Privacy Policy

GladiusTurf is a software product built by Gladius Inc. (“Gladius,” “we,” “us”). This Privacy Policy explains what we collect, why we collect it, who we share it with, and the rights you have over your data. It applies to gladiusturf.com, the GladiusTurf web app, the Owner/Crew dashboards, and the Homeowner Client Portal.

We are based in the United States and operate under U.S. law. If you are reading this from outside the U.S., please review the “International Users” section before continuing to use the service.

1. Who this policy covers

GladiusTurf has two kinds of users, and this policy speaks to both:

Owners and dealers — the landscape companies, crew owners, and operators who subscribe to GladiusTurf and use it to run their business.
End users — the homeowners and property owners who interact with a GladiusTurf-powered company through the Client Portal, email, SMS, or voice.

When an owner uploads or creates records about a homeowner, the owner is the controller of that data and Gladius is the processor. We process homeowner data under the owner’s instructions, set out in their subscription agreement and this policy.

2. Information we collect

Owner / dealer information

When you sign up for or operate a GladiusTurf workspace, we collect:

Identity and contact: legal entity name, DBA, business address, owner/admin name, work email, work phone.
Account credentials: handled by Clerk — we receive user IDs and session tokens but never your raw password.
Billing: tier, billing cadence, last four digits of the card, billing address, tax IDs. Card numbers and bank details are entered directly into Stripe and never touch our servers.
Crew and employee records: names, roles, work email and phone, route assignments, and any custom fields you configure.
Customer and job records you upload: anything you put into the system — spreadsheets, notes, photos, voice memos, scheduled jobs, estimates, invoices, payment events.
Product usage: pages viewed, features used, errors encountered, IP address, browser, device, and approximate location derived from IP.

End user / homeowner information

When a landscape company uses GladiusTurf to manage your account or send you communications, we may process:

Name, email address, phone number.
Property address and any access notes you or your provider record.
Service history, scheduled jobs, work-order notes, photos, and any messages exchanged through the portal, email, or SMS.
Payment information (entered into Stripe), payment history, and subscription/recurring service preferences.
Client Portal preferences such as preferred contact channel, language, and notification settings.

Homeowners: if you want to access, correct, or delete your data and you contracted with a landscape company that uses GladiusTurf, please reach out to that company first — they are the controller. If they cannot help, email legal@gladiusturf.com and we will route the request.

3. How we use information

Deliver the product: provision your workspace, sync jobs, send invoices, run the Client Portal, route SMS and voice through Twilio, and process payments through Stripe.
Communicate with you: transactional email via Resend (receipts, password resets, system alerts), product updates, and customer support replies. Marketing email is opt-in and includes an unsubscribe link in every message.
AI processing: a subset of the engines — LeadGrade, ToneRadar, Save Play, the Knowledge Engine, and others — pass customer-text data through Anthropic Claude or OpenAI embeddings to produce guidance, summaries, and routing decisions. We use enterprise terms with zero retention on the model side. We do not allow our AI providers to train external models on your data. Owners can opt out of any AI feature on a per-engine basis in Settings → AI & Automation.
Security and abuse prevention: detect and respond to fraud, spam, scraping, brute-force attempts, and policy violations. Audit logs are retained for compliance.
Improve the product: aggregate, de-identified usage analytics. We use Plausible, which is cookieless and does not build cross-site profiles.
Legal and compliance: meet our obligations under tax, payments, telecom (TCPA / 10DLC), and consumer-protection law.

4. How we share information

We do not sell your data. Period. We do not share it with advertising networks, data brokers, or list compilers. We do not use it to train external AI models.

We share data only with the sub-processors below, and only to the extent needed to run the product:

Vercel — web hosting and edge delivery.
Supabase — managed Postgres database, with row-level security per tenant.
Clerk — identity, authentication, and session management.
Resend — transactional email delivery.
Stripe — subscription billing, Stripe Tax, and payment processing.
Twilio — SMS and voice messaging on behalf of owners.
Anthropic — Claude model inference for AI engines, on enterprise zero-retention terms.
OpenAI — text embeddings for retrieval and search, on enterprise terms.
Plausible — privacy-first, cookieless product analytics.

