Privacy Policy
Effective date: March 31, 2026
1. Introduction
SubcontractorAudit ("we," "us," or "our") operates the AI-powered subcontractor compliance platform available at subcontractoraudit.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our Service. Our platform is designed for general contractors and construction companies to manage Certificate of Insurance (COI) compliance, Pay Application auditing, and Lien Waiver verification.
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use the Service.
2. Information We Collect
2.1 Information You Provide Directly
When you register for and use the Service, we collect:
- Account information -- your name, email address, phone number, job title, and password credentials
- Organization information -- company name, address, contractor license numbers, and billing details
- Construction documents -- Certificates of Insurance (ACORD 25, ACORD 28), pay applications (AIA G702/G703), lien waivers (conditional and unconditional, progress and final), and any supporting documentation you upload for compliance review
- Subcontractor information -- company names, contact details, license numbers, insurance carrier information, and compliance status data for subcontractors you manage through the platform
- Communications -- messages, support requests, and feedback you send to us
2.2 Information Collected Automatically
When you access the Service, we automatically collect certain technical information:
- Device and browser data -- browser type and version, operating system, device type, and screen resolution
- Usage data -- pages visited, features used, buttons clicked, time spent on pages, and navigation paths within the platform
- Network data -- IP address (anonymized for analytics), referring URL, and general geographic location at the city level
We use Umami, a privacy-focused analytics tool, for usage analytics. Umami does not use cookies, does not collect personally identifiable information, and does not track users across websites. All analytics data is aggregated and cannot be used to identify individual users.
2.3 Information We Do Not Collect
We want to be clear about the types of data we do not collect:
- Personal health information or medical records
- Social Security numbers or government-issued ID numbers of individuals
- Personal financial information (bank account numbers, credit card numbers of individuals)
- Social media profiles or social media activity
- Biometric data
- Data from children under the age of 18
3. How We Use Your Information
We use the information we collect for the following purposes:
- Service delivery -- to provide, operate, and maintain our compliance platform, including processing and analyzing your construction documents
- AI-powered document analysis -- to extract structured data from uploaded COIs, pay applications, and lien waivers using artificial intelligence
- Compliance monitoring -- to track insurance certificate expirations, validate coverage requirements, audit pay application line items, and verify lien waiver completeness
- Notifications -- to send alerts about upcoming insurance expirations, compliance deficiencies, document processing results, and important platform updates
- Customer support -- to respond to your inquiries, troubleshoot issues, and provide technical assistance
- Service improvement -- to analyze aggregate usage patterns, identify common compliance issues, and improve the accuracy and reliability of our platform
- Security -- to detect, prevent, and address technical issues, fraud, and unauthorized access
- Legal compliance -- to comply with applicable laws, regulations, and legal processes
We do not use your information for advertising, profiling for marketing purposes, or selling to third parties.
4. AI Document Processing
Our Service uses the Anthropic Claude API to process and extract structured data from construction documents you upload. Here is how this works and what it means for your data:
- Processing scope -- documents are sent to Anthropic's Claude API solely for the purpose of extracting relevant compliance data (insurance coverage details, pay application line items, lien waiver fields)
- No model training -- your documents are not used to train or improve Anthropic's AI models. Anthropic's API usage policies explicitly prohibit using customer data for model training
- Transient processing -- document content is submitted to the API for real-time processing and is not retained by Anthropic beyond the duration required to complete the API request
- Confidence scoring -- all AI-extracted data includes confidence scores. Results with confidence below 85% are automatically flagged for human review
- Human oversight -- AI extraction results are presented for your review before any compliance determinations are made. The Service provides tools to correct and override AI-extracted data
The Service is a decision-support tool. AI-extracted data should be verified by qualified personnel before being relied upon for compliance, legal, or financial decisions.
5. Data Storage and Security
5.1 Infrastructure
Your data is stored on secure, US-based infrastructure:
- Documents -- uploaded files are stored in Cloudflare R2, an S3-compatible object storage service with server-side encryption at rest
- Structured data -- extracted compliance data, account information, and application data are stored in PostgreSQL databases with encryption at rest using AES-256
- Transit encryption -- all data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
5.2 Access Controls
- Role-based access control (RBAC) with four permission levels: Owner, Admin, Project Manager, and Viewer
- Session tokens are delivered to the browser in httpOnly cookies; only a SHA-256 hash of each token is stored in the database, so a database compromise does not expose usable sessions
- Passwords are hashed using bcrypt with appropriate work factor
- All API endpoints enforce authentication and authorization checks
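The session-token handling described above, as an added example written for this page (it is not SubcontractorAudit's own code): the browser receives the raw random token in an httpOnly cookie, the server stores only its SHA-256 hash, and every lookup and logout goes through that hash. The session lifetime, the in-memory stand-in for the sessions table and the function names are assumptions.

```python
"""Added example (not SubcontractorAudit's code): session tokens that are
stored hashed, as described in the Access Controls section.

A fast hash is enough here because the token is 256 bits of CSPRNG output;
unlike a password it cannot be guessed, so the hash only needs to stop a
leaked table from being replayed. Names and TTL are assumptions."""
import hashlib
import secrets
import time
from typing import Dict, Optional

SESSION_TTL_SECONDS = 8 * 3600  # assumption: 8-hour sessions

# Stand-in for the sessions table: token_hash -> {user_id, org_id, expires_at}
SESSIONS: Dict[str, dict] = {}


def _hash_token(raw_token: str) -> str:
    # Only this digest ever reaches the database; the raw token stays in the cookie.
    return hashlib.sha256(raw_token.encode("ascii")).hexdigest()


def issue_session(user_id: int, org_id: int, now: Optional[float] = None) -> str:
    """Create a session row and return the raw token for the Set-Cookie header."""
    now = time.time() if now is None else now
    raw_token = secrets.token_urlsafe(32)  # 256 bits of entropy
    SESSIONS[_hash_token(raw_token)] = {
        "user_id": user_id,
        "org_id": org_id,
        "expires_at": now + SESSION_TTL_SECONDS,
    }
    return raw_token


def cookie_header(raw_token: str) -> str:
    """Set-Cookie value carrying the flags a session cookie should have."""
    return (
        f"session={raw_token}; HttpOnly; Secure; SameSite=Lax; Path=/; "
        f"Max-Age={SESSION_TTL_SECONDS}"
    )


def lookup_session(raw_token: str, now: Optional[float] = None) -> Optional[dict]:
    """Resolve a cookie value to its user and org; None if unknown or expired."""
    now = time.time() if now is None else now
    row = SESSIONS.get(_hash_token(raw_token))
    if row is None or row["expires_at"] <= now:
        return None
    return {"user_id": row["user_id"], "org_id": row["org_id"]}


def revoke_session(raw_token: str) -> bool:
    """Logout: delete the row by hash; returns whether a row existed."""
    return SESSIONS.pop(_hash_token(raw_token), None) is not None


if __name__ == "__main__":
    tok = issue_session(user_id=1, org_id=42)
    print(cookie_header(tok))
    print(lookup_session(tok))
    print(revoke_session(tok), lookup_session(tok))
```

The org_id carried on the session row is what later tenant-scoping checks (Section 6) are keyed on, so it is resolved from the hash on every request rather than trusted from the client.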
5.3 Security Practices
- Regular security assessments and code reviews
- Encrypted backups stored in a separate geographic location
- Intrusion detection monitoring
- Incident response procedures with notification commitments in the event of a data breach
6. Multi-Tenant Data Isolation
Our platform operates on a multi-tenant architecture with strict data isolation between organizations:
- Every database record is scoped to an organization identifier (org_id). PostgreSQL Row-Level Security (RLS) policies enforce this at the database level, ensuring that queries can only access data belonging to the authenticated organization
- Document storage paths include the organization identifier, preventing cross-tenant file access
- API endpoints validate organization membership before serving any data
- No organization can view, access, or modify another organization's data through the platform
7. Data Sharing and Third-Party Services
7.1 We Do Not Sell Your Data
We do not sell, rent, or trade your personal information or business data to third parties for their commercial purposes. We have never sold user data and have no plans to do so.
7.2 Service Providers
We share data with the following categories of service providers, solely as necessary to operate and deliver the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Anthropic (Claude API) | AI-powered document extraction and analysis | Document content submitted for processing |
| Cloudflare | CDN, DNS, DDoS protection, and object storage (R2) | Web traffic data, uploaded documents |
| Resend | Transactional email delivery | Recipient email addresses and email content |
Each service provider is contractually obligated to protect data in accordance with industry standards and to use data only for the purposes specified by us.
7.3 Subcontractor Portal Sharing
When you use our subcontractor portal feature, limited compliance-related information is shared with your subcontractors through secure, time-limited magic links. This includes compliance status, required document types, and deficiency details -- but only for the specific subcontractor relationship. See Section 8 for details.
7.4 Integration Partners
If you enable third-party integrations (such as Procore), data will be shared with those services in accordance with their respective privacy policies and the permissions you grant during setup. You may revoke integration access at any time through your account settings.
7.5 Legal Requirements
We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to: (a) comply with a legal obligation, court order, or subpoena; (b) protect and defend our rights or property; (c) prevent fraud or address security issues; or (d) protect the personal safety of users or the public.
8. Subcontractor Portal
Our Service includes a subcontractor portal that allows subcontractors to view compliance requirements and upload documents without creating an account. Key privacy aspects of the portal:
- Access is granted through HMAC-signed magic links sent via email. No username or password is required
- Portal users can only see information related to their own subcontractor relationship with the general contractor who invited them
- Documents uploaded through the portal are stored and processed under the same security controls as all other platform data
- Magic links expire after a defined period and can be revoked by the general contractor at any time
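The magic-link mechanism this section describes, as an added example written for this page rather than SubcontractorAudit's own implementation: each link carries the subcontractor relationship it grants access to, an expiry time and a per-link nonce; an HMAC over those fields makes the link unforgeable without the server key, and revocation by the general contractor is a server-side lookup of the nonce. The signing key, link lifetime, URL shape and field names are assumptions.

```python
"""Added example (not SubcontractorAudit's code): HMAC-signed, expiring,
revocable magic links for a passwordless portal.

Verification order matters: the signature is checked before any field in
the payload is trusted, then expiry, then the revocation list."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)   # assumption: loaded from a secret store in practice
LINK_TTL_SECONDS = 7 * 24 * 3600        # assumption: links live for 7 days
REVOKED_NONCES = set()                  # stand-in for a revocation table
PORTAL_BASE = "https://portal.example.com/s/"  # assumption: hostname is illustrative


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def _parse(url: str) -> Optional[dict]:
    """Split and signature-check a link; returns the claims or None if forged/malformed."""
    try:
        payload_b64, sig_b64 = url.rsplit("/", 1)[1].split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, IndexError):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    return json.loads(payload)


def make_magic_link(relationship_id: int, now: Optional[float] = None) -> str:
    """Mint a link scoped to one GC-subcontractor relationship."""
    now = time.time() if now is None else now
    claims = {
        "rel": relationship_id,
        "exp": int(now + LINK_TTL_SECONDS),
        "nonce": secrets.token_hex(16),
    }
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return PORTAL_BASE + _b64(payload) + "." + _b64(_sign(payload))


def verify_magic_link(url: str, now: Optional[float] = None) -> Optional[int]:
    """Return the relationship id the link grants access to, or None."""
    now = time.time() if now is None else now
    claims = _parse(url)
    if claims is None or claims["exp"] <= now or claims["nonce"] in REVOKED_NONCES:
        return None
    return claims["rel"]


def revoke_magic_link(url: str) -> bool:
    """The GC revokes a link: its signature stays valid, but the nonce is now denied."""
    claims = _parse(url)
    if claims is None:
        return False
    REVOKED_NONCES.add(claims["nonce"])
    return True


if __name__ == "__main__":
    link = make_magic_link(relationship_id=7)
    print(link)
    print(verify_magic_link(link))      # 7
    revoke_magic_link(link)
    print(verify_magic_link(link))      # None
```

Because the payload is only the relationship id, a subcontractor who follows the link can be shown nothing outside that one relationship, which is the scoping the bullet above promises; the nonce is what makes revocation possible without rotating the server key.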
9. Data Retention
We retain your data according to the following guidelines:
- Active accounts -- we retain all data for as long as your account is active and the Service is in use
- After account closure -- upon termination of your account, you have 30 days to export your data. After 30 days, we will begin deletion of your data from our primary systems within a commercially reasonable timeframe
- Backup retention -- data may persist in encrypted backups for up to 90 days following deletion from primary systems
- Regulatory requirements -- certain compliance records (such as insurance certificates and lien waivers) may be subject to construction industry record-keeping requirements under state or federal law. We may retain such records as legally required
- Aggregated data -- de-identified, aggregated statistical data (which cannot be used to identify any individual or organization) may be retained indefinitely to improve the Service
10. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal and business data:
- Access -- request a copy of the personal data we hold about you
- Correction -- request that we correct inaccurate or incomplete data
- Deletion -- request that we delete your personal data, subject to any legal retention requirements
- Portability -- request a machine-readable export of your data
- Restriction -- request that we limit the processing of your data in certain circumstances
- Objection -- object to our processing of your data for certain purposes
To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.
11. Cookies and Analytics
We use a minimal set of cookies that are essential to the operation of the Service. We do not use advertising cookies, social media tracking pixels, or cross-site tracking technologies.
Our analytics provider (Umami) is privacy-focused and does not use cookies or collect personally identifiable information. For detailed information about the specific cookies we use, please see our Cookie Policy.
12. Children's Privacy
The Service is designed for business use by construction industry professionals. We do not knowingly collect personal information from anyone under the age of 18. If we learn that we have collected personal information from a child under 18, we will promptly delete that information. If you believe a child has provided us with personal information, please contact us at [email protected].
13. California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:
- Right to know -- you may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which the information was collected, the business purposes for collection, and the categories of third parties with whom we share information
- Right to delete -- you may request that we delete personal information we have collected from you, subject to certain legal exceptions
- Right to non-discrimination -- we will not discriminate against you for exercising any of your CCPA rights
- No sale of personal information -- we do not sell personal information as defined by the CCPA. We have not sold personal information in the preceding 12 months
To exercise your California privacy rights, contact us at [email protected] with the subject line "CCPA Request."
14. International Data Transfers
SubcontractorAudit is a US-based service. All data is stored and processed within the United States. If you access the Service from outside the United States, please be aware that your data will be transferred to, stored in, and processed in the United States. By using the Service, you consent to this transfer. We apply the same privacy protections described in this policy to all data regardless of the user's location.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:
- Update the "Effective date" at the top of this page
- Notify account owners via email at least 15 days before material changes take effect
- Display a prominent notice within the platform dashboard for 30 days following any update
Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes.
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: [email protected]
- Website: subcontractoraudit.com
We aim to respond to all privacy-related inquiries within 5 business days.