Privacy Policy
Last updated: February 10, 2026
1. Introduction
At Barrow AI, Inc. ("Barrow," "we," "our," or "us"), we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered environmental site assessment platform and related services (the "Service"). This Privacy Policy is incorporated into and subject to our Terms of Service.
2. Information We Collect
Personal Information
We may collect personal information that you provide directly to us, including:
- Name, email address, and contact information
- Professional credentials and company information
- Account registration details and preferences
- Payment and billing information
- Communications with our support team
Project and Site Data
When using our platform, you may upload or input:
- Site location and property information
- Environmental assessment data and documents
- Maps, photographs, and site plans
- Historical research and regulatory database information
- Draft reports and associated metadata
Automatically Collected Information
We automatically collect certain information when you use our Service:
- Device information (IP address, browser type, operating system)
- Usage data (pages visited, features used, time spent)
- Performance and error logs
- Cookies and similar tracking technologies (see Section 13)
3. How We Use Your Information
We use the collected information for the following purposes:
- Providing and maintaining our AI-powered platform services
- Processing and drafting environmental site assessment reports
- Improving our platform functionality and user experience
- Processing payments and managing subscriptions
- Providing customer support and technical assistance
- Communicating updates, security alerts, and service information
- Ensuring compliance with legal and regulatory requirements
- Detecting and preventing fraud or unauthorized access
4. AI Processing and Data Use
Our AI-powered platform processes your site data to draft environmental assessment reports. We want to be transparent about how this works:
- Your project data is processed by our AI models to draft reports and insights. All outputs are generated by automated AI systems and constitute preliminary drafts only, as described in our Terms of Service.
- We do not use your individual project data to train AI models.
- Individual project details are not shared with other users.
- We implement strict access controls for all data processing.
- You retain ownership of all project data you input into our platform, as set forth in Section 6 of our Terms of Service.
AI System Transparency
In accordance with applicable AI transparency requirements, including the EU AI Act:
- All reports and outputs generated by the Service are produced by artificial intelligence systems, not human authors
- Our AI systems are designed to draft Phase I Environmental Site Assessment reports based on user-provided data and publicly available information. They may produce inaccurate, incomplete, or inconsistent content.
- AI-generated outputs require review by a qualified Environmental Professional before any reliance or distribution
- Barrow is committed to compliance with applicable AI transparency obligations as they come into effect across jurisdictions
Aggregated and Anonymized Data
We may create aggregated, anonymized data derived from your use of the Service ("Aggregated Data"). Aggregated Data is data that has been combined with data from other users and stripped of all personally identifiable information and project-specific details such that it cannot reasonably be used to identify you, your organization, or any specific property or project. Barrow retains all rights in Aggregated Data and may use it for any lawful business purpose, including service improvement, benchmarking, and industry analysis. Aggregated Data is not subject to the data deletion obligations in Section 11 or in our Terms of Service.
5. Your Data Ownership
All data, documents, and materials you upload or provide through our platform remain exclusively your property. For a complete description of data ownership rights, intellectual property, and output ownership, please refer to Section 6 (Data Ownership and Intellectual Property) of our Terms of Service.
6. Information Sharing and Disclosure
We do not sell, trade, or rent your personal information. We may share your information only in the following circumstances:
- Service Providers: Third-party vendors who assist in operating our platform (see Section 7)
- Legal Requirements: When required by law, court order, or regulatory authority
- Business Transfers: In connection with mergers, acquisitions, or asset sales
- Consent: When you explicitly authorize us to share your information
- Security: To protect rights, safety, and security of our users and platform
7. Third-Party Service Providers
We use the following categories of third-party service providers to operate our platform. Your data may be processed by these providers in accordance with their respective privacy policies:
- Authentication: Identity management and secure login services
- Cloud Infrastructure: File storage, hosting, and cloud computing
- AI Processing: Large language model services for report drafting
- Payment Processing: Billing, subscription management, and transaction processing
- Analytics: Product usage analytics and service improvement
- Error Monitoring: Application performance and error tracking
8. Data Security
We implement robust security measures to protect your information:
- End-to-end encryption for data transmission and storage
- Regular security audits and vulnerability assessments
- Access controls and multi-factor authentication
- Secure cloud infrastructure with industry-standard certifications
- Employee training on data protection and security protocols
- Incident response procedures for potential security breaches
9. Data Breach Notification
In the event of a confirmed security breach that compromises the confidentiality, integrity, or availability of your personal information:
- Notification Timeline: Barrow will notify affected users within seventy-two (72) hours of confirming a breach that involves personal information, consistent with applicable laws including the GDPR and state breach notification statutes.
- Notification Contents: The notification will include, to the extent known: the nature and scope of the breach, the categories of data affected, the likely consequences, and the measures Barrow has taken or proposes to take to address the breach and mitigate its effects.
- Remediation: Barrow will take commercially reasonable steps to contain the breach, investigate its cause, remediate vulnerabilities, and prevent recurrence. Where appropriate, Barrow will provide affected users with identity protection services or other reasonable remediation.
- Regulatory Notification: Barrow will notify applicable data protection authorities as required by law.
10. Data Retention
We retain your information for as long as necessary to provide our services and comply with legal obligations:
- Account information: Until you delete your account
- Project data: As long as you maintain your account, plus the retrieval period described in Section 16 of our Terms of Service
- Payment information: As required for tax and accounting purposes
- Usage logs: Typically 12-24 months for security and optimization
11. Your Rights and Choices
You have several rights regarding your personal information:
- Access: Request a copy of your personal data
- Correction: Update or correct inaccurate information
- Deletion: Request deletion of your personal data
- Portability: Export your data in a common format
- Restriction: Limit how we process your information
- Objection: Object to certain types of processing
To exercise these rights, please contact us at privacy@barrow.site. We will respond to verified requests within thirty (30) days, or within the timeframe required by applicable law.
12. GDPR — Legal Basis for Processing (EEA/UK Users)
If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data under the following legal bases as required by the General Data Protection Regulation (GDPR):
- Performance of Contract: Processing necessary to provide the Service, including account management, report generation, and payment processing (Articles 6(1)(b))
- Legitimate Interest: Processing necessary for our legitimate business interests, including service improvement, analytics, fraud prevention, and security, where these interests are not overridden by your data protection rights (Article 6(1)(f))
- Legal Obligation: Processing necessary to comply with applicable laws, regulations, or legal proceedings (Article 6(1)(c))
- Consent: Where we rely on your consent for processing (such as optional marketing communications or non-essential cookies), you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal (Article 6(1)(a))
For users in the EEA/UK, you also have the right to lodge a complaint with your local data protection supervisory authority.
13. Cookies and Tracking Technologies
13.1 Types of Cookies
We use cookies and similar technologies to enhance your experience and operate the Service. The cookies we use fall into the following categories:
- Essential Cookies: Required for the Service to function. These include authentication session cookies, security tokens (CSRF protection), and user preference cookies (theme selection). These cannot be disabled without breaking core functionality. Duration: session or up to 7 days.
- Analytics Cookies: Used to understand how visitors interact with the Service. These cookies collect information such as pages visited, features used, and session duration. Duration: up to 12 months.
- Performance Cookies: Used to monitor application performance and errors. These cookies help us identify and resolve issues. Duration: up to 12 months.
13.2 Your Cookie Choices
You can control cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. However, if you block essential cookies, some features of the Service may not function properly. For users in jurisdictions requiring cookie consent (including the EU/EEA), we will obtain your consent before setting non-essential cookies.
14. CCPA/CPRA — California Privacy Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act (collectively, "CCPA"):
14.1 Categories of Personal Information Collected
In the preceding twelve (12) months, we have collected the following categories of personal information as defined by the CCPA:
- Identifiers: Name, email address, IP address, account credentials
- Commercial Information: Payment history, subscription details, transaction records
- Professional Information: Professional credentials, company affiliation, job title
- Internet/Electronic Activity: Browsing history on our Service, search queries, interaction data
- Geolocation Data: Approximate location derived from IP address
14.2 No Sale or Sharing
Barrow does not sell personal information and does not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA.
14.3 Your CCPA Rights
As a California resident, you have the right to:
- Know: Request disclosure of the categories and specific pieces of personal information we have collected about you
- Delete: Request that we delete your personal information, subject to certain exceptions
- Correct: Request correction of inaccurate personal information
- Opt-Out: Opt out of the sale or sharing of personal information (not applicable — we do not sell or share)
- Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights
14.4 Exercising Your Rights
To submit a CCPA request, contact us at privacy@barrow.site. We will verify your identity before processing requests. You may also designate an authorized agent to submit requests on your behalf; authorized agents must provide proof of written authorization.
15. International Data Transfers
Your information may be transferred to and processed in countries other than your own, including the United States. We ensure appropriate safeguards are in place to protect your information in accordance with applicable data protection laws, including, where applicable, Standard Contractual Clauses approved by the European Commission or other lawful transfer mechanisms.
16. Children's Privacy
Our Service is not intended for children under 13 years of age (or under 16 in jurisdictions where applicable, including certain EU member states under the GDPR). We do not knowingly collect personal information from children under these age thresholds. If you become aware that a child has provided us with personal information, please contact us immediately, and we will take steps to delete such information.
17. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify you of any material changes via email or through the Service at least thirty (30) days before such changes take effect. Your continued use of our Service after such changes take effect constitutes acceptance of the updated Privacy Policy.
18. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
General Inquiries: info@barrow.site
Privacy-Specific Requests: privacy@barrow.site
For users in the European Union or United Kingdom, you also have the right to lodge a complaint with your local data protection supervisory authority.