Security, Privacy & Plain Terms
Anvil Field: Job Photos & Reports keeps your field records yours.
This is a working summary, not the binding legal contract. The formal Terms of Service and Privacy Policy govern if documents disagree.
You do. Always.
The properties you save, the photos you take, the notes you write, and the packets you generate are your business records. Anvil Field is the custodian, not the owner.
Export & backup
Export everything: data backup, CSV, PDF, ZIP, proof packets, photo index, materials, visits, and account records. Export stays available through cloud storage limits, plan changes, cancellation, and refunds.
Local copy
Your local app copy remains under your storage controls. Local data stays until you delete or uninstall; local capture is always free and never expires.
No resale
We do not sell your data, customer addresses, photos, or field records to advertisers, data brokers, or lead resellers.
What we collect and why
Bound camera
Photos are bound to property, job, timestamp, and label before storage. Bound, not loose, so proof stays out of the camera-roll sprawl.
Saved locally
The saved-locally state appears before cloud sync. The local vault and honest sync state mean a dead zone never costs you a record.
Proof and memory
Property cards, visits, before/after photos, notes, materials, voice notes, and proof packets exist for two reasons: proof on dispute day and continuity when a different crew member shows up.
Photo sensitivity
What we do:
Local-first storage, bound records, redaction before share, and explicit packet inclusion.
Local-first by default.
Photos save locally first. Cloud upload is the mirror, not the master.
Blur / redact before share.
Use mask a region for a face, plate, child, keypad, house number, or interior detail before generating the customer-facing packet.
You choose what goes in the packet.
Generating a packet is explicit photo-by-photo selection. Private memory photos can stay out of recipient links.
Special caution — secure facilities, interiors, and minors.
You are responsible for confirming you are allowed to photograph a site, person, vehicle, or interior, and for obtaining consent your work, client agreement, or jurisdiction requires.
Gate/access codes.
Anvil Field does not store access codes as authority to enter. Gate codes are encrypted at rest, treated as HIGH-privacy notes, and remain working memory.
Deletion and retention
Delete a photo / job / property:
Deletes from the active local record immediately and queues cloud deletion when sync is available.
Delete your whole account:
Use Delete My Account in Settings, the legacy alias Delete Account & Data, or the public delete-account page. Active share links are revoked. We honor verified cloud deletion requests within 30 days.
Export before you delete:
Prepare a local export first so leaving never destroys your records.
Backups and lag.
A short-lived encrypted backup copy of deleted cloud data may persist for up to 35 days before it rolls off.
Recipients have rights too.
A homeowner or property manager can ask the sender or privacy@anvilfield.com to revoke a share link.
Retention:
Free cloud media follows the Free-tier retention window; Solo and Crew cloud storage is retained while the account is active. Local records remain in app storage until deleted.
Subprocessors
Cloudflare
Cloudflare handles hosting, API, synced records, media/PDF storage, account-session storage, configuration, recipient pages, and bot protection.
Stripe
Stripe handles Anvil billing and optional payment-link creation only when configured and checked. We never see full card numbers.
Square
Square payment-link creation is optional and only uses checked amount/description and packet-link metadata for the sender's own Square account.
Resend
Resend sends transactional email such as account messages, receipts, and packet delivery.
DigitalOcean
DigitalOcean processes cloud AI assist only, and only the exact text shown in the confirm sheet.
Cloudflare Workers AI
Cloudflare Workers AI is a fallback adapter only, with the same scope and rules.
No ad networks, analytics resellers, or third-party AI training pipelines are subprocessors at launch. Cloud AI is user-triggered and optional; see the AI policy.
AI - exactly what is sent, kept, and never done
Local AI never transmits anything.
Anvil Field intelligence is local by default. Cloud assist is per-request, user-triggered, and optional.
What is sent:
Only the text shown in the confirm sheet you tap. No photos, videos, audio, gate/access notes, or customer contact details unless you typed them into that text.
Who processes it:
DigitalOcean primary inference; Cloudflare Workers AI fallback under the same rules.
What is recorded:
Usage metadata only: request type, provider and model, timestamp, token counts, check status, and privacy scope. The prompt text and the output text are not stored.
Never trained on:
Your prompts, notes, photos, and field records are never used to train any model.
Check before sending:
AI output lands as an unchecked draft. The app never auto-sends AI-generated text to a customer.
Plain Terms concepts
What Anvil Field is.
A personal field record and proof tool. It is not the official record of compliance, licensing, regulatory filing, contract, estimate, invoice, legal agreement, parking authority, towing authority, or permission to enter.
Field aid, not authority.
Packets help show your work. They are evidence you created, not a ruling.
Your responsibilities.
You confirm you are allowed on-site, obtain required consents, meet compliance/safety/recordkeeping obligations, and keep off-app backups of mission-critical records.
Availability.
field work never depends on our uptime. Capture, save, and packet generation work fully offline.
Liability cap & "as is."
Cloud services are provided as is to the extent the law allows; the formal Terms set the liability cap.
HIGH-privacy notes and recipient view
Sync is consent-based
Gate codes stay local by default until the owner enables team sync. Access and parking notes can remain local-only.
They never appear in share links, recipient views, proof packets, or webhooks
Cloud exports exclude private notes by default; local exports include them only after an explicit include-private-notes toggle.
No account, no profile, no marketing.
Recipients install nothing and sign up for nothing.
No tracking beyond the view receipt.
The only receipt data is view count/time and optional typed signoff name, shown to the sender.
Engine outputs
Anvil Field's calculators and optimizers are deterministic field aids that show their math. A calculator result is assistance you confirm, not advice you owe deference to. Anvil Field does not certify code compliance, regulatory compliance, licensing ratios, deposit law, RF legality, or anything else. These boundaries are printed in every export and packet footer.