E2 Solutions · Command Center

Your data, your control.

Plain English about what we save, what we don't, how you get your data back any time, and where it physically lives. With receipts — every claim has a link to verify.

Your data is YOUR data. Always.

We hold it on your behalf so the platform can do its job. We never sell it, never train AI on it, never share it with marketing partners. And if you ever leave, you take it ALL with you — one click, full export, no questions.

What we save vs what we don't.

Being honest here: we ARE a CRM. We save your business data on purpose — that's the whole point. Here's exactly what.

WE DO SAVE

  • +Your customer list (names, phones, emails, addresses you added)
  • +Notes you write about customers
  • +Texts + emails you send through Command Center
  • +Texts customers send to your business number
  • +Photos you upload (jobsite photos, logos)
  • +Where each customer is in your pipeline
  • +Your brand colors, voice samples, FAQ
  • +Call recordings (only for customers, only if you enabled the recording add-on, only for 30 days)
  • +Your login history (when, from where)

This is your business operating data. It's yours. We hold it so the platform can show you stuff.

WE DON'T SAVE

  • Your Facebook password (we use OAuth — never see it)
  • Your Google password (OAuth — never see it)
  • Your Stripe / card number (Stripe handles it; we see nothing)
  • Personal calls or texts from your mom, kid, friends
  • Calls from unknown numbers (only customers get logged)
  • Your Google Calendar data permanently (we read it each time you load the dashboard; never make a copy)
  • Data “for training AI” — every AI call is stateless. The data goes to Claude for ONE generation, results come back, nothing is retained
  • Anything to sell to advertisers or data brokers

The receipts — prove it.

Don't take our word for it. Every claim above has a public source you can verify yourself.

We never train AI on your data

Anthropic (the makers of Claude, the AI we use) commit in their public API Terms that data sent through their API is never used for model training. They're contractually bound to us, and they publish this.

Read Anthropic's API Terms

We never see your card number

Stripe is PCI-DSS Level 1 certified — the highest tier. They handle all card data; Command Center receives only a customer ID + last 4 digits.

Read Stripe's security docs

Your data is held in Canada

Supabase (our database) is SOC 2 Type II attested. Our database lives in their AWS Canada-Central region. Same datacenter your bank likely uses.

Read Supabase's security page

One client can't read another client's data

Every database table has a Postgres Row-Level Security policy. Client A literally cannot query for Client B's data — the database refuses at the query level. This is defense-in-depth, not just “please be careful.”

How RLS works

Phones with known passwords get audited

No one at Command Center holds a password to your Facebook, Google, or any account. Every connection is OAuth — bank-grade. You can revoke us in 30 seconds from your own account settings without telling us.

Revoke Google access right now

Getting your data out — one click.

The single most important commitment we make. If we're ever bad for your business, you should be able to leave with everything.

HOW YOU GET YOUR DATA

  1. 1

    Open Command Center → Settings → Export

    One menu item. Always visible. No customer-success-team needed.

  2. 2

    Click Export everything

    One button. You'll see a progress bar — usually 30-60 seconds for a typical business.

  3. 3

    Download the .zip file

    You get a single download containing CSV files for every table (contacts, messages, notes, pipeline, etc.) PLUS the same data as JSON (machine-readable). Plus every file you ever uploaded, in a /files/ folder.

  4. 4

    Open it in Excel, Google Sheets, or import it anywhere

    CSVs open in any spreadsheet. JSON imports into any modern CRM. The data is in standard formats — nobody locks you in.

What's in the export? Everything. Your contacts, every note you wrote, every text + email + call ever sent or received, every photo, every file, your pipeline state, your brand config, your voice samples, your FAQ. The whole dataset, in formats anyone can open.

What's the format? Standard Postgres data exported as .csv (one per table) + .json (machine-readable) + /files/ folder for media. Nothing proprietary.

If you ever leave us.

Day 0

You cancel

Tell us. We don't argue, we don't try to save the deal with discounts. We help you migrate out.

