Legal
Privacy Policy.
Last updated: June 16, 2026
This Privacy Policy explains how TradelyHQ Inc. (“TradelyHQ,” “we,” “us,” or “our”), a Delaware corporation, collects, uses, and shares information in connection with our software-as-a-service application, our mobile apps, our websites, and related services (together, the “Service”). TradelyHQ is a business-to-business product for commercial maintenance contractors in the United States. It is not directed to consumers, and it is not directed to or intended for anyone under 18.
Please read this Policy together with our Security page and, where a customer has one in place with us, our Data Processing Addendum. If anything in a signed agreement between us and a customer conflicts with this Policy, that agreement controls for that customer.
1. Who we are and our two roles
We handle information in two different roles, and which one applies determines whom you should contact:
- We are the controller for information we collect to run our own business and operate the Service, for example the account administrator’s contact details, billing information, and the usage, log, and device data we generate when you use the Service. This Policy describes how we handle that information.
- We are a processor and service provider for the data our customers (the contractors) put into their accounts: their work orders, clients, technicians, invoices, photos, signatures, location data, and any personal information within them (“Customer Data”). For Customer Data, the customer is the controller and the business responsible, and they decide how it is used. We process Customer Data only on documented instructions from that customer, which include the instructions in our agreements with them and the actions they and their authorized users take inside the Service. We do not use Customer Data for our own purposes, and we do not sell it.
If you are an individual whose information appears in a contractor’s account (for example, you are that contractor’s client, a person at a site they service, or one of their technicians), and you want to access, correct, or delete that information, please contact that contractor, who is the party responsible for it. We will support the contractor in responding to your request as required by law and by our agreement with them.
2. Information we collect
Account information. When you create or administer an account, we collect your name, business name, email address, phone number, role, and login credentials. Passwords are stored using one-way hashing, not in readable form.
Billing information. Subscription payments are processed by Stripe. Stripe collects and stores your payment-card and billing details. We do not store full payment-card numbers. We receive limited billing data such as your plan, subscription status, seat count, the last four digits and card brand, and invoice records.
Usage, log, and device data. When you use the Service, we automatically collect information such as your IP address, browser and device type, operating system, app version, pages and features used, actions taken, timestamps, referring pages, and diagnostic and performance data. We use this information to operate, secure, troubleshoot, and improve the Service, to apply rate limits, to detect and prevent fraud and abuse, and to confirm that signups originate from within the United States, which is a requirement for using the Service.
Location data. When a user enters a site or customer address, that address is sent to a third-party mapping service to convert it into map coordinates, as described in Section 5. Separately, our field-technician features can record the device’s precise geographic location (latitude, longitude, and an accuracy estimate) at the moment a technician taps to confirm arrival at a site and again at check-out. This happens only when the user grants location permission and takes that action. If permission is denied, the visit is recorded without location. Admins and the relevant client can see that a visit occurred and where it was reported. We use this data to confirm site visits, to make an on-site or off-site determination for payroll and hours reconciliation, and to resolve disputes. These location pins are retained for the life of the work order record (see the retention section).
Photos and uploaded files. The Service lets users attach photos and files to work orders, such as job-site, intake, and completion photos. These may contain personal information and image metadata. They are stored in our file storage described in Section 5.
Completion signatures. When a customer approves a completed work order, the Service can capture an on-screen signature image and the printed name entered alongside it. Alongside the signature image and printed name, the system also records the date, time, and the signer’s IP address and device type as a tamper-evidence record. We collect this only as a record that the work was approved. We do not analyze it to identify or authenticate any person, and we do not use it as a biometric identifier.
Voice notes and text you send to our assistive features. If a user chooses to use a voice note, an AI writing-assist, a translation, or an import-mapping feature, the audio or text involved is processed to provide that feature. Section 6 explains exactly what is sent and to whom.
Push-notification tokens. If you enable notifications in our mobile or web app, your device or browser issues a push token that we store so we can deliver notifications to you. Delivery is handled by the push service built into your device or browser, as described in Section 5.
On-device biometrics (we never receive these). If you turn on Face ID, Touch ID, or a similar feature to unlock the app, that biometric check happens entirely on your device through the operating system. The biometric data stays in your device’s secure hardware. We never receive, see, or store your fingerprint, face data, or any biometric template.
Cookies and similar technologies. We and our providers use cookies and similar technologies for essential functions, such as keeping you signed in, defending the signup form against bots, and remembering your cookie choices, and, where you allow it, for analytics and error monitoring. See Section 7.
Support communications. If you contact us by email or through in-app chat, we collect the information you provide and our correspondence so we can help you and keep records.
Activity and audit logs. To secure the Service and support dispute resolution, we keep logs of meaningful actions inside an account, which can include the acting user’s identifier and email, the role they hold, what record changed, and when.
Integration data (with your consent). If you connect an optional integration such as QuickBooks Online, you authorize the exchange of the relevant data through that integration, for example the customers, invoices, and line items you choose to sync. We use that data only to provide the integration you enabled.
