Privacy Policy

Last updated: May 5, 2026 · Version 1

© 2026 VEVVO trademark. All rights reserved.

This Privacy Policy describes how VEVVO collects, uses, shares, and protects information when you use the VEVVO service, marketing site, and related applications (collectively, the "Service").

The short version: We collect what we need to run your account, process payments, send the messages you ask us to send, and keep the Service secure — nothing more. We don't sell your data or your customers' data, and we don't use it to train AI models. You can export or delete your data at any time.

1. Who this policy applies to

This policy applies to two groups of people whose information may flow through VEVVO:

• Customers — the flooring contractors and trades businesses who sign up for a VEVVO workspace, log in, and operate their business on it. You are our direct user, and most of this policy is written for you.

• End-customers — the homeowners and commercial clients of our Customers, whose contact details, job sites, photos, estimates, invoices, and payment information are entered into VEVVO by our Customers. For end-customer data, our Customer is the controller and VEVVO is the processor — we handle that data on our Customer's behalf and under their instructions.

If you are an end-customer with a question about your data, please contact the contractor you hired. We will route your access, correction, or deletion request to them and assist with fulfilling it.

2. Information we collect

Account information you give us: your name, business name, email address, phone number, mailing address, password (hashed by our authentication provider — we never see it in plaintext), profile photo, and the plan you selected.

Operational data you put into the Service: your customer list, jobs, estimates, invoices, photos, schedules, crew records, time entries, supplier records, purchase orders, and other business records you create or upload. We treat this as your data; this policy calls it 'Customer Data'.

Payment information: when you subscribe to a paid plan, Stripe collects and stores your billing details directly. We receive a Stripe customer ID, the last 4 digits of your card, the card brand, and the billing ZIP — never your full card number or CVC. When your end-customers pay an invoice through VEVVO, the same is true: Stripe collects the card details, and we receive only a payment record.

Communications you send through us: when you send a transactional email through VEVVO, we pass the recipient address, subject, and body to Resend for delivery. When you send a transactional SMS, we pass the recipient phone number and message body to Twilio for delivery. We retain a copy of the send record (recipient, timestamp, subject, status) for your audit trail.

Phone-verification data: when you or a worker verifies a phone number, we generate a one-time code, send it via Twilio, and store a hashed version of the code along with attempt counts and timestamps until verification succeeds, expires, or is cleaned up by retention.

Device and usage data: standard server logs (IP address, user agent, request path, response code, timestamp) and product analytics (which screens were viewed, which features were used) so we can debug, secure, and improve the Service. These logs are retained for 90 days unless flagged for a security investigation.

Cookies and similar technologies: see Section 7.

3. Why we use it

To provide the Service: log you in, render your workspace, save the records you create, send the emails and SMS you ask us to send, run scheduled jobs, and produce reports and exports.

To bill you: process subscription charges through Stripe, generate invoices, calculate plan overages, and email you billing notices.

To support you: respond to support requests, troubleshoot bugs you report, and proactively reach out about account issues (failed payments, expiring trials, security alerts).

To keep the Service secure: detect and block fraud, brute-force attacks, scraping, and abuse; investigate suspected violations of our Terms or Acceptable Use Policy; comply with legal process.

To improve the product: aggregated and de-identified analytics that cannot reasonably be used to identify you or your end-customers — for example, 'X% of workspaces use the Calendar each week.' We do not use the contents of your Customer Data to train machine-learning models.

To send you operational and marketing messages: account notifications and security alerts are sent regardless of preference because they are essential to the Service. Product-update and marketing emails are sent only with your consent and you can unsubscribe from any marketing message at any time using the link in the message footer.

4. Who we share it with

We do not sell your personal information or your Customer Data. We do not share it with advertisers or data brokers. We share it only in the limited circumstances below, and only the minimum needed.

Sub-processors that operate parts of the Service for us:

• Clerk — authentication and identity (account creation, login, password reset, email/phone verification, multi-factor authentication, session management). Receives: name, email, phone, hashed credentials, login metadata.

• Stripe — payment processing for both your subscription and your end-customers' invoice payments. Receives: name, email, billing address, card details (collected directly by Stripe — VEVVO does not see full card numbers), payment amounts, and dispute records. See Stripe's privacy policy at https://stripe.com/privacy.

• Resend — transactional email delivery. Receives: recipient email address, subject line, message body, and delivery status.

• Twilio — SMS delivery and phone-number verification. Receives: recipient phone number, message body, and delivery status.

• Cloud hosting and database providers that store the Service infrastructure under standard data-processing terms.

Each sub-processor is contractually bound to handle the data only for the purpose of providing its service to VEVVO, to apply industry-standard security, and to delete the data when no longer needed.

Other limited sharing:

• With your consent or at your direction — for example, when you generate a public share link for an estimate or invoice.

• To comply with law — when we receive a valid subpoena, court order, or other legal process. We will challenge requests we believe are overbroad and, where legally permitted, notify the affected account before complying.

• To protect rights and safety — to investigate fraud, security incidents, or violations of the Terms or Acceptable Use Policy, and to protect the rights, property, or safety of VEVVO, our customers, or the public.

• In a corporate transaction — if VEVVO is acquired, merged, or sells substantially all of its assets, your information may transfer to the successor entity, subject to the same protections as in this policy.

5. How long we keep it

Active account data — kept for as long as your workspace is active.

Operational logs — server access logs are retained for 90 days, then deleted (longer only if flagged for a specific security investigation).

Phone-verification codes — hashed codes and attempt counters are deleted shortly after a code is consumed, expires, or after a configurable retention window.

Email and SMS send records — retained for the life of the account so you can audit what was sent, then deleted with the account.

