Privacy Policy

CJD Technologies LLC (“CJD Technologies,” “we,” “us,” or “our”) operates FSM Navigator, a cloud-based field service management platform available at fsmnavigator.com (the “Service”). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you access or use FSM Navigator, including our website, web application, mobile applications, APIs, and related services.

By creating an account, accessing, or using any part of the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

This Privacy Policy applies to all users of the Service, including company administrators (“Owners”), dispatchers, field technicians, inventory managers, asset managers, and customer portal users. If you are using the Service on behalf of an organization, you represent that you are authorized to accept this Privacy Policy on their behalf.

We use the information we collect for the following lawful business purposes:

• Providing and Operating the Service: To create and manage your account, authenticate your identity, process jobs and work orders, dispatch technicians, manage schedules, generate invoices, and facilitate team communication.
• Dispatch Optimization & Auto-Assignment: To calculate optimal travel times, estimate arrival times, and intelligently assign jobs to technicians based on location, skills, and availability.
• Billing & Payments: To process subscription payments, generate invoices, manage billing cycles, calculate prorated charges, and handle refunds through our payment processor (Stripe).
• Sending Transactional Communications: To deliver essential communications such as account verification emails, password reset links, invoice notifications, job assignment alerts, magic link authentication emails, and other operational messages via Amazon SES.
• Security & Fraud Prevention: To protect the security and integrity of the Service, detect and prevent unauthorized access, monitor for abuse, enforce rate limits, scan uploaded files for malware, and comply with our legal obligations.
• Customer Support: To respond to your inquiries, troubleshoot issues, and provide technical assistance. In limited circumstances, authorized support personnel may access your account on a temporary and controlled basis to diagnose and resolve issues you have reported or that are identified through system monitoring.
• Service Improvement: To analyze usage patterns (in aggregate, non-identifying form), monitor system performance, diagnose technical issues, and improve the Service’s functionality, reliability, and user experience.
• Compliance & Legal Obligations: To comply with applicable laws, regulations, and legal processes, and to establish, exercise, or defend our legal rights.

We do not use your personal information for advertising, behavioral profiling, or sale to third-party marketers. We do not serve ads in FSM Navigator. We do not build advertising profiles of our users.

We do not sell, rent, or trade your personal information. We share your information only in the following limited circumstances:

4.1 Third-Party Service Providers

We share information with carefully selected service providers who assist us in operating the Service. Each provider is contractually obligated to protect your data and may only use it for the specific purpose for which it was shared:

For a complete list of our subprocessors, see our Subprocessors page.

4.2 Legal Requirements

We may disclose your information if required to do so by law or in good faith belief that such action is necessary to: (a) comply with a legal obligation, subpoena, court order, or governmental request; (b) protect and defend our rights or property; (c) prevent or investigate possible wrongdoing in connection with the Service; (d) protect the personal safety of users or the public; or (e) protect against legal liability.

4.3 Business Transfers

If CJD Technologies LLC is involved in a merger, acquisition, asset sale, corporate reorganization, or bankruptcy, your personal information may be transferred as part of that transaction. In such event, we will notify you via email and/or a prominent notice on the Service before your information is transferred and becomes subject to a different privacy policy. The acquiring entity will be required to honor the commitments made in this Privacy Policy.

4.4 With Your Consent

We may share your information in other circumstances with your express consent or at your direction.

4.5 Aggregated or De-identified Data

We may share aggregated or de-identified information that cannot reasonably be used to identify you for analytics, benchmarking, or industry research purposes. This information does not constitute personal information under applicable privacy laws.

4.6 Internal Support Access

In order to provide technical support, diagnose reported issues, and maintain the security and integrity of the Service, authorized personnel of CJD Technologies LLC may access your account data under the following conditions:

• Access is limited to the minimum scope and duration necessary to resolve the matter.
• All support access sessions are logged in tamper-evident audit records, including the identity of the support representative, the duration of access, and the actions performed.
• Certain sensitive operations (such as financial transactions, password changes, and data deletion) are prohibited during support access sessions.
• Account administrators are notified when support access to their organization’s data occurs.
• Support personnel are bound by confidentiality obligations as described in our Data Processing Agreement.

For additional details on the technical safeguards governing support access, see our Security & Trust page.

We retain your personal information only for as long as reasonably necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.