Customer Data you and your users submit. When you use the Service, you and your users submit Customer Data, which may contain personal information about your clients, the people at the sites you service, and your technicians. We process that data on the customer’s behalf as described in Section 1. Some of this information may be collected on a contractor’s behalf through tools the contractor chooses to deploy, such as an embedded intake or booking form on the contractor’s own website. Where that happens, the contractor is the controller and is responsible for providing any required notice to the individuals involved.
If you choose not to provide certain information. Some features need specific information or a device permission to work, for example location access to confirm a site visit or camera access to attach photos. If you choose not to provide that information or decline the permission, that feature may not work, but you can still use the rest of the Service.
3. How we use information and our legal bases
We use the information above to: provide, operate, maintain, and secure the Service; authenticate users and prevent fraud, bots, and abuse; process payments and manage subscriptions; deliver notifications you have enabled; provide customer support; monitor, troubleshoot, and improve performance and reliability; develop new features and de-identified analytics; communicate with you about your account, security, and service-related matters; and comply with law and enforce our agreements.
Where data-protection law requires a legal basis, we rely on: performance of our contract with you, to provide the Service and billing; our legitimate interests, to secure, operate, and improve the Service and to protect against fraud and misuse, balanced against your rights; your consent, for example for optional analytics and error-monitoring cookies, optional integrations, and features that require device permissions such as location, camera, or notifications; and compliance with legal obligations. For Customer Data we process on a contractor’s behalf, that contractor is responsible for the legal basis and for any required notices and consents.
4. How we share and disclose information
We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We share information only as follows:
- Subprocessors and service providers who help us run the Service, under contracts that limit their use of the information to providing services to us. See the list in Section 5.
- At your direction, including with third-party integrations you connect, such as QuickBooks Online, and with the recipients you choose within the Service, for example clients or technicians you grant access to.
- For legal reasons, when we believe in good faith that disclosure is necessary to comply with law, legal process, or a lawful government request, to enforce our terms, or to protect the rights, property, or safety of TradelyHQ, our users, or others.
- Business transfers, in connection with a merger, acquisition, financing, reorganization, or sale of assets. We will require any successor to honor this Policy for the information involved or to give you notice and a choice where the law requires it.
- De-identified or aggregated data that does not identify you or any individual, which we may use and share for any lawful purpose.
5. Subprocessors
We use the following providers to host and run the Service. This list reflects the providers we use today. We update it when a subprocessor is added, changed, or removed, and our Security page carries the same list. Some providers below are only involved if you turn on the related feature or integration.
| Provider | Location | What it does |
|---|---|---|
| Supabase | United States | Database, authentication, file storage, and back-end functions. Holds most of what you save in TradelyHQ. |
| Vercel | United States | Hosting for the website and app, plus product analytics and performance insights. |
| Stripe | United States | Payment processing for your subscription. We never store full card numbers. |
| Cloudflare R2 | United States | Storage for some uploaded photos and media. |
| Cloudflare Turnstile | United States | Bot and abuse protection on our signup form. Processes signals from the signup page to tell humans from automated abuse. |
| Resend | United States | Sends transactional emails such as invoice reminders, password resets, and team invites. |
| Crisp | France | In-app support chat. Only sees information from people who start a chat. |
| Sentry | United States | Error monitoring, active only if you accept analytics cookies. Typed text and form values are masked. |
| Better Stack | European Union | Uptime monitoring and back-end logs. Service-health signals, not customer records. |
| Anthropic | United States | Powers optional AI features, including writing-assist, intake-autofill, in-app translation, and AI-assisted dispatching, scheduling, and automation and agent features. Receives the text and the work-order, scheduling, and related details needed to perform the feature you use. See Section 6. |
| OpenAI | United States | Powers optional voice-note transcription. Receives the audio you record for that feature. See Section 6. |
| Apple and Google push services | United States | Deliver push notifications to your device or browser if you enable them. Receive a device push token and the notification payload. |
| U.S. Census Bureau Geocoder | United States | Converts site and customer addresses you enter into map coordinates, for route planning and sales-tax jurisdiction lookup. |
| OpenStreetMap Foundation / Nominatim | European Union | Fallback address-to-coordinate lookup when the Census geocoder returns no match. |
| QuickBooks Online (Intuit) | United States, optional | Used only if you connect QuickBooks to sync invoices and customers. |
We may also use SMS or other messaging providers to deliver notifications if you choose to enable those channels. If we add such a provider, we will list it here before turning it on.
6. AI and assistive features
Some optional features use third-party AI providers to do their work. These features run only when you turn them on or a user chooses to use them.
- AI writing-assist and intake-autofill send the work-order text or notes you submit to Anthropic to clean up wording or suggest fields. They do not send your photos, signatures, payment details, or location.
