Privacy Policy

Sovelus, Inc. (“Sovelus,” “we,” “us,” or “our”) operates the software-as-a-service currently branded “Job Shack” (the “Service”). This Privacy Policy describes how we collect, use, disclose, and protect information when you use the Service, and explains your privacy rights.

Definitions

“Sovelus” means Sovelus, Inc., a Washington corporation, together with its affiliates.

“Job Shack” means Sovelus’s hosted software-as-a-service product currently branded “Job Shack,” including related websites, admin consoles, APIs, documentation, and optional Mobile App Shells.

“Service” has the same meaning as “Job Shack.” References to the “Service” include any rebranded or successor versions provided by Sovelus.

1. Who We Are

Sovelus, 9321 NE 72ND AVE B6, Vancouver, WA 98665.
Contact: support@sovelus.com.

2. Scope

This Policy applies to the Service and any related websites, Mobile App Shells, and Local Tools (if any) that Sovelus provides.

Roles (Controller/Processor).
For Client Content (e.g., timecards, job data, employee records uploaded or synced by a customer), the customer (the “Client”) is the data controller and Sovelus is the data processor. For Service Data that Sovelus collects to operate the Service (e.g., account profile, billing contacts, security and diagnostic logs), Sovelus is the controller.

3. Information We Collect

• Account/Identity Data: name, email, phone, company, role, and similar identifiers.
  
  

• Usage/Device Data: IP address, device/browser type, pages viewed, timestamps, diagnostic logs.
  
  

• Business Data (Client Content): data you or your Authorized Users submit or sync (e.g., jobs, employees, cost codes), including data sourced from third‑party integrations (e.g., Intuit/QuickBooks, Sage).
  
  

• Cookies/Tracking: cookies and similar technologies to operate, secure, and improve the Service.
  
  

• Payments (processed by Stripe). Payment information is submitted directly to Stripe. Sovelus receives only limited billing metadata (e.g., invoice IDs, transaction status, tokenized references) and does not collect or store full payment card numbers or bank account numbers.

4. How We Use Information

To provide, operate, secure, and improve the Service; manage accounts and authentication; enable integrations; provide support; analyze performance; and communicate about updates or relevant offerings. We may send product and transactional communications related to your use of the Service; you can opt out of marketing emails at any time using the unsubscribe link in those emails (product and transactional messages may still be sent).

5. AI Features (If Enabled)

If you enable optional AI-assisted modules, the Service may use retrieval-augmented generation (“RAG”) techniques to improve search, Q&A, and similar features.

• Embeddings and Retrieval. The Service may create vector embeddings of selected Client Content and store them in a tenant-segregated index to improve relevance and performance. Embeddings are treated as Client Content and scoped to your tenant; no cross-tenant mixing occurs.
  
  

• Snippets and Prompts. To generate responses, the Service may send user prompts and minimal context snippets derived from Client Content to AI model providers solely to process the specific request. We use data-minimization (e.g., truncation, chunking, and context filtering) designed to avoid unnecessary disclosure of Client Content.
  
  

• No Model Training on Client Content. Sovelus does not permit third-party AI model providers to use Client Content (including snippets, prompts, or embeddings) to train or improve their foundation models. Providers engaged by Sovelus act as subprocessors and are contractually restricted to use such data only to deliver the requested inference, with time-bounded retention for operations and safety, and no training use.
  
  

• Security. Client Content, prompts, snippets, and embeddings are encrypted in transit and at rest, and access is restricted to authorized personnel and systems. We apply safeguards designed to prevent cross-tenant access and reduce exposure of sensitive information.
  
  

• Your Responsibilities. AI outputs may be inaccurate or incomplete. You are responsible for review and for not submitting regulated or highly sensitive data to AI features unless your policies and applicable law permit it.
  
  

• Configuration and Deletion. If you disable AI modules, new prompts and snippets will not be sent to AI providers. Embeddings and indices are treated as Client Content for retention and deletion under Section 8.

6. Legal Bases (EEA/UK)

We rely on performance of a contract, legitimate interests (e.g., securing and improving the Service), compliance with legal obligations, and consent where required.

7. Sharing of Information

With service providers (hosting, support, analytics, communications, payment); with integration partners as you configure; within our corporate group; for business transfers; to comply with law; and with your consent. We do not sell personal information.

Payments:
Payments are processed directly by our payment service provider (e.g., Stripe) using their hosted pages/SDKs. When you enter payment information, you provide it directly to Stripe; Sovelus does not receive or store full payment card numbers or bank account details. Stripe may send Sovelus limited billing metadata (e.g., invoice IDs, transaction status, tokenized references) so we can administer subscriptions and receipts. Stripe maintains PCI-DSS compliant controls.

