CrossBeam Privacy Policy
Effective Date: April 10, 2026 Version: v1.1
CrossBeam ("CrossBeam," "we," "us," or "our") is operated by Onboard Dot AI LLC, a California limited liability company. This Privacy Policy explains how we collect, use, share, and protect personal information when you use the CrossBeam platform.
This Privacy Policy applies to all CrossBeam services, including our marketing website, demonstration materials, partner city submittal portals, and the CrossBeam web application, wherever they appear under domains we operate (collectively, the "Services").
By using the Services, you agree to the practices described in this Privacy Policy. If you do not agree, do not use the Services.
1. Who We Are
CrossBeam is an AI-assisted plan review and online permit submittal platform built for California cities and the contractors, designers, and property owners who submit building permit applications to them.
Operator: Onboard Dot AI LLC, doing business as CrossBeam Contact: team@getonbreeze.com
2. Our Two Roles Under California Law
CrossBeam operates in two distinct roles depending on how you interact with the platform:
a) When you use a partner city's submittal portal, we act as a service provider to that city under the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.). In this role, we process your submitted construction documents and related information on behalf of the city, solely for the purposes set out in our agreement with the city and the city-specific Terms of Service you accept at submittal. The city remains the "business" with respect to that information.
b) When you create a CrossBeam account, contact us, or interact with our marketing or demonstration materials, we act as a business under the CCPA. In this role, we determine the purposes and means of processing your personal information, and this Privacy Policy governs that processing.
This Privacy Policy applies to both roles. Where a city's Terms of Service govern a specific submittal, those Terms control over this Privacy Policy with respect to the materials you submit to that city.
3. Information We Collect
We collect the following categories of personal information, as defined under Cal. Civ. Code § 1798.140(v):
a) Identifiers — name, email address, phone number, account credentials, IP address, and similar identifiers you provide when creating an account or submitting a permit application.
b) Customer records — billing contact information for paid features, where applicable.
c) Commercial information — records of permit applications you have created, draft and submitted plan review activity, and related interactions with the platform.
d) Internet or other electronic network activity information — log data such as the pages you view, the actions you take, the device and browser you use, the time of your visit, and advertising identifiers set by third-party advertising tools (such as Meta's _fbp and _fbc cookies and Google's _gcl_* cookies).
e) Geolocation data — coarse geolocation derived from IP address (city or region level only). We do not collect precise geolocation.
f) Professional or employment-related information — your role (contractor, designer, property owner, city staff), company affiliation, and professional license information you choose to provide.
g) Submitted permit content — when you submit a permit application through a partner city's portal, the construction documents, drawings, calculations, specifications, project addresses, applicant names, and related materials ("Submitted Materials") you upload. Submitted Materials may contain personal information about you, the property owner, the design professional of record, and others involved in the project.
h) Inferences — inferences drawn from the above to characterize the status, completeness, and likely review outcome of a permit application.
We do not knowingly collect any of the categories of "sensitive personal information" defined under Cal. Civ. Code § 1798.140(ae) (such as government identifiers, financial account credentials, precise geolocation, racial or ethnic origin, health information, or biometric data).
4. How We Use Information
We use the personal information we collect for the following business and commercial purposes:
- To provide the Services — to operate the CrossBeam platform, run AI-assisted plan pre-checks, generate review reports and corrections letters, route permit applications to the appropriate city, and deliver other features you request.
- To support partner cities — to perform plan review services on behalf of cities under our agreements with them.
- To manage your account — to authenticate you, communicate with you about your account, and respond to your support requests.
- To improve and maintain the quality of the Services — to measure accuracy, identify and fix errors, and improve the quality of our review outputs, consistent with Cal. Civ. Code § 1798.140(e)(8) (see Section 5).
- To secure the Services — to detect, prevent, and respond to fraud, abuse, security incidents, and unlawful activity.
- To comply with legal obligations — to comply with applicable law, respond to lawful requests from public authorities, and enforce our Terms of Service.
