Privacy Policy

Effective Date: March 18, 2026

1. Introduction

Grit Force Inc. ("we," "us," or "our") operates Grit-Sync, a Buy America Build America (BABA) compliance intelligence platform, accessible at baba-assistant.up.railway.app (the "Service").

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. We are committed to protecting the privacy and security of our users, including state Departments of Transportation (DOTs), federal-aid project teams, prime contractors, and subcontractors.

By accessing or using the Service, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of the Service.

2. Information We Collect

2.1 Account Information

When you create an account or register for the Service, we may collect:

  • Name and job title
  • Email address (work or organizational)
  • Organization name (e.g., state DOT, contracting firm)
  • Role designation (Administrator, Contractor, Viewer)
  • Password (stored using industry-standard hashing; we never store plaintext passwords)

2.2 Usage Data

We automatically collect certain information when you interact with the Service:

  • Access logs — timestamps, pages visited, features used
  • Device and browser information — browser type, operating system, screen resolution
  • IP address — for security monitoring and rate limiting
  • Referral source — how you arrived at the Service

2.3 Query Data

When you use the compliance search, classification wizard, or Q&A features, we collect:

  • Search queries — the text of questions or product names submitted
  • Classification requests — product descriptions submitted for BABA categorization
  • Feedback responses — thumbs-up/down ratings and optional written feedback on answer quality

Query data is used solely to improve answer accuracy and system performance. It is never sold or shared with third parties for marketing purposes.

2.4 Project and Compliance Data

Users may upload or input project-specific data, including:

  • Project identifiers, bid item lists, and compliance matrices
  • Supplier certifications and certificates of compliance
  • De minimis waiver calculations
  • Change order and material documentation

2.5 Cookies and Similar Technologies

We use cookies and similar technologies as described in Section 12 below.

3. How We Use Information

We use the information we collect for the following purposes:

  • Service delivery — to provide BABA compliance answers, product classifications, and project management features
  • Account management — to authenticate users, manage roles, and enforce access controls
  • Accuracy improvement — to analyze query patterns and feedback to improve our curated answer database and classification engine
  • Security and abuse prevention — to monitor for unauthorized access, rate-limit API requests, and detect anomalous behavior
  • Communication — to send service-related notifications, compliance alerts (e.g., Federal Register updates), and certificate expiry reminders
  • Billing and subscription management — to process payments and manage tier-based feature access
  • Legal compliance — to comply with applicable laws, regulations, and legal processes

We do not use your data to build advertising profiles, and we do not sell personal information to third parties.

4. AI and Data Processing

Key privacy commitment: Grit-Sync uses a retrieval-only AI architecture. Our system does not use generative AI or large language models (LLMs) to produce answers. All responses are retrieved from a curated, expert-verified knowledge base of regulatory guidance, FHWA memos, and official policy documents.

Our technology stack processes your queries as follows:

  • Semantic search — your query is converted to a mathematical vector (embedding) and matched against pre-computed embeddings of our curated knowledge base. No external AI service processes your query text.
  • Classification engine — product names are matched against a local database of 650+ known products with pre-assigned BABA categories. No data is sent to third-party AI providers.
  • Cross-encoder reranking — an on-platform machine learning model reranks search results for relevance. This model runs locally and does not transmit data externally.

This architecture means:

  • Your queries are never sent to OpenAI, Google, Anthropic, or any third-party AI provider
  • Answers are never hallucinated or generated — every response is traceable to a specific source document
  • Your data is not used to train any AI models outside of our own retrieval accuracy improvements

5. Data Storage and Security

5.1 Infrastructure

All data is stored on secure, cloud-hosted infrastructure. Our production environment is hosted on Railway, which operates on Google Cloud Platform infrastructure within the United States.

5.2 Multi-Tenant Data Isolation

Row-Level Security (RLS): Grit-Sync enforces row-level security to ensure complete data isolation between organizations. Each tenant's project data, compliance records, and uploaded documents are cryptographically scoped to their organization. No user from one organization can access, query, or view data belonging to another organization, even at the database level.

5.3 Security Measures

We implement the following security controls:

  • Encryption in transit — all data transmitted between your browser and our servers is encrypted using TLS 1.2+
  • Encryption at rest — sensitive data is encrypted at the storage layer
  • Password security — passwords are hashed using industry-standard algorithms (bcrypt); we never store or log plaintext passwords
  • Access controls — role-based access control (RBAC) with Admin, Contractor, and Viewer permission tiers
  • Rate limiting — API endpoints are rate-limited to prevent abuse
  • CSRF protection — cross-site request forgery tokens on all state-changing operations
  • Input sanitization — parameterized database queries to prevent SQL injection; output encoding to prevent XSS
  • Audit logging — all significant actions are recorded with timestamps and user context for compliance audit trails

6. Data Retention

We retain your data according to the following schedule:

  • Account information — retained for the duration of your active subscription, plus 90 days following cancellation to allow for reactivation
  • Query logs — retained for 24 months, then anonymized for aggregate analytics
  • Project and compliance data — retained for the duration of your subscription. Upon account deletion, project data is permanently removed within 30 days
  • Audit trail records — retained for a minimum of 7 years to comply with federal record-keeping requirements applicable to federal-aid projects
  • Billing records — retained as required by applicable tax and financial regulations

You may request early deletion of your data at any time by contacting [email protected]. See Section 8 for details.

