Privacy Policy

Effective date: April 5, 2026

1. Scope and Application

This Privacy Policy ("Policy") explains how Tradesman ("we," "us," "our," or the "Company") collects, uses, stores, shares, and protects information when you access or use the Tradesman platform, including our websites, mobile applications, APIs, and all related services (collectively, the "Service"). This Policy applies to all users of the Service, including business owners, employees, field workers, and customers. By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with our data practices, please do not use the Service.

2. Information We Collect

We collect the following categories of information:

  • Account and identity information: name, email address, phone number, profile photo, user identifiers, organization identifiers, role within an organization, and account credentials. This information is collected directly from you when you create an account and is also processed by our authentication provider, Clerk.
  • Business records you create or submit: customer records, contact information, jobs, service requests, estimates, invoices, expenses, purchase orders, pricebook items, inventory records, payroll data, time-clock entries, employee profiles, notes, tags, and any other business data you enter into the Service.
  • Communication content: in-app job chat messages, service request messages, attachments, uploaded photos and documents, notes, and any other content you transmit through the Service's communication features.
  • Location and geofencing data: when enabled by your organization administrator, the Service may collect precise GPS coordinates, movement patterns, geofence entry and exit events, and background location data from field workers' mobile devices while they are clocked in. Location data is collected at approximately 60-second intervals or upon 50-meter movement. This data continues to be collected in the background even when the mobile app is not actively in use, until the worker clocks out.
  • Payment and financial data: payment method information, transaction history, invoice payment status, subscription billing records, and Stripe account identifiers. Full payment card numbers are processed and stored exclusively by our payment processor, Stripe, and are never stored on our servers.
  • Voice and audio data: if you use voice dictation features, audio data is processed by on-device speech recognition services. If your organization uses the AI receptionist feature, phone call audio and transcriptions may be processed by our AI voice provider, Retell.
  • Technical and device information: device type, model, operating system and version, unique device identifiers, mobile advertising identifiers, browser type and version, screen resolution, language settings, time zone, IP address, network information, app version, and build number.
  • Usage and analytics data: pages visited, features used, buttons clicked, search queries, interaction patterns, session duration, session recordings (on mobile), navigation paths, crash reports, and performance metrics. This data is collected through our analytics providers, PostHog and Sentry, and may include session replay recordings that capture your interactions with the mobile application (such as screen taps, scrolls, and navigation — but NOT keyboard input for sensitive fields such as passwords).
  • Authentication and security metadata: sign-in and sign-out events, authentication methods used, IP addresses at time of authentication, device fingerprints, failed login attempts, session tokens, and organization membership changes. This data is processed by our authentication provider, Clerk.
  • Error and diagnostic telemetry: crash reports, error stack traces, request metadata, application state at time of error, device and browser context, and user identifiers associated with error events. This data is collected by our error monitoring provider, Sentry, and may include personally identifiable information such as your user ID, email address, and name to help us diagnose and resolve issues.
  • Push notification data: device push tokens, notification delivery status, notification interaction data, and platform-specific notification identifiers. Push tokens are stored on our servers and associated with your user account.

3. How We Use Information

We use the information we collect for the following purposes:

  • To provide, operate, maintain, and improve the Service, including all features you access such as scheduling, dispatching, invoicing, communication, and reporting.
  • To authenticate users, manage account access, enforce role-based permissions, detect and prevent fraud, and protect the security and integrity of the Service and our users.
  • To process subscription payments, facilitate invoice payments between you and your customers, manage billing cycles, handle payment failures, and prevent payment fraud.
  • To generate business reports, analytics dashboards, operational insights, and aggregated statistics that help you manage your business.
  • To send transactional and service-related communications, including push notifications, email notifications, in-app alerts, job updates, schedule reminders, payment confirmations, and security alerts.
  • To provide AI-powered features, including the AI receptionist, voice transcription, intelligent suggestions, and automated responses, which may involve transmitting data to third-party AI service providers.
  • To monitor the performance, stability, and reliability of the Service, diagnose technical issues, debug errors, and improve the user experience through analytics and session recordings.
  • To comply with applicable legal obligations, respond to lawful requests from public authorities, enforce our Terms of Service, protect our rights and property, and establish, exercise, or defend legal claims.

