TimberFax Privacy Policy
Effective April 30, 2026.
1. Plain-language summary
- We collect the minimum information needed to operate TimberFax: your account details, the homes and service events you record, photos you upload, and basic technical logs.
- We do not sell your information.
- You can request a copy of your data, or its deletion, by emailing [email protected].
2. Information we collect
You provide
- Account information: name, email address, password (stored only as a salted scrypt hash), role (admin / contractor / homeowner).
- Contractor application information: business name, trade, contact details, license number, service area, optional cover message.
- Home and service records: home label and address, build details, service events, materials used, and any notes you enter.
- Photographs you upload to a home record.
Collected automatically
- Authentication metadata: timestamp and outcome of sign-in attempts, source IP, and account identifier (used solely for rate-limiting). Records older than 48 hours are pruned automatically.
- Application logs: structured event logs (page render, API call, errors) used to diagnose issues. Logs are retained by our hosting provider for up to 30 days and do not include passwords or photo contents.
- Cookies: a single first-party session cookie (HTTP-only, SameSite=Lax, signed) used to keep you signed in. We do not use third-party analytics or advertising cookies.
3. How we use information
- Operate, maintain, and improve the Service.
- Authenticate you and prevent abuse (rate-limiting, audit logging).
- Send transactional email: account verification, password reset, contractor application updates, owner invitations.
- Comply with applicable law and respond to lawful requests.
We do not use your information to send marketing email and we do not display advertising.
4. How we share information
- Other TimberFax users: contractors can see the home records they have logged work on; homeowners can see their own home records and the contractors that worked on them; admins can see all accounts and records.
- Service providers: Amazon Web Services (hosting + database + photo storage), Cloudflare (content delivery + DNS), and Resend (transactional email). Each only receives the minimum information needed to perform its function and is contractually required to protect your data.
- Legal compliance: when required by law, court order, or to protect rights and safety.
We do not sell, rent, or trade your personal information.
5. Where data is stored
The application database, photo storage, and application logs are hosted on Amazon Web Services in the United States (us-east-1). Email is handled by Resend (also U.S.). If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S.
6. Data retention
- Account records: kept while your account is active and for up to 90 days after deletion to support audit and dispute resolution.
- Photos: kept while the linked home record is active. Deletion of a home record removes the photos from active storage; backups age out over 30 days.
- Login attempts: pruned automatically after 48 hours.
- Magic-link tokens: invalidated on first use or after their natural expiry (1 hour for password reset, 24 hours for verification, 7 days for invitations).
7. Your rights
You can:
- Request a copy of the personal information we hold about you.
- Request correction of inaccurate information.
- Request deletion of your account and personal information (subject to legal retention obligations).
- Withdraw consent or object to processing where processing is based on consent.
- Lodge a complaint with the data-protection authority in your jurisdiction.
To exercise any of these rights, email [email protected]. We respond within 30 days.
8. Children
The Service is not directed to children under 13 (or under 16 in jurisdictions where the applicable age is higher). We do not knowingly collect personal information from children. If you believe a child has provided us with information, contact [email protected] and we will delete it.
9. Security
We use industry-standard safeguards: TLS in transit, scrypt-hashed passwords with per-user salt, signed and HTTP-only session cookies, rate-limited sign-in, defense in depth on file uploads, separate IAM credentials for storage, and least-privilege access for service operators. No system is perfectly secure; if you discover a vulnerability, please report it responsibly to [email protected].
10. Changes
We may update this Privacy Policy from time to time. Material changes will be announced via the Service or email when reasonably possible. The “Effective” date at the top of this page reflects the most recent revision.
11. Contact
Privacy questions and requests: [email protected].
This policy is a starting baseline written for an early-stage launch. It does not constitute legal advice. Have a licensed attorney in your jurisdiction adapt it before operating in a regulated industry or processing personal data of EU/UK residents at scale.