7. Third-Party Services

We use the following third-party services in the operation of Grit-Sync. Each processes only the minimum data necessary for its function:

7.1 Stripe (Payment Processing)

We use Stripe to process subscription payments and manage billing. When you subscribe, your payment information (credit card number, billing address) is transmitted directly to Stripe and is never stored on our servers. Stripe is PCI DSS Level 1 certified. See Stripe's Privacy Policy.

7.2 Railway (Application Hosting)

Our application and databases are hosted on Railway, which operates on Google Cloud Platform infrastructure in the United States. Railway processes server logs and deployment metadata. See Railway's Privacy Policy.

7.3 Sentry (Error Monitoring)

We use Sentry for application error monitoring and performance tracking. Sentry may receive error context data including request URLs, browser information, and stack traces. Sentry does not receive query content, user credentials, or project data. See Sentry's Privacy Policy.

7.4 Google Fonts

Our interface loads the Inter typeface from Google Fonts. This results in your browser making a request to Google's servers. See Google's Privacy Policy.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Right to Access — request a copy of the personal data we hold about you
  • Right to Correction — request that we correct inaccurate or incomplete data
  • Right to Deletion — request that we delete your personal data, subject to legal retention requirements
  • Right to Data Export — request your data in a structured, machine-readable format (JSON or CSV)
  • Right to Restrict Processing — request that we limit how we use your data
  • Right to Object — object to certain types of data processing

To exercise any of these rights, please contact us at [email protected]. We will respond to verified requests within 30 days. For California residents, see Section 10 for additional rights under the CCPA.

9. Children's Privacy

Grit-Sync is a professional compliance tool designed for use by government employees, contractors, and infrastructure professionals. The Service is not directed at individuals under the age of 18, and we do not knowingly collect personal information from children.

If we become aware that we have inadvertently collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at [email protected].

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights:

  • Right to Know — you may request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share your data
  • Right to Delete — you may request deletion of your personal information, subject to certain exceptions
  • Right to Opt-Out of Sale — we do not sell personal information. No opt-out is necessary
  • Right to Non-Discrimination — we will not discriminate against you for exercising any of your CCPA rights
  • Right to Correct — you may request correction of inaccurate personal information
  • Right to Limit Use of Sensitive Information — you may limit the use of any sensitive personal information we collect

To exercise your CCPA rights, email [email protected] with the subject line "CCPA Request." We will verify your identity before processing your request and respond within 45 days.

11. Government Data Handling

For state DOT and government agency users: We recognize the heightened data handling obligations associated with government procurement, federal-aid project data, and public-sector compliance workflows.

Grit-Sync is designed to serve state Departments of Transportation, metropolitan planning organizations, and other public agencies administering federal-aid highway and infrastructure projects. We apply the following additional safeguards for government data:

  • Data sovereignty — all data is stored and processed within the United States
  • No commingling — government agency data is logically isolated from other tenants through row-level security. Agency data is never aggregated or combined across organizations
  • No AI training on government data — government queries and project data are never used to train machine learning models. Our retrieval system uses only pre-existing, publicly available regulatory content
  • Audit readiness — we maintain comprehensive audit logs compatible with federal-aid project documentation requirements, including FHWA and 2 CFR 200 record-keeping expectations
  • FOIA considerations — we will cooperate with government agencies in responding to applicable public records requests. Users should be aware that data submitted to or through government accounts may be subject to Freedom of Information Act (FOIA) or equivalent state open records laws
  • Contract compliance — we are prepared to execute agency-specific data handling agreements, Business Associate Agreements, or similar instruments upon request

For government procurement inquiries or to request a security questionnaire response, contact [email protected].

12. Cookies and Tracking Technologies

12.1 What We Use

  • Session cookies — essential for maintaining your authenticated session. These expire when you close your browser or after a period of inactivity
  • Preference cookies — to remember your display settings and feature preferences. These persist across sessions
  • Security tokens — CSRF tokens to protect against cross-site request forgery attacks

12.2 What We Do Not Use

We do not use:

  • Third-party advertising cookies or trackers
  • Cross-site tracking pixels
  • Social media tracking widgets
  • Fingerprinting techniques

12.3 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may prevent you from using certain features of the Service, such as authenticated access.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

  • We will update the "Effective Date" at the top of this page
  • We will notify registered users via email at least 30 days before material changes take effect
  • We will post a prominent notice on the Service dashboard

Your continued use of the Service after the effective date of a revised policy constitutes acceptance of the updated terms. We encourage you to review this page periodically.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all privacy-related inquiries within 10 business days.