Days 1-30

Off-boarding window

Your account stays live and read-only. Export as many times as you want. We help if you need it.

Day 30+

Permanent deletion

All your data gets permanently deleted from active systems. Backups overwrite within 90 days. You get an email confirming.

Where your data physically lives.

Each provider only sees what it needs for its job. We name every one publicly. Click through to see their security practices.

What they see: Your customers, messages, notes, pipeline state, files — everything that's structured business data. The primary database.

AWS Canada-Central regionSOC 2 Type II

What they see: Code + temporary request data. No customer data is stored at Vercel — they just serve the app pages.

Global edge, primary processing in North AmericaSOC 2 Type II

What they see: DNS routing + content delivery. Sees URLs, IP addresses, basic request metadata. Never sees your customer data.

Global edge networkSOC 2 Type II

What they see: SMS + voice routing. Sees the To/From phone numbers and message text in transit. Recordings (when enabled, only for customers) live here for 30 days then auto-delete.

North AmericaISO 27001, SOC 2 Type II

What they see: Outbound + inbound transactional email delivery. Sees recipient + email body in transit. Doesn't archive.

United StatesSOC 2 Type II

What they see: AI content generation + Co-Pilot brain. Sees a single prompt (your voice sample + the photo / topic / context, or your Co-Pilot command) and returns a single response. Never retains the input.

United StatesSOC 2 Type II — and per their API Terms, no training on customer data

OpenAI (Whisper)

Their security page →

What they see: Speech-to-text only. Used for call recording transcripts + Co-Pilot voice input. Sees audio for the few seconds it takes to transcribe, returns text. We don't keep the audio on our side; per OpenAI's API Terms, they retain it ≤30 days for abuse review, then delete. No training on API data.

United StatesPer OpenAI API Terms — no training on customer data; 30-day max audio retention

What they see: Payment processing. Sees your card details (we don't). Charges your subscription monthly.

United States / CanadaPCI-DSS Level 1

Meta (Facebook + Instagram)

Their security page →

What they see: Only sees content you APPROVE for publishing. We never share customer data with them; we publish posts you tapped Approve on.

Per Meta's policiesSubject to your OAuth permission — revocable in 30 seconds

What they see: Calendar + GBP publishing + identity sign-in. We read your calendar live each time, never copy it. We post to GBP when you approve.

Per Google's policiesSubject to your OAuth permission — revocable in 30 seconds

Replicate (Studio features only)

Their security page →

What they see: AI image + video generation. Stateless — generates one image / video on demand, returns it, retains nothing.

United StatesPer-request only; no data retained

Daily.co (in-app video calls)

Their security page →

What they see: WebRTC video calling infrastructure. We don't record video by default; if you choose to record, file is held briefly then transferred to your Command Center file storage.

United StatesSOC 2 Type II

Important:we don't sell or share your data with ANY service not on this list. If a new sub-processor joins the platform, this page updates first. If you ever see something here you don't understand, call us — we'll explain.

One honest thing.

We're not a giant company with a SOC 2 audit certificate and an annual third-party penetration test. We're a family business — Carson + Alaina — running Command Center on the same Postgres database, the same encryption, the same OAuth standards that Stripe and Notion use. We didn't cut corners on the architecture. We did cut corners on the compliance theater that doesn't actually change the security of your data.

When we get to 50+ clients we'll probably do SOC 2 to make enterprise customers comfortable. Until then, the substance IS the security: HTTPS everywhere, encrypted storage, Row-Level Security, OAuth-only integrations, audit logs, real backups. That's what those certifications audit — we just deliver them directly without the certificate.

If that doesn't fly for your business, we'll be the first to say so on the kickoff call. Some businesses need enterprise-tier compliance and we're not the right fit yet. That's OK.

For the technical / curious.

The technical security details — encryption ciphers, breach policy, full sub-processor list with regions, compliance attestations — live at /security. The legal Privacy Policy with PIPEDA + CASL language lives at /privacy. Same content, different audiences.