5. AI Processing and Automated Decision-Making
CrossBeam uses artificial intelligence to perform pre-check review of permit applications. The following disclosures apply:
a) AI pre-check is advisory, not binding. AI-generated review comments are produced by automated systems and are not produced by a licensed architect, engineer, or building official. They do not constitute professional advice. All permit decisions are made by city staff after their own review.
b) No training on Submitted Materials. We do not use the original construction documents you submit ("Submitted Materials") to train, fine-tune, or otherwise develop any artificial intelligence or machine learning model. Submitted Materials are processed solely for inference — that is, to analyze your specific plans and generate review comments for your application. We require all third-party AI service providers we use to be contractually prohibited from retaining or using Submitted Materials for model training.
c) Service quality and improvement. We retain certain information related to review outcomes for the purposes of measuring accuracy, monitoring quality, identifying errors, and improving the Services. This use falls within the business purposes recognized under Cal. Civ. Code § 1798.140(e)(8) (verifying or maintaining the quality or safety of a service, and improving, upgrading, or enhancing the service). The original Submitted Materials are deleted in accordance with the retention schedule in Section 8 and are not used for model training or fine-tuning. Where practicable, we de-identify project-specific information before using it for service improvement.
d) Right to human review. Because AI pre-check is advisory and city staff make all binding decisions, every permit application you submit through the Services is reviewed by a human at the city before any decision is made. If you have questions about how the AI analysis works or want to discuss a specific AI-generated review comment, contact us at team@getonbreeze.com.
6. How We Share Information
We share personal information only in the following circumstances:
a) With partner cities. When you submit a permit application through a partner city's portal, we share your Submitted Materials and related information with that city for permit review. The city's own policies govern its use and retention of that information once received.
b) With service providers (sub-processors). We rely on a small number of trusted vendors to operate the Services. Each is contractually required to process personal information only for the purposes we direct and to maintain appropriate security safeguards. Our current sub-processors are:
| Vendor | Purpose |
|---|---|
| Supabase | Database, authentication, file storage |
| Vercel | Web application hosting |
| Google Cloud (Cloud Run) | Backend server hosting |
| Anthropic | AI inference |
| Google (Gemini API) | AI inference |
| Cloudflare | Edge hosting and API infrastructure |
| Stripe | Payment processing for permit fees, where applicable |
| Google (Google Ads, Google Analytics) | Advertising conversion measurement and website analytics |
| Meta (Facebook) | Advertising conversion measurement and audience targeting |
We will update this list when we add or change material sub-processors.
c) For legal reasons. We may disclose personal information when we believe in good faith that disclosure is required to comply with applicable law, respond to a lawful subpoena or court order, protect the rights or safety of CrossBeam or others, or enforce our Terms of Service.
d) In connection with a business transfer. If CrossBeam is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction, subject to standard confidentiality protections.
7. Sale or Sharing of Personal Information
We do not sell your personal information.
Sharing for advertising purposes. When you visit our marketing website or application, we use advertising pixels from Google and Meta that transmit browsing activity (such as pages viewed, IP address, and device identifiers) to those platforms for the purpose of measuring ad campaign performance and serving relevant ads to you on other websites. Under the California Consumer Privacy Act, this transmission may constitute "sharing" of personal information for cross-context behavioral advertising as defined in Cal. Civ. Code § 1798.140(ah).
Your right to opt out. You have the right to opt out of this sharing. You can do so in any of the following ways:
- Global Privacy Control (GPC). If your browser sends a GPC signal (see globalprivacycontrol.org), we will treat it as a valid opt-out request and will not load advertising pixels for your session.
- Cookie preferences. You may manage your tracking preferences through the cookie settings link available on our website. When you opt out, we will disable advertising pixels and retain your preference for future visits.
- Browser settings. Most browsers allow you to block third-party cookies or use ad-blocking extensions, which will prevent advertising pixels from loading.
Opting out of advertising sharing does not affect your ability to use the Services. Analytics tools that do not share data for cross-context behavioral advertising (such as Google Analytics in its default configuration) may continue to operate after opt-out, as they serve a legitimate business purpose of understanding how visitors use our website.
We have not sold personal information in the preceding twelve months and have no plans to do so.
