Compliance Center

Security & Compliance Program

Policies, risk register, and vendor assessments that govern how EcoService Pro protects customer data. This page is maintained by EcoPowerHub AI LLC for prospects, auditors, and internal review. For disclosures contact engmartin@ecopowerhub.ai.

Data Privacy Policy (Internal)

Version: 1.0 · Effective: July 14, 2026 · Owner: Security Lead / DPO delegate

This is the internal engineering-facing companion to the public Privacy Policy. It defines how personal data must be handled inside the codebase and operations.

1. Data classification

| Class | Examples | Handling | | --- | --- | --- | | Public | Marketing site, /llms.txt | No restriction | | Internal | Aggregate metrics, feature flags | Employees only | | Confidential | Customer PII, job photos, invoices | RLS + audit log | | Restricted | Passwords, API keys, service-role key, MFA seeds | Secret store only, never logged |

2. Lawful basis (GDPR)

Contract performance (product delivery), legitimate interest (security & analytics), consent (marketing, precise location), legal obligation (tax, audit).

3. Data minimization

  • Server functions accept only the fields they use — enforced by Zod .strict() schemas.
  • AI features send image descriptions (Gemini) rather than raw photos to third-party LLMs where feasible.
  • Logs redact tokens, passwords, and full email addresses (last 4 of local-part only).

4. Encryption

  • In transit: TLS 1.2+ enforced by Cloudflare; HSTS enabled.
  • At rest: AES-256 (Supabase managed). Backups inherit the same encryption.
  • Application-level: OAuth tokens for third parties (Microsoft, Google) stored encrypted via Supabase Vault; the app never reads the raw column.

5. Retention

| Data | Retention | Deletion trigger | | --- | --- | --- | | Account & profile | Life of account | User deletion request | | Job / customer records | Life of account + 30 d | Account-wide deletion | | Invoices & financial | 7 years (tax law) | Statutory expiry | | audit_logs | 2 years | Rolling purge | | security_events | 1 year | Rolling purge | | Backups | 30 days | PITR window |

6. Data subject rights

  • Access, correction, portability, deletion, restriction, objection.
  • Requests via /data-deletion or engmartin@ecopowerhub.ai.
  • Fulfilled within 30 days (GDPR) / 45 days (CCPA). Extensions documented in audit_logs.

7. Cross-border transfers

US-based processing. EU/UK transfers rely on Standard Contractual Clauses with sub-processors. China transfers require explicit consent (PIPL).

8. Sub-processors

Maintained in vendors/assessments.md. Customers are notified 30 days before adding a new sub-processor that materially changes data flow.

9. AI-specific

Customer content is not used to train foundation models. Prompts and outputs may be stored in audit_logs for debugging up to 90 days.

10. Breach handling

See incident-response-plan.md. GDPR supervisory authority notified within 72 hours of confirmed personal-data breach.

Version-controlled source of truth for this document lives in the project repository. Material changes are reviewed by the Security Lead and approved by the CEO.