Security

Built to keep your data safe.

Your work orders, client information, invoices, and field data deserve the same care your business does. We take that seriously at every layer.

Our promises

Four things we get right so you don't have to think about it.

01

Your data stays yours

Every customer's data is isolated from every other customer's through row-level security, so one business's clients, work orders, invoices, and team information are not accessible to another business on TradelyHQ.

02

Everything is logged

Every meaningful action, such as who created a work order, who marked an invoice paid, and who changed a permission, is recorded in a detailed, append-only audit log designed to resist tampering. If something needs investigating later, the history is there.

03

Your privacy is protected

Customer-identifying information is handled with care across our systems. We follow the applicable US privacy laws that cover our customers, including the California CCPA and CPRA, and you can request your data be exported or deleted from your account settings at any time.

04

Continuously tested

Our security posture is reviewed regularly, not just at launch. We run automated checks on every change we ship and carry out periodic security reviews to help keep the standard high.

Subprocessors

The companies we use to run TradelyHQ.

We don't run every piece of TradelyHQ ourselves. A handful of trusted services help us host the app, send emails, and keep the lights on. Here's the full list, what each one does, and what they see.

Supabase

United States

Stores your database, handles sign-in, holds your uploaded files, and runs our back-end functions.

Sees: everything you save in TradelyHQ, including work orders, clients, invoices, attachments, and account info.

Vercel

United States

Hosts the TradelyHQ website and the app itself.

Sees: the pages and requests that flow through the app, not the contents of your records.

Stripe

United States

Handles the payment side, the credit card processing for your TradelyHQ subscription, so we never touch card numbers ourselves.

Sees: your billing details and card information.

Resend

United States

Sends the transactional emails we ship on your behalf, such as invoice reminders, password resets, and team invites.

Sees: the email addresses and contents of those messages.

Crisp

France

Powers the in-app support chat, the little bubble in the corner.

Sees: only the email and chat messages of people who actually start a conversation. If you never open chat, Crisp sees nothing about you.

Sentry

United States

Watches for errors so we can fix things before they pile up. Only active if you accept the "Analytics" cookie option.

Sees: error details and session replays, with anything you typed and any form values automatically blacked out.

Better Stack

European Union

Tells us if the app goes down and keeps the logs we use to diagnose problems.

Sees: our own service-health signals, such as uptime checks and back-end logs. No customer information.

Cloudflare R2

United States

Stores some of the photos and media you upload, such as job-site pictures and attachments.

Sees: the files you upload. Nothing else about your account.

QuickBooks Online

United States, optional

Only used if you choose to connect your QuickBooks account so invoices sync to your books. If you never connect it, it sees nothing.

Sees (if connected): the invoices, customers, and line items you sync over.

Cloudflare Turnstile

United States

Protects the signup form against bots and automated abuse.

Sees: signals from the signup page used to tell real people from automated abuse. Not your account records.

Anthropic

United States, optional

Powers the optional writing-assist, intake-autofill, and in-app translation features. Only runs when you choose to use one of them.

Sees (if used): only the work-order text, notes, or text to translate that you submit to that feature. We do not let it train its models on your content.

OpenAI

United States, optional

Turns voice notes into text when you use the optional voice-note feature.

Sees (if used): only the audio you record for transcription. We do not let it train its models on your content.

Apple and Google push

United States, optional

Deliver push notifications to your phone or browser, if you turn notifications on.

See (if enabled): a device push token and the notification we send you. Not your account records.

U.S. Census Bureau Geocoder

United States

Converts the site and customer addresses you enter into map coordinates, for route planning and sales-tax jurisdiction lookup.

Sees: the addresses you enter, sent for coordinate lookup. Not your full account records.

OpenStreetMap Foundation / Nominatim

European Union

Fallback address-to-coordinate lookup when the Census geocoder returns no match.

Sees: the address looked up, only when the Census geocoder finds no match. Not your full account records.

This list is current as of June 3, 2026. We update this page whenever a subprocessor is added, changed, or removed.

Built so you can stop worrying about it.

Data encrypted in transit and at rest. Applicable privacy laws followed. We don't sell your information. The basics, done right.