Your data, your terms
Estimate.Pro Labs, Inc. (“Estimate.Pro,” “we,” “us,” or “our”) operates a SaaS estimating, bidding, and project-management platform for U.S. trade contractors and construction professionals. This Privacy Policy explains what information we collect, how we use it, with whom we share it, how we secure it, and the rights you have. It applies to Estimate.Pro, our mobile apps, the Customer Portal, the Sub-Bid Portal, and any related APIs (collectively, the “Service”).
1. Overview & Scope
We act as a data “processor” (or “service provider” under CCPA) for project data, customer records, and other content uploaded by our paying Customers. We act as a data “controller” for the limited account information we collect directly from individual users to operate Estimate.Pro. This Policy covers both roles. It does not cover websites or services we do not operate; consult those providers’ policies separately.
2. Information We Collect
Account information. Name, work email, phone (optional), company name, role, and password hash. We use Supabase Auth to authenticate; passwords are hashed and salted, never stored in plaintext.
Project data. Estimates, takeoffs, photos, drawings, daily logs, schedule milestones, change orders, vendor records, customer records, invoices, and any other content you create in or upload to the Service.
AI prompts and outputs. Text you submit to AI features and the AI-generated responses, including estimate drafts, scope writeups, and email replies.
Usage analytics. Pages visited, features used, error logs, IP address, browser type, device type, OS, and approximate geolocation derived from IP. We use this minimally and primarily for security, debugging, and product improvement.
Payment information. All card data is collected and stored exclusively by Stripe, Inc. We never see, transmit, or store full card numbers, CVCs, or bank credentials. We receive only a customer ID, the last four digits, card brand, and billing status.
3. How We Use Information
We use the information we collect to (a) operate, maintain, and secure the Service; (b) authenticate users and enforce access controls; (c) provide AI-powered features on your behalf; (d) send transactional emails such as receipts, password resets, and project notifications; (e) communicate about product updates, service issues, and (where permitted) marketing; (f) detect, investigate, and prevent fraud, abuse, and security incidents; (g) comply with legal obligations; and (h) measure, analyze, and improve the Service in aggregated form.
4. How We Share Information
We share information only with the third-party sub-processors necessary to operate the Service and only as needed for the purpose described:
Stripe — payment processing and Connect onboarding for paid invoicing.
Supabase — database hosting, authentication, and file storage (US region).
Resend — outbound transactional and project email.
Postmark — inbound email parsing for project inboxes.
Anthropic — large-language-model inference for AI features.
Google Maps — address geocoding and route distance.
QuickBooks Online (optional, only if you connect it) — accounting sync for invoices and customers.
We may also disclose information when required by law (subpoena, court order, regulatory request), to enforce our Terms, to protect rights and safety, or as part of a corporate transaction (merger, acquisition, financing, or asset sale), in which case we will provide notice and continue to honor this Policy.
We do not sell or rent personal information, and we do not share it for cross-context behavioral advertising. Project data is never used to train third-party AI models.
5. AI Processing
AI features in the Service are powered by Anthropic’s Claude models. When you invoke an AI feature, the relevant prompt — which may include excerpts of your project data — is sent to Anthropic’s API for inference. Per our agreement with Anthropic and Anthropic’s commercial data terms, your inputs and outputs are not used to train Anthropic’s models. Anthropic retains inputs only as long as necessary to deliver the response and to comply with its trust-and-safety obligations. We do not send raw card data, raw bank credentials, or unredacted authentication tokens to AI providers.
6. Cookies & Tracking
We use a small number of essential first-party cookies (or equivalent localStorage entries) to maintain your session, remember UI preferences, and protect against CSRF. We use minimal first-party analytics to understand usage trends in aggregate. We do not load third-party advertising trackers, social-media pixels, or cross-site profiling tools. We honor Global Privacy Control (GPC) signals where applicable.
