InvestigationOS ("we," "us," "our") provides a multi-tenant SaaS platform for security and investigation firms. This Privacy Policy explains what information we collect, how we use it, and the rights you have over your data.

1. Who this applies to

This policy covers visitors to our website and customers ("Organizations") who subscribe to InvestigationOS, as well as the end users that an Organization invites into its workspace (admins, investigators, security officers, clients). Each Organization is a separate tenant with its own isolated data.

2. Information we collect

Account information

Name, email, phone number, and role you provide when registering or being invited.
Authentication credentials (passwords are stored using industry-standard one-way hashing).
Two-factor authentication secrets, if enabled.

Tenant content

Cases, clients, agreements, invoices, files, photos, incident reports, schedules, time entries, training progress, and other data you upload or generate.
Documents uploaded during onboarding (e.g., W-9, I-9, driver's license, guard card) when you choose to provide them.

Usage and technical data

IP address, browser type, device type, pages viewed, and timestamps.
Activity logs of significant actions taken within the platform (used for security and audit).

3. How we use information

To provide, maintain, and improve the service.
To authenticate users and enforce role-based access.
To process subscription payments through our payment processor (Stripe).
To send transactional emails (invites, password resets, billing notifications).
To detect and prevent fraud, abuse, and unauthorized access.
To respond to support requests and comply with legal obligations.

4. Tenant isolation

Every record in InvestigationOS is tagged with a tenantId and every database query is scoped to the authenticated user's tenant. Organizations cannot see, query, or otherwise access data belonging to other Organizations.

5. Data sharing

We do not sell your data. We share data only with:

Subprocessors we contract for infrastructure (cloud hosting, email delivery, file storage, payment processing) under data processing agreements.
Within an Organization: data you upload is visible to authorized roles within that Organization per its access controls.
Law enforcement only when compelled by valid legal process or to protect rights and safety.

6. Subprocessors

We use the following primary subprocessors. We will provide updated lists upon written request.

Cloud hosting and database (US regions)
File object storage (AWS S3)
Transactional email (Resend)
Payment processing (Stripe)

7. Data retention

We retain customer data for as long as the Organization remains active. After cancellation, we retain backups for up to 90 days for disaster recovery, then permanently delete data unless retention is required by law. Organizations can request earlier deletion in writing.

8. Security

Encryption in transit (TLS 1.2+) and at rest (AES-256).
Hashed password storage and optional two-factor authentication.
Role-based access control with strict per-tenant isolation.
Activity logging and audit trails.
Routine vulnerability scanning and dependency monitoring.

9. Your rights

Depending on your location, you may have the right to access, correct, port, or delete your personal data. End users should contact their Organization's administrator first. To exercise rights directly with InvestigationOS, email [email protected].

10. Children

InvestigationOS is not intended for use by individuals under the age of 18. We do not knowingly collect data from minors.

11. International transfers

InvestigationOS is hosted in the United States. By using the service you consent to the transfer of your data to and processing within the U.S.

12. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email and/or in-app notice at least 30 days before taking effect.

13. Contact

For questions about this policy or your data, contact [email protected] or use our contact form.