Simply Polished — Privacy Policy
Who we are
This Privacy Policy describes how Simply Polished Cleaning Co. ("Simply Polished", "we", "us") collects, uses, shares, and protects personal information when you use our cleaning services, our website, or our mobile app.
Business name: Simply Polished Cleaning Co.
Service area: Greenwood, Indiana and surrounding communities (approximately fifteen (15) miles).
Contact (privacy inquiries): privacy@frameworkdynamics.cloud
Mail (postal): Framework Dynamics LLC, P.O. Box (operator-managed), Indianapolis, IN 46201, United States.
The website and (when launched) mobile app are operated on our behalf by Framework Dynamics LLC under a services agreement. Framework Dynamics acts as a data processor for us, follows our written instructions, and does not use customer data for its own purposes. Privacy and rights-exercise inquiries are routed through Framework Dynamics for operational continuity.
What this policy covers
- Our website at simplypolished.app.frameworkdynamics.io (and any future canonical domain we publish).
- Our mobile app on Google Play and the Apple App Store, when launched.
- Cleaning services we perform at your home or business.
- Communications we exchange with you by SMS, email, or phone.
For what data the mobile app specifically collects (by store category), see our Data Safety Declaration at /legal/data-safety once the mobile app is published.
What we collect
We collect only the information we need to run the service. Specific categories:
Information you give us
- Contact information. Your name, email address, phone number, service address, optional preferred display name.
- Service preferences. Cleaning cadence, product preferences, allergies or sensitivities, pet information, notes on "rooms not to enter", access instructions (lockbox codes, hidden-key location, gate codes, alarm disarm steps).
- Photos. Before-and-after photos of rooms we clean, with your consent. You choose the photo-consent scope at account setup and may change or revoke it at any time.
- Reviews, notes, and messages. Reviews you post, notes you send us, replies to our SMS, and support-contact messages.
- Help-center feedback. When you submit thumbs-up/down or a comment on a knowledge-base article (/kb/[slug]), we record the vote, your optional comment, and an anonymized form of your IP address (last octet zeroed for IPv4; last 5 segments zeroed for IPv6). Comments pass through a PII-scrubber before storage that masks detected emails and phone numbers; the comment is then reviewed for spam and off-topic content before being shown publicly. Off-topic or spam comments are kept in our records for audit purposes per our retention schedule but are not displayed. You can request deletion of your feedback via the account-data-rights flow at /account or by contacting Kaitlyn directly.
- Payment information. Payment card data is collected and processed by Stripe, Inc. and never transmitted to or stored on our servers. We only see non-sensitive payment metadata (last 4 digits, card brand, receipt URL, Stripe customer ID).
- Employee-applicant information (only if you are applying for or hired for a position with Kaitlyn, not for customers). Subject to a separate employee privacy notice.
Information collected automatically
- App activity. Which screens you open, which actions you take, how long sessions last. This is used to fix bugs and improve the app, not to build an advertising profile.
- Device and diagnostic information. Device type, OS version, app version, crash stacks, build manifest (commit SHA, version). Used for crash reporting and debugging. A built-in PII sanitizer removes names, addresses, and other personal fields before crash reports are sent.
- Location.
  - Approximate location — used to check whether your address is in our service area.
  - Precise location (mobile, employees only) — used for geofenced clock-in at a job site. We do not track employee location outside of an active clock-in session.
  - Precise location (mobile, owner only, opt-in) — used for mileage tracking when a job is active.
  - Clients never send precise location to us through the app.
- Cookies and similar technologies (web). We use strictly-necessary cookies for authentication and session management, and a minimal analytics cookie that you can opt out of via our cookie banner.
Information we receive from other sources
- Referrals. If another client refers you, we record that attribution so we can credit the referral.
- Payment and identity-verification providers. Stripe may tell us whether a card is valid and return a receipt identifier.
- Google and Apple sign-in. If you sign in with Google or Apple, we receive your name, email, and a unique provider ID — only what we need to authenticate you.
