This policy explains what data Sub.Trade collects, how we use it, who we share it with, and what rights you have.
Data we collect
- Account data — name, email, organization, role. Collected at sign-up and used for authentication and routing.
- Contractor profile data — company details, service regions, focus areas, credentials, insurance policies, logos. Collected from the contractor directly or seeded by an admin on their behalf.
- Project and bid data — project scopes, bid packages, bid responses, awards. Collected from organization users as they work.
- Uploaded files — COIs, drawings, estimates, credentials. Stored in Cloudflare R2 with encryption at rest. Access is scoped to the uploading tenant.
- Usage and audit data — which user performed which action and when. Used for internal audit, troubleshooting, and security.
How we use it
- To operate the service (match contractors to bid packages, deliver invite emails, etc.)
- To improve the product (anonymized usage analytics)
- To comply with legal obligations
- To communicate material product changes and security notices
Who we share it with
We share data only with:
- Organizations you've connected to (for contractors): your company profile, credentials, insurance, and service regions are shared with the GCs, integrators, resellers, end users, or manufacturers on the platform you've accepted a connection with. Not their internal notes.
- Sub-processors we use to run the service: Clerk (authentication), Netlify (hosting), Neon (database), Cloudflare R2 (file storage), Resend (email), Anthropic (AI document extraction). Each has its own privacy policy.
- Government authorities where required by law.
We do not sell your data. We do not share contractor profile data with an organization the contractor hasn't connected to.
Your rights
- Access — you can see your own data anywhere in the product. Export to CSV is available from most lists.
- Correction — update any profile field from the relevant settings page.
- Deletion — delete your account to have your personal data removed. Some audit records are retained for legal and security purposes. Contact help@sub.trade for a full deletion request.
- Portability — export your profile data on request.
- Objection / withdrawal of consent — email us.
If you are in the EU/UK or California, you have additional rights under GDPR / CCPA. We honor these on request.
Security
Data is encrypted in transit (TLS 1.2+) and at rest (AES-256 at our sub-processors). Access to production systems is limited to authorized personnel with multi-factor authentication. Audit logs track sensitive operations. Uploaded files are isolated per-tenant.
Retention
Account data is retained while your account is active. Upon account deletion, data is soft-deleted for 90 days (recoverable on request) and then hard-deleted except where retention is required for audit, tax, or legal reasons.
International transfers
Sub.Trade and its sub-processors may store and process data in the United States. By using the service from outside the US, you consent to this transfer.
Contact
Questions, requests, or complaints? Email privacy@sub.trade or help@sub.trade.
Note: This is placeholder language. A reviewed legal version will replace it before any paid customer signs up. If you have a legal compliance requirement (e.g. SOC 2, HIPAA), reach out before relying on this.