Privacy Policy

Arbcura Technology LLC and its products

Effective Date: May 23, 2026

1. About This Policy

This Privacy Policy describes how Arbcura Technology LLC ("Arbcura," "we," "us," or "our") collects, uses, and shares information about you when you use our software products and services. This policy applies to the Arbcura suite of products, which currently includes:

• ArborBase — institutional and commercial tree management platform
• Tree Mark — lightweight tree inventory collector for software integration partners
• Echo — marketing operations platform for service businesses
• Cairn — hardware and software for outdoor guest experiences, trails, and stewardship
• TreeVue — tree risk assessment application aligned with industry-standard methodology
• Drop a Log — green wood weight logging application for tree care operations

Each product may have its own product-specific Terms of Service, but this single Privacy Policy applies to all products operated by Arbcura Technology LLC. We use one privacy policy across our product suite because data handling, security practices, and your privacy rights are determined by the company that processes the data, not by the individual product.

Arbcura Technology LLC is a limited liability company organized under the laws of the State of Georgia, with its principal place of business at 1000 Winterville Rd, Athens, GA 30605.

2. Information We Collect

2.1 Information You Provide Directly

When you create an account or use our products, we may collect:

• Account information: name, email address, phone number, password (stored as a cryptographic hash, never in plain text), profile photo if provided
• Organization information: business name, address, organization type (commercial or institutional), team member details, contractor records, contact information for clients or properties under management
• Tree and property data: tree inventories, species identification, condition assessments, risk ratings, recommendations, work history, photos, location coordinates, property boundaries, zone definitions
• Work and scheduling data: jobs, assignments, work orders, completion records, scheduling preferences
• Communications: messages you send to us, support tickets, feedback
• Payment information: when applicable, billing details processed through our payment processor (we do not store full credit card numbers on our servers — see Section 6)
• SMS consent records: when you opt in to receive SMS messages, we record the consent event including a timestamp, the phone number consent applies to, and the version of the consent language you accepted

2.2 Information Collected Automatically

When you use our products, we automatically collect:

• Usage data: features used, actions taken, pages viewed, time spent, error events
• Device information: device type, operating system, browser type, screen size, IP address
• Location data: approximate location from IP address, and precise GPS coordinates when you grant permission and use location-based features such as tree collection in the field
• Log data: timestamps, request URLs, response codes, error traces (used for service operation and debugging)

2.3 Information from Third Parties

When you sign in using a third-party identity provider (such as Google), we receive basic profile information from that provider, limited to what you authorize for sharing. We may also receive information from species identification services (such as Plant.id) when you submit a tree image for identification — the service returns identification results that we associate with your tree record.

3. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain our products
• Process transactions and send related information including confirmations and receipts
• Send transactional communications such as account notifications, password resets, work order updates, and scheduled visit reminders
• Respond to your comments, questions, and customer service requests
• Monitor and analyze trends, usage, and activities to improve our products
• Detect, investigate, and prevent fraudulent transactions, unauthorized access, and other illegal activities
• Comply with legal obligations
• Carry out any other purpose described to you at the time the information was collected

We do not sell your personal information. We do not use your personal information for advertising purposes or share it with advertising networks. We do not engage in cross-context behavioral advertising or "share" personal information as those terms are defined under California law.

4. SMS Communications and Phone Number Data

4.1 What SMS Messages We Send

When you provide a phone number and opt in to SMS communications, we may send you account and operational notifications related to your use of Arbcura products. This includes:

• Account notifications (invitations to join an organization, password reset requests, account changes)
• Operational notifications (work order assignments, completion confirmations, scheduled visit reminders, task updates)
• Service alerts (notifications about service interruptions or significant changes that affect your account)

Message frequency: You may receive up to ten (10) messages per week, depending on your account activity and the operational events that involve you. Message frequency varies based on your role and engagement with the platform.

4.2 Opt-In and Opt-Out

SMS opt-in occurs when you affirmatively consent in your account settings by checking a consent box that states the program description, message frequency, and applicable rates. You can opt out of SMS messages at any time by replying STOP to any message you receive from us. To resume messages after opting out, reply START. For help, reply HELP or contact our support team using the contact information in Section 17.

Standard message and data rates may apply. Arbcura is not responsible for charges from your wireless carrier related to SMS messages.

