FieldLedger
Draft pending legal review. This page is a working draft. The final version reviewed by counsel will be published before general availability. Contact [email protected] with questions.

Privacy Policy

Last updated: April 24, 2026

This Privacy Policy describes how Startvest LLC, an SDVOSB doing business as FieldLedger (“FieldLedger,” “we”), collects, uses, and shares personal information in connection with the FieldLedger service.

1. Information We Collect

Account information

When you create an account: name, email address, company name, and authentication credentials (handled by Microsoft Entra External ID). Optional federal identity fields: UEI, CAGE code, NAICS codes, set-aside certifications.

Payment information

Stripe processes payment methods and billing. We never store full card numbers; we retain only the last 4 digits, card brand, expiration, and Stripe customer/subscription identifiers.

Customer Data

Data you upload to operate your business in the Service — timesheets, contracts, employee records, equipment usage, rate calculations. You are the controller of this data; we are the processor. See our Data Processing Agreement.

Usage and device information

Pages visited, features used, IP address, browser/OS, session timestamps. Used for security, debugging, and product improvement.

2. Legal Bases (GDPR-aligned)

  • Contract performance — to deliver the Service you subscribed to;
  • Legitimate interest — security monitoring, fraud prevention, product analytics;
  • Legal obligation — responding to lawful requests, retaining DCAA audit records;
  • Consent — optional marketing communications (you may withdraw at any time).

3. How We Use Information

  • Provide, operate, and improve the Service;
  • Process payments and manage subscriptions;
  • Send transactional emails (approvals, invoice notifications, billing);
  • Secure the Service and investigate incidents;
  • Comply with legal obligations and DCAA audit retention.

We do not sell personal information. We do not use Customer Data to train machine learning models that benefit other customers.

4. Subprocessors

We rely on the following subprocessors to deliver the Service. The current list is maintained in our DPA.

  • Microsoft Entra External ID — authentication and session management. Data: email, name, and the Entra user object identifier.
  • Stripe — payment processing. Data: billing details, payment method metadata.
  • Microsoft Azure (US regions) — hosting, database, and file storage. Data: Customer Data at rest and in transit.
  • Intuit QuickBooks Online — accounting integration (optional, with your authorization). Data: chart of accounts, employees, and approved cost exports you choose to sync.
  • Samsara / other telematics — GPS and equipment data import (optional). Data: vehicle and equipment telemetry.

5. Data Retention

  • Active account data — retained while your subscription is active.
  • Audit logs — retained for 7 years after account closure per FAR 52.215-2 and DCAA retention standards.
  • Operational copies — deleted within 30 days of account closure, except audit logs.
  • Backups — purged within 90 days after the deletion of operational copies.

6. Data Location

All Customer Data is stored in US Azure regions. We do not transfer Customer Data outside the United States.

7. Your Rights

You may request access to, correction of, or deletion of your personal information by emailing [email protected]. California residents and EU/UK residents have additional rights under CCPA/CPRA and GDPR/UK GDPR respectively. Deletion requests cannot remove audit logs required for federal retention obligations.

8. Security

We encrypt data in transit (TLS 1.2+) and at rest (AES-256). Access to Customer Data is restricted to personnel with a documented business need. We log and review administrative access. See our DPA for security measures in detail.

9. Children

The Service is not directed to individuals under 16. We do not knowingly collect data from children.

10. Changes

Material changes will be announced at least 30 days before taking effect. The “Last updated” date above reflects the most recent revision.

11. Contact

Privacy questions: [email protected].

12. Trust commitments

FieldLedger is operated by Startvest LLC under the Startvest Trust Principles. Our integrity practices are documented and forkable. Suspected breaches can be reported to [email protected].