Privacy Policy

BuildCrux (“we,” “our,” or “us”) is a product of TackOn Labs. This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use the BuildCrux platform, including our website at buildcrux.com, our mobile applications, and all related services (collectively, the “Service”).

By using the Service, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

1.1 Information You Provide

• Account Information: When you create an account, we collect your name, email address, password, company name, phone number, and trade/industry type.
• Billing Information: Payment details such as credit card numbers and billing addresses are collected and processed securely by our payment processor, Stripe. We do not store full credit card numbers on our servers.
• Project Data: Information you enter about your projects, clients, invoices, estimates, contracts, expenses, mileage logs, photos, team members, and other business data.
• Communications: Messages sent through the platform, support requests, and any other communications with us.
• E-Signature Data: When contracts are signed electronically through BuildCrux, we collect the signer's name, email address, IP address, signature image, and timestamp for audit purposes.

1.2 Information Collected Automatically

• Usage Data: We collect information about how you interact with the Service, including pages visited, features used, and actions taken.
• Device Information: Browser type, operating system, device identifiers, and screen resolution.
• Location Data: If you enable mileage tracking or GPS features, we collect precise location data (including when the BuildCrux mobile app is in the background, solely while a trip is active) from your device. You can revoke location permission in your device settings at any time.
• Camera and Photo Access: The mobile app requests camera and photo library access so you can capture receipts, upload project photos, and scan blueprints. Media is only accessed when you explicitly choose to capture or upload.
• Crash Diagnostics and Performance Data: We collect crash logs, error stack traces, device model, OS version, app version, and anonymized user identifiers via our error-monitoring provider (Sentry) to diagnose bugs and improve stability. No message content, project data, or payment details are included in crash reports.
• Push Notification Tokens: If you grant permission, the mobile app registers a push token with Expo / Apple APNs / Google FCM so we can deliver transactional notifications (invites accepted, invoice paid, etc.).
• Log Data: Server logs that include your IP address, access times, and referring URLs.
• Cookies and Similar Technologies: We use cookies and similar tracking technologies to maintain your session, remember preferences, and analyze usage. See our Cookie Policy for details.

1.3 Information from Third Parties

• Payment Processor: Stripe may provide us with limited transaction information such as payment status and the last four digits of the card used.
• Authentication Providers: If you sign in using a third-party service, we may receive your name, email, and profile information from that provider.

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service
• Process transactions and send related billing information
• Send you transactional notifications (e.g., contract signing requests, payment confirmations, invoice reminders)
• Provide customer support and respond to your requests
• Improve and optimize the Service through analytics and usage patterns
• Generate AI-powered estimates based on project data you provide
• Enforce our Terms of Service and protect against fraud or abuse
• Send marketing communications about product updates and new features (with your consent, and you can opt out at any time)
• Comply with legal obligations

3. How We Share Your Information

We do not sell your personal information. We may share your information with the following sub-processors, each contractually obligated to protect your data:

• Supabase — database hosting, authentication, and file storage (receipts, photos, blueprints)
• Stripe — payment processing and subscription billing
• Vercel — web application hosting and CDN
• AI infrastructure provider — third-party AI processing for blueprint analysis and cost estimates. Content submitted is not used to train external AI models. The specific provider is available on request to support@buildcrux.com.
• Sentry — error monitoring and crash reporting
• Google Cloud (Maps, Places, Distance Matrix) — address autocomplete, geocoding, and mileage distance calculation
• Titan (Hostinger) — transactional email delivery (invitations, password resets, invoice notifications)
• GoHighLevel / Twilio — SMS delivery for team invitations and customer notifications when you opt into SMS
• Expo (push notifications) — routes push tokens to Apple APNs and Google FCM for mobile notifications
• Meta (Facebook) Pixel — measures visits to our public marketing website (buildcrux.com) and the effectiveness of our advertising. It is used only on our public marketing pages, not inside the signed-in app, and does not receive your project, customer, or payment data.
• Google Analytics (GA4) — measures traffic and acquisition channels on our public marketing website (buildcrux.com). Like the Meta Pixel, it is used only on our public marketing pages, not inside the signed-in app, and does not receive your project, customer, or payment data.