The Service does not respond to “Do Not Track” signals. You can manage cookies via your browser settings.

8. Data Retention

• We retain personal data for as long as necessary to provide the Service and for other legitimate and lawful purposes (including security, fraud prevention, recordkeeping, accounting, and legal compliance). For Client Content, access is available only while the subscription is active. If a subscription lapses or is canceled, the account may be re-activated for up to six (6) months; after that period, we may permanently delete some or all data without further notice. If a tenant/company is deleted by the Client, the data will be rendered unavailable through the Service immediately and we are not obligated to maintain, provide, or restore that data.
  
  

• We may retain limited residual copies of information for a time-bounded period in systems maintained for business continuity, security, and legal compliance. Such copies are not ordinarily accessible and are purged in the ordinary course. We may also retain information as required to comply with applicable law, enforce agreements, or resolve disputes.
  
  

• We do not provide custom data-archival services or extended retention arrangements.
  
  

• Payments and Billing Records. Sovelus retains only limited billing metadata received from Stripe (e.g., invoices, transaction status, tokenized references) for accounting, tax, fraud prevention, and compliance for periods required by law. Full payment card and bank details are handled by Stripe and are not stored by Sovelus.
  
  

• Service Data. Account profile details, subscription and billing metadata, support communications, security and diagnostic logs.
  
  

• Note on rights requests. For Client Content (controlled by the Client), requests should be directed to the Client; we will act only on the Client’s documented instructions or where legally required. For Service Data we control (e.g., account/billing info), contact support@sovelus.com.

9. International Transfers

• The Service is currently intended for use in the United States. We process personal data in the United States. If you access the Service from outside the United States, you do so at your own initiative and consent to the transfer and processing of your information in the United States, which may have different data-protection laws than your jurisdiction.
  
  

• If we expand availability to other regions in the future, we will implement appropriate transfer mechanisms and regional terms as required by applicable law (for example, the EU/UK Standard Contractual Clauses (SCCs) or other approved safeguards), and we will update this Privacy Policy accordingly.
  
  

• Our service providers (e.g., cloud hosting, payment processing, support tooling) may process limited information on our behalf. We require them to handle personal data in accordance with our instructions and applicable law.
  
  

• Sovelus may decline or limit access from specific locations to comply with law or manage risk.

10. Security

We use administrative, technical, and physical safeguards appropriate to the nature of the data and the Service, and we maintain security logging and monitoring designed to detect and investigate anomalous activity. No method of transmission or storage is completely secure.

11. Your Rights

Your rights depend on your location and who controls the data.

• Client Content (we act as processor). If you submit a request (e.g., access, correction, deletion, portability, objection, restriction) regarding Client Content, we will refer your request to the relevant Client (your employer or service provider) because they control that data. We will act on the Client’s documented instructions or where we are legally required to do so.
  
  

• Service Data (we act as controller). For requests about Service Data that Sovelus controls (e.g., your Sovelus account profile, billing contact, or security logs we control), contact support@sovelus.com. We will verify and respond as required by law.
  
  

• Limits. We (and/or the Client) may retain certain data where necessary to comply with legal obligations, to establish, exercise, or defend legal claims, for security and fraud prevention, or to maintain business records required by law. We may decline or charge a reasonable fee for manifestly unfounded or excessive requests, as permitted by law.

12. California Notice (CCPA/CPRA)

We provide the disclosures and honor rights required under California law, including the rights to know, delete, correct, and limit use of sensitive personal information. We do not sell or share personal information (as “sale” and “share” are defined under the CPRA) and we do not use personal information for cross-context behavioral advertising. Sensitive personal information is used only for permitted purposes (e.g., security, service operation, or as you direct).

13. Children and Minimum Age

The Service is intended for business use by individuals 18 years of age or older who are authorized by the Client. Sovelus does not knowingly collect personal data from children under 13. Responsibility for any access by minors rests with the Client.

14. Cookies and Preferences

You can control cookies via browser settings. Some cookies are essential for the Service to function.

15. Third‑Party Sites and Integrations

The Service may link to or integrate with third‑party sites/services. Their privacy practices are governed by their own policies.

16. Data Processing Addendum (DPA)

For customers that require a DPA (e.g., under GDPR), Sovelus will make a DPA, including applicable transfer mechanisms, available upon request.

17. Changes to this Policy

We may update this Policy. If changes are material, we will provide a prominent notice or request consent where required. The “Last updated” date shows the latest version.

18. Contact

Questions or requests: support@sovelus.com
Mail: Sovelus, 9321 NE 72ND AVE B6, Vancouver, WA 98665.