Privacy Policy
Last updated: March 2026
1. Information We Collect
Account Information (GC Users):
- Email address and password (managed by Supabase Auth)
- Company name and insurance requirement preferences
- Billing information (processed and stored by Stripe — we do not store credit card numbers)
Subcontractor Information:
- Name, email address, phone number (as provided by the GC)
- Company name (optional)
- Uploaded documents (COIs, certificates, licenses)
Document Data (AI-Parsed):
- Insurance carrier names, policy numbers, coverage limits, expiration dates
- Certificate holder information
- This data is extracted automatically from uploaded documents using AI and may contain errors
Automatically Collected:
- IP address, browser type, and device information (standard web server logs)
- Usage data (pages visited, features used)
2. How We Use Your Information
- To provide and operate the Service (document storage, compliance tracking, alerts)
- To send transactional emails (upload requests, expiry alerts, billing notifications)
- To process payments via Stripe
- To parse uploaded documents using AI (Anthropic Claude API)
- To improve the Service and fix issues
3. Third-Party Services
We use the following third-party services to operate CertVault:
- Supabase — database hosting, authentication, file storage (your documents are stored encrypted at rest)
- Anthropic (Claude API) — AI document parsing. Uploaded document images are sent to Anthropic for text extraction. Anthropic does not use API inputs to train models. See Anthropic's usage policy for details.
- Stripe — payment processing. We do not store credit card information.
- Resend — transactional email delivery
- Vercel — application hosting
4. Data Sharing
We do NOT sell, rent, or share your personal information or documents with third parties for marketing purposes. Data is shared only with the third-party services listed above, solely to operate the Service.
GC Users can view documents and parsed data for subcontractors they have added. Subcontractors uploading via a tokenized link can only see their own upload status.
5. Data Security
- All data is transmitted over HTTPS (TLS encryption in transit)
- Documents are stored encrypted at rest in Supabase Storage
- Database access is controlled by row-level security policies (each GC can only access their own data)
- Service role keys and API keys are stored as environment variables, never exposed to the client
- Upload tokens are unique UUIDs with a 30-day expiration
Breach Notification:
In the event of a data breach that compromises your personal information, we will notify affected individuals and applicable state authorities as required by law, in the most expedient time possible and without unreasonable delay.
6. Data Retention and Deletion
Documents and account data are retained for as long as your account is active. Upon account cancellation:
- Your data is retained for 30 days to allow for reactivation
- After 30 days, all documents, parsed data, and account information are automatically and permanently deleted
- You may also request immediate deletion at any time by contacting support@certvault.com or using the account deletion option in your dashboard
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your personal information and documents
- Request a copy of your data in a portable format
- Opt out of non-essential communications
California residents: Under the CCPA/CPRA, you have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA.
To exercise any of these rights, contact support@certvault.com.
8. Children
CertVault is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child under 13, we will take steps to delete that information promptly.
9. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via email to active account holders. The "last updated" date at the top reflects the most recent revision.
10. Contact
For privacy-related questions or data requests, contact us at support@certvault.com.