Privacy Policy
Last updated: [DATE]. Effective: [DATE].
This Privacy Policy explains how [LEGAL ENTITY NAME] ("MyTradeCrate", "we", "us") collects, uses, discloses, and protects information when you visit our marketing website, sign up for an Account, or use the MyTradeCrate platform (collectively, the "Service"). It applies to Account holders and their Authorized Users, end-customers of our customers (e.g., homeowners who book a job through a public booking page), and visitors to our website.
1. Roles: Controller vs. Processor
- For information about Account holders, Authorized Users, billing contacts, and visitors to our marketing site, MyTradeCrate is the data controller.
- For Customer Content — information about your own end-customers, employees, vendors, properties, jobs, photos, signatures, and similar — you (the Account holder) are the data controller and MyTradeCrate is your data processor, processing data only on your documented instructions and as described in our Data Processing Agreement.
2. Information We Collect
From you (Account holders and Authorized Users)
- Account info: name, business name, email address, phone number, password (hashed using bcrypt by Supabase Auth), profile photo, role.
- Business info: mailing address, tax rate, currency, logo, public booking slug, integration tokens (Google, QuickBooks, Stripe Connect).
- Billing info: processed by Stripe under its own privacy policy. We store the Stripe customer ID, subscription ID, card brand, last four digits, and billing-history metadata. We never see or store full card numbers, CVCs, or bank credentials.
- Two-factor secrets: if you enable 2FA, your TOTP secret is stored encrypted by Supabase Auth.
- Support communications: if you contact us, we keep a copy of the conversation and any files you send.
About your end-customers (Customer Content)
- Contact details (names, addresses, phone, email), service history, photos, signatures, estimates, invoices, payment history, custom fields, notes.
- Geolocation (latitude/longitude) of properties, if entered.
- Audio or video files you choose to attach (we do not perform automated content analysis).
About visitors to public surfaces
- If a member of the public submits a booking through your public widget or pays an invoice through a portal link, we collect the contact and payment information they provide to fulfill the request.
- Such visitors are end-customers of our Customer, not direct customers of MyTradeCrate; their primary privacy relationship is with you.
Automatically
- Usage data: pages visited, features used, click events, button taps, time on page, referrer, search queries, request IDs.
- Device and connection: IP address, browser type and version, operating system, device model, screen resolution, locale, timezone.
- Cookies and similar: essential first-party cookies for authentication and session management. No third-party advertising or cross-site tracking cookies. See our Cookies Policy.
- Error reports: when an exception occurs, anonymized stack traces, breadcrumbs, and request metadata may be sent to Sentry to help us diagnose problems. We instruct Sentry not to record personally identifying request bodies.
- Audit logs: we log who took which action in your Account and when, for security and abuse prevention.
3. Sources
We collect information directly from you when you sign up, from your Authorized Users when they accept invitations, from your end-customers when they interact with your public surfaces, and automatically from your devices when you use the Service. We do not buy personal data from data brokers and do not enrich profiles from third-party data.
4. How We Use Information
- To provide, secure, maintain, and improve the Service.
- To authenticate you, fulfill your transactions, and process subscription payments through Stripe.
- To send transactional emails and SMS related to your Account (receipts, billing notices, security alerts, password resets, system status).
- To respond to your support requests and other inquiries.
- To detect, investigate, and prevent fraud, abuse, security incidents, or violations of our Terms or Acceptable Use Policy.
- To comply with legal obligations and respond to lawful requests from public authorities.
- To enforce our agreements and protect our rights and the rights of our customers.
- To send product updates, tips, and marketing communications — only with your consent, and only to Account holders. You may opt out at any time using the unsubscribe link in our emails.
- To create aggregated, de-identified statistics about how the Service is used; such data does not identify you and may be retained indefinitely.
5. Legal Bases for Processing (GDPR / UK GDPR)
If you are in the EEA, UK, or Switzerland, our legal bases include:
- Contract: processing necessary to provide the Service you signed up for.
- Legal obligation: tax, accounting, anti-fraud, anti-money-laundering, or court-ordered processing.
- Legitimate interests: securing the Service, preventing abuse, improving features, and operating our business — balanced against your rights.
- Consent: marketing emails, optional cookies, voluntary disclosures. You may withdraw consent at any time.
6. Sharing and Disclosure
We do not sell or rent personal information. We share information only as follows:
- Subprocessors: we use third-party service providers to deliver the Service (Supabase, Vercel, Stripe, Resend, Telnyx, Google, Intuit, Backblaze, Sentry). Each is bound by a written data-processing agreement that restricts use of personal data to providing services to us. The current list is at /legal/subprocessors.