4. Legal Bases for Processing (EEA/UK Users)

If you are located in the European Economic Area (EEA) or the United Kingdom (UK), we process your personal data on the following legal bases: (a) Contract Performance — processing necessary to provide the Service as described in our Terms of Service; (b) Legitimate Interests — processing necessary for our legitimate business interests, such as improving the Service, ensuring security, and conducting analytics, where those interests are not overridden by your data protection rights; (c) Legal Obligations — processing necessary to comply with applicable legal requirements; and (d) Consent — where we have obtained your explicit consent for specific processing activities, such as optional analytics cookies or marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing performed before withdrawal.

5. Sharing and Disclosure

We may share your information with the following categories of recipients:

  • Infrastructure and hosting providers: Supabase (database hosting, file storage, and backend infrastructure) and Vercel (web application hosting) process and store your data on our behalf.
  • Authentication and identity providers: Clerk processes your sign-in credentials, authentication events, session data, and organization membership information.
  • Payment processors: Stripe processes payment card information, subscription billing, and invoice payment transactions. RevenueCat manages subscription status for in-app purchases through Apple and Google app stores.
  • Analytics and monitoring providers: PostHog collects usage analytics, interaction events, and session replay recordings. Sentry collects error reports, crash diagnostics, and associated user context including personally identifiable information.
  • AI service providers: Retell processes phone call audio and generates AI receptionist responses. Other AI providers may process data for voice transcription and intelligent features.
  • Communication service providers: Resend and other email delivery services process and transmit transactional emails on our behalf. Expo processes push notification delivery. These providers may have access to email addresses, message content, and device tokens.
  • Mapping and geolocation providers: Google Maps and other mapping services process address data, coordinates, and routing information for dispatch and location features.
  • Within your organization: information is shared between users within the same organization workspace according to role-based access controls. Organization owners may access data submitted by workers and customers within their organization, including time-clock records, location data, job details, and communications.
  • Law enforcement and legal compliance: we may disclose information to law enforcement agencies, courts, regulators, or other governmental authorities when required by law, subpoena, court order, or other legal process, or when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
  • Business transfers: in connection with a merger, acquisition, reorganization, bankruptcy, dissolution, sale of assets, or similar transaction, your information may be transferred as part of the transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

6. Data Controller and Processor Roles

For customer records, employee data, job information, and other business data submitted by an organization through the Service, the organization is the data controller (or "business" under CCPA), and Tradesman acts as the data processor (or "service provider" under CCPA) on the organization's behalf. Organization administrators are responsible for ensuring they have a lawful basis for collecting and processing the personal data of their customers and employees. For account information, billing data, security logs, product analytics, and other data we collect for our own operational purposes, Tradesman is the data controller.

7. Cookies, Tracking, and Session Recording

We and our third-party providers use cookies, local storage, pixels, and similar tracking technologies for authentication, security, session management, preference storage, analytics, and performance monitoring. Essential cookies are required for the Service to function and cannot be disabled. Analytics and performance cookies may be placed by PostHog and other analytics providers to collect usage data.

On our mobile application, PostHog may record user sessions, capturing screen interactions including taps, scrolls, and navigation patterns. Session recordings are used to understand user behavior, diagnose issues, and improve the Service. Sensitive input fields (such as password fields) are automatically excluded from session recordings. You may opt out of analytics and session recording by adjusting your notification and privacy settings within the Service, where available, or by contacting us.

8. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service, fulfill the purposes described in this Policy, comply with legal obligations (including tax and accounting requirements), resolve disputes, and enforce our agreements. When records are no longer needed for these purposes, they may be archived or deactivated rather than permanently deleted to maintain data integrity and comply with business record-keeping obligations. Specific retention periods may vary by data type: account data is retained for the life of the account plus a reasonable post-termination period; financial records may be retained for seven (7) years or longer as required by tax law; communication content is retained for the life of the associated job or service request; and analytics data is retained in aggregated or anonymized form. After applicable retention periods expire, data is securely deleted or irreversibly anonymized.