How we use your information
We use your information only to:
- Deliver the cleaning services you request.
- Schedule, confirm, and remind you about visits.
- Produce and deliver invoices and process payments.
- Communicate with you about your account, your bookings, and our service (transactional communication).
- Improve the app, fix bugs, and prevent fraud or abuse.
- Send you optional marketing communications (with your explicit opt-in).
- Comply with legal obligations (tax records, TCPA SMS-consent audit trail, worker-safety incident recordkeeping).
We do not:
- Sell your personal information to advertisers or data brokers.
- Share your personal information for cross-company advertising or profiling.
- Use automated decision-making to decline service based on protected characteristics.
Legal bases (for residents of the EEA, UK, and similar jurisdictions)
Where GDPR or equivalent law applies, we rely on the following lawful bases:
- Performance of a contract — to deliver services you have booked.
- Legitimate interest — app reliability, abuse prevention, defending our rights.
- Consent — marketing SMS, marketing email, photo use beyond "Internal Only" scope, optional analytics.
- Legal obligation — tax records, TCPA-consent audit trail.
You can withdraw consent at any time; withdrawal does not affect the lawfulness of processing before the withdrawal.
Who we share with
We share personal information only with:
- Service providers acting under contract on our behalf (sub-processors):
  - Framework Dynamics LLC — software hosting, operations, and customer support.
  - Supabase, Inc. — Postgres database, authentication, and private object storage (photos, receipts). SOC 2 Type II.
  - Vercel, Inc. — Next.js application hosting and edge content delivery. SOC 2 Type II.
  - Stripe, Inc. — payments.
  - Twilio, Inc. — SMS delivery.
  - Google LLC — Maps + Places (address autocomplete), Calendar (operator-side OAuth for two-way booking sync), and Sign in with Google (federated authentication on the web sign-in page when you choose "Continue with Google"; we receive your Google account's email address, display name, and Google account ID, which we use solely to authenticate you against your existing Simply Polished account; we do not request Calendar, Drive, Gmail, or any other Google data scope for authentication). You can revoke this access at any time at https://myaccount.google.com/permissions. Google Maps Platform — failover geocoding + static maps: when our primary mapping provider (Mapbox) is unhealthy, the operator-side maps stack (owner / admin / employee surfaces only) automatically fails over to Google Maps Platform's Geocoding, Static Maps, and Distance Matrix APIs. Public visitor addresses (anonymous quote submissions, the landing-page service-area map) NEVER reach Google Maps Platform — they stay on Mapbox or fall through to a placeholder. Per Google Maps Platform Terms §3.2.5, latitude/longitude returned by Google Geocoding may not be cached longer than thirty (30) days; we run a daily staleness sweep at 05:15 Indianapolis-time that re-geocodes every Google-sourced address past that window. The operator can pin or unpin Google failover at /admin/maps. Mobile-only Google services (Firebase Cloud Messaging for push notifications, Firebase Crashlytics for crash reporting, Play Integrity for anti-abuse) are not active today and only become active when our mobile app launches; we will update this policy and the Data Safety Declaration before that happens.
  - Mapbox, Inc. — static-map thumbnails (booking + schedule surfaces), geocoding of service addresses (forward + reverse, used as the fallback when the Census Geocoder doesn't return a match), and interactive maps inside the owner portal. Addresses are sent to Mapbox only when an operator or client renders a map that references them; raw coordinates are cached on our side after the first lookup.
  - United States Census Bureau (US federal government, geocoding.geo.census.gov) — primary forward-geocoder for converting US service addresses into latitude/longitude. The Census Bureau's geocoding API is published under a Public Domain license and is operated by the federal government; it is not a third-party data processor in the GDPR sense, and we disclose it here for transparency. Addresses are sent to Census only when an operator triggers a map render or address-save event. Raw coordinates are cached on our side after the first lookup.
  - Apple Inc. — App Attest (owner-mode anti-abuse), Sign in with Apple.
  - Functional Software, Inc. (Sentry) — non-crash error reporting.
  - Intuit, Inc. (QuickBooks Online) — accounting sync (Phase 9, when enabled).
  - OpenAI, OpenAI Ireland Limited (or Voyage AI Inc., or Google LLC for the Generative Language API — depending on which provider Framework Dynamics has provisioned at any given time) — embedding generation for the Knowledge Base hybrid search (web app's /kb help center). When you type a query into the help-center search, the text of that query is sent to the chosen provider for AI-powered semantic matching. Queries are scrubbed of email addresses, phone numbers, and long digit runs before transit. The provider retains the request for ≤30 days for abuse monitoring per their standard data-processing agreement; no model training. The Knowledge Base falls back to keyword-only search when the AI provider is unavailable. Operators can disable the AI tier on request.
- Other clients only in the limited case of shared-address relationships (landlord and tenant at the same address), and only the address itself, not your personal profile.
- Law enforcement or regulators when legally required.
- A successor business in the event Simply Polished or Framework Dynamics is sold or reorganized; in that case we will notify you in advance where practical.
We do not otherwise share personal information with third parties.
International data transfers
Our service providers may process information in jurisdictions other than yours (for example, in the United States). Where required, we rely on standard contractual clauses or equivalent safeguards. Contact us at the email above for a copy of applicable transfer mechanisms.
How long we keep your information
We retain information only as long as we need it. Specific windows, mirrored from our runtime configuration:
| Category | Retention |
|---|---|
| Application + security logs | 90 days |
| SMS consent + delivery logs | 365 days (TCPA audit) |
| Employee tax and identity documents | 7 years (IRS + I-9 requirements) |
| Booking and invoice history | While your account is active plus 7 years (tax) |
| Photos | Per your consent scope; immediately unpublished on revocation; see §Photo retention below |
| Crash and diagnostic logs | 90 days |
| Outbound message bodies (drafts + sent copies) | 7 days for un-approved drafts; 30 days post-send for approved + delivered messages; see §Outbound communications retention below |
Records subject to legal retention are quarantined on account deletion and deleted at the end of their retention period.
Outbound communications retention
Every email and SMS we send to you (booking confirmations, 24-hour reminders, invoice notifications, payment receipts, post-visit review requests, reschedule decisions, quote auto-replies, and any operator-composed message) flows through an internal review queue before delivery. The queue stores the rendered message — subject line, plaintext body, HTML body for email, and recipient address — alongside the audit-trail metadata.
Two retention windows apply to that stored copy:
- Un-approved drafts that the operator has not approved or cancelled within seven (7) days are automatically deleted by a nightly retention sweep. The audit row indicating that a draft existed is preserved in our security log under the same 90-day window as other application logs.
- Approved + delivered messages keep the rendered copy for thirty (30) days after the actual send so the operator can verify what was sent if a delivery dispute arises. After that window, the recipient address and message body are redacted by the same nightly sweep; the audit-trail metadata (template name, status, timing) remains in the security-log retention window for compliance review.
Account-deletion requests trigger an immediate redaction of every Outbound-message row tied to the deleting user's identity (recipient email, recipient phone, subject, body, failure reason). The audit shape (template name, timing, status) survives so the security log remains queryable, but the personal data is erased on the same nightly sweep that handles the rest of the deletion.