- Import column mapping sends a small sample of cell values from a file you are importing to Anthropic so it can suggest how columns map to our fields. It does not send the entire file.
- Voice-note transcription sends the audio you record to OpenAI to turn it into text. The resulting transcript is stored with your work order.
- Translation sends the text you ask us to translate to Anthropic. Completed translations are cached so the same text is not sent again.
- AI dispatching, scheduling, automation, and agents send the work-order, scheduling, client, and assignment details the feature needs to suggest or carry out the actions you set up to Anthropic. They do not send payment-card details or signatures. These features run on your instructions and the settings you choose, and they may run automatically once you turn them on.
We send these providers only the specific content needed to provide the feature you used. We have these providers process that content solely to return the result to you, on terms that do not permit them to use your content to train their own or any third party’s general AI models. If you do not use these features, no data is sent to these providers.
7. Cookies and analytics
We use essential cookies that are required for the Service to function, for example to keep you signed in, to protect the signup form against bots, and to remember your cookie preferences. With your consent, we also use analytics and error-monitoring technologies, such as Sentry and Vercel analytics, to understand usage and diagnose problems. You can manage non-essential cookies through our cookie banner and your browser settings. Disabling non-essential cookies will not affect core functionality. We do not use cookies for cross-context behavioral advertising, and we do not sell or share personal information for that purpose.
8. Data retention and deletion
We retain personal information for as long as needed to provide the Service, maintain your account, comply with legal, tax, and accounting obligations, resolve disputes, and enforce our agreements.
For Customer Data, we retain it for the life of the customer’s account. After an account is terminated, we provide an export window described in our Terms of Service, and then we begin deleting or de-identifying the data in the ordinary course. Deletion is processed on a defined schedule rather than instantly, and once it runs we make a reasonable, best-effort attempt to pass the deletion or de-identification along to the subprocessors that received the affected data. Residual copies may remain in our routine, rolling backups until those backups cycle out, and we may retain information where a legal hold or a legal, tax, or accounting requirement applies.
9. Security
We use technical and organizational measures designed to protect information. These include encryption in transit using TLS and encryption at rest, tenant isolation enforced through row-level security so that each customer’s data is separated from every other customer’s, role-based access controls, least-privilege access for our personnel, logging of meaningful actions, and automated security checks on the changes we ship. No method of transmission or storage is completely secure, and no system can be guaranteed to be free of vulnerabilities, so while we work hard to protect your information we cannot guarantee absolute security. You are responsible for safeguarding your credentials and for configuring access within your account.
If a security incident affecting personal information occurs, we will investigate and, where we are required to do so by applicable law or by our agreement with a customer, notify the affected customer or individuals and the appropriate authorities without undue delay. Where we act as a processor, we will notify the relevant customer so that the customer, as controller, can meet its own notification obligations.
10. Where your information is processed
We are based in, and primarily store and process information in, the United States. The Service is intended for businesses in the United States. If you access the Service from outside the United States, you understand that your information will be processed in the United States and in other countries where our subprocessors operate, which may have data-protection laws different from your own. Where we transfer personal data internationally and the law requires it, we use appropriate safeguards.
11. Your privacy rights
Account holders. You can access and update much of your account information directly in the Service. A data export is available in your account settings, and you can request correction or deletion of your data through your account settings or by contacting us. We will honor verified requests as required by law.
California residents (CCPA and CPRA). If you are a California resident, you have the right to know what personal information we collect and how we use and disclose it, to request access to it, to request that we delete or correct it, and to be free from discrimination for exercising your rights. We do not sell your personal information, and we do not share it for cross-context behavioral advertising. Much of the personal information we handle is processed on behalf of our business customers, and for that information we act as a service provider that uses it only to provide the Service and only on the customer’s documented instructions. To exercise a right, contact us at privacy@tradelyhq.com. We will verify your request and may ask for information to confirm your identity. You may use an authorized agent where the law permits. If the request concerns information a contractor uploaded, we will direct you to that contractor, who is the business responsible for it.
EU and UK users. The Service is directed to businesses in the United States and is not offered to individuals in the EU or UK. To the extent EU or UK data-protection law applies to any limited processing, individuals may have rights of access, correction, deletion, restriction, portability, and objection, and may lodge a complaint with a supervisory authority. For data a contractor uploaded, please contact that contractor, who is the controller.
We will not discriminate against you for exercising any of these rights.
12. Children
The Service is a business tool that is not directed to children and is not intended for anyone under 18. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us personal information, contact us and we will delete it.
13. Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will update the “Last updated” date above and provide reasonable notice, for example by email or an in-app notice. The Policy in effect at the time you use the Service applies to that use, and your continued use of the Service after changes take effect means you accept the updated Policy.
14. Contact us
TradelyHQ Inc. is the entity responsible for the information described in this Policy where we act as a controller. Questions, requests, or concerns about privacy? Email us at privacy@tradelyhq.com or support@tradelyhq.com.
Last updated: June 16, 2026