Privacy Policy
Overview
RoofForge, LLC ("RoofForge," "we," "us," or "our") operates the RoofForge mobile application (iOS and Android) and the website roofforge.app (collectively, the "Service"). This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and the choices you have regarding your data.
By downloading or using the Service, you agree to the collection and use of information as described in this Policy. If you do not agree, please do not use the Service.
This Policy applies to all users of the Service, including roofing contractors, company administrators, inspectors, and sales representatives.
Data We Collect
We collect the following categories of information when you use the Service:
2.1 Account & Identity Information
- Full name — used to identify you within your organization
- Mobile phone number — used for SMS one-time password (OTP) authentication; required to create an account
- Email address — used for bid delivery, notifications, and account recovery
- Company name and location — used to populate bids and invoices
- Contractor license number — optionally provided; displayed on bid documents
- Profile photo / company logo — optionally uploaded; displayed in bids and the approval portal
- Team role — Owner, Admin, Inspector, or Sales Rep; controls feature access
2.2 Job & Business Data
- Job addresses and customer information — names, phone numbers, and property addresses entered by you
- Inspection records — roof type, pitch, damage checklists, notes, and AI-generated summaries
- Bid line items, pricing, and totals — all financial data you enter or generate
- Insurance claim details — carrier, claim numbers, adjuster contacts, approved amounts, supplements
- E-signature events — timestamp and approval status when a customer signs a bid
2.3 Photos & Media
- Inspection and job-site photographs — images you capture or upload during inspections
- GPS coordinates — latitude and longitude recorded at the moment of photo capture (when location permission is granted) to provide chain-of-custody verification for insurance adjusters
- File hash (SHA-256) — a cryptographic fingerprint of each photo used to verify the photo has not been modified
- Device metadata — optional EXIF data (device model, capture time) embedded in photos
2.4 Device & Usage Information
- Push notification token — generated by your device's OS to deliver job and bid alerts; you may revoke permission at any time in device settings
- Crash and error logs — anonymized technical errors used to improve app stability; these logs do not include personal data
- App version and OS version — used for compatibility troubleshooting
2.5 Payment Information
Subscription payments are processed by Stripe, Inc. We do not store credit card numbers, CVCs, or bank account details on our servers. Stripe provides us only with a subscription status, plan tier, and billing email. See Stripe's Privacy Policy.
| Data type | Required? | Purpose |
|---|---|---|
| Phone number | Yes | OTP login, bid SMS delivery |
| Name & email | Yes | Account, bid documents, notifications |
| Company & location | Yes | Bid headers, org record |
| Job photos | App function | Inspection documentation |
| GPS coordinates | Optional | Photo evidence verification |
| Customer info | App function | Bid delivery, job records |
| License number | Optional | Displayed on bid PDFs |
| Push token | Optional | Job & bid notifications |
| Payment data | Paid plans | Handled entirely by Stripe |
How We Use Your Data
We use collected information only to operate and improve the Service. Specifically:
- Authentication — to verify your identity via phone OTP and maintain your session
- App functionality — to create, store, and display jobs, inspections, bids, and claims within your organization's workspace
- Document generation — to populate bid PDFs, email templates, and the customer approval portal with your company and job data
- Communication delivery — to send bid notifications to customers via SMS or email on your behalf
- GPS evidence — to embed coordinates into photos so adjusters can verify damage location; coordinates are stored with the photo and never used for tracking your movements
- Push notifications — to alert you when a bid is approved, a claim is updated, or a new lead is assigned
- AI features — to generate inspection summaries and bid recommendations using the data you enter; AI outputs are for reference only and are never stored or used to train models without your consent
- Billing — to manage your subscription through Stripe
- Support — to diagnose issues and respond to support requests
- Security — to detect fraud, unauthorized access, or abuse
We will NEVER:
- Sell, rent, or trade your personal data or your customers' data to any third party
- Use your job photos, customer information, or business data for advertising purposes
- Share your data with other RoofForge customers or organizations
- Use GPS data to track your location continuously or outside of photo capture events
- Train AI models on your proprietary data without explicit written consent
Storage & Security
All data is stored in Supabase, a managed cloud database platform hosted on AWS infrastructure in the United States. Supabase is SOC 2 Type II compliant. See Supabase Security.
Encryption
- In transit: All data between the app and our servers is encrypted using TLS 1.2 or higher
- At rest: Database and storage volumes are encrypted using AES-256
- Photos: Stored in Supabase Storage (S3-compatible) with per-organization access controls; each org's files are isolated and inaccessible to other tenants
- Authentication tokens: Stored in your device's encrypted AsyncStorage using PKCE (Proof Key for Code Exchange) flow
Access Controls
- Row-Level Security (RLS) policies enforce that users can only access data belonging to their own organization
- RoofForge employees access production data only for support purposes and only with audit logging enabled
- No employee can access your photos, job data, or customer information without a documented support ticket
Incident Response
In the event of a data breach affecting your personal information, we will notify affected users within 72 hours of becoming aware of the incident via the email address on your account, as required by applicable law.
