Privacy Policy
This Privacy Policy describes how Pillar FSM ("Pillar," "we," "us," or "our") collects, uses, stores, and protects your personal information when you use our field service management platform and related services.
Last updated: February 2026
1. Information We Collect
We collect information in the following categories when you create an account, use our platform, or interact with our services.
1.1 Account Information
When you register for Pillar, we collect:
- Full name, email address, and phone number
- Company name, trade type, and business address
- User role (Owner, Dispatcher, Technician, or Customer)
- Password (stored using bcrypt hashing — we never store plaintext passwords)
1.2 Usage Data
When you use the platform, we automatically collect:
- Browser type, operating system, and device information (collected via standard HTTP request headers)
- IP address and approximate location derived from it
- Security-related audit events, including login attempts, role changes, account modifications, and password changes, recorded with actor details, timestamps, and user agent information
We do not use third-party analytics services (such as Google Analytics or similar tracking tools) and do not track pages visited, features used, or session duration.
1.3 Location Data
With your consent, we collect GPS location data from technicians' devices for the following purposes:
- Real-time technician tracking (latitude, longitude, accuracy, heading, and speed)
- GPS-verified clock-in and clock-out for time entries
- Route planning, distance calculations, and drive time estimates
We also geocode business addresses (customer locations, service locations, and company addresses) to support map-based features. This uses the Google Maps geocoding service.
1.4 Payment Information
Payment card details are collected and processed directly by Stripe. We do not store credit card numbers, CVVs, or full card details on our servers. We retain only:
- Payment method identifiers (tokens referencing your Stripe records)
- Card last four digits and card brand (for display purposes only)
- Billing history, invoice records, and payment status
1.5 Communication Data
When communications are sent through the platform, we log:
- Email messages (subject, content, sender, recipient, delivery status)
- SMS messages (content, sender, recipient, delivery status, opt-out compliance)
- Phone call metadata (duration, direction, outcome, recording URL if enabled)
1.6 Files and Documents
Files you upload to the platform — such as job photos, signed contracts, permits, equipment images, and company logos — are stored securely in cloud storage (AWS S3). We retain file metadata including file name, type, size, upload timestamp, and the user who uploaded it.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the service: Managing jobs, scheduling, dispatching, invoicing, customer communication, and all other platform features
- Authentication and security: Verifying your identity, managing sessions, enforcing role-based access controls, and maintaining audit logs
- Billing and payments: Processing your subscription, managing payment methods, and generating invoices
- Communication: Sending appointment reminders, invoice notifications, estimate approvals, and other operational messages
- Analytics and reporting: Generating profitability reports, technician performance metrics, labor variance analysis, and business dashboards
- Improving the platform: Understanding usage patterns to improve features, fix issues, and inform product development
- Compliance: Meeting legal obligations, responding to lawful requests, and maintaining SMS/TCPA compliance records
3. Legal Basis for Processing
We process your personal information under the following legal bases:
- Contract performance: Processing necessary to provide you with the services you have subscribed to
- Legitimate interest: Improving our platform, preventing fraud, and maintaining security
- Consent: Where required, such as for GPS location tracking, marketing communications, and SMS messaging
- Legal obligation: Compliance with applicable laws, regulations, and lawful requests from authorities
4. Information Sharing & Third Parties
We do not sell your personal information. We share data only in the following circumstances:
4.1 Within Your Organization
Pillar is a multi-tenant platform with strict data isolation. Your company's data is only accessible to users within your organization, based on their assigned role. Customer portal users can only see their own data — never internal notes, other customers' information, or administrative interfaces.
4.2 Service Providers
We share information with third-party service providers who process data on our behalf, as described in Section 9. These providers are contractually bound to use your data only for the purposes we specify.
4.3 Legal Requirements
We may disclose your information if required to do so by law, or if we believe in good faith that such disclosure is necessary to comply with a legal obligation, protect our rights or safety, or prevent fraud.
4.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email before your information becomes subject to a different privacy policy.
5. Data Storage & Security
We take the security of your data seriously and implement multiple layers of protection:
- Multi-tenant data isolation: Every database table includes a company identifier. A global tenant interceptor automatically enforces isolation on every request, preventing cross-tenant data access.
