1. Introduction

Garrizon, owned and operated by Michael Ronge (“Owner”, “we”, “us”, or “our”), provides the Garrizon platform (“Service”), a workforce management solution for security guard companies. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our Service.

By using the Service, you consent to the data practices described in this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you register or are added to the Service, we collect:

Name, email address, and phone number
Organization name and role (admin, supervisor, guard, client)
Password (stored in securely hashed form only — we never store plaintext passwords)
Profile photo (if uploaded)

2.2 Employee & Workforce Data

Organization administrators may enter data about their employees, including:

Guard names, badge numbers, contact information, and profile photos
Employment details such as certifications, assigned sites, and schedules
Timecard and punch records (clock-in/out times, break times, hours worked)
Duty status information (active, on break, offline)

2.3 Location Data

With user consent, the Service collects GPS location data from guards during active shifts. This data is used for real-time monitoring, checkpoint verification, patrol route tracking, incident mapping, and operational reporting. Location tracking only occurs when the guard is actively using field mode features and has granted browser or device location permissions. Guards may revoke location permissions at any time through their device settings.

2.4 Field Logs, Incident Reports & DARs

Guards and supervisors may submit field observation logs, incident reports, and daily activity reports (DARs) that include text descriptions, photographs, GPS coordinates, timestamps, and categorized observations (persons, vehicles, activities). This data is stored within the organization’s account and may be shared with clients through the client portal.

2.5 Client Portal Data

Clients (customers of security companies) access a read-only portal where they can view site coverage information, daily activity reports, and incident reports related to their contracted sites. Client account information (name, email, company) is collected during registration.

2.6 Usage & Technical Data

We automatically collect:

Browser type, device type, and operating system
IP addresses and approximate geographic location
Pages visited, features used, and interaction timestamps
Error logs and performance metrics for service improvement

3. How We Use Your Information

We use collected information to:

Provide, operate, and maintain the Service
Authenticate users and secure accounts
Enable scheduling, time tracking, and workforce management features
Provide GPS-based real-time guard tracking and patrol verification
Generate daily activity reports, field logs, and operational analytics
Deliver client portal reports and site coverage information
Process AI-assisted features such as DAR generation and writing improvements
Send transactional emails (password resets, account notifications, DAR reports)
Monitor and improve Service performance and reliability
Detect and prevent fraud, abuse, and security threats
Comply with legal obligations

We do not sell your personal information to third parties. Ever.

4. AI-Powered Features

The Service includes optional AI-powered features, including DAR generation and text improvement. When you use these features, relevant field log data and text may be sent to third-party AI providers (such as Anthropic) for processing. This data is used solely to generate the requested output and is not used by AI providers to train their models. You can choose not to use AI features without affecting core functionality.

5. Data Sharing

We may share your information only in these circumstances:

Within your organization: Administrators and supervisors can view data for guards within their organization as part of normal operations.
Client portal: Daily activity reports, site coverage, and incident information may be visible to clients (customers of the security company) through the client portal, as configured by the organization administrator.
Service providers: We use trusted third-party services to operate the platform: Cloudflare (hosting, CDN, database, security), Google Maps (mapping), Resend (email delivery), Anthropic (AI features). These providers process data only as needed to provide their services and are bound by their own privacy policies.
Legal requirements: We may disclose information if required by law, court order, subpoena, or governmental regulation, or to protect our rights, property, or safety.
Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.

6. Data Security

We implement industry-standard security measures to protect your data:

All data is transmitted over HTTPS/TLS encryption
Passwords are hashed using PBKDF2-SHA256 with cryptographic salting
Data is stored on Cloudflare’s globally distributed, SOC 2 compliant infrastructure
Multi-tenant architecture enforces strict organization-level data isolation
Role-based access controls limit data visibility by user role
Session tokens are securely managed with HttpOnly cookies and automatic expiration
Source code is kept in a private repository with restricted access

While we take reasonable precautions, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data but will notify affected users promptly in the event of a data breach.

7. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Organization data (schedules, timecards, incident reports, field logs, DARs) is retained for the duration of the organization’s subscription plus an additional 90-day grace period.

Upon account deletion or subscription cancellation, we will delete your personal data within 30 days. Anonymized, aggregated data that cannot identify individuals may be retained for analytics purposes. Some data may be retained longer if required by law or for legitimate business purposes (such as resolving disputes or enforcing agreements).

8. Your Rights

Depending on your jurisdiction, you may have the right to:

Access: Request a copy of the personal data we hold about you
Correction: Request correction of inaccurate or incomplete data
Deletion: Request deletion of your personal data (“right to be forgotten”)
Export: Request your data in a portable, machine-readable format
Restrict processing: Request that we limit how we use your data
Object: Object to certain types of data processing
Withdraw consent: Withdraw previously given consent (e.g., location tracking)

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We will not discriminate against you for exercising your privacy rights.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it.
Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
Right to Correct: You may request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary.
Right to Non-Discrimination: We will not deny you goods or services, charge different prices, or provide a different quality of service because you exercised your CCPA rights.

To submit a verifiable consumer request, email [email protected] with the subject line “CCPA Request.” We will verify your identity before processing your request and respond within 45 days.

Categories of personal information collected: Identifiers (name, email, phone, IP address), professional/employment information, geolocation data, internet/electronic activity, and photographs.

10. Cookies & Local Storage

The Service uses essential cookies and browser local storage for authentication and session management. These are strictly necessary for the Service to function and cannot be disabled.

We do not use third-party advertising cookies, cross-site tracking pixels, or behavioral analytics tools that track individual users for marketing purposes. The Service may use a service worker for offline caching and performance optimization.

11. Children’s Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to delete it promptly. If you believe a child has provided us with personal information, please contact us.

12. International Data Transfers

The Service is hosted on Cloudflare’s global network. Your data may be processed in the United States and other countries where Cloudflare operates data centers. By using the Service, you consent to the transfer of your data to these locations. We ensure that appropriate safeguards are in place for international data transfers.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 15 days before they take effect. The “Last updated” date at the top of this page indicates when the policy was last revised. Continued use of the Service after changes constitutes acceptance.

14. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at:

Email: [email protected]
Website: garrizon.net