• Active Account Data: Retained for the duration of your account’s active subscription and for a reasonable period thereafter to allow for reactivation.
• Billing & Financial Records: Retained for a minimum of seven (7) years to comply with tax, accounting, and regulatory obligations.
• Audit Logs: Retained for a minimum of three (3) years for security and compliance purposes.
• Application Logs: Automatically rotated on a weekly basis with a 40-day retention period. Logs never contain plaintext personally identifiable information.
• Server Access Logs: Our web servers record standard access logs for security monitoring, abuse prevention, and operational diagnostics. These logs may include IP addresses, request timestamps, URLs visited, HTTP status codes, and browser identifiers. Access logs are rotated daily and retained for 30 days in uncompressed form, with compressed archives retained for up to 120 days before automatic deletion. These logs are used solely for security and operational purposes and are not shared with third parties.
• Session Data: Web sessions expire after 8 hours of inactivity. Mobile sessions expire after 30 days. Expired session records are automatically purged.
• Magic Link Tokens: Expire after one (1) hour and are single-use. Token records are purged after expiration.
• Email Verification Codes: Expire after 48 hours and are purged automatically.
• Deleted Data: You can delete your account yourself through the self-service option in your profile settings — your personal information is permanently erased from our live systems right away. If you prefer, you can also email us a deletion request and we’ll process it within 30 days. In both cases, certain records we’re legally required to keep (like audit logs and billing records) are retained for the periods described above. Residual data in encrypted backups is automatically overwritten within 90 days and is never individually accessible.

We take the security of your data seriously and implement industry-leading technical and organizational measures to protect it:

• Encryption at Rest: All sensitive personal information is encrypted using bank-grade encryption standards with unique encryption keys per company for complete data isolation.
• Encryption in Transit: All data transmitted between your device and our servers is protected using modern TLS encryption. API requests are additionally encrypted for defense-in-depth protection.
• Password Security: Passwords are salted and hashed using industry-standard, computationally expensive algorithms. We never store plaintext passwords.
• Multi-Factor Authentication (MFA): Multi-factor authentication using time-based verification codes is available for all users and can be enforced company-wide by administrators.
• Role-Based Access Control (RBAC): Access to data and functionality is restricted based on each user’s assigned role, enforced on every request at the server level.
• Multi-Tenant Data Isolation: Each company’s data is logically isolated at the database level. Users of one company cannot access, view, or modify data belonging to another company. Authorized support access by CJD Technologies LLC personnel is governed by the safeguards described in Section 4.6 and on our Security & Trust page.
• Comprehensive Audit Trails: All significant actions (logins, data changes, permission modifications, and administrative operations) are logged in tamper-evident audit records.
• Malware Scanning: All file uploads are automatically scanned for viruses and malware before they are stored or processed.
• Rate Limiting & Abuse Prevention: Automated rate limiting on all API endpoints protects against brute-force attacks, credential stuffing, and denial-of-service attempts.
• SOC 2 Framework Aligned: Our security controls are designed and maintained in alignment with SOC 2 Type II standards for security, availability, and confidentiality.

6.1 Keeping Your Mobile App Safe

When you first open our mobile app, your phone or tablet sets up a unique security badge that stays on your device. We keep a matching code on our servers so we can recognize your device the next time you connect. This badge helps make sure that only your actual device—not someone copying your account information—can send requests to our servers on your behalf.

When you move from the mobile app to a web page (for example, to manage your subscription or view invoices), we briefly remember your network address and basic browser details for about a minute. This lets us safely hand you off between the app and the browser, while blocking anyone who tries to intercept that handoff. These short-lived details are used only for this security check and are kept with our other security records for the same time periods described above.

You can sign your devices out at any time from your account settings, and we’ll remove the matching code on our side right away.

6.2 Push Notifications on the Mobile App

When you use our mobile app, we deliver operational alerts as push notifications. Delivery is handled by your mobile platform’s native push notification system (iOS or Android), and we use a trusted third-party push delivery provider as part of our secure infrastructure to route messages to your device. The only identifier we store to reach your device is a push token randomly issued by the operating system; it is not a piece of personal data and is linked only to your user account so we send alerts to the right device. We do not sell, share, or expose push tokens to any unrelated third parties.

We only use push notifications for operational events tied to your work. We do not send marketing, promotional, or advertising push notifications. The categories you may receive are:

• Task Assignments & Updates — new task assignments, reassignments, and status changes.
• SLA Alerts — time-critical service level warnings and breach notifications. These are transactional alerts sent to help you meet service commitments, but they remain user-toggleable.
• Messages — in-app chat messages from teammates and customer communication notes.
• Parts Approvals — approval events for parts requests.
• Work Orders — work order lifecycle events (created, activated, completed, cancelled, on hold), sub-job block/unblock, customer approvals and change requests, milestone progression, and document uploads.