Sharing & Disclosure
We do not sell your data. We share information only in these limited circumstances:
5.1 Service Providers
We use the following sub-processors who may process your data on our behalf:
- Supabase — database, storage, and authentication hosting
- Stripe — payment processing; handles billing data only
- Twilio — SMS delivery for OTP login and bid notifications (phone number only; not stored by Twilio beyond delivery)
- Resend / Amazon SES — transactional email delivery (email address and bid content)
All sub-processors are bound by data processing agreements consistent with applicable privacy law.
5.2 Your Organization
If you are a team member (Inspector, Sales Rep) within an organization, your name, role, and job activity are visible to Owners and Admins of that organization. No data is shared across organizations.
5.3 Customer-Facing Bid Portal
When you send a bid, your company name, logo, license number, contact information, and bid line items are shared with the customer via a unique approval link. This sharing is initiated by you and is required for the core function of the Service.
5.4 Legal Requirements
We may disclose your information if required to do so by law, court order, or government authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of RoofForge, our users, or the public.
5.5 Business Transfers
In the event of a merger, acquisition, or sale of all or substantially all of our assets, your data may be transferred as part of that transaction. We will notify you by email before your data is subject to a different privacy policy.
Data Retention
We retain your data for as long as your account is active. After account deletion:
- Your profile, jobs, bids, inspections, and claims are deleted within 30 days
- Photos stored in Supabase Storage are deleted within 30 days
- Billing records required by tax law are retained for 7 years (Stripe-held)
- Anonymized, aggregated usage statistics (no personal data) may be retained indefinitely for product improvement
- Backup snapshots are purged within 90 days following deletion
If your subscription lapses but your account is not deleted, your data is retained in a read-only state for 90 days to allow you to export or reactivate. After 90 days of non-payment, data is scheduled for deletion with 14 days' email notice.
Your Rights
Regardless of where you are located, you have the following rights with respect to your personal data:
Access
You may request a copy of all personal data we hold about you. Email support@roofforge.app with the subject "Data Access Request." We will respond within 30 days.
Correction
You may correct inaccurate or incomplete data at any time directly in the app (Profile screen) or by contacting support.
Export (Data Portability)
You may request a machine-readable export of your jobs, bids, inspections, claims, and photos. Email support@roofforge.app with the subject "Data Export Request." We will provide a downloadable archive within 30 days.
Deletion ("Right to be Forgotten")
You may request permanent deletion of your account and all associated data. Email support@roofforge.app with the subject "Account Deletion Request" from the email address on your account. Deletion is completed within 30 days, subject to the retention obligations described in Section 6 (Data Retention).
Objection & Restriction
You may object to or request restriction of specific processing activities by contacting us. Where we rely on legitimate interests as a legal basis, you may object, and we will cease processing unless we can demonstrate compelling legitimate grounds.
California Residents (CCPA)
California residents have additional rights under the California Consumer Privacy Act, including the right to know what personal information is collected, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising CCPA rights. To exercise these rights, contact us at support@roofforge.app.
EEA / UK Residents (GDPR)
If you are located in the European Economic Area or United Kingdom, you have rights under GDPR including access, rectification, erasure, portability, and the right to lodge a complaint with your local supervisory authority. Our lawful basis for processing is contract performance (operating the Service you subscribed to) and legitimate interests (security and fraud prevention).
Children's Privacy
The Service is intended for use by roofing professionals and is not directed at children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If we learn that we have collected information from a child under the applicable age threshold, we will delete it promptly. If you believe we have collected such data, please contact support@roofforge.app.
Cookies & Tracking
The RoofForge mobile app does not use browser cookies. Authentication tokens are stored in your device's secure AsyncStorage.
The RoofForge website (roofforge.app) uses only essential first-party cookies necessary for the site to function (session state). We do not use advertising cookies, cross-site tracking pixels, or third-party analytics without consent. The customer-facing bid approval portal (approve?bid=...) does not set any cookies.
Third-Party Services
The Service integrates with the following third-party services. Their privacy practices govern their handling of your data:
We are not responsible for the privacy practices of third-party services you choose to connect or link to through the app.
Policy Changes
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Send an in-app notification and email to all active account holders
- Require acknowledgment within the app for changes that affect how we use your data
Continued use of the Service after the effective date of a revised Policy constitutes acceptance of the new terms. If you disagree with changes, you may delete your account before the effective date.
Previous versions of this Policy are available upon request by emailing support@roofforge.app.
Contact Us
For any questions, data requests, or privacy concerns, please contact our privacy team:
RoofForge, LLC
Subject line for requests:
- Data Access Request
- Data Export Request
- Account Deletion Request
- Privacy Concern
We aim to respond to all privacy-related requests within 5 business days and to complete requests within 30 days.