Legal
Privacy Policy
Effective: April 19, 2026 · Last updated: April 19, 2026
Plain-English summary
- We collect only what we need to run FirmBase for you.
- We never sell your data. Ever.
- We don't use your project data, photos, or client records to train AI models.
- You can export or delete your data at any time.
- Our sub-processors (Vercel, Neon, Anthropic, Stripe, Resend) are listed below.
1. Who we are
FirmBase is a software-as-a-service product operated by Firm Foundations Asphalt & Concrete, LLC, a Florida limited liability company. This Privacy Policy applies to firmbase.build, the FirmBase app, its subdomains, and any FirmBase-branded mobile or desktop clients.
We are the data controller for your account information and the data processor for Customer Data you upload while using the Service.
2. What we collect
Account data
Name, email, phone (optional), company affiliation, hashed password, MFA secrets, role, and login timestamps.
Customer Data
Everything you upload while using the Service: clients, projects, photos, documents, proposals, invoices, messages, calendars, subcontractor records, daily reports, and similar business records.
Payment data
Billing name, billing address, last 4 digits of your card, and transaction history. Full card numbers are handled by Stripe — we never see or store them.
Usage data
IP address, user agent, pages visited, actions taken (logged in, created a proposal, uploaded a photo), error events, and performance metrics. We use this to debug issues and to improve the product.
Cookies
We use first-party cookies strictly for authentication (firmbase-token, firmbase-portal-token, firmbase-sub-portal-token) and CSRF protection (firmbase-csrf). We do not use advertising or cross-site tracking cookies.
3. How we use it
- Provide the Service — host your data, route notifications, process proposals, run AI features you invoke.
- Support — when you email support we can access your account to help, with an audit trail.
- Security — detect abuse, fraud, scraping, and brute-force attempts.
- Billing — charge for subscriptions, AI credits, and pay-per-use features.
- Product improvement — aggregate/anonymized metrics only. We do not use identifiable Customer Data to build or train models.
- Legal compliance — respond to lawful government requests. We will push back where we can and notify you unless legally prohibited.
4. AI features and third-party models
When you invoke an AI feature (AI proposal generation, photo analysis, card scan, etc.) the relevant prompt — which may include Customer Data — is sent to the foundation model provider. Today we use Anthropic's Claude.
Anthropic contractually agrees not to use API traffic to train public models. We send only what the feature needs (never a wholesale export of your database) and we do not store your prompts at the model provider beyond what's required for their abuse- detection retention (currently 30 days at Anthropic).
You can disable AI features per-feature or org-wide in Settings → Spend limits.
5. Who we share it with
We share data with a short list of sub-processors, each of which is contractually required to handle your data with equivalent care:
| Provider | Purpose | Data |
|---|---|---|
| Vercel | Web hosting + serverless | All request/response data in transit |
| Neon | Managed PostgreSQL | Full database at rest (encrypted) |
| Anthropic | AI model inference (Claude) | AI prompt + response data only |
| Stripe | Payments | Billing name, address, card tokens |
| Resend / SendGrid | Transactional email | Recipient email, subject, body |
| Sentry | Error monitoring | Stack traces, page URL, user id (no PII body) |
We do not sell Customer Data to third parties. We do not allow our sub-processors to use it for their own marketing or model training.
6. Data retention
Customer Data is retained for the lifetime of your subscription. After cancellation we keep it for 30 days to allow export, then delete it. Encrypted backups are overwritten on a 90-day rolling cycle.
Billing records are retained for 7 years to comply with US tax obligations.
Audit logs (who-did-what) are retained for 2 years.
7. Your rights
Depending on where you live, you may have rights to (a) access your personal data, (b) correct inaccurate data, (c) delete it, (d) export it in a portable format, (e) object to processing, or (f) withdraw consent where processing is based on consent.
California residents have rights under the CCPA/CPRA. EU / UK residents have rights under the GDPR / UK-GDPR. To exercise any right, email privacy@firmbase.build. We respond within 30 days.
8. Security
We encrypt data in transit (TLS 1.2+) and at rest (AES-256 on database + backups). Access to production is limited to authorized personnel with MFA. Passwords are hashed with bcrypt.
Report vulnerabilities to security@firmbase.build. Responsible disclosure is appreciated and will be acknowledged.
9. International transfers
Our infrastructure is in the United States. If you access FirmBase from outside the US, your data will be transferred to and processed in the US. We rely on the Standard Contractual Clauses for transfers of EU / UK / Swiss personal data.
10. Children
FirmBase is a B2B product intended for users 18 or older. We do not knowingly collect data from anyone under 13.
11. Changes to this policy
If we make material changes we'll email account owners and post a notice at least 14 days before they take effect. Non-material clarifications may be made without notice.
12. Contact
Privacy questions: privacy@firmbase.build
Security disclosures: security@firmbase.build
Mailing:FirmBase (Firm Foundations Asphalt & Concrete, LLC), Tampa, FL USA