OnSite

Privacy Policy

Effective Date: May 23, 2026 · Last Updated: May 23, 2026

Contents

  • 1. Overview & Scope
  • 2. Information We Collect
  • 3. How We Use Information
  • 4. Blind Storage & Internal Access
  • 5. Data Security
  • 6. Government & Law-Enforcement Requests
  • 7. Sharing & Disclosure
  • 8. International Transfers
  • 9. Data Retention
  • 10. Your Rights
  • 11. California Residents
  • 12. Children's Privacy
  • 13. Changes to this Policy
  • 14. Contact

1. Overview & Scope

This Privacy Policy ("Policy") describes how OnSite ("OnSite," "we," "us," or "our") collects, uses, discloses, and safeguards information when you access or use our software platform, websites, mobile applications, APIs, and related services (collectively, the "Services"). This Policy applies to individual users, organizational customers, and visitors to our websites and is incorporated by reference into our Terms of Service. By using the Services, you acknowledge the practices described in this Policy.

2. Information We Collect

2.1 Information You Provide

  • Account information — name, work email address, employer or organization, role, and contact details provided during registration or onboarding.
  • Billing information — payment instrument details and billing address, collected and processed by our PCI-compliant payment processor. We do not store full card numbers on our systems.
  • Support & communications — messages, support requests, survey responses, and feedback you submit to us.

2.2 Operational Data

Information you and your authorized users create in the Services — including site assessments, trip plans, motorcade routes, alerts, attachments, photographs, geolocation data, and messages ("Operational Data"). As between you and OnSite, Operational Data belongs to your organization. OnSite's handling of Operational Data is further constrained by Section 4 below.

2.3 Automatically Collected Information

  • Device identifiers, operating system, browser type, IP address, and approximate location derived from IP.
  • Service-usage telemetry (feature usage, performance metrics, crash logs, error reports).
  • Authentication events, audit logs, and security telemetry necessary to operate the Services and detect abuse.

2.4 Information from Third Parties

We may receive information from single sign-on or identity providers you use to authenticate, from integrations you authorize, and from publicly available sources for fraud and abuse prevention.

3. How We Use Information

We use information to provide, maintain, secure, and improve the Services; authenticate users and enforce access controls; detect, investigate, and prevent fraud, abuse, and security incidents; deliver customer support; communicate operational notices, security alerts, and service updates; bill for paid Services and manage subscriptions; comply with applicable legal obligations and enforceable governmental requests; and, with your consent, send marketing communications you may opt out of at any time.

We do not sell personal information. We do not use Operational Data to train artificial-intelligence or machine-learning models except to deliver a feature you have explicitly enabled for your own organization.

4. Blind Storage & Internal Access Controls

OnSite operates on a blind storage architecture with strict internal access controls. OnSite personnel — including employees, contractors, and officers — do not have access to the contents of your Operational Data in the ordinary course of business. Operational Data is encrypted at rest, segregated by customer tenant, and protected by access controls such that OnSite personnel cannot read its contents.

Limited access by a small number of authorized OnSite personnel may occur only:

  • At your express written request (for example, to assist with a support ticket you initiate);
  • To respond to a verified, active security incident affecting your tenant;
  • To comply with valid legal process as described in Section 6.

Every such access is logged, time-limited, role-restricted, and subject to internal review. We do not maintain backdoors and we do not provide unfettered or bulk access to Operational Data.

5. Data Security

We maintain administrative, technical, and physical safeguards designed to protect personal information, including:

  • TLS 1.2+ encryption in transit and AES-256 encryption at rest;
  • Field-level encryption for sensitive operational fields, using localized encryption keys;
  • Multi-factor authentication for administrative access;
  • Role-based access control, least-privilege provisioning, and periodic access reviews;
  • Continuous monitoring, vulnerability management, and secure-development practices;
  • Documented incident-response procedures and audit logging.