Additionally:

• Your Team and Clients: When you invite team members to your workspace or send contracts/invoices to clients, those users will see the project and business data you share with them.
• Legal Requirements: We may disclose your information if required by law, subpoena, or government request, or to protect the rights, property, or safety of BuildCrux, our users, or the public.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your data is subject to a different privacy policy.

4. Data Security

We implement industry-standard security measures to protect your data, including:

• Encryption in transit (TLS/SSL) and at rest
• Secure authentication with hashed passwords
• Row-level security (RLS) policies ensuring users can only access their own workspace data
• PCI-compliant payment processing through Stripe
• Regular security monitoring and updates

While we take reasonable precautions, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

5. Data Retention

We retain your account data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal, tax, or compliance purposes. Business data (invoices, contracts, project records) may be retained longer to comply with record-keeping obligations.

6. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate personal data.
• Deletion: Delete your account at any time without contacting support. In the mobile app go to Settings → Delete Account; on the web you can email privacy@buildcrux.com. Deletion permanently removes your auth record, cascades through every workspace you sole-own, and cancels any active subscription. Some business records (invoices, tax-relevant data) may be retained as required by law.
• Portability: Request your data in a portable, machine-readable format (CSV export is available from your dashboard).
• Opt-Out: Unsubscribe from marketing emails at any time using the link in any marketing email.
• Restrict Processing: Request that we limit how we use your data in certain circumstances.

To exercise any of these rights, contact us at privacy@buildcrux.com.

7. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to delete it promptly.

8. International Data Transfers

Your data may be processed and stored on servers located in the United States. If you are accessing the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer.

9. SMS Messaging

BuildCrux operates an A2P 10DLC SMS messaging program registered with The Campaign Registry. The program is scoped to Account Notification messages sent to BuildCrux contractor account holders about their own BuildCrux account: subscription receipts, billing notices, payment-failure alerts, and security/sign-in notifications. The program does not send marketing or promotional messages, OTP / 2FA codes, customer-facing project messages, or team-invitation SMS.

How phone numbers are collected. SMS is opt-in only. Account holders enter their mobile number at Settings → Business Info → Phone in the BuildCrux web application and manually select an unchecked SMS consent checkbox. The phone field is optional and SMS consent is never a condition of account creation, subscription, or any other service. The server records the opt-in timestamp as workspaces.sms_consented_at, which is the consent evidence retained for audit.

Verbatim consent disclosure shown next to the checkbox:“I agree to receive transactional SMS notifications from BuildCrux regarding account activity, billing, and security alerts to the number above. Message frequency varies. Message and data rates may apply. Reply HELP for help and STOP to opt out. Consent is not a condition of purchase. See our SMS terms and Privacy Policy.”

Opt-out. Recipients can opt out at any time by replying STOP, OPTOUT, CANCEL, END, QUIT, UNSUBSCRIBE, REVOKE, or STOPALL to any message they receive. Opt-out is enforced at the Twilio Messaging Service layer, so a recipient who opts out will not receive further messages unless they explicitly resubscribe by replying START or UNSTOP. Reply HELP at any time to receive contact information.

Message and data rates may apply. Carriers are not liable for delayed or undelivered messages.

No sharing of mobile information. We do not share, sell, or rent your mobile opt-in data, opt-in consent, telephone number, or other personally-identifiable information collected from your mobile opt-in, with third parties or affiliates for their marketing or promotional purposes. All the above categories exclude text-messaging originator opt-in data and consent; this information will not be shared with any third parties.

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes.

Full SMS program documentation, including a screenshot of the opt-in checkbox, is available at our public SMS Consent & Opt-In Documentation page, and the complete program terms are in our Terms of Service, Section: SMS Messaging Program Terms.

10. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies before providing any personal data.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated policy on this page and updating the “Last updated” date. For significant changes, we may also send you an email notification. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or how we handle your data, contact us at: