ConeStack

Privacy Policy

Last updated: April 13, 2026

1. Information We Collect

Account Information

When you create an account, we collect: name, email address, company/municipality name, and account role. Passwords are hashed and stored by Supabase (our database provider) — we never have access to plaintext passwords.

Plan Data

When you generate a Traffic Control Plan, we collect: road coordinates (start/end GPS points), road configuration parameters (speed, cross-section, closure type, duration), and the generated sign schedule with GPS positions.

GPS and Location Data

During field deployment, we collect real-time GPS coordinates from workers who have explicitly enabled GPS tracking on their devices. This includes latitude, longitude, and accuracy. Location data is only collected while the GPS toggle is active and stops immediately when disabled.

Photos

Workers may take photos of placed signs for verification. Photos are uploaded to secure cloud storage and are accessible only to the contractor's organization and the municipality the plan is filed to.

Payment Information

All payment processing is handled by Stripe. We do not store credit card numbers, CVVs, or other payment card data on our servers. We receive only transaction confirmations and subscription status from Stripe.

2. How We Use Your Information

  • Plan generation — GPS coordinates and road parameters are processed by our OTM7 engine to generate compliant sign schedules
  • Field deployment — Real-time GPS is used to guide workers to sign placement locations and verify placement accuracy
  • Municipal filing — Plan data, compliance information, and placement verification are shared with the municipality when a plan is filed
  • Billing — Email and organization info are used for subscription management and invoicing
  • Service improvement — Aggregated, anonymized usage data may be used to improve the platform
  • Email notifications — We send transactional emails for filing status changes, team invitations, and password resets

3. Data Sharing

We share your data only in these circumstances:

  • Municipal filings — When you file a TCP with a municipality, the plan data, compliance info, and placement verification are shared with the receiving municipality
  • Service providers — We use Supabase (database), Stripe (payments), Resend (email), Google Maps (geocoding), Mapbox (routing), and OSRM (road geometry). Each provider processes only the data necessary for its function
  • Legal requirements — We may disclose data if required by law, court order, or government regulation

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

4. Data Retention

  • Active accounts — Data is retained as long as your account is active
  • Deleted accounts — Data is retained for 90 days after account deletion, then permanently removed
  • Filing records — Municipal filing records and audit trails are retained for 7 years to comply with Ontario record-keeping requirements
  • Worker GPS trails — Real-time location data is retained only for the duration of the active deployment session. Placement GPS coordinates (where each sign was placed) are retained with the plan as part of the audit trail

5. Data Security

We implement the following security measures:

  • Row Level Security (RLS) on all database tables — enforces org-level data isolation
  • API rate limiting on authentication and sensitive endpoints
  • HTTPS encryption for all data in transit
  • Supabase-managed encryption at rest for database and file storage
  • Stripe PCI-DSS compliance for payment processing
  • HttpOnly, Secure, SameSite cookies for session management

6. Your Rights

You have the right to:

  • Access — Request a copy of the data we hold about you
  • Correction — Update your personal information via account settings
  • Deletion — Request deletion of your account and associated data
  • Export — Download your plans, filings, and placement data
  • Withdraw consent — Disable GPS tracking at any time during field deployment

To exercise these rights, contact [email protected].

7. Cookies

We use the following cookies:

  • Authentication cookies — Supabase session tokens (essential, HttpOnly)
  • Beta gate cookie — HMAC token for beta access (HttpOnly, Secure)

We do not use marketing cookies, tracking pixels, or third-party analytics cookies.

8. Children's Privacy

ConeStack is not intended for use by individuals under 18 years of age. We do not knowingly collect data from children.

9. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email to account holders. Continued use of the Service after changes constitutes acceptance.

10. Contact

For privacy questions or data requests, contact:
[email protected]
ConeStack Inc.
Ontario, Canada