Photo retention
Photos have per-category minimum retention floors driven by legal record-keeping obligations. Soft-deleted photos (yours or ours) enter a 30-day operator grace window before hard deletion unless a legal floor applies:
| Photo category | Retention floor | Driver |
|---|---|---|
| Quote intake photos | 1 year | Quote-to-conversion recordkeeping |
| Booking before / after photos | 1 year | Seasonal dispute window |
| Walkthrough photos | 2 years | Service-history reference |
| Damage-evidence photos | 5 years | OSHA 29 CFR 1904 records-retention |
| Receipt / expense photos | 7 years | IRS records-retention for Schedule C |
At upload we automatically strip camera metadata (including GPS, capture time, and device identifiers) from the image itself before we persist it; only the upload timestamp and your rights-attestation timestamp are retained alongside the image. You can request deletion of any photo you uploaded through the in-app controls or by contacting us; photos are deleted at the end of the applicable retention floor, and the underlying object-storage bytes are removed on the same schedule. Photos you mark for deletion before the floor expires are quarantined (not visible in the app, not displayed) and hard-deleted at the floor.
Your rights
Depending on your jurisdiction, you may have the rights below. You can exercise any right by emailing privacy@frameworkdynamics.cloud or using the in-app controls at Settings → Privacy.
- Access — obtain a copy of personal information we hold about you.
- Correction — request that we correct inaccurate information.
- Deletion — request that we delete personal information we hold (subject to legal-retention carve-outs above).
- Portability — receive a machine-readable copy of information you provided to us. Exports are provided in JSON by default; CSV is available on request.
- Opt-out of sale / sharing — we do not sell or share personal information for cross-context advertising, so there is nothing to opt out of; we honor a Global Privacy Control signal regardless.
- Opt-out of targeted advertising — we do not do targeted advertising.
- Object to processing — where processing is based on legitimate interest, you can object on grounds relating to your situation.
- Restriction — ask us to limit processing in specific circumstances.
- Non-discrimination — we will not deny service, charge different prices, or provide a different quality of service because you exercised a right.
- Appeal — if we decline your request, you may appeal. We will acknowledge within the time required by law.
- Complaint — you may also complain to a supervisory authority (Indiana Attorney General, California Privacy Protection Agency, your national data-protection authority, as applicable).
Response times. We acknowledge verified rights requests promptly and substantively respond within thirty (30) days. Where a request is unusually complex or where we receive a high volume of requests, we may extend the response window by an additional sixty (60) days and will notify you in writing of the extension and the reason for it.
Account deletion grace period. When you request account deletion through the in-app Privacy controls, we begin a thirty (30) day grace period during which you can cancel the request and recover your account. After the grace period ends, a nightly anonymization sweep removes personally identifying information from your records. Data subject to legal-retention floors (TCPA SMS consent records for 365 days, employee tax documents for seven (7) years, OSHA-relevant damage photos for five (5) years, IRS-relevant receipts for seven (7) years, paid-invoice records for seven (7) years) is quarantined — invisible to staff — and deleted at the end of its retention window. Cancelling deletion before the grace period ends restores your account exactly as it was.
California residents have rights under the California Consumer Privacy Act (CCPA/CPRA). Indiana residents have rights under the Indiana Consumer Data Protection Act (ICDPA), effective 2026. Residents of the EEA, UK, and similar jurisdictions have rights under the General Data Protection Regulation (GDPR). Colorado, Virginia, Connecticut, and Utah residents have rights under their respective state laws. We honor these rights equally regardless of jurisdiction.
We verify a rights request by asking you to authenticate through the account holding the data, or (if you don't have an account) by requesting information that matches what we already hold about you.
EU data-protection contact. Simply Polished is a small Indiana-based service business that does not process EU personal data at scale and is not required to appoint a Data Protection Officer under GDPR Article 37. EU residents may contact us at privacy@frameworkdynamics.cloud for any rights-exercise inquiry; we treat EU rights requests with the same care and timeline as those from any other jurisdiction.
SMS communications
We send SMS for scheduling, confirmations, reminders, and — only if you opt in separately — marketing.
- Transactional SMS. By providing your mobile number, you consent to transactional SMS about your booking.
- Marketing SMS. We will send marketing SMS only if you explicitly opt in. We confirm with a double-opt-in reply.
- Opt out. Reply STOP, UNSUBSCRIBE, END, QUIT, or CANCEL to any SMS to opt out. We honor requests immediately. You can also opt out via Settings or email.
