Privacy Policy
Last updated: 2026-05-11
This Privacy Policy describes how TradelyHQ ("we", "us") collects, uses, and protects personal information when you use our Service. By using the Service you consent to the practices below.
1. Information We Collect
We collect:
- Account information — name, email, phone, company name, role
- Authentication data — passwords (hashed, never stored in plaintext), 2FA tokens, session tokens
- Operational data — work orders, clients, locations, technicians, invoices, quotes, comments, photos, GPS coordinates of arrival/check-out events, time entries
- Payment information — handled by our payment processor (Stripe); we do not store credit card numbers
- Usage data — device, browser, IP address, page views, error logs
- Communications — emails and support requests you send us
2. How We Use Information
- Provide, maintain, and improve the Service
- Authenticate you and protect against fraud / abuse
- Process payments and prevent chargebacks
- Send transactional emails (invoices, password resets, alerts)
- Send product updates and onboarding emails (you can opt out)
- Generate aggregated analytics that don't identify individuals
- Comply with legal obligations
3. How We Share Information
We do not sell your personal information. We share it only with:
- Subprocessors we use to run the Service: Supabase (database + auth + storage), Vercel (hosting), Stripe (payments), Resend (email), Microsoft Translator (i18n), Sentry (error tracking), Crisp (in-app support chat), QuickBooks Online (accounting integration if you opt in)
- Other users in your tenant — within your organization, your data is visible to your team per role-based access controls
- Authorities when required by lawful legal process
- Buyer in the event of a merger, acquisition, or asset sale (we'll notify you)
4. Cross-Tenant Isolation
Your tenant's data is isolated from other tenants by row-level security policies enforced at the database layer. We monitor for and patch any cross-tenant access bugs as a top priority.
5. Data Retention
We retain Customer Data for the duration of your subscription plus a 30-day grace period for export. After that we delete it from active systems within 90 days; backups are purged on rolling 90-day cycles.
6. Your Rights
You can:
- Access your data via the in-product UI
- Export your data via the in-product Export tool (Settings → Data Export)
- Delete your account (see §6.1 below)
- Request correction of inaccurate data by contacting support
- Opt out of marketing emails (transactional emails cannot be opted out without canceling)
- If you are in the EU/UK or California, you have additional rights under GDPR / CCPA — contact us to exercise them
6.1 Account Deletion (GDPR Article 17 / Right to Erasure)
If you are a tenant owner, you can delete your entire portal — tenant record plus all work orders, clients, technicians, invoices, quotes, photos, and related data — self-serve from Settings → Account → Delete Account. The request requires you to type an exact-match confirmation phrase and is processed after a 30-day grace period during which you can cancel from the same panel or by emailing support@tradelyhq.com. Once executed, tenant-scoped data is removed from active systems; backups roll off on 90-day cycles.
If you are a non-owner user (technician, dispatcher, or client-portal user) and want only your own user account removed without deleting the entire tenant, contact your tenant owner first (they can remove your seat directly), or email privacy@tradelyhq.com with the subject line "Account deletion request — [tenant name] — [your email]". We will action requests within 30 days as required by GDPR Article 17. Note: operational records you authored (e.g. comments, completion photos, time entries) may remain visible to your tenant owner as part of their business records, with your identifying information redacted on request.
6.2 Where Your Data Lives
Customer Data is stored and processed in the United States on AWS us-east-1 via our database provider Supabase. Backups are encrypted at rest (AES-256) and retained per Supabase Pro plan terms (point-in-time recovery window plus rolling daily snapshots). Edge functions and the application front-end are hosted on Vercel's global edge network.
6.3 GDPR Compliance Status
We aim to honor data-subject rights under GDPR Articles 12-22 and the analogous rights under CCPA/CPRA. Our compliance posture is partial today: tenant-owner self-serve deletion, in-product data export, and access via the in-product UI are implemented. Per-user (non-owner) self-serve deletion, machine-readable data-portability exports beyond the standard CSV, and a fully automated data-subject request portal are not yet built — those requests are handled manually within the 30-day window. We list this honestly so you can make an informed risk assessment.
7. Security
We use industry-standard practices: TLS in transit, encryption at rest, hashed passwords, optional 2FA, row-level security, regular third-party penetration testing, and incident response procedures. No system is perfectly secure; report suspected vulnerabilities to security@tradelyhq.com.
8. Cookies
We use cookies/local storage strictly for authentication, session management, and remembering your UI preferences (theme, language, recently-viewed items). We do not use third-party advertising cookies.
9. Children
The Service is not directed to children under 16; we do not knowingly collect their personal information.
10. International Transfers
Your data is stored and processed in the United States — primarily on AWS US-East infrastructure via our database provider Supabase. If you are outside the US, you consent to this transfer.
11. Changes
We may update this Privacy Policy. Material changes will be announced by email or in-app and will require re-acceptance.
12. Contact
Privacy questions: privacy@tradelyhq.com. General support: support@tradelyhq.com.