8. Data Retention
We retain personal information only as long as necessary for the purposes described in this Privacy Policy. Our default retention periods are:
| Category | Retention period |
|---|---|
| Submitted Materials (plans, drawings, calculations, etc.) | 90 days after permit completion or withdrawal, then deleted from CrossBeam systems |
| Account information (name, email, login credentials) | Until you delete your account, plus up to 30 days in routine backups |
| Permit application metadata (project address, status history) | Retained while your account is active; deleted within 90 days of account closure |
| Service quality and improvement data (as described in Section 5; de-identified where practicable) | Retained for ongoing measurement and improvement of the Services |
| Server and security logs | 90 days |
| Support correspondence (emails to team@getonbreeze.com) | 2 years |
| Marketing and waitlist contacts | Until you ask us to delete them |
A partner city may specify a different retention period for materials submitted through its portal; that period will be disclosed to you at the time of submittal. The partner city may also independently retain copies of submitted materials in its own records system in accordance with California Government Code Section 34090 and other applicable records retention laws. Such retention by the city is governed by the city's own policies and is outside the scope of this Privacy Policy.
9. Data Security
We store personal information on secure, SOC 2-compliant infrastructure located in the United States. We use industry-standard administrative, technical, and physical safeguards to protect personal information from unauthorized access, disclosure, alteration, and destruction. No system is perfectly secure, however, and we cannot guarantee absolute security.
10. Your California Privacy Rights
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to Know — You have the right to request that we disclose what personal information we have collected, used, disclosed, and sold or shared about you in the preceding twelve months.
- Right to Delete — You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
- Right to Correct — You have the right to request that we correct inaccurate personal information we maintain about you.
- Right to Opt Out of Sale or Sharing — You have the right to opt out of the sale or sharing of your personal information. As described in Section 7, we do not sell personal information. We share limited browsing data with advertising platforms; you may opt out at any time using the methods described in Section 7.
- Right to Limit Use of Sensitive Personal Information — You have the right to limit our use of sensitive personal information. As described in Section 3, we do not collect sensitive personal information.
- Right to Non-Discrimination — We will not discriminate against you for exercising any of these rights. You will not be denied service, charged a different price, or provided a different level of quality because you exercised your CCPA rights.
11. How to Exercise Your Rights
To exercise any of the rights described in Section 10, email us at team@getonbreeze.com with the subject line "California Privacy Request" and tell us which right you wish to exercise.
We will respond to your request within forty-five (45) days. If we need more time, we will let you know within the initial 45-day window and may take up to an additional 45 days to respond.
Verification. Before we act on your request, we may need to verify your identity. We will ask you to provide information that allows us to reasonably match you to the personal information we maintain. We will only use the verification information for verification.
Authorized agents. You may designate an authorized agent to make a request on your behalf. We may require the agent to provide written permission signed by you and may require you to verify your own identity directly with us before we act on the request.
12. Cookies and Analytics
The CrossBeam Services use cookies and similar technologies that are strictly necessary to operate the platform — for example, to keep you signed in and to remember your preferences.
We also use the following analytics and advertising tools:
| Tool | Provider | Purpose | Category |
|---|---|---|---|
| Google Analytics (GA4) | Website traffic and usage analytics | Analytics | |
| Google Ads (gtag.js) | Advertising conversion measurement | Advertising | |
| Meta Pixel | Meta / Facebook | Advertising conversion measurement and retargeting | Advertising |
| Meta Conversions API | Meta / Facebook | Server-side advertising event tracking | Advertising |
Analytics tools (Google Analytics) collect information about how visitors use our website — such as pages viewed, time on site, and referral source — to help us improve the Services. Analytics data is not shared with third parties for advertising purposes.
Advertising tools (Google Ads, Meta Pixel, Meta Conversions API) transmit browsing and conversion data to those platforms for campaign measurement and ad targeting. As described in Section 7, you may opt out of these tools at any time.
Global Privacy Control (GPC). If your browser sends a GPC signal, we will treat that signal as a valid request to opt out of advertising tracking for your session. Advertising pixels will not load, and no browsing data will be transmitted to advertising platforms. Analytics-only tools will continue to operate.
13. Children
The CrossBeam Services are not directed at children under the age of 16, and we do not knowingly collect personal information from anyone under 16. If you believe a child under 16 has provided us with personal information, please contact us at team@getonbreeze.com and we will delete it.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the Effective Date and Version at the top of this document. Where required by law, we will also notify you of material changes by email or through the Services. Continued use of the Services after the updated Privacy Policy takes effect constitutes acceptance of the updated terms.
15. Contact
If you have questions about this Privacy Policy or our privacy practices, contact us:
CrossBeam (operated by Onboard Dot AI LLC) Email: team@getonbreeze.com