- Your Authorized Users: information you enter into your Account is visible to anyone in your organization with the appropriate role.
- Legal compliance: when required by law, subpoena, court order, regulatory request, or to defend against legal claims.
- Safety: to protect the rights, property, or safety of MyTradeCrate, our customers, or others, including investigation of fraud or abuse.
- Business transfer: in connection with a merger, acquisition, financing, or sale of assets, in which case the successor will be bound by no less protective privacy commitments.
- With your direction: if you connect a third-party integration (Google Drive, QuickBooks, Stripe Connect), we share data with that integration only as you instruct.
7. International Transfers
MyTradeCrate is operated from the United States and processes data on infrastructure located primarily in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. Where required by law (e.g., transfers from the EEA, UK, or Switzerland), we rely on the Standard Contractual Clauses approved by the European Commission and supplementary measures described in our DPA.
8. Data Retention
- Account and Customer Content: retained for the life of your Subscription plus a ninety (90) day grace period for export and recovery, then permanently deleted from production systems. Backups containing deleted records are overwritten within ninety (90) days following grace-period expiration.
- Audit logs: retained for two (2) years.
- Auto-save drafts: retained for thirty (30) days.
- Customer-portal sessions and short-lived tokens: deleted within seven (7) days after expiration.
- Billing and tax records: retained for seven (7) years to comply with U.S. tax law.
- Marketing email subscribers: retained until you unsubscribe plus thirty (30) days for suppression-list purposes.
- We may retain limited information longer when required by law or to defend against actual or threatened legal claims.
9. Security
- All data in transit is encrypted using TLS 1.2 or higher.
- Data at rest is encrypted by Supabase using AES-256.
- Passwords are hashed using bcrypt and never stored in plaintext.
- BYOC messaging keys (Resend, Telnyx) are encrypted at the application layer, using a key kept separate from the database, before being stored.
- Access to production systems is restricted to authorized personnel, requires multi-factor authentication, and is logged.
- We follow industry-standard practices including dependency scanning, code review, vulnerability triage, and incident-response procedures.
- No system is perfectly secure. In the event of a security breach affecting your data, we will notify you and any required regulator within seventy-two (72) hours of confirming the breach, in accordance with applicable law.
10. Your Rights and Choices
Depending on where you live, you may have one or more of the following rights with respect to personal information about you:
- Access: request a copy of personal information we hold about you.
- Correction: request correction of inaccurate or incomplete information.
- Deletion: request deletion, subject to legal retention obligations.
- Portability: receive your data in a structured, commonly used, machine-readable format and ask us to transmit it to another controller where technically feasible.
- Restriction or objection: object to certain processing or ask us to restrict it.
- Withdrawal of consent: withdraw consent at any time, without affecting the lawfulness of prior processing.
- Right to lodge a complaint: with a data-protection authority. Contacting us first is encouraged but not required.
To exercise these rights, email [PRIVACY EMAIL] from the address associated with your Account. We will respond within thirty (30) days (or longer where law permits, with notice). For requests about an end-customer's data held by a MyTradeCrate customer (your contractor), please contact that contractor directly; we will support them in fulfilling your request.
U.S. state privacy rights (CA, CO, CT, VA, UT, and similar)
Residents of certain U.S. states have specific rights under state privacy laws, including the California Consumer Privacy Act (as amended by the CPRA), and similar laws in Colorado, Connecticut, Virginia, Utah, and other states. We do not "sell" or "share" (as defined under those laws) personal information for cross-context behavioral advertising. We will not discriminate against you for exercising any of these rights. To submit a request, email [PRIVACY EMAIL].
EEA / UK / Switzerland
See Section 5 for our legal bases. You may lodge a complaint with your local data-protection authority.
11. Children
The Service is not directed at children under sixteen (16). We do not knowingly collect personal information from children. If you believe a child has provided us information, please contact us at [PRIVACY EMAIL] and we will delete it.
12. Automated Decision-Making
We do not use automated decision-making, including profiling, that produces legal or similarly significant effects on you.
13. Cookies and Tracking
See our Cookies Policy. We use only first-party essential cookies for authentication and session management. We do not allow third-party advertising or cross-site tracking cookies.
14. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and by in-app banner at least thirty (30) days before the changes take effect. The "Last updated" date at the top reflects the most recent revision. If you do not agree to a change, your sole remedy is to cancel your Subscription before the effective date and request deletion of your data.
15. Contact
Privacy questions and rights requests: [PRIVACY EMAIL].
Mailing address: [LEGAL ENTITY NAME], [BUSINESS ADDRESS].