Privacy Policy

Effective May 14, 2026

Ed's Legacy Paints ("we," "us") is a family-owned painting business in Kingsland, Georgia. This page explains what personal information we collect when you use our website at edslegacypaints.com, why we collect it, how long we keep it, and what choices you have. We aim to collect only what we need to quote, schedule, and complete your painting project — and to be honest about everything else.

What we collect

From the public site

  • When you request a quote ("Submit a Quote"): your name, email address, phone number, property address, project type, and any notes you write us. Stored in our leads database with a created-at timestamp and the IP address that submitted the form (used to detect spam and abuse — see "Diagnostic data" below).
  • When you build a self-quote estimate: the rooms, dimensions, and surface choices you select. Stored in our estimate_shares database tied to a long-lived but revocable share-link URL.
  • When you email yourself an estimate: the recipient email and a snapshot of the estimate. We mail it via our email provider (see "Sub-processors").

When you sign in

  • Your email address (used as your account identifier).
  • Short-lived sign-in tokens ("magic links" and 6-digit OTP codes) sent to your inbox. These expire within 1 hour and are single-use.
  • An HTTP-only session cookie set by Supabase Auth on successful sign-in. Used only to identify you on subsequent requests.

If Ed adds you as a customer manually

  • Your name, email, phone numbers, property addresses, and any notes Ed writes in your customer record.
  • We automatically create your sign-in account using the email Ed entered, so you can log into your customer portal without a password.

Diagnostic data

  • Standard web-server logs (IP address, user agent, URLs visited, timestamps) for security and debugging. Retained for up to 30 days unless we're investigating an incident.
  • IP address and browser user-agent on sign-in attempts and lead submissions, to detect abuse. Retained with the related record; we plan to truncate IPs to /24 (anonymize the last octet) in a future update.

What we do NOT collect

  • No payment card information. We use Stripe for business payouts only. We do not currently take card payments from customers; if we add that, Stripe handles all card data and we never store or see card numbers.
  • No third-party advertising trackers. No Google Analytics, no Meta pixel, no marketing cookies.
  • No precise location data. We work from the property address you give us; we do not track GPS.

Why we collect it

  • To prepare and send you a paint quote.
  • To schedule and perform painting work at your property.
  • To invoice you for completed work and process payment.
  • To message you about your project (text or email).
  • To keep your customer history so we can serve you better next time.
  • To detect abuse and secure our systems (sign-in IPs, server logs).

Sub-processors we use

We rely on the following service providers to operate the site and the app. Each handles a slice of the data above under their own privacy policies.

  • Vercel — web hosting (policy).
  • Supabase — database, authentication, file storage (policy).
  • Resend — outbound email delivery (policy).
  • Stripe — business payouts only; no customer card data yet (policy).

We do not sell or rent your information to anyone. We do not share it with advertisers.

How long we keep it

  • Sign-in tokens (magic links, OTP codes): 15 minutes after issue, or 1 hour for the underlying Supabase token, whichever is shorter.
  • Cross-device handoff records ("auth_handoffs"): automatically purged within 24 hours after expiry.
  • Estimate share records: 90 days, then auto-deleted unless converted to an active quote.
  • Quote requests / leads we never convert into customers: kept for up to 24 months, then deleted.
  • Active customers and project history: kept as long as the relationship is active. You can request deletion at any time (see "Your rights").
  • Web server logs: 30 days.

Your rights

Regardless of which state you live in, you can ask us to:

  • Tell you what personal information we have about you (a copy of your records).
  • Correct any information you believe is wrong.
  • Delete your information, subject to limited business-record requirements (we may keep invoices and tax records as required by law).
  • Stop sending you marketing emails or texts (transactional messages like quote confirmations and schedule updates may still go out as long as you have an active project with us).

Email us at privacy@edslegacypaints.com from the address on your account and we'll respond within 45 days. If you live in California, Virginia, Colorado, or another state with a comprehensive privacy law, you have the same rights under those laws.

Children

Our service is for adults arranging painting work on their property. We do not knowingly collect personal information from children under 13. If you believe a child has submitted information through our site, email us and we will delete it.

Updates to this policy

If we change the data we collect or how we use it, we'll update this page and bump the "Effective" date at the top. Significant changes will be summarized in our release notes inside the customer portal.

Contact

Ed's Legacy Paints
Kingsland, GA 31548
Phone: (912) 409-4529
Privacy questions: privacy@edslegacypaints.com
General inquiries: edslegacypaints@gmail.com