No method of transmission or storage is one-hundred-percent secure. In the event of a confirmed personal-data breach, we will notify affected users and applicable regulators in accordance with applicable law.

6. Government & Law-Enforcement Requests

OnSite is committed to protecting customer information from improper disclosure. We disclose customer information in response to government or law-enforcement requests only when each of the following conditions is met:

  • Valid legal process. We have received a valid, legally binding request — such as a subpoena, court order, search warrant, or equivalent compulsory legal process — that is properly served on OnSite and applicable to OnSite under the law of the jurisdiction in which we are subject to such process.
  • Legal-team review. The request has been carefully reviewed by OnSite's legal team for legal sufficiency, scope, jurisdictional reach, and authenticity, including verification of the requesting agency and the underlying legal authority.
  • Narrowing and challenge. We consider whether to challenge, narrow, or quash the request, and we will object to or move to limit any request we determine to be overbroad, defective, improper, or inconsistent with applicable law.
  • User notice. Where not prohibited by law, court order, or legitimate investigative considerations, we will notify the affected customer prior to disclosure so that the customer may seek to quash or limit the request.

We do not provide governments with direct, unfettered, or bulk access to customer data, encryption keys, or our production systems, and we do not maintain backdoors. Emergency requests are evaluated under a documented internal procedure that requires a good-faith belief, supported by credible evidence, of an imminent risk of death or serious physical harm. We will publish a transparency report describing the volume and types of government requests we receive.

7. Sharing & Disclosure

We share information only as described in this Policy:

  • With your organization. Operational Data is accessible to authorized users of your tenant under the permissions you configure.
  • Service providers (sub-processors). Vetted vendors that process information on our behalf under contractual confidentiality and data-protection obligations — including hosting, payments, analytics, communications, and customer support. A current list of sub-processors is available on request.
  • Business transfers. In connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to confidentiality protections and continuation of this Policy.
  • Legal compliance. As set forth in Section 6 above.
  • With your consent. For any other purpose disclosed at the time of collection.

8. International Transfers

We are based in the United States and store data in U.S. regions by default. Where we transfer personal data from outside the United States, we rely on lawful transfer mechanisms (such as the EU Standard Contractual Clauses, UK International Data Transfer Addendum, and applicable supplementary measures) and implement appropriate safeguards consistent with the destination jurisdiction's legal requirements.

9. Data Retention

We retain personal information for as long as necessary to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Operational Data is retained according to the retention configuration of your organization's tenant. Following termination or a verified deletion request, we delete or anonymize data within a commercially reasonable period, subject to mandatory retention requirements and routine backup-rotation schedules.

10. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access, correct, or delete your personal information;
  • Object to or restrict certain processing;
  • Withdraw consent where processing is based on consent;
  • Receive a copy of your personal data in a portable format;
  • Lodge a complaint with a supervisory authority in your jurisdiction.

Enterprise customers control their tenant directly via administrator tools. Individual users should first contact their organization's administrator; you may also contact us at the address in Section 14. We do not use personal information for automated decision-making that produces legal or similarly significant effects without a human in the loop.

11. California Residents (CCPA/CPRA)

California residents may exercise the rights set out in Section 10 and additionally have the right to opt out of any "sharing" of personal information for cross-context behavioral advertising. We do not "sell" personal information as defined under the CCPA/CPRA. To exercise California rights, email privacy@consultingonsite.com. We will not discriminate against you for exercising any right under California law.

12. Children's Privacy

The Services are intended for professional use and are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact privacy@consultingonsite.com and we will take appropriate steps to delete it.

13. Changes to this Policy

We may update this Policy from time to time. Material changes will be communicated by reasonable means — such as in-product notice, email to account administrators, or a prominent posting on our website — before they take effect. The "Last Updated" date at the top of this Policy indicates when it was most recently revised.

14. Contact

OnSite
Email: privacy@consultingonsite.com

© 2026 OnSite. All rights reserved.