After account deletion — we retain your operational data for 30 days in case you reactivate, then permanently delete it. Backups are rotated out within 90 days. Tax records, invoices, and payment records are retained for the period required by applicable law (typically 7 years in the U.S.) even after account deletion.

Aggregated and de-identified analytics that cannot reasonably re-identify a person may be retained indefinitely.

6. Your rights and choices

Subject to applicable law (including the California Consumer Privacy Act / CPRA, and similar state laws in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and a growing list of others), you have the right to:

• Access — get a copy of the personal information we hold about you. Customers can self-serve most of this from the Settings → Export tab.

• Correct — fix inaccurate personal information. Most fields are editable in your Profile and Settings; for anything you cannot edit yourself, contact us.

• Delete — ask us to delete your personal information. You can delete your account from Settings; this triggers the 30-day recovery window described in Section 5. Some records (tax, invoice, payment) are retained where the law requires.

• Export / portability — every plan, including Free, can export bookkeeper-ready CSVs of invoices, payments, customers, and jobs from Settings.

• Opt out of marketing — every marketing email has an unsubscribe link that takes effect immediately. Account, security, and billing messages are essential and cannot be turned off without closing the account.

• Opt out of 'sale' or 'sharing' of personal information — VEVVO does not sell or share personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA, so there is nothing to opt out of. We will honor a Global Privacy Control (GPC) signal as an opt-out request if any future use changes that.

• Non-discrimination — we will not deny you the Service, charge a different price, or provide a lower quality of service for exercising any of these rights.

To make a request, email help@apexcoatinggroup.com (placeholder — confirm with counsel before launch) from the address on your account, or use the contact form. We will verify your identity using the same email or phone associated with your account before disclosing or deleting data. We will respond within the time required by your jurisdiction (45 days under the CCPA, extendable once).

If you are an end-customer of one of our Customers, please direct access, correction, or deletion requests to the contractor you hired — they control your data. We will assist them in fulfilling your request.

7. Cookies and similar technologies

VEVVO uses a small number of cookies and equivalent storage:

• Strictly necessary — session cookies set by our authentication provider (Clerk) that keep you logged in, and a CSRF token cookie. The Service will not function without these.

• Functional — local-storage entries that remember your UI preferences (sidebar collapsed/expanded, table column choices, last-used filter) so the Service feels familiar between visits.

• Security — cookies and tokens used to detect session hijacking, brute-force login attempts, and abusive scraping.

We do not set advertising cookies, cross-site tracking pixels, or third-party analytics that follow you across other websites. The product analytics we use are first-party and tied to your authenticated session, not to a tracking identity that follows you elsewhere.

You can clear cookies and local storage at any time using your browser controls; doing so will log you out and reset your UI preferences.

8. Security

We protect your information with industry-standard administrative, technical, and physical safeguards: TLS in transit, encryption at rest for databases and backups, hashed credentials (we never store passwords in plaintext), least-privilege access controls for our staff, audit logging of administrative actions, and routine vulnerability scans of our dependencies.

No system is perfect. If we discover a security incident that affects your personal information, we will notify you and the appropriate regulators within the time required by applicable law.

You are responsible for keeping your own credentials secure, enabling multi-factor authentication where offered, and revoking access for former employees.

9. International data transfers

VEVVO is operated from the United States and our primary infrastructure is in the United States. Sub-processors (Stripe, Clerk, Resend, Twilio, our cloud hosting provider) may also process data in the United States and other countries where they operate.

If you access the Service from outside the United States, you understand that your information will be transferred to and processed in the United States, which may have data-protection rules different from those in your own country. Where required, we rely on standard contractual clauses or other lawful transfer mechanisms with our sub-processors.

VEVVO is targeted at U.S.-based contractors and is not designed for, marketed to, or actively sold into the European Economic Area or the United Kingdom; we do not currently offer a Data Processing Addendum (DPA) for those jurisdictions.

10. Children's privacy

VEVVO is a business tool intended for use by adults. The Service is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact help@apexcoatinggroup.com and we will delete it.

11. Pricing benchmark

VEVVO includes an optional pricing benchmark that helps the on-site estimator wizard suggest typical price ranges for line items such as subfloor prep, transitions, baseboard, and removal. The benchmark is built from contributions made by other workspaces.

What we share when the benchmark is on (default): the line-item add-on type (e.g. 'subfloor'), the unit (sqft / linear ft / each), the unit price you entered, the broad flooring category if known, and the country/region you set in Settings. We never share your workspace name, customer name, job address, photos, or any free-text notes.

How we publish: a benchmark for any (add-on type × unit × region) only becomes visible inside the wizard once at least 5 different workspaces have priced it. Until then we only show curated reference prices we have set ourselves.

How to opt out: Settings → 'Help build the price benchmark'. Turning the toggle off stops new contributions immediately and excludes your historical lines from any benchmark recomputation going forward.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes — for example, a new category of data we collect, a new sub-processor that handles your data, or a new purpose of processing — will be announced by email and an in-dashboard banner with at least 30 days' notice before they take effect. Non-material changes (typo fixes, clarifications, contact info) take effect on posting. The 'Last updated' date at the top of this page always reflects the most recent revision.

13. Contact us

Questions, requests, or complaints about this Privacy Policy or your data? Email help@apexcoatinggroup.com (placeholder — confirm with counsel before launch), or write to the legal address listed in our Terms of Service. We will respond as soon as we reasonably can and within any deadlines required by applicable law.

If you are not satisfied with our response, you may have the right to lodge a complaint with the data-protection authority in your jurisdiction (for U.S. residents, typically your state Attorney General).

This document describes VEVVO's privacy practices. It is not legal advice. VEVVO recommends you consult your own counsel before relying on it, especially if you operate in a jurisdiction with specific privacy-law requirements.