Privacy Policy

1. Who we are and how to reach us

BuilderPal is operated from Toronto, Ontario, Canada. Questions, access requests, or complaints can be sent to hello@builderpal.io. Our privacy contact details are at the bottom of this page.

2. The personal information we collect

We collect personal information in three ways: (a) information you provide directly, (b) information collected automatically when you use the Service, and (c) information your customers or leads give you, which you upload into the Service.

2.1 Information you provide

• Account & profile: name, email, password (hashed), phone, business name, role, profile photo, time zone, language.
• Billing: billing address, tax ID, last four digits and brand of payment card, Stripe customer ID, subscription tier and history. Full card numbers are handled directly by Stripe and never touch our servers.
• Workspace data: customers and leads you add, quotes, invoices, materials, expenses, jobs, schedules, team members, photos (including any EXIF/GPS metadata embedded in those photos), GPS check-ins, receipts, voice-call recordings and transcripts where enabled, calendar events, email and SMS threads you sync to BuilderPal.
• Compliance documents: insurance certificates, business licenses, and similar documents you choose to upload.
• Communications with us: support tickets, feedback, survey responses.

2.2 Information collected automatically

• Device & usage: IP address, browser/device type, operating system, referring URL, pages viewed, timestamps, feature interactions, crash logs.
• Cookies and similar technologies: see our Cookie Policy.
• Approximate location: derived from IP address. Precise GPS location is only collected when you use a feature that requires it (e.g., on-site check-in or photo capture) and your device grants permission.

2.3 Information your customers and leads provide

When you upload, sync, or accept information about your customers (for example, by sending an AI-drafted quote or receiving a lead from your website), that information may include their name, address, email, phone, photos of their property, payment details, and signed approvals. You are the controller (under GDPR) or the organization (under PIPEDA) of that information, and BuilderPal acts as a processor / service provider on your behalf, subject to our Terms of Service.

3. How we use your information

• Provide the Service: create your account, authenticate you, sync your data, send quotes and invoices, process payments through Stripe or Square, deliver SMS and email through Twilio and Resend, store photos and receipts in S3-compatible storage.
• AI features: draft quotes from photos or voice notes, extract receipt data, summarize inbound messages, transcribe calls, generate reply suggestions. AI inputs and outputs are processed by OpenAI and (optionally) Anthropic — see Section 6.
• Communications: send transactional emails (receipts, quote approvals, password resets), product update notices, and — only with your consent under CASL or another lawful basis — marketing emails.
• Safety, security, and abuse prevention: detect fraud, investigate suspected violations of our Acceptable Use Policy, and protect users, payment processors, and our infrastructure.
• Compliance & legal: respond to lawful requests, enforce our agreements, meet tax and accounting obligations.
• Product improvement: anonymized and aggregated analytics that do not identify you or your customers. We do not use your customer or workspace data to train third-party AI models. See Section 6 for the data-handling commitments of our AI vendors.

4. Our legal bases (PIPEDA & GDPR)

Under PIPEDA we collect, use, and disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances, with your knowledge and consent (express or implied). For users in the European Economic Area, the United Kingdom, or Switzerland, the GDPR legal bases we rely on are: (a) contract — delivering the Service you signed up for; (b) legitimate interests — running, securing, and improving the Service in ways that do not override your rights; (c) consent — for marketing communications, optional analytics cookies, and precise GPS; and (d) legal obligation — for tax, accounting, and lawful requests.

5. When we share information

We do not sell your personal information, and we do not share it for cross-context behavioural advertising. We share it only as described below:

• Subprocessors who run parts of the Service on our behalf (payments, email, SMS, AI, storage, hosting, error monitoring). A current list is published at /subprocessors.
• People you direct us to share with — for example, a customer of yours who receives a BuilderPal-hosted quote or invoice, or your accountant via the QuickBooks integration you enable.
• Legal authorities when we are required to comply with a court order, subpoena, or other binding legal process, or to protect the rights, property, or safety of BuilderPal, our users, or the public.
• Business transfers — in a merger, acquisition, financing, or sale of assets, with notice to you and continued protection of your information under terms at least as protective as this Policy.

6. AI features and your data

Some features (photo-to-quote, receipt OCR, AI inbox, voice-command drafting, reply suggestions) send the relevant input to a third-party AI provider — primarily OpenAI, and optionally Anthropic. We send only the data needed for the requested action. We use these providers under their no-training API terms, meaning your inputs and the model's outputs are not used to train their foundation models. AI output may be incomplete or inaccurate; you are responsible for reviewing AI-drafted quotes, measurements, and messages before sending them to customers.

7. International transfers

BuilderPal is operated from Canada, and our hosting infrastructure (Render) runs in the United States (Ohio region). Several of our subprocessors process data in the United States and the European Union. By using the Service you acknowledge that your personal information may be processed outside Canada and may be subject to lawful access requests in those jurisdictions. We use contractual safeguards (including Standard Contractual Clauses where required) for transfers from the EEA, UK, and Switzerland.

8. How long we keep your information

• Account data: while your account is active and for up to 90 days after deletion, after which it is permanently erased or irreversibly anonymized, subject to legal hold.
• Billing records: retained for up to 7 years to meet Canadian tax and accounting requirements.
• Backups: deleted data may persist in encrypted backups for up to 35 days before backup rotation overwrites it.
• Support tickets and security logs:typically retained for 12–24 months for fraud investigation and audit purposes.

9. Your rights

Depending on where you live, you may have the right to access, correct, delete, port, restrict, or object to the processing of your personal information, and to withdraw consent at any time. Submit any of these requests to hello@builderpal.io. We respond within 30 days (or earlier where the law requires).

9.1 Canadians (PIPEDA & Quebec Law 25)

You may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca. Residents of Quebec may contact the Commission d'accès à l'information.

9.2 EEA, UK, and Switzerland (GDPR / UK GDPR)

You have the right to lodge a complaint with your local supervisory authority. Our EU representative will be appointed if and when our EU-targeted activities require one under Article 27 GDPR.

9.3 California residents (CCPA / CPRA)

California residents have the right to know, delete, correct, and opt-out of the "sale" or "sharing" of personal information, and the right not to be discriminated against for exercising these rights. We do not sell personal information and do not share it for cross-context behavioural advertising. To exercise your rights, email hello@builderpal.io.

10. Security

We use technical and organizational safeguards including encryption in transit (TLS) and at rest, signed webhooks for payment and inbound-email callbacks, hashed passwords, scoped API keys, audit logging, regular dependency updates, and least-privilege access controls. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.

11. Children

BuilderPal is a business tool for adults. It is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe we have, contact us and we will delete it.

12. Changes to this Policy

We will update the "Last updated" date at the top of this page when this Policy changes. If the change is material we will give reasonable notice (for example, by email or an in-app banner) before it takes effect.

13. Contact