This policy explains what information 36MDC collects, how we use it, who we share it with, and how long we keep it. It covers the 36MDC mobile app, the 36MDC website, and the accounts customers create to use the service. 36MDC is operated by Thirtysix Solutions. If you have a question about anything in this policy, write to hello@36mdc.com.
Who this policy is for
36MDC is a business-to-business platform. Most of the people using it day to day are field staff whose organization has signed up for the service. In that setup, your organization is the "controller" of the records your team collects — they decide what forms run, who has access, and what happens to the data once it leaves 36MDC. 36MDC is the "processor" that stores and transmits those records on their behalf. This policy covers the information 36MDC itself holds about you.
What we collect
Account information
When someone creates an account, we store the email address, a hashed password, the organization they belong to, and the roles assigned to them. We log sign-in events (timestamp, IP, device type) for security review.
Records your team captures
Forms in 36MDC can capture text, numbers, dates, lists, GPS coordinates, photos, and files. The content of those records belongs to your organization — 36MDC stores and transmits them on the organization's behalf and does not use them to train models or for any purpose other than running the service.
Device information (mobile app)
The mobile app reads the operating system, app version, device model, and a per-install identifier so we can support the app and diagnose crashes. The app does not read your contacts, calendar, call log, SMS, or any other app's data.
Product analytics
In production environments, 36MDC uses PostHog to record anonymous product usage — screen views, feature usage, and error events. Analytics are off in development builds. We do not send record contents, photos, or form values to analytics.
Diagnostic logs
Errors and crashes are logged with the minimum detail needed to reproduce the problem (route, device type, stack trace). Logs are retained for 30 days and are not shared outside 36MDC engineering.
Device permissions the mobile app asks for
- Camera — to take photos for a record and to scan barcodes and QR codes. Photos are attached to the record you are filling in and uploaded to your organization's 36MDC storage. We never access the camera in the background.
- Photos / media library — only if you choose to attach an existing photo to a record. We read the photo you pick and nothing else.
- Location — only on forms that include a GPS field or a map. The app requests location while you have the app open; it does not track location in the background.
How we use information
- To run the service and store the records your team captures.
- To authenticate accounts and protect against abuse.
- To support customers who write in with questions.
- To understand which features are used and where the app fails, so we can improve it.
- To meet legal and tax obligations.
Who we share information with
36MDC does not sell personal information. We share only with the service providers listed below, and only for the purposes described.
- Supabase (database, authentication, file storage) — US regions.
- Vercel (website and API hosting).
- PostHog (product analytics) — US cloud.
- Mapbox (map tiles rendered inside the app when a form uses a map).
- Expo / EAS (mobile app build and push notification delivery).
We also disclose information when required by law, subpoena, or court order, and to protect the rights and safety of 36MDC, our customers, and the public.
Where data is stored
Production data is stored in the United States. If an enterprise customer requires data residency in a specific region, we will discuss options before onboarding.
How long we keep data
36MDC is a collection platform, not a long-term storage platform. Records are deleted on a rolling schedule after they have been delivered to the customer's downstream systems (webhook, export, or direct connector). The exact retention window is set per organization at onboarding and documented in the customer agreement. Account records are kept for as long as the account is active and for a reasonable period after closure to handle billing and legal disputes.
Your rights
Depending on where you live, you may have rights to access, correct, export, or delete the personal information 36MDC holds about you. To request account deletion, follow the steps on the account deletion page. For other requests, write to hello@36mdc.com from the email address on your account. For records collected inside an organization account, contact the organization directly — they are the controller of that data.
Children
36MDC is built for workplace use and is not directed at children under 13. We do not knowingly collect information from children. If you believe a child has created an account, write to hello@36mdc.com and we will remove it.
Security
Data is encrypted in transit (TLS) and at rest. Access to production systems is limited to a small number of named engineers. Passwords are hashed; we cannot read them. If we ever experience a breach that affects you, we will notify affected accounts by email within 72 hours of confirmation.
Changes to this policy
When this policy changes, we update the effective date at the top of the page. Material changes — for example, a new category of data, a new sub-processor, or a change in how long records are retained — will also be announced by email to account owners at least 14 days before they take effect.
Contact
Questions, requests, or concerns about privacy: hello@36mdc.com.