- Encryption: Data is encrypted in transit using TLS/HTTPS. Passwords are hashed using bcrypt. Authentication tokens are stored in HttpOnly cookies to prevent client-side script access.
- Role-Based Access Control (RBAC): Every API endpoint is protected by role-based guards. Users can only access data and actions permitted by their assigned role.
- Rate limiting: API requests are rate-limited globally and per-endpoint to prevent abuse. Sensitive endpoints like login and password reset have stricter limits.
- Audit logging: Security-relevant actions (login attempts, role changes, account modifications, password changes) are recorded with actor details, timestamps, IP addresses, and user agent information.
- Input validation: All API inputs are validated and sanitized. HTML content is sanitized to prevent cross-site scripting (XSS) attacks. Unknown request properties are rejected.
- Secure file storage: Uploaded files are stored in AWS S3 with time-limited presigned URLs. Direct file access is never exposed.
6. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you with our services. Specifically:
- Active accounts: Data is retained for the duration of your subscription and active use of the platform.
- After account closure: We retain your data for a reasonable period after account closure to comply with legal obligations, resolve disputes, and enforce our agreements. Certain records (such as financial transactions and audit logs) may be retained longer as required by law.
- Soft deletion: When you delete records within the platform (such as customers, equipment, or time entries), they are soft-deleted — marked as deleted but preserved in the database for data integrity and compliance. You can request permanent deletion by contacting us.
- Communication logs: SMS, email, and call records are retained for the duration of your subscription to support compliance requirements (such as TCPA and A2P 10DLC regulations).
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Right to access: Request a copy of the personal information we hold about you.
- Right to correction: Request that we correct inaccurate or incomplete information. You can update most account information directly through the platform.
- Right to deletion: Request that we delete your personal information, subject to any legal retention requirements.
- Right to data portability: Request a machine-readable copy of your data for transfer to another service.
- Right to restrict processing: Request that we limit how we process your data in certain circumstances.
- Right to withdraw consent: Where processing is based on consent (such as GPS tracking or marketing communications), you may withdraw consent at any time.
- SMS opt-out: Customers can opt out of SMS communications at any time through the customer portal or by responding with standard opt-out keywords. We track opt-out status, method, and date for compliance.
To exercise any of these rights, contact us at admin@pillarfsm.com. We will respond to your request within 30 days.
9. Third-Party Services
We use the following third-party services to operate the platform. Each provider processes data in accordance with their own privacy policy:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing for platform subscriptions and customer payment collection (via Stripe Connect) | Payment card details, billing address, transaction amounts, invoice records |
| Twilio | SMS messaging, voice calls, call recording, and A2P 10DLC compliance | Phone numbers, message content, call metadata, compliance records |
| SendGrid | Transactional email delivery and white-label domain authentication | Email addresses, message content, delivery status |
| Google Maps | Address geocoding, route planning, distance calculations, and map views | Addresses, GPS coordinates, route waypoints |
| AWS S3 | Secure file and document storage (photos, contracts, permits, logos) | Uploaded files and associated metadata |
| Redis | Session caching, rate limiting, and performance optimization | Session tokens, rate limit counters (no personal data stored permanently) |
10. International Data Transfers
Your information may be transferred to and processed in countries other than the country in which you reside. Our third-party service providers (such as AWS, Stripe, and SendGrid) operate data centers in multiple regions. When we transfer data internationally, we ensure appropriate safeguards are in place, including standard contractual clauses and compliance with applicable data protection frameworks.
11. Children's Privacy
Pillar is a business-to-business platform designed for field service companies. Our services are not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at admin@pillarfsm.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make changes:
- We will update the "Last updated" date at the top of this page.
- For material changes that affect how we handle your personal information, we will notify you via email at the address associated with your account.
- Continued use of the platform after changes take effect constitutes acceptance of the updated policy.
We encourage you to review this page periodically to stay informed about how we protect your information.
13. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how we handle your information, you can reach us at:
Pillar FSM
Email: admin@pillarfsm.com
We aim to respond to all privacy-related inquiries within 30 days.