You have full control over these notifications at two levels:

• System-level (device): On iOS, go to Settings → Notifications → FSM Navigator. On Android, go to Settings → Apps → FSM Navigator → Notifications, where you can also control each category individually as a separate notification channel.
• In-app: Open the mobile app and go to Settings → Notifications. You’ll find a master “Receive all notifications” switch, per-category toggles for every group listed above, and a Quiet Hours configuration that mutes non-critical notifications during times you choose. Because SLA alerts are time-critical, they bypass Quiet Hours so you don’t miss a breach warning.

Push tokens are retained while the app remains installed and your account is active. When you log out or uninstall the app, the stored token is removed so no further alerts can be delivered to that device.

6.3 App Stability Monitoring

To keep the mobile app reliable, we collect technical data about crashes and unexpected errors. This information is strictly about app behavior—it doesn’t include your personal contact information, payment details, or any business data you’ve entered. Crash reports are sent to a trusted third-party crash reporting service operated by our infrastructure provider, which processes the data on our behalf under a data processing agreement.

When the mobile app encounters an error, a brief technical report is sent: the error description, your app version, operating system version, device model, and the sequence of actions leading up to the error. Before the report leaves your device, we automatically remove personal information (such as email, name, and phone number), authentication tokens, and cryptographic keys so that this sensitive data never reaches the crash reporting service. Your user identity in these reports is represented by an anonymous identifier that cannot be used to look you up by name, email, or phone.

Crash reports are retained by the crash reporting service for 90 days and are used only to identify and fix bugs that affect our users. No crash data is collected for users who are not signed in, and we do not use crash data for marketing, advertising, or any purpose unrelated to app stability. We rely on this collection under our legitimate interest in maintaining a reliable service (Article 6(1)(f) GDPR), balanced against the minimal and technical nature of the data involved.

If you prefer not to contribute crash data, you can sign out of the mobile app—crash data is only collected for signed-in sessions. If you have further concerns about this practice, you can reach us at [email protected].

While we employ commercially reasonable security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any vulnerabilities or incidents that may arise.

For more details about our security practices, see our Security & Trust page.

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Right to Access: You may request a copy of the personal information we hold about you.
• Right to Correction: You may request that we correct any inaccurate or incomplete personal information.
• Right to Deletion: You can delete your account at any time through the self-service option in your profile settings — it’s immediate and permanent. Your personal information is erased from our live systems right away. We retain certain records only where legally required: billing records for tax compliance (7 years), audit logs for security and legal purposes (3 years), and any data related to ongoing legal proceedings. You can also submit a deletion request by emailing [email protected].
• Right to Data Portability: You may request a copy of your personal information in a structured, commonly used, and machine-readable format.
• Right to Restrict Processing: You may request that we temporarily or permanently stop processing some or all of your personal information.
• Right to Opt Out of Sale: We do not sell your personal information. However, you have the right to confirm this and to opt out of any future sale, should our practices ever change.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

How to Exercise Your Rights: For account deletion, you can use the self-service option in your profile settings — no email or support ticket needed. For all other privacy requests, email us at [email protected] with the subject line “Privacy Rights Request.” We will verify your identity before processing your request to protect your account. We will respond to verifiable requests within 30 days (or 45 days if we notify you of an extension).

Authorized Agents: You may designate an authorized agent to submit a request on your behalf. The agent must provide proof of authorization signed by you, and we may still require you to verify your identity directly.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

• Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
• Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
• Right to Correct: You have the right to request correction of inaccurate personal information.
• Right to Opt Out of Sale or Sharing: We do not sell or share (as defined by the CCPA/CPRA) your personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.
• Right to Limit Use of Sensitive Personal Information: To the extent we process sensitive personal information (as defined by the CPRA), we use it only for purposes permitted by law, including providing the Service you requested.
• Right to Non-Discrimination: We will not deny you service, charge different prices, provide a different quality of service, or retaliate against you for exercising your CCPA/CPRA rights.

Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:

To exercise any of your California privacy rights, please email [email protected]. We will respond to verified requests within 45 days as required by the CCPA.