4.3 How We Protect Phone Number Data

Phone numbers are stored securely with the same protections as other account data (see Section 8). Phone numbers are shared only with our SMS delivery provider (Twilio — see Section 6) solely for the purpose of message delivery. We do not share phone numbers with marketing partners, data brokers, or any party for promotional purposes.

5. How We Share Your Information

We share your information in the following limited circumstances:

5.1 With Other Users in Your Organization

Information you contribute to an organization within our products (such as tree records you create, recommendations you author, jobs you assign) is visible to other authorized members of that organization according to the role and capability system configured for your account.

5.2 With Service Providers

We share information with third-party service providers who perform services on our behalf, such as cloud hosting, email delivery, SMS delivery, payment processing, error monitoring, and AI-assisted features. Service providers are contractually obligated to use the information only to perform services for us and to maintain appropriate security. See Section 6 for the current list of service providers.

5.3 For Legal Reasons

We may share information if we reasonably believe disclosure is required by law, legal process, or governmental request; to enforce our Terms of Service; to protect the safety, rights, or property of Arbcura, our users, or others; or in connection with the investigation of suspected fraud or illegal activity.

5.4 With Your Consent

We may share information for other purposes with your consent or at your direction.

5.5 Business Transfers

If Arbcura is involved in a merger, acquisition, financing, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.

6. Third-Party Service Providers

We use the following third-party service providers to operate our products. Each provider has its own privacy practices, which we encourage you to review.

Provider	Purpose	Data Shared
Google (Firebase, Cloud Functions, Cloud Storage, Maps)	Authentication, database hosting, file storage, mapping services, computing infrastructure	Account credentials, user data, application data, location data when mapping features are used
Google (Gemini AI)	AI-assisted features such as recommendation drafting and natural language tools	Content you submit to AI-assisted features (which may include tree descriptions, notes, and related context)
Stripe	Payment processing	Billing information for paid accounts; Stripe stores card data directly under their PCI-compliant infrastructure (we do not store card numbers)
SendGrid	Email delivery	Recipient email addresses and message content for transactional emails
Twilio	SMS delivery	Recipient phone numbers and message content for SMS notifications (see Section 4)
Plant.id	Tree species identification	Images you submit for species identification, returned to you with identification results
iNaturalist	Species and ecological data lookups	Species queries and ecological data requests; user-identifying information is not shared with iNaturalist
Cesium	3D satellite imagery and geospatial visualization	Location coordinates of mapped areas; aggregate map tile requests
Sentry	Error and crash reporting	Error messages, stack traces, and minimal context to diagnose application errors; personally identifying data is filtered where possible
Intuit (QuickBooks Online)	Accounting integration for commercial-mode tenants who connect their QuickBooks account	Invoice and customer data, only when a user explicitly connects their QuickBooks account; data is shared bidirectionally per QuickBooks OAuth scope

This list reflects the service providers in use as of the effective date of this policy. We will update this list when we add, remove, or change service providers.

7. Data Retention

We retain your information for as long as your account is active or as needed to provide our products. We retain certain information after account closure as required by law (for example, financial records for tax purposes), to resolve disputes, to enforce our agreements, or for legitimate business purposes such as fraud prevention.

You may request deletion of your personal information at any time by contacting us using the information in Section 17. Some information may be retained in backup archives for a limited period after deletion from active systems. We will respond to deletion requests within thirty (30) days, or as required by applicable law.

8. Data Security

We implement reasonable administrative, technical, and physical safeguards to protect your information against unauthorized access, disclosure, alteration, or destruction. These include encryption in transit (HTTPS), encryption at rest for sensitive data, role-based access controls, audit logging, and regular security review of our infrastructure.

No method of transmission or storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for activity that occurs under your account.

If we become aware of a security breach that materially affects the security of your information, we will notify you as required by applicable law.

9. Your Rights and Choices

9.1 Access and Correction

You can access and update most of your account information directly within our products. For information you cannot access or update yourself, contact us using the information in Section 17.

9.2 Deletion

You can request deletion of your account and associated personal information by contacting us. Some information may be retained as described in Section 7.

9.3 Marketing Communications

We do not currently send marketing emails through the Arbcura products. Transactional emails (such as account notifications and operational alerts) cannot be opted out of while maintaining an active account, because they are necessary to operate the service.

9.4 SMS Opt-Out

As described in Section 4, you can opt out of SMS messages by replying STOP to any message or by updating your preferences in your account settings.

The sections that follow describe additional rights that apply based on your place of residence. The rights described below are in addition to the general rights in this Section 9.

