1. Introduction
This Privacy Policy describes how Salora Suite (“Salora,” “we,” “us,” or “our”) collects, uses, discloses, and protects information when you use our web application at app.salorasuite.com, our client portal, our mobile applications, and any related services (collectively, the “Service”). By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.
Salora Suite is a multi-tenant security and operations management platform. Organizations (“Customers”) use Salora to manage their security workforce, scheduling, reporting, communications, compliance, billing, and client relationships. This policy applies to all users of the Service, including organization owners, administrators, dispatchers, security officers (“guards”), and external client portal users.
2. Information We Collect
2.1 Account and Identity Information
- Full name, email address, and password (managed via our authentication provider)
- Profile avatar/photo
- Organization name, role within the organization, and badge number
- Platform role and onboarding status
2.2 Organization and Workforce Information
- Employee and contractor records: compensation rates, licenses, compliance documents (document numbers, expiry dates), availability, time-off requests, and performance data
- Timesheets: hours worked, pay rates, gross pay, bill amounts, approvals, and exceptions
- Shift schedules, handoff notes, and dispatch records
2.3 Location and Device Data
- Real-time GPS coordinates of security officers while on duty, including latitude, longitude, accuracy, altitude, heading, and speed
- Device metadata associated with location data: battery level, charging status, and network type
- Device information for push notifications: device identifier, platform, and push notification token
2.4 Communications
- Messages sent through in-app chat channels, including text content and file attachments
- Support ticket messages and attachments
- AI assistant conversation content, prompts, and responses
2.5 Documents and Signatures
- Files uploaded to the Service, including contracts, reports, compliance documents, receipts, and site documentation
- Electronic signature data: signature image, signer name, signer email, IP address at time of signing, browser user agent at time of signing, and a verification hash
2.6 Client and Portal Information
- Client contact name, email address, and phone number
- Portal account credentials and access tokens
2.7 Site and Operational Data
- Site addresses, geographic coordinates, and boundary definitions
- Site contacts, checkpoints, guard tour data, post orders, and incident reports
- Encrypted vault entries (site-specific sensitive information)
2.8 Billing and Financial Information
We use Stripe to process payments. We store Stripe customer and subscription identifiers. We do not store full credit card numbers on our servers — all payment card data is handled directly by Stripe.
- Invoice records, expense reports, and payroll period data
2.9 Automatically Collected Information
- Cookies: Authentication session cookies (required for login), and a preference cookie to remember your selected client in the portal
- Analytics: Page views, performance metrics, and navigation patterns via Vercel Analytics and Vercel Speed Insights
- Error Monitoring: Error reports and limited session replay data via Sentry (we have disabled default collection of personally identifiable information in our error monitoring configuration; session replays are sampled at a low rate for debugging purposes)
- Browser storage: Temporary session data such as support chat tokens and UI state preferences
2.10 Information from Third-Party Services
- Your public IP address, retrieved from a third-party IP lookup service (ipify), used exclusively to record the signing context of electronic signatures
- Weather data based on geographic coordinates, retrieved from Open-Meteo for display in the client portal
3. How We Use Your Information
We use the information we collect to:
- Provide and operate the Service: Authenticate users, manage multi-tenant access, deliver scheduling, dispatch, reporting, chat, and all core platform features
- Process payments: Manage subscriptions, invoicing, and billing through Stripe
- Enable real-time operations: Track officer locations during active shifts for operational visibility, safety, and accountability
- Facilitate electronic signatures: Record signing context (IP address, user agent, timestamp) to support the legal validity of electronically signed documents
- Deliver AI-powered features: Process your prompts through our AI assistant to generate reports, polish text, and assist with operational tasks
- Send communications: Deliver transactional emails (invitations, password resets, document signing requests, time-off decisions, notifications) and in-app/push notifications based on your preferences
- Provide customer support: Power our in-app support chat and help desk
- Monitor and improve the Service: Analyze usage patterns, diagnose errors, debug issues, and improve performance and reliability
- Ensure security and compliance: Maintain audit logs, enforce access controls, and detect unauthorized access
- Fulfill legal obligations: Comply with applicable laws, respond to legal process, and enforce our terms
4. How We Share Your Information
We do not sell your personal information. We share information only in the following circumstances:
4.1 Within Your Organization
Your organization's administrators and authorized personnel can access your profile, location data, schedules, timesheets, communications, and other operational data as part of the platform's multi-tenant design. Client portal users can view reports, documents, and operational data scoped to their assigned sites.