Each sub-processor is bound by contract to use the data solely to provide their service to us, to meet at least the same security obligations we owe you, and to delete or return data on termination. The current sub-processor list is reproduced here so it is always public; we will update this page within 30 days of any material change and will give Enterprise customers advance written notice under their MSA.

We may also disclose data when we have a good-faith belief it is required by law (subpoena, court order, lawful request from a government authority), to protect the rights, property, or safety of Gladius, our users, or the public, or in connection with a merger, acquisition, or sale of assets — in which case the acquiring party will be bound by this policy or an equivalent one.

5. Cookies and tracking

We use a deliberately small set of cookies. The full list:

Plausible analytics — no cookies, no cross-site tracking, no fingerprinting. Aggregate page views and referrers only.
Clerk session cookies — required to keep you signed in to your workspace. First-party, HTTP-only.
Stripe checkout cookies — set by Stripe during checkout to detect fraud and complete payment. Governed by Stripe’s privacy notice.

We do not use Google Analytics, Meta Pixel, LinkedIn Insight Tag, or any other ad-tech tracker on the product surface. If we ever add one, this list updates first.

6. Your rights

Depending on where you live, you have the right to:

Access — ask what personal information we hold.
Correct — ask us to fix something inaccurate.
Delete — ask us to remove your information, subject to legal retention.
Port — receive a copy in a portable format.
Opt out — of marketing email and, for owners, of AI processing per-engine.
Non-discrimination — we will not penalize you for exercising any of the above.

These rights are recognized under the California Consumer Privacy Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (CDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and similar state privacy laws in Utah, Texas, Oregon, Montana, and others. Where a state law applies to you, we honor it whether or not you cite it by name.

To exercise a right, email legal@gladiusturf.com from the address on the account, or contact us through the workspace owner if you are a homeowner. We respond within 30 days. We may need to verify your identity before fulfilling certain requests.

If you are a California resident, you also have the right to know whether we sell or share personal information for cross-context behavioral advertising. We do not. There is nothing to opt out of, but you may still submit the request and we will confirm in writing.

7. Data retention

Active customer data: retained for the life of your subscription. You can export at any time from inside the workspace.
After termination: we keep your workspace data for 90 days so you can export it, then we delete it from primary systems and purge it from backups within the next backup cycle (typically under 35 days).
Audit and security logs: retained for up to 7 years to meet financial-services and tax-compliance requirements that some of our customers carry forward to us.
Billing records: retained as required by U.S. tax law, typically 7 years, and held in Stripe.
Marketing contacts: retained until you unsubscribe, then suppressed (kept in a do-not-contact list) so we do not email you again.

8. Children’s privacy

GladiusTurf is a B2B product for landscape companies and the property owners they serve. It is not directed at children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child’s information has been submitted to us, email legal@gladiusturf.com and we will delete it.

9. International users and cross-border transfers

Gladius operates in the United States. Our infrastructure runs on U.S. regions of Vercel and Supabase, and most of our sub-processors are U.S.-based. If you access GladiusTurf from outside the United States, you are transferring your information into the U.S., where data-protection laws may differ from those in your jurisdiction.

We do not currently offer EEA, U.K., or Swiss data-residency options. If you require an EU Standard Contractual Clauses-based DPA or U.K. IDTA, email legal@gladiusturf.com before you sign up — we will tell you honestly whether we can support your use case today.

10. Security

We protect your data with industry-standard controls: AES-256 encryption at rest, TLS 1.3 in transit, Postgres row-level security so tenants are isolated at the database engine, scoped Clerk-issued JWTs on every request, least-privilege internal access, and audit logging on sensitive operations. Stripe handles all card data inside its PCI-DSS Level 1 environment so we never see it. The full architecture, the SOC 2 Type II program, and the incident-response process live at /security. Report a vulnerability to security@gladiusturf.com.

11. Changes to this policy

We update this policy when our practices change. The “Last updated” date at the top reflects the most recent revision. For material changes, we email account owners at least 30 days before the change takes effect and post a notice in the product. Continued use after the effective date means you accept the updated policy.

12. Contact

GladiusTurf, a Gladius Inc. product. For privacy questions, data-subject requests, GDPR/CCPA inquiries, or DPA execution, email legal@gladiusturf.com. For security disclosure, email security@gladiusturf.com. For everything else, email founders@gladiusturf.com. We reply within one business day.