Privacy Policy

Valoria Ventures, LLC, doing business as BldrOS (“BldrOS,” “we,” “us,” or “our”), is committed to protecting the privacy and security of the personal information entrusted to us. This Privacy Policy describes how we collect, use, disclose, store, and protect information in connection with the BldrOS platform and its associated services (the “Platform”).

This Policy applies to all users of the Platform, including general contractors (“Contractors”), subcontractors (“Subcontractors”), their customers (“End Customers”), vendors, and any other individuals whose information is processed through the Platform.

By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you are a Contractor using the Platform to manage information about your End Customers, Subcontractors, or vendors, you are responsible for ensuring that your use of the Platform complies with applicable privacy laws and for providing any required notices to those individuals.

1.1 Account and Identity Information

When you create an account, we collect information necessary to establish and maintain your account, including: legal name, business name, email address, phone number, mailing address, tax identification information, and professional licensing information. For organization accounts, we also collect information about additional team members added to the account.

1.2 Payment and Financial Information

Payment processing is handled by Stripe, Inc. When you connect a payment account or process transactions through the Platform, Stripe collects and processes payment card numbers, bank account details, and related financial information directly. BldrOS does not store complete payment card numbers or bank account numbers. We do receive and store transaction metadata from Stripe, including transaction amounts, dates, invoice numbers, payer and payee identifiers, transaction status, and fee amounts for the purpose of providing platform functionality and financial reporting.

1.3 Communication Records

The Platform processes communications through Twilio, Inc., including:

• Voice calls: Call metadata (caller ID, recipient number, date, time, duration, call direction) and, when call recording is enabled by the User, audio recordings of calls.
• SMS messages: Message content, sender and recipient phone numbers, timestamps, and delivery status.
• Call transcriptions: When enabled, AI-generated text transcriptions of recorded calls.

Users are solely responsible for complying with applicable recording consent laws and for informing call participants of any recording in accordance with their jurisdiction’s requirements.

1.4 Project and Business Data

Through normal use of the Platform, we collect and store business operational data including: lead and customer contact information, project details and descriptions, job site addresses, project photographs and images, estimate line items and pricing, invoices, contracts, daily reports, change orders, scheduling data, subcontractor assignments, vendor purchase orders, and other project-related documentation.

1.5 AI Processing Inputs

When you use AI-assisted features, we process the inputs you provide, which may include photographs of job sites or materials, text descriptions of project scope, voice notes and their transcriptions, and any other content submitted for AI analysis. These inputs are processed solely for the purpose of generating the requested output (such as an estimate) and are handled in accordance with Section 4 of this Policy.

1.6 Usage and Technical Data

We automatically collect technical information when you access the Platform, including: IP address, browser type and version, device type and operating system, pages viewed and features used, date and time of access, referring URL, and general geographic location (derived from IP address, not precise GPS). This information is collected to maintain the security and performance of the Platform and to improve our services.

1.7 Audit and Event Data

The Platform maintains a comprehensive audit log of actions taken within the system, including the identity of the user performing the action, the timestamp, the nature of the change, and the values before and after the change. This audit data is maintained for integrity, compliance, and dispute resolution purposes and is treated as immutable.

We use the information we collect for the following purposes:

• Platform operations: To provide, maintain, and operate the Platform and its features, including lead management, estimate generation, payment processing, project management, communication services, and reporting.
• Account management: To create and manage accounts, authenticate users, enforce access controls, and maintain organization-level data isolation.
• Payment facilitation: To facilitate payment transactions between Contractors and their End Customers through Stripe, calculate and collect platform fees, and provide financial reporting and reconciliation.
• Communications: To route and deliver calls and messages, store communication records, and generate transcriptions when requested.
• AI-assisted features: To generate estimates, transcriptions, and other AI-assisted outputs based on user-provided inputs.
• Security and fraud prevention: To detect and prevent unauthorized access, abuse, fraud, and other harmful activities.
• Legal compliance: To comply with applicable laws, regulations, legal processes, and enforceable governmental requests.
• Platform improvement: To analyze usage patterns, diagnose technical issues, and improve the performance, reliability, and functionality of the Platform. Any such analysis uses aggregated or de-identified data.
• Communication with you: To send transactional communications (such as account confirmations, invoices, and security alerts), respond to support requests, and, where you have opted in, send product updates.

BldrOS is a multi-tenant platform. Each organization’s data is logically isolated at the database level using organization-scoped identifiers and enforced through row-level security policies. This means:

• A Contractor’s data is not accessible to other Contractors on the Platform.
• Subcontractor data is scoped to the organization(s) with which the Subcontractor is associated and is not shared across unrelated organizations.
• End Customer data entered by a Contractor is accessible only within that Contractor’s organization.
• Vendor data is scoped to the organization that created the vendor record.

BldrOS platform administrators have the technical ability to access data across organizations solely for the purposes of platform maintenance, support, security investigation, and legal compliance. Such access is logged, audited, and subject to strict internal policies.

We share information with the following categories of third-party service providers, each of which processes data solely for the purposes described below:

4.1 Supabase (Infrastructure and Database)

Supabase provides our database infrastructure, authentication services, file storage, and serverless computing. All Platform data stored in the database resides in Supabase infrastructure. Supabase processes data in accordance with its Privacy Policy and applicable data processing agreements.