10. California Residents (CCPA/CPRA)

10.1 Categories of Personal Information We Collect

In the preceding twelve (12) months, we have collected the following categories of personal information about California residents, as defined under the CCPA/CPRA:

• Identifiers (such as name, email address, phone number, IP address, account identifiers)
• Customer records information (such as contact information and billing details)
• Commercial information (such as account history and subscription records)
• Internet or other electronic network activity information (such as usage logs and device information)
• Geolocation data (precise GPS coordinates only when you grant location permission)
• Professional or employment-related information (such as your role within an organization)
• Inferences drawn from the above, such as user activity patterns within the product

The sources of this information, our purposes for collecting it, and the parties with whom we share it are described in Sections 2, 3, 5, and 6 of this policy.

10.2 Sensitive Personal Information

We do not collect sensitive personal information as defined under the CCPA/CPRA for purposes other than providing our services and complying with the law. Accordingly, we are not required to provide a separate notice of right to limit use of sensitive personal information.

10.3 Sale or Sharing of Personal Information

We do not sell personal information. We do not "share" personal information for cross-context behavioral advertising as that term is defined under the CCPA/CPRA. We have not sold or shared personal information about California residents in the preceding twelve (12) months. We do not knowingly sell or share the personal information of minors under sixteen (16) years of age.

10.4 Your California Privacy Rights

If you are a California resident, you have the following rights:

• Right to Know: request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, our business or commercial purposes for collecting it, and the categories of third parties with whom we share it
• Right to Delete: request that we delete personal information we have collected about you, subject to certain exceptions
• Right to Correct: request that we correct inaccurate personal information we hold about you
• Right to Opt-Out of Sale or Sharing: as stated above, we do not sell or share personal information, so there is no need to opt out, but you have the right to do so if our practices change
• Right to Non-Discrimination: we will not discriminate against you for exercising any of these rights

10.5 How to Exercise Your Rights

To exercise these rights, contact us at privacy@arbcura.com, by phone at 706-909-9137, or by mail at the address in Section 17. We will verify your identity before responding to your request, typically by confirming information you previously provided when creating your account. We will respond within forty-five (45) days, with a possible forty-five (45) day extension.

10.6 Authorized Agents

You may designate an authorized agent to make a request on your behalf by providing the agent with written permission, signed by you, and verifying your identity directly with us. We may deny requests from agents who do not provide proof that they have been authorized to act on your behalf.

10.7 Shine the Light

California Civil Code Section 1798.83 permits California residents to request certain information regarding our disclosure of personal information to third parties for direct marketing purposes. As stated above, we do not disclose personal information to third parties for their direct marketing purposes.

11. Other US State Residents

11.1 Your Rights

Depending on the laws in your state, you may have some or all of the following rights:

• Right of Access: request to know what personal data we process about you and obtain a copy
• Right to Correct: request that we correct inaccurate personal data
• Right to Delete: request deletion of personal data we hold about you
• Right to Data Portability: receive a copy of your personal data in a portable, readily usable format
• Right to Opt-Out: opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects

As stated elsewhere in this policy, we do not sell personal data, do not engage in targeted advertising, and do not engage in profiling that produces legal or similarly significant effects about you. Accordingly, the opt-out right does not require action on your part with respect to our current practices.

11.2 How to Exercise Your Rights

To exercise these rights, contact us at privacy@arbcura.com or by mail at the address in Section 17. We will verify your identity before responding and will respond within the timeframes required by applicable law (typically forty-five (45) days, with possible extensions).

11.3 Appeal Process

If we decline to take action on your request, you have the right to appeal that decision. To appeal, reply to our response with the word "Appeal" in the subject line, or contact privacy@arbcura.com with details of your original request and reasons you believe our response was incorrect. We will respond to appeals within sixty (60) days. If your appeal is denied, you may have the right to contact your state Attorney General to submit a complaint.

12. European Economic Area, United Kingdom, and Switzerland Residents

12.1 Data Controller

For the purposes of the GDPR and related laws, Arbcura Technology LLC is the data controller responsible for personal data processed in connection with our products. You can contact us about data protection matters using the information in Section 17.

