Privacy Policy

1. Introduction

GC EstimatorAI, Inc. ("GC EstimatorAI," "Company," "we," "us," or "our"), a Delaware corporation, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your personal information when you use our construction estimating platform and services (the "Service"), including our website at gcestimator.app, mobile applications, and APIs.

This Privacy Policy applies to all users of the Service, including visitors, registered users, and paying subscribers. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our practices, please do not use the Service.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy and revising the "Last updated" date. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

2. Information We Collect

2.1 Information You Provide Directly

We collect information you voluntarily provide, including:

• Account Information: Name, email address, password, company name, job title, phone number, and business address when you register for an account.
• Profile Information: Professional credentials, license numbers, company logos, and other profile details you choose to provide.
• Project Data: Construction estimates, blueprints, specifications, drawings, photos, client information, subcontractor details, material lists, invoices, contracts, and other project-related documents you upload or create.
• Client Portal Data: Information about clients you invite to your client portal, including their email addresses, access permissions, and communications through the portal.
• Team and Crew Data: Information about team members and crews, including names, roles, time tracking entries, schedules, and work assignments.
• Financial Information: Billing address and payment method details. Note: Credit card numbers are processed and stored securely by our payment processor (Stripe) and are not stored on our servers.
• Affiliate Program Data: If you join our affiliate program, we collect website URLs, social media profiles, audience information, promotion methods, referral codes, commission tracking data, and payout information.
• E-Signature Data: When using our e-signature features, we collect signature images, signing timestamps, IP addresses, and device information for audit trails.
• Communications: Messages, emails, feedback, support requests, and other communications you send to us or through the Service.
• Survey Responses: Information you provide in surveys, questionnaires, or research studies.

2.2 Information Collected Automatically

When you use the Service, we automatically collect:

• Usage Data: Pages visited, features used, actions taken, time spent on pages, search queries, click patterns, and navigation paths.
• Device Information: IP address, browser type and version, operating system, device type, device identifiers, screen resolution, and language preferences.
• Location Data: Approximate geographic location based on IP address. We do not collect precise GPS location without your explicit consent.
• Log Data: Server logs including access times, referring URLs, error logs, and crash reports.
• Performance Data: Page load times, error rates, and other technical performance metrics.

2.3 Information from Third Parties

We may receive information from:

• Authentication Providers: If you sign in using Google, Microsoft, or other third-party authentication services, we receive your name, email, and profile picture from those services.
• Payment Processors: Transaction status, billing address verification, and fraud prevention data from Stripe.
• Analytics Providers: Aggregated usage statistics and demographic information.
• Business Partners: Referral information when you sign up through a partner or affiliate.
• Affiliate Tracking: If you are referred by an affiliate, we track the referral source using cookies to attribute commissions correctly.

2.4 Sensitive Information

We do not intentionally collect sensitive personal information such as Social Security numbers, racial or ethnic origin, political opinions, religious beliefs, health information, or biometric data. If you upload documents containing such information, you are responsible for ensuring appropriate handling. Please contact us if you have concerns about sensitive data in your uploads.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Providing and Improving the Service

• Creating and managing your account
• Processing and fulfilling your subscription
• Providing customer support and responding to inquiries
• Enabling features, functionality, and integrations
• Analyzing usage patterns to improve user experience
• Developing new features and services
• Fixing bugs and troubleshooting issues

3.2 AI and Machine Learning

• Processing documents through AI to generate estimates and analyses
• Improving AI model accuracy using anonymized, aggregated data
• Your identifiable data is NOT used to train AI models available to other users without explicit consent
• AI processing is performed by third-party providers (Anthropic, OpenAI, Google) subject to their privacy policies and data processing agreements

3.3 Communications

• Sending transactional emails (account confirmations, password resets, invoices)
• Providing technical notices, updates, and security alerts
• Sending marketing communications (with your consent)
• Responding to your comments, questions, and requests

3.4 Security and Compliance

• Detecting, preventing, and addressing fraud, abuse, and security threats
• Enforcing our Terms of Service and other policies
• Complying with legal obligations and responding to lawful requests
• Protecting the rights, property, and safety of our users and the public

3.5 Legal Bases for Processing (Where Applicable)

We process your personal information based on: (a) performance of our contract with you; (b) your consent; (c) our legitimate business interests; and (d) compliance with legal obligations.

4. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect information and improve the Service. These technologies include:

4.1 Types of Cookies

4.2 Third-Party Analytics

We use Google Analytics (GA4) to analyze usage patterns. Google Analytics uses cookies to collect information about how you use the Service. This information is transmitted to and stored by Google. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

4.3 Managing Cookies

You can manage cookie preferences through our cookie consent banner when you first visit the Service. You can also control cookies through your browser settings. Note that disabling essential cookies may prevent you from using certain features of the Service.

4.4 Do Not Track

Some browsers offer a "Do Not Track" (DNT) feature. We currently do not respond to DNT signals. However, you can use our cookie preferences or browser settings to limit tracking.

5. How We Share Your Information

We do not sell your personal information. We may share your information only in the following circumstances:

5.1 Service Providers

We share information with third-party vendors who provide services on our behalf:

• Cloud Infrastructure: Amazon Web Services (AWS) for hosting and storage
• Payment Processing: Stripe for payment processing and billing
• Email Delivery: AWS SES for transactional and marketing emails
• AI Processing: Anthropic, OpenAI, and Google for AI-powered features
• Analytics: Google Analytics for usage analysis
• Customer Support: Support tools for managing inquiries

These providers are contractually obligated to use your information only as necessary to provide services to us and in compliance with this Privacy Policy.

5.2 Within Your Organization

If you are part of a team or organization using the Service, your information may be visible to team administrators and other authorized users within your organization based on the permissions you or your administrator have set.

5.3 Legal Requirements

We may disclose your information when required by law, including to: (a) comply with a subpoena, court order, or legal process; (b) respond to lawful requests by government authorities; (c) enforce our Terms of Service; (d) protect against legal liability; or (e) protect the rights, property, or safety of our users or the public.

5.4 Business Transfers

If we are involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or use of your personal information.

5.5 Affiliate Program

If you participate in our affiliate program, we may share limited information about referrals (such as signup status and payment status) with referring affiliates to calculate commissions. We do not share detailed customer information with affiliates.

5.6 Client Portal

When you share project information through our client portal feature, the information you choose to share will be visible to the clients you invite. You control what information is shared and can revoke access at any time.

5.7 With Your Consent

We may share your information for other purposes with your explicit consent.

6. Data Security

We implement comprehensive security measures to protect your information:

• Encryption in Transit: All data is transmitted using TLS 1.2 or higher encryption.
• Encryption at Rest: Stored data is encrypted using AES-256 encryption.
• Access Controls: Role-based access controls and least privilege principles limit data access.
• Infrastructure Security: Services hosted on SOC 2 Type II compliant infrastructure (AWS, Supabase).
• Authentication: Secure password hashing, optional multi-factor authentication, and session management.
• Monitoring: Continuous security monitoring, logging, and alerting for suspicious activity.
• Regular Assessments: Periodic security audits and vulnerability assessments.
• Employee Training: Security awareness training for all team members.

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security. If you have reason to believe your account has been compromised, please contact us immediately at security@gcestimator.app.

7. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

• Active Accounts: We retain your information while your account is active.
• Closed Accounts: After account closure, we may retain certain information for up to 7 years to comply with legal, tax, and accounting obligations.
• Backups: Backup copies may be retained for up to 90 days after deletion.
• Legal Holds: We may retain information longer if required for legal proceedings or investigations.

You may request deletion of your data at any time by contacting privacy@gcestimator.app. We will process your request within 30 days, subject to any legal retention requirements.

8. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

8.1 General Rights

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete personal information.
• Deletion: Request deletion of your personal information, subject to legal retention requirements.
• Portability: Request your data in a structured, machine-readable format.
• Opt-Out: Unsubscribe from marketing communications at any time.
• Restrict Processing: Request that we limit how we use your data.
• Object: Object to processing of your personal information for certain purposes.