4.2 Stripe (Payment Processing)

Stripe processes payment transactions, stores payment method details, manages connected accounts, and handles payout disbursements. Stripe receives transaction data, payer and payee identity information, and financial details necessary to process payments. Stripe is an independent data controller for information it collects directly from users. See Stripe’s Privacy Policy.

4.3 Twilio (Communications)

Twilio provides voice calling, SMS messaging, and phone number provisioning services. Twilio processes phone numbers, call metadata, message content, and call recordings in order to deliver communications services. See Twilio’s Privacy Policy.

4.4 AI Service Providers (Transcription and Analysis)

We use third-party AI service providers to power transcription, estimate generation, and other AI-assisted features. Inputs submitted to AI features (such as audio recordings, photographs, and text) are transmitted to these providers for processing. We select providers that commit to not using customer inputs to train their general models and that maintain commercially reasonable confidentiality and data handling practices. The specific AI providers we use may change over time; the current list is available upon request at privacy@bldros.com.

4.5 Vercel (Hosting and Delivery)

Vercel hosts and delivers the Platform’s web application. Vercel processes standard web request data including IP addresses, request headers, and access logs in the course of serving the application.

BldrOS does not sell, rent, lease, or trade personal information to third parties. We do not provide personal information to data brokers. We do not monetize user data through advertising. We do not share personal information with third parties for their own marketing purposes.

This commitment applies to all categories of information we collect, including account data, business data, communication records, financial data, and usage data.

We retain information for as long as necessary to provide the Platform, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:

• Account data: Retained for the duration of the account and for thirty (30) days following account closure, after which it is deleted or anonymized.
• Transaction and financial records: Retained for a minimum of seven (7) years to comply with tax and financial record-keeping requirements.
• Communication records: Call recordings, SMS messages, and transcriptions are retained for the duration of the account and the thirty (30) day post-closure period, unless a longer retention period is required by law.
• Audit logs: Retained for a minimum of three (3) years to support compliance, dispute resolution, and legal requirements.
• Usage and technical data: Retained in identifiable form for up to twelve (12) months; aggregated and de-identified data may be retained indefinitely.

We implement commercially reasonable technical and organizational measures to protect the information we process. These measures include encryption of data in transit using TLS 1.2 or higher, encryption of data at rest, database-level access controls and row-level security policies, authentication and authorization controls, regular security assessments, and access logging and monitoring. For additional details, see our Security Policy.

No method of transmission or storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security. We will notify affected users of any security breach in accordance with applicable law.

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

8.1 Right of Access

You have the right to request a copy of the personal information we hold about you. Much of this information is directly accessible through your account dashboard.

8.2 Right to Correction

You have the right to request correction of inaccurate personal information. Account holders can update most information directly through the Platform.

8.3 Right to Deletion

You have the right to request deletion of your personal information, subject to our legal obligations to retain certain data (such as financial records required for tax compliance). Deletion requests will be processed within thirty (30) days.

8.4 Right to Data Portability

You have the right to receive your personal information in a structured, commonly used, machine-readable format. The Platform provides data export functionality for this purpose.

8.5 Right to Restrict Processing

In certain circumstances, you have the right to request that we restrict the processing of your personal information while we address your concerns.

8.6 Right to Object

You have the right to object to certain types of processing, including processing for direct marketing purposes. We honor all opt-out requests promptly.

8.7 Right to Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. You will not receive different pricing, a different quality of service, or any penalty for exercising these rights.

8.8 Exercising Your Rights

To exercise any of these rights, contact us at privacy@bldros.com. We will verify your identity before processing your request and respond within thirty (30) days. If we need additional time, we will notify you of the extension and the reasons for it.

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”). These include:

• The right to know what personal information we collect, use, disclose, and sell (we do not sell personal information).
• The right to delete personal information we have collected, subject to legal exceptions.
• The right to correct inaccurate personal information.
• The right to opt out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioral advertising).
• The right to limit the use of sensitive personal information to purposes necessary to provide the services you requested.

You may exercise these rights by contacting us at privacy@bldros.com. You may also designate an authorized agent to submit requests on your behalf.

BldrOS is operated from the United States. If you access the Platform from outside the United States, your information will be transferred to and processed in the United States. By using the Platform, you consent to this transfer. We process data from the European Economic Area, United Kingdom, and other jurisdictions with data protection laws in compliance with applicable legal frameworks and, where required, on the basis of appropriate data transfer mechanisms.

The Platform is not directed to individuals under the age of 18, and we do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@bldros.com.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated through the Platform or via email at least thirty (30) days before they take effect. The “Last updated” date at the top of this Policy indicates when it was most recently revised. Your continued use of the Platform after any changes take effect constitutes your acceptance of the revised Policy.

For questions, concerns, or requests regarding this Privacy Policy or our data practices, contact:

Valoria Ventures, LLC d/b/a BldrOS
Privacy Inquiries
Email: privacy@bldros.com
Atlanta, Georgia, United States

For security-related concerns, contact security@bldros.com.