Privacy Policy

1. Overview

Quantum Peg, Inc., doing business as InventoryGrant (“Company,” “we,” “us,” or “our”), operates the InventoryGrant software platform (“Service”). This Privacy Policy describes our practices regarding the collection, use, storage, disclosure, and protection of information we collect from users (“you”) through the Service.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with its terms, please do not use the Service.

We reserve the right to modify this Privacy Policy at any time. We will post any changes on this page and update the Effective Date. Your continued use of the Service after any modification constitutes your acceptance of the revised Privacy Policy.

2. Information We Collect

2.1 Information You Provide Directly

We collect information you provide when you:

• Create an account — name, email address, password (hashed; we never store plaintext passwords), and organization name
• Set up your organization — organization type, EIN, mailing address, phone number, website, primary contact information
• Add grants — grant program, fiscal year, award numbers, state agency, award amounts, performance period dates
• Add assets — equipment name, manufacturer, model, serial number, AEL codes, purchase price, vendor information, acquisition and installation dates, warranty dates, physical location, custodian contact information, condition, and any notes
• Upload files — photographs of equipment, invoices, award letters, maintenance records, and other documents
• Perform inventory checks — check dates, condition assessments, location and serial number confirmations
• Record dispositions — disposition method, dates, proceeds, transfer recipients, and state approval references
• Contact us — any information included in your communications with our support team

2.2 Information Collected Automatically

When you use the Service, we and our service providers may automatically collect:

• Log data — IP address, browser type, operating system, referring URLs, pages visited, and timestamps
• Device information — device type, unique device identifiers, and mobile network information
• Usage data — features used, actions taken, session duration, and error reports
• Cookies and similar technologies — see Section 5 below

2.3 Information from Third Parties

We may receive information about you from:

• Authentication providers (currently Supabase Auth) — user ID, email address, name, and authentication tokens when you sign in
• Payment processors (currently Stripe, Inc.) — billing address, last four digits of payment card, payment status, and subscription information. We do not receive or store full payment card numbers.

3. How We Use Your Information

We use the information we collect to:

• Provide, operate, maintain, and improve the Service
• Process transactions and manage your subscription
• Send transactional communications — account confirmations, billing receipts, warranty expiration reminders, and inventory check reminders
• Respond to your support requests and inquiries
• Monitor and analyze usage patterns to improve user experience
• Detect, prevent, and address security issues, fraud, and abuse
• Comply with legal obligations and enforce our Terms of Service
• Send service announcements and updates regarding the Service (you may opt out of non-essential communications)
• Aggregate and anonymize data for product analytics and business reporting (no individual can be identified from aggregated data)

We do not sell your personal information to third parties. We do not use your grant data or equipment records for advertising purposes.

4. How We Share Your Information

We may share your information in the following circumstances:

4.1 Service Providers

We share information with third-party vendors and service providers that perform services on our behalf, including:

• Supabase, Inc. — database hosting and file storage
• Supabase, Inc. — user authentication and identity management
• Stripe, Inc. — payment processing
• Resend — transactional email delivery
• Vercel, Inc. — application hosting and infrastructure
• Inngest, Inc. — background job processing

These providers are contractually obligated to use your information only as necessary to provide services to us and in accordance with this Privacy Policy.

4.2 Within Your Organization

Information you add to the Service is visible to other members of your organization who have been granted access. You are responsible for managing member access within your account.

4.3 Public Asset Pages

If you enable public QR pages for an asset, certain information about that asset (name, location, condition, custodian contact) becomes publicly accessible to anyone with the URL or QR code. You control which information is displayed on public pages through asset settings.

4.4 Legal Requirements

We may disclose your information if we believe in good faith that such disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce our Terms of Service; (c) protect the rights, property, or safety of our company, our users, or others; or (d) detect, prevent, or address fraud or security issues.

4.5 Business Transfers

If we are involved in a merger, acquisition, asset sale, financing, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Service before your information is transferred and becomes subject to a different privacy policy.

4.6 With Your Consent

We may share your information for other purposes with your prior consent.

5. Cookies and Tracking Technologies

We and our service providers use cookies, web beacons, pixels, and similar tracking technologies to operate the Service and collect usage information. These technologies help us maintain your login session, remember your preferences, understand how you use the Service, and improve performance.

