How we handle your data.
Last updated: June 4, 2026
The short version
We collect as little data as we can get away with. We don't sell anything. We don't use advertising cookies. The only "tracking" on this site is anonymous page-view counts that don't follow you anywhere.
When you submit a form (contact, careers, the live demo), we keep what you wrote so we can answer you. When you stop being a prospect, customer, or applicant, we delete it on request.
Who we are
Pittwater is a Connecticut-based AV systems integration firm. Our office of record is 487 Federal Rd, Brookfield CT 06804. You can reach our team at hello@pittwater.co.
This policy covers the website at pittwater.co (and our project demo subdomain at pitth2o.com). It does not cover anything we do under contract for our clients — those engagements have their own NDAs and data-handling terms.
What we collect from you
When you browse the site: Anonymous page-view counts and Core Web Vitals (loading speed, layout stability) via Vercel Analytics. No cookies are set. Your IP address is processed by our hosting provider (Vercel) to serve you the page, but is not stored or shared.
When you submit a form (Contact, Careers, "Send a note"): the fields you typed — typically your name, email, optional company/location, and the message body. We use this to reply to you.
When you use the live-control demo on the homepage: a randomly-generated session ID (so we know whose clicks are whose), a one-way SHA-256 hash of your IP address (so two browser tabs from the same network don't grab two queue slots), and your approximate city/country if your browser shares it. All of this is deleted automatically about an hour after you leave the page.
When you view the /monitoring page: nothing about you, the visitor, is collected. The numbers shown on that page (device counts, incident feed, fleet uptime) are pulled by our server from XYTE — our third-party monitoring backend — and rendered with every customer and device identifier replaced by a one-way hash so no real client is named on the page. While the tab is open, your browser polls our own endpoint /api/monitoring/pulse about once a minute for fresh counters; polling stops automatically when the tab is hidden. No cookies, no fingerprinting, no analytics specific to /monitoring.
We do not collect: payment information, precise location, anything from your social media accounts, or browsing data from outside this website. We never run advertising trackers.
How we use it
Form submissions: we read them and reply. Nothing else.
Demo session data: routes your clicks to the right Q-SYS processor in our office and enforces the one-visitor-at-a-time queue.
Analytics: lets us see which pages people read so we can decide where to invest writing time. No individual-level data is exposed to us — Vercel Analytics is page-view counts in aggregate.
We do not use any of this to build a profile of you, sell your data, train an AI model, or send you marketing email you didn't ask for.
Who we share it with
We use a small set of trusted processors to actually run the website. Each one only sees the data it needs to do its job:
- Vercel (hosting + analytics) — vercel.com/legal/privacy-policy
- Sanity (CMS, for the content you read on the public site) — sanity.io/legal/privacy
- Upstash Redis (live demo session/queue state) — upstash.com/trust/privacy.pdf
- Cloudflare Stream (the live demo camera feed) — cloudflare.com/privacypolicy
- Cloudflare Tunnel (the encrypted tunnel between our cloud and the Brookfield office bridge) — cloudflare.com/privacypolicy
- XYTE (the third-party AV monitoring backend feeding the /monitoring page; we send no visitor data to XYTE — only our own server pulls fleet stats from it) — xyte.io/privacy-policy
- Resend (the email delivery service used when you submit a form) — resend.com/legal/privacy-policy
- Slack (where form submissions land internally for our team to read) — slack.com/trust/privacy/privacy-policy
- Google Maps (embedded on the Contact page) — policies.google.com/privacy
We do not sell your information. We do not share it with advertisers, data brokers, or anyone outside this list.
Google API services & user data
Two surfaces on this site sign in with Google: the staff album at /photos and the field-survey PWA at /capture. We use the official Google Identity Services and OAuth flow — we never see or store your Google password.
/photos (staff only — @pittwater.co Workspace accounts) requests the Drive scope. This lets a Pittwater staffer browse, organise, rename, share, and delete files inside the Pittwater Shared Drive. We use it only for the Shared Drive site-survey album the team works with day-to-day; we do not read, list, modify, or delete files in any staffer's personal Drive in the course of normal use.
/capture (staff + invited external contractors) requests only the drive.file scope ("Only files you use with this app"). Under drive.file, the app can create new photos and videos in the specific project folder a Pittwater staffer has granted the contractor access to, and read back only the files we ourselves uploaded. It cannot see, list, modify, or delete any other file in the contractor's Drive.
