you save, the photos you take, the notes you write, and the packets you generate are your business records. FieldOS is the custodian, not the owner.

Export & backup

Export everything: data backup, CSV, PDF, ZIP, proof packets, photo index, materials, visits, and account records. Export stays available through cloud storage limits, plan changes, cancellation, and refunds.

Local copy

Your local app copy remains under your storage controls. Local data stays until you delete or uninstall; local capture is always free and never expires.

No resale

We do not sell your data, customer addresses, photos, or field records to advertisers, data brokers, or lead resellers.

What we collect and why

Bound camera

Photos are bound to property, job, timestamp, and label before storage. Bound, not loose, so proof stays out of the camera-roll sprawl.

Saved locally

The saved-locally state appears before cloud sync. The local vault and honest sync state mean a dead zone never costs you a record.

Proof and memory

Property cards, visits, before and after photos, notes, materials, voice notes, and proof packets exist for two reasons: proof on dispute day and continuity when a different crew member shows up.

Photo sensitivity

What we do:

Local-first storage, bound records, redaction before share, and explicit packet inclusion.

Local-first by default.

Photos save locally first. Cloud upload is the mirror, not the master.

Blur / redact before share.

Use mask a region for a face, plate, child, keypad, house number, or interior detail before generating the customer-facing packet.

You choose what goes in the packet.

Generating a packet is explicit photo-by-photo selection. Private memory photos can stay out of recipient links.

Special caution — secure facilities, interiors, and minors.

You are responsible for confirming you are allowed to photograph a site, person, vehicle, or interior, and for obtaining consent your work, client agreement, or jurisdiction requires.

Gate/access codes.

FieldOS does not store access codes as authority to enter. Gate codes are encrypted at rest, treated as HIGH-privacy notes, and remain working memory.

Deletion and retention

Delete a photo / job / property:

Deletes from the active local record immediately and queues cloud deletion when sync is available.

Delete your whole account:

Use Delete My Account in Settings, the legacy alias Delete Account & Data, or the public delete-account page. Active share links are revoked. We honor verified cloud deletion requests within 30 days.

Export before you delete:

Prepare a local export first so leaving never destroys your records.

Backups and lag.

A short-lived encrypted backup copy of deleted cloud data may persist for up to 35 days before it rolls off.

Recipients have rights too.

A homeowner or property manager can ask the sender or privacy@anvilfield.com to revoke a share link.

Retention:

Free cloud media follows the Free-tier retention window; Solo and Crew cloud storage is retained while the account is active. Local records remain in app storage until deleted.

Subprocessors

Cloudflare

Cloudflare hosts the app and API, stores synced records, media, and PDFs, keeps sign-in sessions, serves recipient pages, and helps block abuse.

Stripe

Stripe handles FieldOS billing and optional payment-link creation only after you connect billing and check the details. We never see full card numbers.

Square

Square payment-link creation is optional and only uses checked amount/description and packet-link metadata for the sender's own Square account.

Resend

Resend sends transactional email such as account messages, receipts, and packet delivery.

DigitalOcean

DigitalOcean processes cloud AI assist only, and only the exact text you approve before sending.

Cloudflare Workers AI

Cloudflare Workers AI may provide backup cloud-assist processing under the same scope and rules.

No ad networks, analytics resellers, or third-party AI training pipelines are subprocessors at launch. Cloud AI is user-triggered and optional; see the AI policy.

AI - exactly what is sent, kept, and never done

Local AI never transmits anything.

FieldOS intelligence is local by default. Cloud assist is per-request, user-triggered, and optional.

What is sent:

Only the text you review and approve before using cloud assist. No photos, videos, audio, gate/access notes, or customer contact details unless you typed them into that text.

Who processes it:

DigitalOcean is the primary cloud-assist provider. Cloudflare Workers AI may process a backup request under the same rules.

What is recorded:

Usage metadata only: request type, provider and model, timestamp, token counts, check status, and privacy scope. The prompt text and the output text are not stored.

Never trained on:

Your prompts, notes, photos, and field records are never used to train any model.

Check before sending:

AI output lands as an unchecked draft. The app never auto-sends AI-generated text to a customer.

Plain Terms concepts

What FieldOS is.

A personal field record and proof tool. It is not the official record of compliance, licensing, regulatory filing, contract, estimate, invoice, legal agreement, parking authority, towing authority, or permission to enter.

Field aid, not authority.

Packets help show your work. They are evidence you created, not a ruling.

Your responsibilities.

You confirm you are allowed on-site, obtain required consents, meet compliance/safety/recordkeeping obligations, and keep off-app backups of mission-critical records.

Availability.

Field work never depends on our uptime. Capture, save, and packet generation work fully offline.

Liability cap & "as is."

Cloud services are provided as is to the extent the law allows; the formal Terms set the liability cap.

HIGH-privacy notes and recipient view

Sync is consent-based

Gate codes stay local by default until the owner enables team sync. Access and parking notes can remain local-only.

They never appear in share links, recipient views, proof packets, or webhooks

Cloud exports exclude private notes by default; local exports include them only after an explicit include-private-notes toggle.

No account, no profile, no marketing.

Recipients install nothing and sign up for nothing.

No tracking beyond the view receipt.

The only receipt data is view count/time and optional typed signoff name, shown to the sender.

Calculator outputs

FieldOS's calculators and planners are field aids that show their math. A calculator result is assistance you confirm, not advice you owe deference to. FieldOS does not certify code compliance, regulatory compliance, licensing ratios, deposit law, RF legality, or anything else. These boundaries are printed in every export and packet footer.