Privacy Policy — Bex Walks & Bex Platform
This version effective: 2026-05-07
Publisher: Harmonic Mean, LLC ("Harmonic Mean", "we", "us")
Contact: [email protected]
This policy covers the Bex Walks mobile app (iOS) and the Bex server-side platform that the app communicates with. Both are operated by Harmonic Mean, LLC. Our internal security controls — encryption, access management, retention, incident response — are documented in the Harmonic Mean Cybersecurity Policy and summarised below.
1. Who this applies to
Bex Walks is a tool used by construction and field-services teams to record on-site observations. You will normally have received access through your employer or another organisation that has contracted with Harmonic Mean (the "Customer"). Where the Customer is the controller of your data, this policy describes how we process that data on their behalf; the Customer's own privacy notice may also apply.
2. What data we collect
We only collect what the app needs to function. Specifically:
| Data | Source | Why we collect it |
|---|---|---|
| Email address (mandatory) | You enter it at login | Authentication; tying observations to a user |
| Photos (optional) | Camera or photo library, with your permission | Attaching visual evidence to observations |
| Audio recordings (voice memos, optional) | Microphone, with your permission | Capturing spoken notes during a walk |
| Precise location (GPS, optional) | Device location services, with your permission | Tagging observations their coordinates |
| Free-text (optional) | You type it | Additional details of a report |
| Device & diagnostic data | Generated automatically | Crash reports, performance telemetry, troubleshooting |
We do not collect contacts, browsing history, advertising identifiers, health data, financial data, or biometric data. We do not track you across other apps or websites. We do not sell personal information.
(Apple's Collected Data declaration in App Store Connect lists the categories above and is the authoritative version.)
3. How we use the data
- To provide the service — store, sync, and display the observations you and your colleagues record.
- To secure the service — detect abuse, debug failures, monitor uptime.
- To improve the service — aggregate, non-identifying performance and reliability metrics.
We do not use your data for advertising, profiling, or to train third-party AI models. AI service providers we use to assist with summarisation are contractually bound not to train on customer data (see Cybersecurity Policy §5.4, §12.2).
4. Where the data lives
- On your device: photos, voice memos, draft observations, and a sync queue are stored locally.
- On our servers: uploaded data is persisted in Microsoft Azure cloud services in United States data centers. No customer data is stored or processed outside the United States.
- At rest: AES-256 encryption.
- In transit: TLS 1.2 or higher for all network traffic between the app, our servers, and any third-party services.
5. Who we share it with
We share personal data only with:
- Sub-processors that operate our infrastructure: Google Cloud (server application hosting), Microsoft Azure (long-term data storage), and the AI providers used (Anthropic and OpenAI). All sub-processors are bound by written agreements that prohibit using the data for their own purposes.
- The Customer (your employer or organisation), who can see the observations recorded under their tenant.
- Legal authorities, where required by law, subpoena, or court order.
We do not sell or rent personal data to anyone.
6. How long we keep it
Data on our servers is deleted after a retention period configured per customer (tenant). The default is 30 days. Customers may request shorter or longer windows. On request, we will delete a user's data; see §8.
Local data on your device persists until you delete the app and/or its data. The app automatically deletes stale data.
Operational logs are retained for security and reliability purposes.
7. Permissions the app requests (only in response to user actions)
- Camera — to take photos of observations.
- Photo Library — to attach existing photos.
- Microphone — to record voice memos.
- Location — to GPS-tag observations.
All four are optional. You can deny or revoke any of them in iOS Settings → Bex Walks; the app will continue to function with the features you permit.
8. Your rights
Depending on where you live, you may have rights under the California Consumer Privacy Act (CCPA), GDPR, or similar laws — including the right to access, correct, export, or delete your personal data, and to object to certain processing. To exercise any of these rights, email [email protected]. We will respond within the timeframe required by applicable law (typically 30–45 days).
If you are an end user covered by an employer/Customer contract, we will usually route your request through the Customer, who is the data controller.
9. Children
Bex Walks is a workplace tool and is not directed at children. We do not knowingly collect personal information from anyone under 16 years of age. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Security
A summary of the controls protecting your data:
- TLS 1.2+ in transit; AES-256 at rest.
- Multi-factor authentication on all production infrastructure access.
- Per-tenant API keys; access controlled via Principle of Least Privilege.
- Immutable, scanned container images; pinned dependencies.
- 24/7 telemetry and alerting; documented incident response procedure.
- All development performed by U.S.-based personnel; background-checked staff.
The full Harmonic Mean Cybersecurity Policy (currently version 2.0, March 2026) is available to Customers and prospective customers under NDA on request.
In the event of a security incident affecting your data, we will notify the affected Customer promptly and in accordance with applicable law.
11. International users
Our servers are in the United States. If you access Bex Walks from outside the U.S., you consent to your data being transferred to and processed in the U.S. We rely on Standard Contractual Clauses where required for transfers from regions that mandate them.
12. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via the app and/or by email to the Customer's administrators at least 14 days before they take effect. The "Effective date" at the top reflects the current version.
13. Contact
Questions, requests, or complaints:
Harmonic Mean, LLC
[email protected]
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.