Limited Use disclosure. Pittwater's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data only to provide and improve the user-facing features of the Pittwater Capture and Pittwater Photos surfaces (signing you in, showing you the right project folder, uploading the photos you took, browsing the album).
- We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with the user's prior consent.
- We do not use Google user data for serving advertisements, including retargeting, personalised, or interest-based advertising.
- We do not allow humans to read Google user data except with the user's affirmative agreement for specific pieces of data, when necessary for security purposes (e.g. investigating abuse), to comply with applicable law, or where the data is aggregated and used for internal operations in accordance with the User Data Policy.
- We do not use Google user data to develop, improve, or train generalised or non-personalised AI and/or ML models.
Storage and retention. Photos and videos you capture or upload are stored in the relevant project's folder in Pittwater's Google Shared Drive. Session tokens (the short-lived access token plus a refresh token we use to renew it) are kept in an encrypted server-side session cookie issued by Auth.js and a Vercel-hosted token store; they are not exposed to the browser. We delete server-side session records when you sign out, when your contractor grant expires, or when the session record is naturally evicted.
Revoking access. You can revoke this app's access to your Google Account at any time at myaccount.google.com/permissions. Revoking access does not delete photos previously uploaded from your phone — those continue to live in Pittwater's Shared Drive; email hello@pittwater.co if you want them removed.
Cookies and tracking
We don't set any cookies on this site. Vercel Analytics is cookieless by design. We don't run Google Analytics, advertising pixels, or any tracker that follows you between websites.
The only exception is our CMS administration interface at /studio, which uses Sanity's authentication cookies — but that area is for our team only, not for site visitors.
See our Cookie Policy for the full breakdown.
How long we keep it
Form submissions stay in our email and Slack indefinitely so we can find them when we need to. You can ask us to delete yours at any time and we will.
Live-demo session data has a one-hour time-to-live in Redis and is purged automatically.
Analytics data is retained per Vercel's policy — typically rolling, no per-user history because no per-user identification exists.
Careers applications are kept for up to two years in case a fit opens up later. Tell us to delete sooner and we will.
Your rights
Regardless of where you live, you can email hello@pittwater.co and ask us to:
- Tell you what we have on file about you
- Correct anything that's wrong
- Delete it entirely
- Send you a copy in a portable format
We'll respond within 30 days. We don't charge a fee.
If you're in the EU, UK, Switzerland, or similar jurisdictions: the legal basis for processing your form submission is consent (you chose to submit it) or legitimate interest (we need to answer you). For analytics, the basis is legitimate interest (running the website). You can object to processing at any time by emailing us — we may keep your contact details if we have a legal obligation, but we'll stop using them otherwise.
If you're in California, Connecticut, Virginia, Colorado, or any other state with a consumer privacy law: you have the same set of rights — access, correction, deletion, portability, and the right to opt out of sale. We do not sell or share personal information for cross-context behavioral advertising, full stop.
Children
This website is not directed at children under 16. We don't knowingly collect data from anyone under 16. If you believe a child has submitted information to us, email hello@pittwater.co and we'll delete it.
International transfers
Our processors are primarily US-based. If you're in the EU/UK and submit a form, your data will be transferred to and stored in the United States. We rely on the EU-US Data Privacy Framework and standard contractual clauses (where applicable) as the legal mechanism for that transfer. The processors above each publish their own SCC/DPF posture; we use only providers that have one.
Security
All data in transit uses TLS. Form submissions never touch a third party outside the processors listed above. Our internal Slack workspace requires 2FA, our email account requires 2FA, our hosting account requires 2FA, and our CMS uses SSO with 2FA. We don't store passwords or payment information on our infrastructure.
If you believe you've found a security issue with this website, please email security@pittwater.co with details. We respond to good-faith reports within 72 hours.
Changes to this policy
When we materially change this policy, we update the Last updated date at the top and, where required by law, give visitors at least 30 days' notice via a banner on the site. Cosmetic edits (typo fixes, layout) don't trigger a notice.
Contact
Questions about this policy or about how we handle your data:
Email: hello@pittwater.co
Mail: Pittwater, 487 Federal Rd, Brookfield CT 06804, USA