7. Customer Portal Data
The Customer Portal lets your end customers (typically homeowners or commercial clients) view estimates, sign change orders, and pay invoices using a magic-link URL secured by signed, time-limited HMAC tokens. Customer Portal users do not create accounts and we do not collect credentials from them. The Customer (you) controls who receives portal links and may revoke access at any time. We process portal information solely on your behalf as a service provider.
8. Sub-Bid Portal Data
The Sub-Bid Portal lets your subcontractors view bid invitations, plans, and scope sheets, and submit pricing back to you. Like the Customer Portal, sub-bidders do not create Estimate.Pro accounts; access is via signed magic links. Pricing submitted by sub-bidders is treated as your project data and is shared back to you under the controls described in this Policy.
9. Email Handling
Inbound email addressed to project inboxes is received by Postmark, parsed, and stored alongside the relevant project. Outbound email is sent via Resend on your behalf using your verified sending domain. AI-generated auto-replies are programmatically scrubbed before sending to redact internal cost data, internal margin notes, and internal labor rates. We retain email metadata (sender, recipient, subject, timestamp) for the lifetime of the project record and full email bodies for 18 months unless your retention settings specify otherwise.
10. Storage & Retention
We retain account information and Customer Content for as long as your account is active. After you cancel your subscription or delete your account, we will delete or de-identify Customer Content within thirty (30) days, except where (a) you exported and re-imported the data elsewhere; (b) we are required to retain it for legal, tax, or accounting compliance; (c) it exists in encrypted backups, which expire on a rolling 35-day cycle; or (d) it is subject to a litigation hold. Aggregated, de-identified data may be retained indefinitely.
11. Security
We protect information in transit with TLS 1.3 and at rest with AES-256. Tenant isolation is enforced at the database layer using Postgres Row-Level Security (RLS) policies. Customer and Sub-Bid Portals are gated by signed HMAC tokens with short expirations. Production access is restricted to a small, audited set of engineers using SSO and hardware-backed second factors. We maintain logging, intrusion detection, and an incident-response runbook. No system can be guaranteed perfectly secure; we work hard to reduce risk continuously.
12. Your Rights
Subject to verification of your identity, you may (a) access the personal information we hold about you; (b) export your account profile and project data in machine-readable form; (c) correct inaccurate information; (d) delete your account and associated data; and (e) opt out of non-essential marketing communications at any time. California residents have additional rights under the CCPA/CPRA, including the right to know, delete, correct, and limit; we do not sell personal information and do not engage in cross-context behavioral advertising. EEA, UK, and Swiss residents have rights under the GDPR/UK GDPR, including the right to object, restrict processing, and lodge a complaint with their supervisory authority. To exercise any right, email privacy@estimate.pro.
13. Children’s Privacy
The Service is intended for construction professionals and is not directed to children under eighteen (18) years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.
14. International Users
Estimate.Pro is operated from, and primarily hosted in, the United States. If you access the Service from outside the U.S., you understand and consent to the transfer of your information to the U.S. and to processing by our U.S.-based personnel and infrastructure. Where required, we rely on Standard Contractual Clauses or equivalent legal mechanisms for cross-border data transfer. The Service is not currently designed for, and may not be appropriate for, use under jurisdictions that require local data residency.
15. Data Breach Notification
In the event of a data breach affecting your personal information or Customer Content, we will notify the affected Customer without undue delay and, where required, the relevant supervisory authorities, in accordance with applicable law. Notice will describe the nature of the breach, the data involved, the steps we are taking to mitigate it, and recommended actions you may take.
16. Changes & Contact
We may update this Policy from time to time. If we make a material change, we will provide at least thirty (30) days’ advance notice by email and in-app notice. Your continued use of the Service after the effective date of the updated Policy constitutes acceptance. For privacy questions, complaints, or rights requests, contact privacy@estimate.pro. Postal mail may be addressed to Estimate.Pro Labs, Inc., Attn: Privacy, Boston, Massachusetts.
Questions about your data?
We respond to privacy requests within two business days.