FSM Navigator is a business-to-business (B2B) platform designed for use by field service companies and their employees. The Service is not directed at, designed for, or intended for use by individuals under the age of 16.

We do not knowingly collect personal information from anyone under the age of 16. If we become aware that we have collected personal information from a child under 16, we will take immediate steps to delete that information from our servers. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at [email protected] so that we can take appropriate action.

FSM Navigator is operated from the United States. All data collected through the Service is stored on servers located in the United States. If you access the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

By using the Service, you consent to the transfer of your information to the United States. We apply the same security protections described in this Privacy Policy to all data regardless of origin. Where required by law, we implement appropriate safeguards for cross-border data transfers, including standard contractual clauses or other mechanisms recognized by applicable data protection authorities.

FSM Navigator uses a minimal set of cookies for the Service to function, plus Google Analytics 4 (GA4) on public-facing pages to understand website traffic. We do not use advertising cookies, behavioral profiling cookies, or cross-site tracking cookies. Google Analytics is not loaded on any authenticated pages (dashboards, customer portal, or internal application).

Because we only use strictly necessary and functional cookies (no targeting or advertising), a cookie consent banner is not required under most privacy regulations. You can configure your browser to block or delete cookies, but doing so may prevent you from using the Service’s authenticated features.

For a detailed explanation of each cookie, how to manage them, and your rights, please see our Cookie Policy.

FSM Navigator honors Do Not Track (“DNT”) signals sent by your browser. We use Google Analytics 4 on public-facing pages for aggregated website traffic analysis, but we do not engage in cross-site tracking, behavioral advertising, or retargeting. When a DNT signal is detected, Google Analytics respects it per Google’s policies. We do not track you across third-party websites, and no service integrated with FSM Navigator performs cross-site tracking on our behalf.

The Service may contain links to third-party websites, services, or applications that are not operated or controlled by CJD Technologies LLC (for example, links to Stripe’s payment portal or QuickBooks Online). This Privacy Policy does not apply to any third-party sites or services. We encourage you to review the privacy policies of any third-party services before providing them with your personal information. We are not responsible for the privacy practices, content, or security of any third-party websites or services.

FSM Navigator is a multi-tenant platform, meaning multiple companies use the same infrastructure. We maintain strict logical data isolation between all tenant companies:

• Complete Separation: Every database query is scoped to the authenticated company. Users of one company cannot view, search, modify, or export data belonging to another company.
• Per-Tenant Encryption Keys: Each company’s sensitive data is encrypted with unique, company-specific encryption keys. Even in the unlikely event of unauthorized database access, data from one company cannot be decrypted using another company’s keys.
• Server-Enforced Boundaries: Tenant isolation is enforced at the application server level on every API request—not merely at the user interface level. Bypassing tenancy controls through direct API manipulation is not possible.
• Audit Independence: Audit logs are scoped per company. Administrators of one company cannot view the audit history of another company.
• Authorized Support Access: In order to deliver technical support and maintain the Service, authorized CJD Technologies LLC personnel may access tenant data under strictly controlled conditions. Such access is:
  • Time-limited and restricted to the minimum scope necessary
  • Fully logged in tamper-evident audit records
  • Subject to prohibitions on sensitive operations (e.g., financial transactions, data deletion)
  • Accompanied by notification to the affected account administrators

For contractual data handling obligations, see our Data Processing Agreement.

In the event that we become aware of a confirmed security breach involving the unauthorized access, acquisition, or disclosure of your personal information, we will:

1. Investigate and Contain: Immediately investigate the scope and nature of the breach and take all reasonable steps to contain it and prevent further unauthorized access.
2. Notify Affected Users: Notify affected users and, where applicable, company administrators by email without unreasonable delay, and in no event later than required by applicable law (e.g., within 72 hours under GDPR, or as required by the laws of your state of residence).
3. Notify Authorities: Report the breach to the appropriate supervisory or regulatory authorities as required by applicable law.
4. Provide Remediation Information: Include in our notification the nature of the breach, the types of data involved, the steps we have taken in response, and recommendations for steps you can take to protect yourself.

We maintain real-time security monitoring, automated threat detection, and incident response procedures designed to identify and respond to potential breaches as quickly as possible.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will:

• Update the “Last Updated” date at the top of this page.
• Post a prominent notice on the Service or send an email notification to registered users at least 30 days before material changes take effect.
• Where required by law, obtain your consent to material changes before they take effect.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all privacy-related inquiries within five (5) business days.