Session cookies are deleted when you close your browser. Persistent cookies remain on your device for a set period. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent; however, refusing cookies may limit your ability to use certain features of the Service.

We do not currently use cookies for third-party advertising or cross-site tracking.

6. Data Retention

We retain your account information and organizational data for as long as your account is active or as needed to provide the Service. If you close your account, we will delete or anonymize your data within a reasonable period, typically 90 days, unless we are required to retain it longer by law or for legitimate business purposes such as resolving disputes or enforcing our agreements.

Audit log entries are retained for a minimum of seven (7) years to support potential federal audit requirements under 2 CFR Part 200. You may not request deletion of audit log entries if your organization has active federal grant obligations.

Uploaded files (photos, documents) are deleted upon account closure, subject to the same retention exceptions above.

7. Data Security

We implement reasonable administrative, technical, and physical security measures designed to protect your information from unauthorized access, disclosure, alteration, and destruction. These include:

• Encryption of data in transit (TLS/HTTPS)
• Encryption of data at rest
• Row-level security policies restricting database access to authorized users
• Service-role-only write access to audit logs (tamper-proof)
• Regular security assessments of our infrastructure

However, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your information. You are responsible for maintaining the security of your account credentials and for any activity that occurs under your account.

8. Your Rights and Choices

8.1 Access and Correction

You may access and update most of your account and organization information directly through the Service. If you need assistance accessing or correcting information we hold about you, please contact us at privacy@inventorygrant.com.

8.2 Deletion

You may request deletion of your account and associated personal data by contacting us at privacy@inventorygrant.com. We will honor deletion requests subject to our data retention obligations described in Section 6, our legal obligations, and legitimate business purposes. We may retain certain information in anonymized or aggregated form.

8.3 Communication Preferences

You may opt out of non-essential marketing communications by following the unsubscribe instructions in those emails or by contacting us. You cannot opt out of transactional communications that are necessary to provide the Service (e.g., payment receipts, security alerts).

8.4 California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (“CCPA”) may provide you with certain rights regarding your personal information, including the right to know what personal information we have collected, the right to delete personal information, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising your rights. To exercise these rights, contact us at privacy@inventorygrant.com.

8.5 Nevada Residents

Nevada law gives Nevada residents the right to opt out of the sale of certain personal information. We do not sell personal information as defined under Nevada law.

8.6 European Economic Area and United Kingdom

If you are located in the EEA or UK, you may have rights under the General Data Protection Regulation (“GDPR”) or UK GDPR, including the right of access, rectification, erasure, restriction of processing, data portability, and objection. Our legal basis for processing your personal data is typically performance of our contract with you or our legitimate business interests. To exercise your rights, contact us at privacy@inventorygrant.com. You also have the right to lodge a complaint with your local data protection authority.

9. Children’s Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have collected information from a child, please contact us at privacy@inventorygrant.com.

10. Third-Party Links and Services

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of third parties, and this Privacy Policy does not apply to information collected by third parties. We encourage you to review the privacy policies of any third-party services you access through the Service.

11. Government Grant Data

The Service is designed to help organizations track federally funded equipment. You may input data relating to federal grants, award numbers, equipment purchased with federal funds, and related compliance information. This information is stored and processed on your behalf. We do not share this information with FEMA, the Department of Homeland Security, or any other government agency except as required by law.

You are solely responsible for the accuracy of grant and equipment data you enter into the Service and for your organization’s compliance with all applicable federal grant requirements. The Service is a tracking tool, not a compliance guarantee.

12. Changes to This Privacy Policy

We reserve the right to modify this Privacy Policy at any time. We will post the revised policy on this page with an updated Effective Date. For material changes, we may also notify you by email or through a notice on the Service. Your continued use of the Service after the revised Privacy Policy has been posted constitutes your acceptance of the changes. If you do not agree with the revised policy, you must discontinue using the Service.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

We will respond to privacy requests within a reasonable timeframe and no later than 45 days of receipt, unless a longer period is permitted by applicable law.

Last updated: February 19, 2026. We may update this Privacy Policy at any time. Continued use of the Service constitutes acceptance of the current Privacy Policy.