4.2 Service Providers (Sub-processors)
We use the following third-party service providers to operate the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database hosting, authentication, file storage, real-time features | All Service data (encrypted at rest and in transit) |
| Stripe | Payment processing | Billing contact info, subscription data, payment method tokens |
| OpenAI | AI assistant features | Conversation prompts and context necessary to generate responses |
| Mailgun | Transactional email delivery | Recipient email addresses, email content |
| Sentry | Error monitoring and debugging | Error stack traces, limited session replay data, device/browser metadata |
| Vercel | Application hosting, analytics, performance monitoring | Page view data, performance metrics, server logs |
| Intercom | In-app customer support | User name, email, and support conversation content |
| Mapbox | Map rendering | Geographic coordinates for map display |
| Google Places API | Address autocomplete | Partial address queries entered during site creation |
| Expo | Push notification delivery | Push tokens and notification payloads |
| Open-Meteo | Weather data | Geographic coordinates (latitude/longitude) |
| ipify | IP address lookup | Network request (returns your public IP) |
Each provider processes data in accordance with their own privacy policies and our data processing agreements.
4.3 Legal Requirements
We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Salora, our users, or others.
4.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify affected users of any change in ownership or control.
5. Data Retention
- Account data is retained for the duration of your account's existence and for a reasonable period thereafter to fulfill legal and operational obligations.
- Location data is retained for operational and compliance purposes as determined by your organization's policies.
- Audit logs and activity records are retained to support security investigations, compliance requirements, and dispute resolution.
- Electronic signature records (including IP address and user agent) are retained for the legally required period to support the enforceability of signed documents.
- AI conversation data is retained to provide conversation history and for usage accounting purposes.
- Deleted files are queued for permanent removal from storage through an automated background process.
Organizations may configure their own data retention preferences within the platform where applicable. Upon account deletion or request, we will delete or anonymize personal data except where retention is required by law.
6. Data Security
We implement industry-standard security measures to protect your information:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS/HTTPS
- Encryption at rest: Database and file storage are encrypted at rest through our infrastructure providers
- Row-Level Security (RLS): Database access is enforced at the row level, ensuring users can only access data belonging to their organization and role
- Role-based access control: The platform enforces a strict permission hierarchy (owner > admin > dispatcher > guard) with granular permissions per feature
- Vault encryption: Sensitive site-specific data stored in the vault is encrypted with organization-scoped keys
- Audit logging: Access to sensitive data (vault entries, documents, permissions changes) is logged for accountability
- Authentication security: Passwords are hashed and managed by our authentication provider; session tokens are stored in secure, HTTP-only cookies
Despite our efforts, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
7. Your Rights and Choices
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data, subject to legal retention requirements
- Data Portability: Request your data in a structured, machine-readable format
- Restriction: Request that we restrict processing of your data in certain circumstances
- Objection: Object to processing of your data for certain purposes
- Withdraw Consent: Where processing is based on consent, withdraw that consent at any time
- Notification Preferences: You can manage your email and push notification preferences within the Service
To exercise any of these rights, please contact us at the address provided in Section 12. We will respond within the timeframe required by applicable law.
Note for organization-managed accounts: If your account is managed by an organization (your employer or client), please direct your data rights requests to your organization administrator first. The organization acts as the data controller for operational data processed through their tenant.
8. Cookies and Tracking Technologies
We use the following cookies and similar technologies:
| Cookie / Technology | Type | Purpose | Duration |
|---|---|---|---|
| Supabase session cookies | Strictly Necessary | Maintain your authenticated session | Session-based |
| portal_active_client | Functional | Remember your selected client in the portal | 1 year |
| Vercel Analytics | Analytics | Aggregate page view and performance metrics | Session-based |
| Vercel Speed Insights | Performance | Measure page load and interaction performance | Session-based |
| Sentry | Error Monitoring | Capture errors and sampled session replays for debugging | Session-based |
| Intercom | Support | Enable in-app support chat | Managed by Intercom |
We use sessionStorage (cleared when the browser tab closes) for temporary UI state such as support chat tokens and first-visit indicators. We do not use advertising or cross-site tracking cookies.
9. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 16, we will take steps to delete it promptly. If you believe a child has provided us with personal information, please contact us.
10. International Data Transfers
Our Service is hosted in the United States using cloud infrastructure providers (Vercel and Supabase). If you are accessing the Service from outside the United States, your data will be transferred to and processed in the United States. We rely on our service providers' compliance frameworks (including Standard Contractual Clauses where applicable) to ensure adequate data protection for international transfers.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last Updated” date at the top of this page and, where appropriate, notify you through the Service or via email. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about our data practices, please contact us at:
Salora Suite
Email: support@salorasuite.com
Website: https://salorasuite.com