Privacy Policy

Last updated: March 10, 2026

SubTracker ("we", "us", "our") takes your privacy seriously. This policy explains what data we collect, how we use it, who we share it with, and how you can control it. Plain English — no legal walls.

1. What We Collect

General Contractor accounts

  • Name, email address, and password (or OAuth token)
  • Company name and billing information (via Stripe — we never store raw card numbers)
  • Usage data: pages visited, features used, timestamps

Subcontractor data (uploaded by GCs)

  • Sub name and email address
  • Uploaded compliance documents (COIs, licenses, safety certifications)
  • Extracted data from documents: coverage dates, policy numbers, carrier names

Automatically collected

  • IP address and browser type (for security and debugging)
  • Error logs and performance traces

2. How We Use It

  • To provide the SubTracker service: store documents, track compliance status, and compute expiration timelines
  • To send expiration alert emails to GCs (at 90, 60, and 30 days before a document expires)
  • To send magic-link invitation emails to subcontractors on behalf of GCs
  • To run AI-assisted extraction of dates and policy fields from uploaded PDFs and images (using the Anthropic Claude API)
  • To process payments and manage your subscription (via Stripe)
  • To diagnose bugs, improve reliability, and develop new features

We do not sell your data. We do not use your compliance documents to train AI models.

3. Third-Party Services

SubTracker uses the following third-party providers. Each has its own privacy policy governing how it handles data:

| Provider | Purpose |
|---|---|
| Supabase | Database, authentication, and document storage |
| Vercel | Application hosting and edge delivery |
| Stripe | Payment processing and subscription management |
| Resend | Transactional emails (alerts and invitations) |
| Anthropic (Claude API) | AI-powered extraction of dates and fields from compliance documents |
| Sentry | Error monitoring and performance tracing |

4. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account closure upon request.
  • Uploaded documents: Retained for the duration of your subscription plus 90 days. After that, deleted from storage automatically.
  • Subcontractor data: Retained as long as the associated GC account is active. GCs can delete individual sub records at any time.
  • Logs and traces: Retained for 90 days for debugging and security purposes, then purged.

5. Your Rights

California residents (CCPA)

You have the right to know what personal information we collect, request deletion of your data, and opt out of any sale of your data (we don't sell it, but the right exists). To exercise these rights, email privacy@subtracker.io.

EEA/UK residents (GDPR)

You have the right to access, correct, or delete your personal data, object to processing, and request data portability. Our lawful basis for processing is contract performance (to deliver the service) and legitimate interests (to improve the platform). To submit a request, email privacy@subtracker.io. We respond within 30 days.

6. Security

We use industry-standard security practices: TLS in transit, encrypted storage at rest, access controls, and regular security reviews. That said, no system is perfectly secure. If you discover a vulnerability, please report it to security@subtracker.io.

7. Changes to This Policy

We'll notify you by email if we make material changes to this policy, at least 14 days in advance. The updated policy will always be at subtracker.io/privacy.

8. Contact

Privacy questions or requests: privacy@subtracker.io
General: hello@subtracker.io