- Quiet hours. We do not send SMS between 9:00 PM and 8:00 AM local recipient time, except for urgent reschedules or same-day cancellations.
- Standard message and data rates may apply from your carrier.
- Brand registration. We operate under a registered A2P 10DLC brand and campaign with our SMS carrier.
Email communications
Commercial email (if any) includes:
- Our legal business name and physical postal address (CAN-SPAM requirement).
- A clear and conspicuous subject line.
- A functional unsubscribe link honored within ten (10) business days.
We do not send email using deceptive subject lines or sender information.
Cookies (web)
We use:
- Strictly-necessary cookies for authentication, session management, CSRF protection. These cannot be disabled because the site cannot function without them.
- Preference cookies to remember your theme (light/dark) and locale.
- Analytics cookies only with your consent. We do not use third-party advertising cookies.
A cookie banner on first visit lets you accept or decline non-essential cookies. You can change your choice at any time via Settings → Privacy.
Mobile app permissions
The mobile app requests permissions only when they are needed. Each prompt includes a plain-English explanation. See our Data Safety Declaration at /legal/data-safety for the per-permission justification table.
We do not declare permissions we do not use. In particular:
- We do not request the ability to read SMS on your device.
- We do not request access to your contacts.
- We do not request access to your microphone.
- We do not use advertising identifiers (GAID / IDFA) for tracking.
Device camera (operator and crew only)
Signed-in operators or crew members can use the device camera for two purposes inside the app: capturing before-and-after service photos (subject to the photo-consent rules above) and scanning inventory barcodes when receiving stock or logging supply use on a job. Both flows are operator-side only — clients do not encounter a camera prompt unless they are uploading photos to a quote request, in which case the client controls the upload entirely.
For barcode scanning specifically:
- The camera streams locally to the app to decode the barcode. Frames are not uploaded, stored, or transmitted to our servers.
- Only the decoded barcode value and its symbology (UPC, EAN, Code 128, QR, etc.) are captured, and only after the decoder finds a match or the operator taps Capture.
- Camera access is requested by your browser per session. Denying it does not break any feature — manual entry of the barcode value is always available.
- We do not retain images of any kind from a barcode scan; the only artifact written to our servers is the decoded barcode value associated with the inventory item the operator scanned it onto.
Children's privacy
The app is gated to users 18 and older. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us at the address above and we will delete it promptly.
Security
We protect your information using industry-standard measures:
- Transport encryption. TLS 1.2 or higher for all communication.
- At-rest encryption. Database encryption at rest, plus AES-256-GCM field-level encryption for sensitive fields (unlock codes, OAuth tokens, employee tax documents — the latter with a separate encryption key).
- Access controls. Staff access is least-privilege; owner-only data (employee documents, payroll) is audit-logged on every read.
- Secure development. PII sanitizer scrubs crash and analytics logs; secrets are never committed to source code; dependency updates are reviewed.
- Incident response. We will notify you of a data breach affecting your personal information within the time required by applicable law (generally 72 hours for GDPR; other windows apply by jurisdiction).
No system is perfectly secure. Using a strong, unique password and enabling multi-factor authentication (owner accounts) significantly reduces risk.
Changes to this policy
We may update this policy from time to time. Material changes require your affirmative re-acceptance where law requires it, and in any case will be posted with a revised Effective Date and announced via an email or in-app banner at least 30 days before taking effect.
Revision history
| Version | Date | Change | Status |
|---|---|---|---|
| 0.1.0-draft | 2026-04-17 | Initial pre-review scaffold | PRE_REVIEW |
How to contact us
- Privacy + rights inquiries: privacy@frameworkdynamics.cloud
- Legal correspondence: legal@frameworkdynamics.cloud
- General client support: support@frameworkdynamics.cloud
- Mail: Framework Dynamics LLC, P.O. Box (operator-managed), Indianapolis, IN 46201, United States.
- Phone: the number published on our website and your invoices.