Privacy Policy

Fabrica is a shop-floor CRM for custom fabrication businesses. We hold sensitive operational data — pipelines, estimates, invoices, contacts. This page explains what we collect, what we do with it, and the controls you have. Plain English.

1. Who we are

Fabrica is operated by Epure Millwork, a New Jersey limited liability company located at 28 Brookside Avenue, Little Falls, NJ 07424 ("Fabrica," "we," "us," "our"). For privacy questions you can reach us at privacy@fabricacrm.com.

When you use the Fabrica software-as-a-service product (the "Service"), your shop is the controller of the data you put into it; Fabrica is the processor that stores and operates on that data on your behalf.

2. What we collect

2.1 Account information

When you sign up we collect your name, work email, shop name, role, and a password (stored hashed with bcrypt or equivalent). If you connect Google or Microsoft for single sign-on, we receive your name, email, and a token to verify future logins.

2.2 Operational data you put in

Whatever you enter into Fabrica — contacts, deals, projects, estimates, invoices, change orders, lien waivers, COI records, time entries, attached PDFs, notes. This is your shop's data. You own it. We hold it to make the Service work.

2.3 Billing information

If you subscribe to a paid plan, our payment processor (Stripe) collects your card details. Stripe stores the card directly — we receive only the last four digits, card brand, expiration, billing zip, and a token we can use to charge the card.

2.4 Usage data

We log technical information to keep the Service running: IP address, browser and OS, pages viewed, timestamps, and actions taken inside the app (deal created, invoice sent, etc.). We also collect crash and error reports.

2.5 Communications

When you email us or write into in-app support, we keep that correspondence to help you and improve the product.

3. How we use it

  • Run the Service. Authenticate you, render your data, generate PDFs, send emails on your behalf, run scheduled jobs.
  • Bill you. Process subscription charges, send receipts, handle refunds.
  • Support you. Answer questions, debug your account, recover from incidents.
  • Improve the product. Aggregate, de-identified usage metrics — what features are used, where errors cluster. We do not train any third-party AI model on your shop's data.
  • Security and abuse prevention. Detect fraud, brute-force attempts, and abuse of the Service.
  • Legal compliance. Respond to lawful requests, enforce our Terms.

We do not sell your personal information. We do not share it with advertisers. We do not use the contents of your contacts, deals, or projects for marketing.

4. Who we share it with

We rely on a small number of vetted subprocessors to operate the Service. As of the effective date above:

  • Vercel, Inc. — application hosting and CDN.
  • Neon, Inc. — managed PostgreSQL database.
  • Stripe, Inc. — payment processing.
  • Resend / Postmark — transactional email delivery (sign-in links, document sends).
  • Cloudflare R2 — encrypted object storage for PDFs and attachments.
  • Google Analytics (gtag.js) — anonymized website analytics on our marketing site (not inside the app).

Each subprocessor is bound by a data processing agreement with terms at least as protective as this policy. We will post a notice on this page at least 30 days before adding a new subprocessor that processes customer data.

We may disclose information in three other limited cases: (a) to comply with a valid legal request, (b) to protect our rights or the safety of others, or (c) in connection with a merger or acquisition — in which case the acquirer assumes these same obligations.

5. How long we keep it

  • Active account data is kept for as long as your account is active.
  • When you cancel, we keep your data for 30 days in case you want to reactivate, then permanently delete it from production systems within an additional 30 days.
  • Backups roll off on a 35-day cycle; deleted data clears all backups within that window.
  • Billing records are kept for 7 years to meet tax and accounting requirements.
  • Aggregate, de-identified analytics may be kept indefinitely.

You can request immediate deletion by emailing privacy@fabricacrm.com.

6. Your rights

Whether you are a customer, an end-user inside a customer's account, or a contact one of our customers has added to their CRM, you have the following rights:

  • Access — see what we hold about you.
  • Correct — fix anything that's wrong.
  • Delete — have it removed (subject to legal retention requirements).
  • Export — receive a machine-readable copy.
  • Restrict or object — limit how we process it.
  • Withdraw consent — where processing relies on consent.

For data that one of our customers added to their account (e.g. a GC contact a shop entered), please contact the shop first; they are the controller. We will support their response.

California residents: you have additional rights under the CCPA / CPRA, including the right to know, delete, correct, limit use of sensitive personal information, and not be discriminated against for exercising those rights. We do not sell or share personal information for cross-context behavioral advertising.

EU / UK / Swiss residents: where GDPR or equivalent applies, our lawful bases for processing are (a) performance of a contract, (b) legitimate interests in operating and securing the Service, (c) consent where required, and (d) legal obligations. You have the right to lodge a complaint with your local supervisory authority.

7. Security

We design Fabrica with the assumption that the data you hand us is sensitive operational data.

  • In transit — TLS 1.2+ on every request.
  • At rest — AES-256 on the managed Postgres instance and object store.
  • Tenant isolation — every query is filtered by your tenant ID; we enforce this at the application layer and via Postgres row-level security where applicable.
  • Access controls — least-privilege access for Fabrica staff, MFA on all admin accounts, audit logs.
  • Backups — daily encrypted backups, 35-day retention, periodic restore drills.
  • Incident response — if there is a breach affecting your data, we will notify you without undue delay and, where required by law, within 72 hours of confirmation.

No system is perfectly secure. If you discover a vulnerability, please report it to security@fabricacrm.com.

8. Cookies & analytics

The Fabrica marketing site uses Google Analytics (gtag.js) with IP anonymization enabled to understand which pages help shops find us. We do not use cross-site advertising cookies. The application itself uses only first-party cookies strictly necessary to keep you signed in, plus a small first-party preferences cookie for your sidebar state.

You can opt out of analytics by enabling "Do Not Track" in your browser or by using the Google Analytics opt-out browser add-on.

9. International transfers

Fabrica is hosted in the United States. If you access the Service from outside the US, you understand that your information will be transferred to and processed in the US. We rely on Standard Contractual Clauses with our subprocessors where required, and we maintain supplementary technical measures (encryption, access controls) consistent with current regulatory guidance.

10. Children

Fabrica is a B2B product not directed to anyone under 16. We do not knowingly collect data from children. If you believe we have, contact us and we will delete it.

11. Changes to this policy

We will post material changes here and, for active customers, send an email at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the latest revision.

12. Contact

Privacy questions, data requests, or anything else covered here:

Epure Millwork — Fabrica
Attn: Privacy
28 Brookside Avenue
Little Falls, NJ 07424
privacy@fabricacrm.com