Privacy policy

Last updated: March 2026

1. Information We Collect

Account Information (GC Users):

  • Email address and password (managed by Supabase Auth)
  • Company name and insurance requirement preferences
  • Billing information (processed and stored by Stripe — we do not store credit card numbers)

Subcontractor Information:

  • Name, email address, phone number (as provided by the GC)
  • Company name (optional)
  • Uploaded documents (COIs, W-9s, lien waivers, certificates, licenses)

Document Data (AI-Parsed):

  • Insurance carrier names, policy numbers, coverage limits, expiration dates
  • Certificate holder information
  • W-9 data: legal name, business name, EIN, entity type, address
  • This data is extracted automatically from uploaded documents using AI and may contain errors

Receipt and Expense Data:

  • Receipt images (photos uploaded by GC Users)
  • AI-extracted receipt data: vendor names, amounts, dates, line items, categories
  • Expense records: amounts, dates, categories, subcategories, business/personal designation
  • Job assignments for expenses
  • Notes and descriptions added by the user

Job and Project Data:

  • Job names, client names, addresses
  • Job budgets, start/end dates, status
  • Subcontractor assignments per job
  • Financial ledger data (expense totals per job, cost breakdowns by category)

Automatically Collected:

  • IP address, browser type, and device information (standard web server logs)
  • Usage data (pages visited, features used)

2. How We Use Your Information

  • To provide and operate the Service (document storage, compliance tracking, expense tracking, job costing, alerts)
  • To send transactional emails (upload requests, expiry alerts, billing notifications)
  • To process payments via Stripe
  • To parse uploaded documents and receipts using AI (Anthropic Claude API)
  • To generate expense reports, job cost summaries, and year-end packages
  • To improve the Service and fix issues

3. AI Processing

Documents and receipts you upload are processed by AI to extract structured data. This processing is performed solely to provide the Service. Specifically:

  • Receipt images are uploaded to secure cloud storage, then sent to the Anthropic Claude API for data extraction (vendor, amount, date, line items, category)
  • Insurance documents (COIs) are processed to extract carrier names, coverage limits, and expiration dates
  • W-9 forms are processed to extract legal name, EIN, and entity type

Your data is not used to train AI models.

Anthropic processes document and receipt data under their API terms, which prohibit using API inputs for model training. AI-extracted data may contain errors and should be reviewed by the user.

4. Third-Party Services

We use the following third-party services to operate CertVault:

  • Supabase — database hosting, authentication, file storage (your documents and receipt images are stored encrypted at rest)
  • Anthropic (Claude API) — AI document and receipt parsing. Uploaded document images and receipt photos are sent to Anthropic for text extraction. Anthropic does not use API inputs to train models. See Anthropic's usage policy for details.
  • Stripe — payment processing. We do not store credit card information.
  • Resend — transactional email delivery
  • Vercel — application hosting

5. Data Sharing

We do NOT sell, rent, or share your personal information, documents, receipt images, expense data, or financial data with third parties for marketing purposes or any other purpose. Data is shared only with the third-party services listed above, solely to operate the Service.

GC Users can view documents, expenses, and parsed data for subcontractors and jobs they have created. Subcontractors uploading via a tokenized link can only see their own upload status. Accountants invited via the accountant portal receive read-only access to the inviting GC's data.

6. Data Security

  • All data is transmitted over HTTPS (TLS encryption in transit)
  • Documents and receipt images are stored encrypted at rest in Supabase Storage
  • Database access is controlled by row-level security policies (each GC can only access their own data)
  • Service role keys and API keys are stored as environment variables, never exposed to the client
  • Upload tokens are unique UUIDs with 30-day expiration

Breach Notification:

In the event of a data breach that compromises your personal information, we will notify affected individuals and applicable state authorities as required by law, in the most expedient time possible and without unreasonable delay.

7. Data Retention and Deletion

Documents, receipt images, expense records, and account data are retained for as long as your account is active. Receipt images are retained until you delete them individually or close your account. Upon account cancellation:

  • Your data is retained for 30 days to allow for reactivation
  • After 30 days, all documents, receipt images, expense records, parsed data, and account information are automatically and permanently deleted
  • You may also request immediate deletion at any time by contacting support@getcertvault.com or using the account deletion option in your dashboard

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your personal information, documents, receipt images, and expense data
  • Request a copy of your data in a portable format (including expense exports and job cost reports)
  • Opt out of non-essential communications

California residents: Under the CCPA/CPRA, you have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA.

To exercise any of these rights, contact support@getcertvault.com.

9. Children

CertVault is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child under 13, we will take steps to delete that information promptly.

10. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email to active account holders. The "last updated" date at the top reflects the most recent revision.

11. Contact

For privacy-related questions or data requests, contact us at support@getcertvault.com.