Privacy Policy
This Privacy Policy explains how TradeForge ("we," "us," or "our") collects, uses, shares, and protects information when you use our contractor CRM platform and related services (the "Service"). It applies to information we collect:
- On our websites at tradeforgeworks.com and its subdomains
- Through the TradeForge web application and mobile-responsive interfaces
- Through our APIs, integrations, and email communications
This Privacy Policy supplements, and is incorporated into, our Terms of Service.
1. Information We Collect
1.1 Information You Provide Directly
- Account information: name, email address, phone number, company name, company address, trade type, time zone
- Billing information: payment method details (processed and stored by Stripe — see Section 3), billing address, subscription history
- Profile and branding: company logo, brand colors, signature blocks, default contract terms, default tagline
- Customer Data: leads, contacts, jobs, photos, voice transcripts, estimates, proposals, contracts, invoices, insurance claim records, content drafts, and any other data you create or upload
- End Customer information: contact details, addresses, and communication content of your customers and prospects that you enter into the Service
- Communications: support requests, feedback, and other messages you send to us
1.2 Information Collected Automatically
- Usage data: features used, pages visited, AI requests made, photos uploaded, time spent in the application
- Device and connection data: IP address, browser type, operating system, device identifiers, language preference, referring URL
- Log files: application logs containing request timestamps, status codes, and error events
- Cookies and similar technologies: session cookies for authentication, preference cookies for theme/language, and (where consented) analytics cookies
1.3 Information from Third Parties
When you connect optional third-party services (such as EagleView, Google, or Stripe), we receive limited data from those providers as necessary to deliver the integrated feature. See Section 4 for the list of integrations and what we exchange.
2. How We Use Your Information
We use the information we collect to:
- Provide the Service: create your account, authenticate you, deliver the features you use, process payments, and respond to your support requests
- Process AI requests: when you use AI-driven features (such as content generation, lead reply drafting, insurance supplements, or chat assistance), we send your input to our AI provider (Anthropic) for processing — see Section 4
- Personalize the experience: remember your preferences, brand colors, default terms, and trade type
- Improve the Service: analyze usage patterns to identify bugs, prioritize features, and optimize performance
- Communicate with you: send transactional messages (welcome emails, trial reminders, billing receipts, security alerts) and, with your opt-in, product updates and educational content
- Maintain security: detect, prevent, and respond to fraud, abuse, security incidents, and other harmful activity
- Comply with legal obligations: respond to lawful requests, enforce our Terms of Service, and protect our rights, property, and users
3. Payment Processing (Stripe)
All payment card data is collected, processed, and stored by Stripe, Inc. ("Stripe") under its own privacy policy at stripe.com/privacy. TradeForge does not store, access, or transmit your full card number, CVV, or PIN. We store only a Stripe customer reference ID and subscription identifier so we can manage your subscription and display payment history.
4. Third-Party Service Providers and Sub-Processors
We use the following third-party service providers ("sub-processors") to deliver the Service. Each is contractually obligated to maintain appropriate confidentiality and security measures.
| Provider | Purpose | Data Exchanged |
|---|---|---|
| Stripe | Payment processing | Card data (collected directly by Stripe), billing email, subscription details |
| Anthropic | AI model provider | Content you submit to AI features (drafts, photos, notes, chat); context (company name, trade, line items) |
| Resend | Transactional email delivery | Recipient email, subject, body for emails sent through the Service |
| Cloudflare R2 | Photo and document storage (CDN) | Photos, PDFs, and other binary files you upload |
| Cloudflare | DNS, edge network, DDoS protection | IP addresses, request metadata, HTTP traffic |
| Railway | Application hosting + Postgres database | All Customer Data stored in the application |
| EagleView | Roof measurement reports (when connected) | Property addresses you request measurements for; OAuth refresh token |
| 1ESX | Roof measurement reports (when connected) | Property addresses; API credentials you provide |
| National Weather Service (NOAA) | Storm event lookup (Storm Pack) | Search latitude/longitude (we send queries; we do not send your data to NOAA) |
| Google / Facebook / Yelp | Review automation (when connected) | Customer name and email if you choose to send a review request through those platforms |
An up-to-date list of sub-processors is available upon request by emailing [email protected]. We will notify customers via email at least 14 days before adding any new sub-processor that materially changes how Customer Data is processed.
5. AI Processing Disclosure
When you use AI-driven features (estimate drafts, content generation, photo summaries, chat, claim supplements, etc.), the following data is transmitted to Anthropic, PBC for processing:
- The prompt content you generate (typed notes, voice transcripts, captions)
- Context we include to improve relevance (your trade, company name, line item history, prior conversation messages within the current chat)
- Photos you submit to vision-capable features (damage analysis, logo extraction, walkthrough summarization)
Per Anthropic's commercial terms, this data is processed solely to generate a response and is not used to train Anthropic's models. We retain a log of AI usage events (action, model, token count, cost, latency, success/error) for billing reconciliation, abuse detection, and product improvement. We do not retain the full prompt content after the response is delivered to you, unless you save it as part of your Customer Data (e.g. a generated proposal you save to a lead).
