Draft — requires legal review before public launch.

Privacy Policy

Last updated: May 2026

1. Who we are

Tradecraft is a private contractor intelligence network for verified home-service businesses, operated by [Company legal name]. When this policy says “Tradecraft,” “we,” or “us,” it refers to that entity.

2. Data we collect

From Members (verified businesses):

  • Account data: email address, display name, business name, trade type, service area, and verification documents (license, insurance certificate).
  • Billing data: handled by Stripe. We store only a Stripe customer ID and subscription status — no card numbers.
  • Usage data: lookup history, submission records, credit ledger, session events.

From intelligence submissions (about clients):

  • Client identity data: name, email, phone, address — stored as normalized identifiers, not as searchable free text.
  • Project signals: numeric ratings, severity flags, project type, value range, and completion date.
  • Notes: the original text is retained only in a legal-hold audit log; other Members see only the AI-neutralized version.
  • Evidence files: stored in encrypted, access-controlled storage.

Automatically collected:

  • Request logs (Vercel infrastructure), IP addresses (hashed), browser/device type.
  • Performance and error telemetry (Vercel Analytics, Sentry).

3. How we use your data

  • To operate the platform: authenticate you, serve lookups, moderate submissions, compute risk scores.
  • To communicate with you: transactional emails for verification status, submission decisions, and billing.
  • To prevent abuse: fraud detection, rate limiting, ban enforcement.
  • For legal compliance: responding to legal requests, maintaining audit logs.

We do not use your data for advertising, behavioral profiling, or sale to third parties.

4. Sub-processors

We share data only with these service providers:

  • Supabase — database and file storage. Data encrypted at rest and in transit.
  • Stripe — billing. Processes card data under PCI-DSS compliance. We never see raw card numbers.
  • OpenAI — AI moderation and neutralization of submission notes. We use the API tier; OpenAI retains inputs for zero days by default and does not train on API submissions.
  • Resend — transactional email delivery. Retains delivery logs for 30 days.
  • Vercel — hosting and CDN. Request logs do not include application-level data.
  • Sentry — error monitoring. Payloads are scrubbed to avoid capturing PII.

We may also disclose data in response to valid legal process (court order, subpoena) or to protect the safety of users or the public.

5. Data retention

  • Account data is retained while your account is active and for a reasonable period afterward to satisfy legal obligations.
  • Submission data is retained indefinitely for the network's utility. Submissions can be deleted via a verified DSAR erasure request or by the submitting Member withdrawing their own submission.
  • Audit logs are retained for a minimum of three years.
  • Billing data is retained per Stripe's own retention policies.

6. Your privacy rights

Depending on where you live, you may have rights under CCPA/CPRA or other state privacy laws, including:

  • Access — know what personal data we hold about you.
  • Deletion — request erasure of your personal data.
  • Correction — request correction of inaccurate data.
  • Opt-out of sale — we do not sell personal data; we will confirm upon request.
  • Opt-out of profiling — we do not profile individuals for advertising purposes.

We will respond to verified requests within 45 days. Submit a request via our data subject request form or email privacy@cofabri.com.

7. Security

We use TLS in transit, encryption at rest, row-level security policies, Content Security Policy headers, and regular access reviews. Sensitive operations are logged and monitored.

To report a security vulnerability, email security@cofabri.com. We aim to acknowledge reports within 48 hours.

8. Children

Tradecraft is not directed at individuals under 18. We do not knowingly collect data from minors.

9. Changes to this policy

We will notify you of material changes by email or in-app notice. Continued use after the effective date constitutes acceptance.

10. Contact

Privacy questions: privacy@cofabri.com