8.2 Exercising Your Rights

To exercise your rights, contact us at privacy@gcestimator.app. We will verify your identity before processing your request and respond within 30 days (or as required by applicable law). We will not discriminate against you for exercising your privacy rights.

8.3 Authorized Agents

You may designate an authorized agent to make requests on your behalf. We may require written authorization and verification of both your and the agent's identity.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights:

9.1 Categories of Information Collected

In the past 12 months, we have collected the following categories of personal information:

• Identifiers: Name, email, phone number, IP address, account ID
• Commercial Information: Transaction history, subscription details
• Internet Activity: Browsing history, usage data, interactions with Service
• Geolocation Data: Approximate location based on IP address
• Professional Information: Company name, job title, professional credentials
• Inferences: Preferences and characteristics derived from usage data

9.2 Your CCPA Rights

• Right to Know: Request information about the categories and specific pieces of personal information we have collected about you.
• Right to Delete: Request deletion of your personal information, subject to certain exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising.
• Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes other than those permitted by CPRA.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

9.3 Shine the Light

Under California Civil Code Section 1798.83, California residents may request information about our disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

10. Additional State Privacy Rights

10.1 Virginia (VCDPA)

Virginia residents have the right to: access, correct, delete, and obtain a copy of their personal data; opt out of targeted advertising, sale of personal data, and profiling; and appeal our decisions regarding privacy requests. Contact privacy@gcestimator.app to exercise these rights.

10.2 Colorado (CPA)

Colorado residents have similar rights to Virginia residents, including the right to access, correct, delete, and obtain portable copies of personal data, as well as opt-out rights. You may appeal our decisions by contacting privacy@gcestimator.app.

10.3 Connecticut (CTDPA)

Connecticut residents have the right to access, correct, delete, and obtain copies of their personal data; opt out of targeted advertising, sale of personal data, and profiling; and appeal our decisions.

10.4 Utah (UCPA)

Utah residents have the right to access, delete, and obtain portable copies of their personal data, and to opt out of targeted advertising and sale of personal data.

10.5 Other States

If you reside in a state with consumer privacy laws (such as Nevada, Montana, Oregon, Texas, or others), you may have additional rights. Contact us at privacy@gcestimator.app to learn about rights available in your state.

11. International Users and GDPR

If you are located in the European Union (EU), European Economic Area (EEA), or United Kingdom (UK), the General Data Protection Regulation (GDPR) provides you with additional rights:

• Legal Basis: We process your data based on: (a) your consent; (b) performance of a contract; (c) our legitimate interests; or (d) legal obligations.
• Data Controller: GC EstimatorAI, Inc. is the data controller for your personal information.
• International Transfers: Your data may be transferred to the United States. We use Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection.
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority.
• Withdraw Consent: Where we rely on consent, you may withdraw it at any time.

Data Protection Officer: For GDPR-related inquiries, contact dpo@gcestimator.app.

12. Children's Privacy

The Service is not intended for children under 16 years of age (or 13 years of age in jurisdictions where permitted). We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at privacy@gcestimator.app.

If we learn that we have collected personal information from a child under 16 without parental consent, we will delete that information promptly. In compliance with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13.

13. Data Breach Notification

In the event of a data breach that affects your personal information, we will:

• Notify affected users within 72 hours of discovering the breach (or as required by applicable law)
• Provide information about the nature of the breach and the types of information involved
• Describe the steps we are taking to address the breach
• Offer guidance on steps you can take to protect yourself
• Notify relevant regulatory authorities as required by law

14. Third-Party Links and Services

The Service may contain links to third-party websites or services that are not owned or controlled by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites or services you visit. This Privacy Policy applies solely to information collected through our Service.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes:

• We will update the "Last updated" and "Effective date" at the top of this page
• For material changes, we will notify you by email or through a prominent notice on the Service
• We may provide a summary of key changes
• Your continued use of the Service after changes become effective constitutes acceptance of the revised policy

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We will respond to your inquiry within 30 days (or sooner as required by applicable law). For EU/EEA residents, if you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.