12.2 Legal Basis for Processing

We process personal data on one or more of the following legal bases:

• Performance of a contract: processing necessary to provide our products to you under our Terms of Service
• Legitimate interests: processing necessary for our legitimate interests in operating, maintaining, and improving our products, provided that those interests are not overridden by your rights and freedoms (such as for fraud prevention, security, and analytics)
• Consent: processing based on your specific consent (such as for SMS communications under Section 4)
• Legal obligation: processing necessary to comply with our legal obligations

12.3 Your Rights

Under the GDPR and similar laws, you have the following rights:

• Right of Access: obtain confirmation of whether we process personal data about you, and obtain a copy of that data
• Right to Rectification: request that we correct inaccurate or incomplete personal data
• Right to Erasure ("Right to be Forgotten"): request deletion of your personal data in certain circumstances
• Right to Restriction of Processing: request that we limit how we process your personal data in certain circumstances
• Right to Data Portability: receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller
• Right to Object: object to processing based on legitimate interests, including profiling
• Right to Withdraw Consent: where processing is based on consent, withdraw that consent at any time (without affecting the lawfulness of processing before withdrawal)
• Right to Lodge a Complaint: lodge a complaint with the supervisory authority in your country of residence, place of work, or where the alleged infringement occurred

12.4 How to Exercise Your Rights

To exercise these rights, contact us at privacy@arbcura.com. We will respond within thirty (30) days, with possible extensions if your request is complex or if we receive many requests. There is generally no fee for exercising these rights, but we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive.

12.5 International Data Transfers

Arbcura is based in the United States, and our products operate from the United States. Personal data we collect from individuals in the EEA, United Kingdom, and Switzerland is transferred to and processed in the United States. We rely on appropriate safeguards for such transfers, which may include Standard Contractual Clauses adopted by the European Commission, our service providers' adherence to the EU-US Data Privacy Framework, or other lawful transfer mechanisms.

12.6 EU Representative

At this time, Arbcura does not actively offer products to data subjects in the EEA or systematically monitor their behavior in the EEA, and accordingly we have not appointed a Designated Representative under Article 27 of the GDPR. If our practices change, we will update this policy and appoint a Designated Representative as required.

13. Canadian Residents

13.1 Accountability

Arbcura is accountable for the personal information under our control. Our Privacy Officer can be reached at privacy@arbcura.com or at the address in Section 17.

13.2 Purposes

The purposes for which we collect personal information are described in Sections 2 and 3 of this policy. We do not use personal information for purposes other than those identified, except with your consent or as required by law.

13.3 Consent

By providing us with personal information and using our products, you consent to our collection, use, and disclosure of that information as described in this policy. You may withdraw consent at any time, subject to legal or contractual restrictions, by contacting us. Note that withdrawing consent may affect our ability to provide our products to you.

13.4 Limiting Collection, Use, and Disclosure

We limit the collection of personal information to what is necessary for the purposes identified, and we do not use or disclose personal information for purposes other than those for which it was collected, except with consent or as required by law.

13.5 Accuracy and Safeguards

We take reasonable steps to ensure personal information is accurate, complete, and up-to-date for the purposes for which it is used. We protect personal information with appropriate safeguards as described in Section 8.

13.6 Individual Access

You have the right to access your personal information and to challenge its accuracy and completeness. Contact us at privacy@arbcura.com to make a request. We will respond within thirty (30) days.

13.7 Challenging Compliance

You may challenge our compliance with PIPEDA or applicable provincial law by contacting our Privacy Officer at privacy@arbcura.com. If your concern is not resolved, you may file a complaint with the Office of the Privacy Commissioner of Canada or with the applicable provincial privacy authority.

14. Children's Privacy

Our products are not directed to children under thirteen (13) years of age (or under sixteen (16) in jurisdictions where that is the applicable age), and we do not knowingly collect personal information from children under that age. If we learn that we have collected personal information from a child under the applicable age, we will delete that information as quickly as possible. If you believe we may have information about a child under that age, please contact us using the information in Section 17.

15. International Users

Arbcura is based in the United States, and our products are operated from the United States. If you access our products from outside the United States, your information will be transferred to, stored, and processed in the United States. By using our products, you consent to the transfer of your information to the United States and to processing in accordance with this policy. For residents of the EEA, United Kingdom, Switzerland, and Canada, see Sections 12 and 13 for additional rights and protections.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have an account with us) or by posting a notice within the products. The "Effective Date" at the top of this policy indicates when it was last updated. Continued use of our products after a change indicates your acceptance of the updated policy.

17. Contact Us

If you have questions about this Privacy Policy, want to exercise your rights, or have concerns about how we handle your information, contact us: