Privacy policy
Effective: July 3, 2026 · Last updated: July 2026
Summary (the human version)
Quarry is a measurement product for multi-location brands. We audit publicly available information about your business locations and store the resulting reports for you. We collect very little about people: your name, your work email, the access-request details you submit, a record of your acceptance of our terms, and product-usage analytics. We don't sell data. We don't run advertising. Questions: hello@joinquarry.com.
1. Who we are
The Quarry service is operated by Sodium Streetlight LLC, a Texas limited liability company. Contact: hello@joinquarry.com.
2. What we collect
You provide:
- Account and access-request information: your name, work email, password (stored hashed by our authentication provider), your role, your brand, industry, location-count band, and any optional company URL or LinkedIn you include.
- Consent records: when you accept our Terms and attestation, we record the text version you accepted, a timestamp, and your IP address, as evidence of the agreement.
- Your location roster: business names, addresses, phone numbers, website URLs, and optional Google Place IDs for your locations. Rosters sometimes include location-level contact details (for example, an agent's name and business phone). We treat roster data as your business data and use it only to provide the Service.
Collected automatically:
- Product analytics via PostHog — page views, feature usage, and similar events, using cookies and identifiers. See the Cookie & Analytics Notice.
- Error and diagnostic events via Sentry (stack traces may incidentally capture data present in an error message).
- Standard server and hosting logs (IP address, request paths, timestamps).
From third-party sources: to produce audits we retrieve publicly available information about your locations and nearby competitors (Google Business Profile content, reviews, directory listings, website signals) and outputs of AI-model queries. This is public and derived data about businesses, not consumer profiles.
We do not collect: health, financial-account, biometric, or precise-geolocation data about individuals; data about children (the Service is B2B and not directed to minors). We do not access your Google or social accounts unless you explicitly connect them.
3. How we use information
To review and approve access requests; provide and operate the Service (run scans, render dashboards, generate reports); communicate with you (verification codes, account and service notices) and, at your direction, deliver reports to recipients you designate (such emails include an unsubscribe mechanism); secure the Service and prevent abuse, including enforcing the attestation and Acceptable Use Policy; analyze product usage to improve Quarry; and comply with law.
We do not use your data to train AI models, and our AI providers' API terms provide that API inputs are not used to train their models. We do not sell, rent, or trade personal information, and we do not share it for cross-context behavioral advertising.
4. Who we share it with
- Subprocessors that host and power the Service — the complete, maintained list with purposes and data categories is at /subprocessors (hosting, database/auth, cache, transactional email, bot protection, analytics, error monitoring, places and audit-data providers, AI providers).
- Authorities, when required by a valid legal request.
- A successor entity in a merger, acquisition, or asset sale (with notice to you).
No sale of personal information. No advertising networks. No third parties collect personal information about your activity across other sites through our Service; our analytics and infrastructure vendors process data about your use of our Service only, on our instructions.
5. Retention
Some periods below are enforced by automated jobs; the rest we apply operationally:
| Category | Retention |
|---|---|
| Abandoned access requests (email never verified) and declined requests — including any uploaded roster | Deleted after 30 days by a daily cleanup job |
| Verified access requests awaiting review | Kept while under review |
| Account information | While your account is active; deleted within 30 days of a deletion request |
| Consent records (version, timestamp, IP) | Life of the account plus 4 years |
| Location rosters | While your tenant is active; deleted within 30 days of a deletion request |
| Scan results | While your tenant is active; superseded on re-scan |
| Server/hosting logs | About 3 days |
| Error events (Sentry) | 30 days |
| Analytics events (PostHog) | Target: 12 months |
| Postgres database backups (accounts/auth) | 7 days rolling |
| Payment/tax records (when billing launches) | 7 years |
6. Your choices and rights
You can request access to, correction of, or deletion of your personal information by emailing hello@joinquarry.com; we respond within 30 days.
Do Not Track / Global Privacy Control: because we do not sell or share personal information or run cross-site advertising, there is nothing for a DNT or GPC signal to switch off; we do not change our (already non-tracking) behavior in response to these signals today. If we ever engage in data sales or sharing that a signal governs, we will honor applicable opt-out signals and update this policy first.
7. Security
Encryption in transit, hashed passwords, role-based access control, application-layer tenant scoping, bot protection on public forms, error monitoring, and daily backups of our account database (roster and scan data live in a cache store that is rebuilt from scans rather than separately backed up). No system is perfectly secure. If you believe you've found a vulnerability, email hello@joinquarry.comwith subject "Security report."
8. International transfers
We operate from the United States, and some subprocessors process data in the EU (for example, Apify and Geoapify) — see /subprocessors. If you use the Service from outside the US, your information is processed in the US.
9. Children
The Service is for businesses and is not directed to children under 13; we do not knowingly collect children's personal information.
10. Changes to this policy
We update this policy as the Service or the law changes; the "Last updated" date reflects the latest revision. For material changes we notify active customers by email at least 30 days before the change takes effect.