6. How We Share Information
6.1 Sharing We Do
- With sub-processors (listed in Section 4) as needed to operate the Service
- With End Customers you communicate with through the Service (e.g. when you send an estimate or contract, the recipient receives the content you authorize)
- With your authorized Sub-Users (employees, team members, contractors) you invite to your account
- In legal compliance: in response to a valid subpoena, court order, or government request, or when we believe in good faith that disclosure is necessary to comply with the law, protect our rights, prevent fraud, or protect the safety of any person
- In a business transaction: in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of substantially all of our assets. We will provide notice and an opportunity to object before your data is transferred to a successor entity
6.2 Sharing We DO NOT Do
- We do not sell your personal information or your Customer Data to third parties
- We do not share your Customer Data with advertisers
- We do not use Customer Data to train AI models
- We do not share End Customer contact details with anyone outside the sub-processors listed above without your explicit instruction
7. Data Retention
- Account and Customer Data: retained while your account is active
- After cancellation: Customer Data is retained for 30 days, then permanently deleted. You may request earlier deletion or an export anytime within the 30-day window
- Billing records: retained for the period required by applicable tax and accounting laws (typically 7 years in the U.S.)
- Server logs: retained for up to 90 days for security and operational purposes
- AI usage events: retained for up to 24 months for billing reconciliation, abuse detection, and aggregate analytics
- Backup snapshots: backups containing your Customer Data may persist for up to 30 days beyond the retention periods above for disaster-recovery purposes
8. Data Security
We use industry-standard security measures to protect your information, including:
- Encryption in transit: all traffic to the Service is encrypted with TLS 1.2+
- Encryption at rest: our database (managed Postgres) and object storage (Cloudflare R2) encrypt data at rest
- Password security: passwords are hashed using bcrypt with a per-user salt; we never store plaintext passwords
- Authentication: sessions use JSON Web Tokens (JWT) signed with a server-side secret, expiring after 30 days of inactivity
- Access controls: employee access to production systems is limited to those with a need to know and is logged
- Payment data: handled exclusively by Stripe (PCI-DSS Level 1 certified) — we never touch your card data
- Backups: automated database backups taken daily and retained for at least 7 days
No security system is impenetrable. While we take reasonable precautions, we cannot guarantee the absolute security of your data. In the event of a confirmed data breach affecting your personal information, we will notify affected customers as required by applicable law, generally within 72 hours of discovery.
9. Your Rights and Choices
9.1 General Rights
- Access: view your Customer Data at any time from your account
- Export: download a CSV copy of your data via account settings or by emailing [email protected]
- Correction: update your account, profile, and billing information from the relevant settings page
- Deletion: cancel your subscription and request permanent deletion of your data within 30 days of cancellation
- Marketing opt-out: unsubscribe from product or marketing email at any time using the link in any such email; transactional communications (billing, security) cannot be opted out of while your account is active
9.2 California Residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act, including the rights to:
- Know what personal information we have collected about you and how we use it
- Request deletion of your personal information
- Request correction of inaccurate personal information
- Opt out of "selling" or "sharing" of personal information (we do not sell or share, so no action is required)
- Limit the use of sensitive personal information (we do not use sensitive personal information for advertising or profiling)
- Not be discriminated against for exercising your privacy rights
To exercise these rights, email [email protected]. We will respond within 45 days as required by law.
9.3 European Economic Area, UK, and Switzerland (GDPR)
If you are in the EEA, the United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) and equivalent laws, including:
- The right to access your personal data
- The right to rectification of inaccurate data
- The right to erasure ("right to be forgotten")
- The right to restrict or object to processing
- The right to data portability
- The right to lodge a complaint with your supervisory authority
The lawful basis for our processing is (a) the contract between you and TradeForge (performance of the Terms of Service), (b) our legitimate interest in operating, securing, and improving the Service, (c) your consent (where applicable, such as for marketing emails), and (d) compliance with legal obligations.
To exercise your rights, email [email protected].
10. International Data Transfers
TradeForge is operated from the United States. By using the Service, you understand that your data will be transferred to, processed in, and stored in the United States, which may have different data protection laws than your country of residence. Where required by law, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses) to safeguard international data transfers.
11. Cookies and Tracking
We use the following types of cookies and similar technologies:
- Essential cookies: required for authentication and core functionality (session cookies). These cannot be disabled while using the Service
- Preference cookies: remember UI preferences such as theme, last-viewed pages, and form drafts
- Analytics cookies: if enabled, aggregate analytics about Service usage (currently we use minimal first-party analytics; we do not load Google Analytics, Facebook Pixel, or similar third-party trackers by default on the authenticated Service)
You can configure your browser to refuse cookies, but doing so may impair authentication and core functionality.
12. Children's Privacy
The Service is intended for business users 18 years of age or older. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will delete it as soon as possible. If you believe a child has provided us with personal information, contact us at [email protected].
13. Do Not Track
Some browsers offer "Do Not Track" signals. We currently do not respond to Do Not Track signals, as no consistent industry standard for compliance has emerged. We do not track users across third-party websites for advertising purposes.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or in-app notification at least 14 days before the changes take effect. The "Last Updated" date at the top of this page indicates when the policy was most recently revised. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
15. Contact Us
If you have questions about this Privacy Policy or want to exercise any of your rights, contact us:
TradeForge
General privacy inquiries: [email protected]
Legal: [email protected]
Support: [email protected]
Delaware, Ohio · United States
By using the TradeForge Service, you confirm you have read, understood, and accept this Privacy Policy and our Terms of Service.