Privacy Policy

1. Who we are

Free Time Platform is a software service operated by Leg Day Development LLC, a Delaware limited liability company with its principal place of business in Charlotte, North Carolina. When we say "we," "us," or "our" in this policy, we mean Leg Day Development LLC. When we say "the Service," we mean the Free Time Platform website, mobile applications, and related services.

2. How the relationship works

Free Time Platform is sold to construction companies (we call them "Customers") who use it to manage their projects, employees, and operations. If you are an employee, contractor, or guest accessing the platform, your employer is our Customer — they decide what data goes into the platform, who has access, and what permissions you have.

This means:

• If you have questions about the data your employer has stored about you, ask your employer first.
• We treat your employer as the data controller for the information they put into the platform.
• If you stop working for that employer, your employer is responsible for removing or transferring your data within the platform.

3. What we collect

Information your employer provides about you

• Your name, work email, and job title
• Your role and permissions within the platform
• Optional: phone number, employee number, hire date, pay rate, and other employment details your employer chooses to record

Information you create using the platform

• Project records, daily progress entries, timesheets, and reports you author
• Documents, drawings, and photos you upload — including jobsite photos taken from your mobile device
• Messages you send through the in-app messaging feature
• Comments, signatures, and approvals you add to records

Information collected automatically

• Authentication data: when you sign in, we record the date, time, and source of the sign-in so we can detect unauthorized access.
• Usage data: we log which pages you visit and which actions you take within the platform, so we can investigate issues and improve the product.
• Device data: we collect basic information about the device you use to access the platform (operating system, browser or mobile app version) for compatibility and troubleshooting.
• Crash reports: if the application crashes, we collect anonymized error information through Sentry (see Section 6). We do not collect screen contents in crash reports, and we mask personal information when crash data is sent.
• Location: we do not track your phone's location. We do, however, store the jobsite coordinates your employer enters for each project — these are used to fetch local weather for daily reports.

4. Why we collect it

We use your information for the following purposes:

• To deliver the Service. Account information lets you sign in. Project data is what the Service is built around.
• To keep the Service secure. Authentication and usage logs help us detect unauthorized access and investigate security incidents.
• To support you and your employer. When you contact us for help, we may look at your account to understand the issue.
• To improve the product. We use aggregated, non-identifying usage information to understand which features matter most.
• To meet legal obligations. If a court order, subpoena, or law requires us to disclose information, we will comply — and where legally permitted, we will notify your employer first.

We do not use your information to show advertising, build advertising profiles, or sell to third parties. We do not train artificial intelligence or machine learning models on your data.

5. How we secure your information

• All data in transit is encrypted using TLS 1.2 or higher.
• All data at rest is encrypted using AES-256.
• Database credentials and other secrets are stored in a managed secrets service with strict access controls and audit logging.
• Access to production systems is gated by multi-factor authentication, and every access is logged.
• All user accounts on the platform are protected by multi-factor authentication (TOTP), which is required at sign-up and cannot be disabled.
• We are working toward SOC 2 Type 1 attestation within nine months of our first paying customer, and Type 2 within eighteen months.

6. Service providers we use

To operate the Service, we share information with a limited set of carefully selected service providers. Each is contractually obligated to protect your information and use it only to deliver services to us.

• Amazon Web Services (AWS): hosts the Service infrastructure (compute, storage, database, authentication). AWS is bound by a data processing agreement and provides the underlying physical security and compliance certifications.
• Sentry: receives anonymized error reports when the application crashes, so we can fix bugs. Sentry is configured to mask personal information in error reports and does not have access to your project data.
• Open-Meteo: receives a project's geographic coordinates (provided by your employer when creating a project) to return local weather. Open-Meteo does not receive any user-identifying information.
• BetterStack: hosts our public status page and receives only the same health-check data we make public to anyone.
• Email delivery (AWS SES): sends transactional emails like sign-in invitations and password resets. Recipient email addresses are processed only for delivery purposes.

We do not share your information with any other third parties for marketing, analytics, advertising, or any other purpose.

7. How long we keep your information

Your employer decides how long their data lives in the platform. While your employer is an active Customer, we keep the data they entrust to us.

When your employer's relationship with us ends, we keep their data in read-only form for ninety (90) days so they can export anything they want to keep. After that, we delete or anonymize the data within thirty (30) days, except where a law requires us to retain it longer (for example, accounting records).

System logs (sign-ins, audit trail) are retained for up to twelve (12) months and then deleted on a rolling basis.

Backups are retained for up to thirty-five (35) days for disaster recovery, then automatically purged.

8. Your rights

Depending on where you live, you may have legal rights regarding your personal information. These include:

• The right to know what information we hold about you
• The right to ask us to correct inaccurate information
• The right to ask us to delete your information, subject to legal retention requirements
• The right to ask us to limit how we process your information
• The right to take a copy of your information in a portable format
• The right not to be discriminated against for exercising any of these rights

How to exercise these rights: First, ask your employer — they are the data controller and can usually address your request within the platform itself. If your employer cannot help, contact us directly at the address below and we will work with your employer to respond within thirty (30) days.

We will not sell your personal information. We have never sold personal information in the past twelve (12) months.

9. Children's privacy

Free Time Platform is a workplace tool for adults. We do not knowingly collect personal information from anyone under the age of sixteen. If you believe a child has provided personal information through the Service, please contact us and we will delete it promptly.

10. International users

Free Time Platform is operated from the United States, and all infrastructure is hosted in the United States (specifically, AWS's us-east-1 region in Northern Virginia). If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

We do not currently offer service-region selection. If you are a Customer with a regulatory requirement to host data in a specific region, contact us.

11. Changes to this policy

We will post the most current version of this policy on this page, with the "Last updated" date at the top. If we make a material change — meaning a change that meaningfully alters how we collect, use, or share your information — we will notify Customers (the construction companies that use the Service) at least thirty (30) days before the change takes effect. Continued use of the Service after the effective date means you accept the updated policy.

12. Contact us

We aim to respond to all privacy inquiries within five (5) business days.