PRIVACY
POLICY.

As development progresses toward public launch, this policy will be updated to reflect any changes in data practices. Beta participants will be notified by email of any material updates before they take effect. Continued use of the Service following notification constitutes acceptance of the revised policy.

CROXSYNC is an independent software application developed and operated by Croxsoft Ltd. Procore Technologies, Inc. and Microsoft Corporation are third-party platform providers whose APIs CROXSYNC integrates with. Neither Procore nor Microsoft is a party to this Privacy Policy, and neither bears any responsibility or liability for how CROXSYNC accesses, handles, stores, or processes your data.

By using CROXSYNC, you acknowledge and agree that all data protection obligations relating to your use of this application rest solely with Croxsoft Ltd (trading as CROXSYNC), and not with Procore or Microsoft.

We collect and process the minimum personal information strictly necessary to provide the synchronisation Service. This includes:

CROXSYNC explicitly does not collect, store, or process the following:

• File content — all documents, drawings, photos, and other files remain exclusively within your Procore and SharePoint accounts at all times
• Passwords or credentials — CROXSYNC uses OAuth 2.0 exclusively; no third-party credentials are ever entered into or stored by CROXSYNC
• Payment card details — no billing system is active during beta; no payment or financial data of any kind is collected or stored
• SMS opt-in data or phone numbers — CROXSYNC does not operate any SMS messaging service
• Biometric data, health data, or any special category data as defined under UK/EU GDPR
• Data in excess of what is strictly necessary for the delivery of synchronisation functionality
• Customer Data for the purpose of training, fine-tuning, benchmarking, or otherwise improving any machine learning or artificial intelligence system

Personal information collected by CROXSYNC is used solely for the following purposes:

• Authenticating your account and maintaining a secure session
• Establishing and maintaining OAuth 2.0 connections to your Procore and Microsoft SharePoint accounts
• Comparing file metadata across connected platforms to identify synchronisation actions required
• Performing authorised file transfers between Procore and SharePoint on your behalf
• Maintaining sync history and audit logs accessible to you as the account holder
• Responding to support requests and communicating material service updates
• Monitoring and improving platform reliability, security, and performance during the beta phase

CROXSYNC employs a streaming-first architecture specifically designed to ensure that file content never persists on our infrastructure. When a file transfer is performed:

• Files are transferred incrementally — each segment is downloaded from the source and immediately uploaded to the destination without being held in full
• No complete file is assembled, buffered, or retained on CROXSYNC servers at any point during or after a transfer
• Upon completion of each transfer, no file data whatsoever remains on CROXSYNC infrastructure
• Only the metadata record (file name, size, timestamp, platform-assigned ID) is retained for sync state management and audit purposes

CROXSYNC currently integrates with the following third-party platforms:

• Procore — a construction management platform operated by Procore Technologies, Inc. CROXSYNC is a verified Procore Connected App.
• Microsoft SharePoint — a cloud collaboration platform forming part of Microsoft 365, operated by Microsoft Corporation. CROXSYNC is a verified Microsoft publisher.

By connecting a third-party service through CROXSYNC, you:

• Expressly authorise CROXSYNC to access and interact with that service on your behalf via its OAuth 2.0 authorisation flow
• Confirm that you are a duly authorised user of that third-party platform and hold a valid subscription or licence to use it
• Acknowledge that the third-party platform's own terms of service and privacy policy govern that platform's handling of your data independently of CROXSYNC
• Acknowledge that OAuth access tokens are stored by CROXSYNC in encrypted form
• Acknowledge that CROXSYNC requests only the minimum API scopes and permissions strictly required to perform synchronisation

All personal data and Customer Data processed by CROXSYNC is stored exclusively within the European Union.

• No Customer Data is stored, replicated, or transferred outside the European Union without prior explicit disclosure and, where required, your consent
• All data in transit between CROXSYNC and third-party APIs (Procore, Microsoft) is encrypted via TLS 1.2 or higher
• All data at rest is encrypted at the infrastructure level in addition to application-level encryption of OAuth tokens

CROXSYNC employs reasonable and appropriate technical, administrative, and organisational safeguards to protect personal information and Customer Data against misuse, interference, loss, unauthorised access, modification, and disclosure:

• OAuth 2.0 authentication exclusively — no third-party passwords, credentials, or secrets are stored by CROXSYNC
• OAuth access tokens encrypted at rest using AES-256-GCM
• TLS encryption enforced on all connections — no data is transmitted in plaintext
• Role-based access controls — Customer Data is accessible only to the authenticated account holder
• Technical controls to prevent unauthorised webhook access and sync loop exploitation
• API credentials maintained in strict confidence and not exposed in any public-facing system
• Ongoing security review and vulnerability assessment as part of the beta development process

CROXSYNC will not disclose your personal information or Customer Data to any third party except in the following limited circumstances:

• Authorised cloud infrastructure providers acting as data processors under our instruction, bound by data processing agreements and EU data protection standards
• Professional or legal advisers — where strictly necessary for legal compliance or the defence of legal claims
• Regulatory authorities — where disclosure is required by applicable law or court order

CROXSYNC uses cookies for two distinct purposes:

• Session management (essential) — strictly necessary cookies used to authenticate your session and maintain your login state. These cannot be disabled without impairing core platform functionality.
• Analytics (non-essential) — Google Analytics 4 is used to understand platform usage, identify performance issues, and guide product improvements. Analytics cookies are loaded only after you provide explicit informed consent via the cookie consent banner displayed on first visit.

You may withdraw consent for analytics cookies at any time without affecting your ability to use the Service. Declining analytics has no impact on synchronisation functionality or your account.

Personal information and Customer Data is retained only for as long as is necessary for the purpose for which it was collected:

• Account data (name, email, organisation) — retained for the duration your account remains active
• OAuth access tokens — retained only while the relevant integration connection is active; deleted immediately and permanently upon disconnection
• File metadata and sync logs — retained for the duration of the relevant sync bridge to support audit trail and operational continuity
• Following account deletion — all personal data, Customer Data, OAuth tokens, and associated metadata will be permanently purged from all systems within 30 days of the deletion request

In the event of any actual or reasonably suspected security incident involving unauthorised access to, disclosure of, or loss of Customer Data, CROXSYNC will:

• Notify Procore Technologies, Inc. at security@procore.com within 24 hours of becoming aware of the incident, as required under the Procore API Terms of Use
• Notify affected users and, where required by applicable law, the relevant supervisory authority (including the ICO for UK data subjects), within legally mandated timeframes
• Preserve all available evidence relating to the incident and provide a full written report including: nature and root cause of the incident, categories and approximate number of affected individuals and organisations, categories and approximate volume of affected records, likely consequences, and corrective and remediation actions taken
• Bear sole responsibility, at our expense, for investigating, containing, and remediating the incident and for all required notifications to affected customers and regulatory authorities

You may at any time request access to, correction of, restriction of processing of, or deletion of your personal information by contacting us at support@croxsync.com. We will respond to all verifiable requests within 10 business days. No fee will be charged for a request unless it is manifestly unfounded, excessive, or repetitive.