1. Who we are
Fulcrum Assets is operated by Fulcrum Systems LLC, a Florida limited liability company with its principal place of business in Miami-Dade County, Florida. This Privacy Policy explains what personal information we collect in connection with the service at fulcrum-assets.com (the "Service"), how we use it, and the choices you have. This Policy applies to information we process as a controller (for example, in connection with account creation). For information we process on our customer organizations' behalf as a processor (Customer Data), our customers' privacy notices govern the relationship with their end users; we process that data only under our written agreement with them.
2. What we collect
- Account data: email address, full name, role, and the locations assigned to your account.
- Authentication data: hashed password, session tokens, last sign-in timestamp, IP address of sign-in, and multi-factor authentication status.
- Activity data: asset records you create, counts you perform, depreciation runs you post, transfers you approve — all attributed to your user ID in the audit log for accountability.
- Operational telemetry: error logs and performance metrics used to keep the Service healthy. We do not include Customer Data payloads in telemetry.
We do not knowingly collect "sensitive data" as defined by the Florida Digital Bill of Rights (Fla. Stat. § 501.702(37)) — including genetic or biometric data, health data, or precise geolocation — and will not process any such data except pursuant to express consent in a written Order.
3. How we use it
We use your information strictly to provide and support the Service: authenticating users, enforcing role- and location-based access, attributing actions in the audit log, sending transactional emails (invitations, password resets, notifications), and responding to support requests. We do not sell personal information, use it for cross-context behavioral advertising, or train machine-learning models on Customer Data.
4. Where it's stored
All Customer Data is stored in our Supabase project hosted on AWS (us-west-2, Oregon, USA). Transactional emails are relayed through Resend (us-east-1, Virginia, USA). Static assets are served from Cloudflare's global CDN. No data is transferred outside the United States in the normal course of operation. Customer Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
We maintain daily encrypted backups of the production database with a minimum thirty (30) day rolling retention. Backups are stored in the same region as the production data, encrypted at rest, and used solely for disaster recovery and the FIPA-compliant restoration obligations described in §7.
5. Who can see it
Within your organization, visibility is controlled by role and location assignment (see Terms of Service §2). We do not disclose personal information to third parties except: (a) to subprocessors strictly necessary to run the Service (listed below); (b) when required by a lawful order, subpoena, or other valid legal process; or (c) to protect our rights, property, or safety, or those of our customers or the public.
Current subprocessors:
- Supabase, Inc. — managed Postgres, auth, storage, realtime (USA)
- Amazon Web Services, Inc. — underlying infrastructure for Supabase (USA)
- Cloudflare, Inc. — CDN, DNS, and DDoS protection (USA / global edge)
- Resend Corp. — transactional email delivery (USA)
We will give organization administrators at least thirty (30) days' prior written notice (by email to the administrator contact on file) before adding or replacing a subprocessor that processes Customer Data. The list above is the current state and will be kept up to date on this page.
6. Retention
Active account data is retained while your organization's subscription is active. When a user is revoked, their authentication record is deleted immediately; their historical activity is preserved (with the user reference replaced by "Unknown") to maintain audit integrity. When your organization's contract ends, Customer Data is exportable for thirty (30) days and then deleted, unless a longer retention is required by applicable law.
7. Security & breach notification
We use Row-Level Security on the database, ES256-signed session tokens, TLS in transit, AES-256 encryption at rest, and least-privilege service accounts. Edge functions handling privileged operations validate the caller's JWT server-side on every request. Security audits are run periodically and after significant schema changes.
In the event of a "breach of security" as defined by the Florida Information Protection Act (Fla. Stat. § 501.171), we will notify affected customer organizations as expeditiously as practicable and within no more than ten (10) days of determining that a breach has occurred, and will cooperate in good faith with their notification obligations to end users and authorities.
8. Your rights
Depending on your jurisdiction, you may have rights to access, correct, export, or delete your personal data, and to opt out of certain processing activities. Your organization's administrator can fulfill most of these rights directly through the Service. For anything else, contact us at the email below and we will respond within thirty (30) days. Residents of Florida have the rights set out in the Florida Digital Bill of Rights to the extent that statute applies to our processing.
9. Children
The Service is intended for business use. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us information, contact us and we will delete it.
10. Changes
We will post material changes to this Policy on this page and notify organization administrators by email at least thirty (30) days before they take effect. The "Effective date" above indicates when the current version was published.
11. Contact
Fulcrum Systems LLC · Miami-Dade County, Florida, USA
Privacy questions, concerns, or requests:
privacy@fulcrum-assets.com