9. Security

We implement reasonable administrative, technical, and physical security measures designed to protect the confidentiality, integrity, and availability of your information, including encryption of data in transit (TLS/SSL), access controls, authentication requirements, and regular security monitoring. However, NO METHOD OF ELECTRONIC TRANSMISSION OR STORAGE IS 100% SECURE. We cannot and do not guarantee the absolute security of your information. You are responsible for maintaining the security of your account credentials and for any activity that occurs under your account. You should immediately notify us if you suspect any unauthorized access to your account.

10. Your Privacy Rights

Depending on your location and applicable law, you may have the following rights regarding your personal information: (a) Right to Access — request a copy of the personal information we hold about you; (b) Right to Correction — request that we correct inaccurate or incomplete personal information; (c) Right to Deletion — request that we delete your personal information, subject to certain legal exceptions; (d) Right to Portability — request a copy of your personal information in a structured, commonly used, machine-readable format; (e) Right to Object — object to certain processing of your personal information based on legitimate interests; (f) Right to Restrict Processing — request that we restrict certain processing activities; (g) Right to Withdraw Consent — withdraw consent at any time where processing is based on consent; and (h) Right to Non-Discrimination — we will not discriminate against you for exercising your privacy rights. To exercise any of these rights, please contact us at hello@trytradesman.com. We will respond to verifiable requests within the timeframes required by applicable law (generally 30 to 45 days). We may request additional information to verify your identity before fulfilling your request.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA") provide you with additional rights regarding your personal information. In the preceding twelve (12) months, we have collected the categories of personal information described in Section 2 above. We do not "sell" personal information as defined by the CCPA, and we do not "share" personal information for cross-context behavioral advertising purposes. We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age. California residents have the right to: (a) know what personal information we collect, use, disclose, and sell; (b) request deletion of personal information; (c) opt out of the sale or sharing of personal information; (d) correct inaccurate personal information; and (e) not be discriminated against for exercising these rights. To submit a request, contact us at hello@trytradesman.com or through the mechanisms described in the Contact section.

12. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, the General Data Protection Regulation ("GDPR") and applicable local implementations provide you with additional rights. You may exercise the rights described in Section 10 above. If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with your local data protection supervisory authority. For international transfers of personal data outside the EEA/UK, we rely on appropriate legal mechanisms, including Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other lawful transfer mechanisms.

13. Children's Privacy

The Service is not directed to, intended for, or designed to attract children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect, solicit, or maintain personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take reasonable steps to delete that information promptly. If you believe that a child under 13 has provided us with personal information, please contact us immediately at hello@trytradesman.com.

14. International Data Transfers

Your information may be transferred to, stored in, and processed in countries other than the country in which you reside, including the United States, where our servers and service providers are located. These countries may have data protection laws that differ from those in your jurisdiction. By using the Service, you consent to the transfer of your information to these countries. Where required by applicable law, we implement appropriate safeguards for international data transfers, including Standard Contractual Clauses, data processing agreements, and reliance on adequacy decisions.

15. Do Not Track Signals

Some web browsers may transmit "Do Not Track" ("DNT") signals to websites. Because there is no universally accepted standard for how to interpret DNT signals, we do not currently respond to or alter our data collection practices upon receiving DNT signals. If a uniform standard for DNT is established, we will reassess our practices.

16. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technologies, legal requirements, or other factors. If we make material changes, we will update the effective date at the top of this Policy and, where feasible, notify you through additional means such as in-app notifications or email. Your continued use of the Service after the effective date of any revised Policy constitutes your acceptance of the changes. We encourage you to review this Policy periodically to stay informed about how we protect your information.

17. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: hello@trytradesman.com. For data protection inquiries from EEA/UK residents, you may also contact our designated data protection point of contact at the same email address. We aim to respond to all inquiries within a reasonable timeframe and in compliance with applicable data protection laws.

You can review our Terms of Service.