Privacy Policy

DRAFT — ATTORNEY REVIEW REQUIRED BEFORE PUBLICATION

This document was assembled by AI from public competitor analysis and design constraints. It is not legal advice. Do not publish, link to, or rely on it before a licensed attorney has reviewed and finalized it.

TradesKit — Field Service Management Software

1. Introduction

Cascade Software Solutions LLC ("Company," "we," "us," or "our") publishes this Privacy Policy to explain how we collect, use, disclose, and protect personal information when you use TradesKit (the "Service"), visit our websites (including tradeskit.io), or otherwise interact with us.

This Privacy Policy applies when we act as the controller of your personal information. When our customers use the Service to process information about their employees, contractors, or end customers, those customers are the controllers of that information and we act as their processor under the Data Processing Addendum. If you are an end customer of a TradesKit customer, please direct privacy questions to that customer in the first instance. See Section 11 for more about this distinction.

Please read this Privacy Policy carefully. By using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, do not use the Service.

2. Information We Collect

2.1 Information You Provide

When you sign up for or use the Service, you may provide us with:

| Category | Examples | |----------|----------| | Identifiers | Name, business name, email address, phone number, postal address | | Login credentials | Username, password, two-factor codes | | Employment information | Job title, role, employer, license numbers (where collected) | | Payment information | Billing contact, billing address, last four digits of payment method (full payment details are collected by our payment processor on our behalf and not stored by us) | | Communications | Support tickets, in-app chat messages, recorded calls and transcripts (when you use call recording or AI transcription features) | | Photos and files | Job photos, signatures, attachments, and other files you upload | | AI inputs | Text prompts, voice recordings, and images you submit to AI Features |

2.2 Information We Collect Automatically

When you use the Service, we and our service providers automatically collect:

• Device and connection information: IP address, browser type, operating system, device identifiers
• Usage information: pages and features used, session duration, click paths, search terms, timestamps, error logs
• Location information: approximate location derived from IP address; precise location only if you grant permission to the mobile app
• Cookies and similar technologies: see Section 6 for details

2.3 Information from Third Parties

We may receive information about you from:

• Our affiliates and corporate partners
• Marketing partners, lead-generation vendors, and data enhancement providers
• Public sources (such as business directories)
• Your social-network or single-sign-on providers if you connect them to the Service

2.4 End-Customer Information You Upload

You may upload information about your end customers to the Service (such as names, addresses, phone numbers, service history, and photos). We process that information as your service provider / processor under the Data Processing Addendum. You are the controller of that information. See Section 11.

3. How We Use Information

We use personal information to:

| Purpose | Legal Basis (where required by law) | |---------|--------------------------------------| | Provide, operate, and maintain the Service | Performance of contract | | Authenticate and secure Accounts; prevent fraud | Performance of contract; legitimate interest | | Process payments and manage billing | Performance of contract | | Communicate with you about your Account, support requests, security alerts, and changes to the Service | Performance of contract; legal obligation | | Send marketing communications (subject to your opt-in or opt-out rights) | Consent; legitimate interest | | Personalize and improve the Service, including by analyzing usage patterns | Legitimate interest | | Develop new features and products, including AI Features (subject to the limits in Section 4) | Legitimate interest | | Comply with law, regulatory requirements, and legal process | Legal obligation | | Defend, exercise, or establish legal rights | Legitimate interest |

We do not sell personal information for monetary consideration, and we do not engage in cross-context behavioral advertising of personal information in the senses defined by the CCPA and similar state laws.

4. Artificial Intelligence and Machine Learning

The Service includes AI Features (as defined in our AI Acceptable Use Addendum). When you use AI Features, the AI inputs you submit and the AI outputs the Service generates may be processed by us and by our third-party AI providers (currently including, but not limited to, Anthropic).

We do not use Customer Data to train any AI model unless you affirmatively opt in. We do not authorize our AI providers to use your AI inputs or AI outputs to train their general-purpose models; our agreements with AI providers contain that restriction.

Open question for attorney: Confirm against Anthropic's then-current API terms that the "no-training" representation we are making in this Privacy Policy is supported by the upstream contract. If the upstream contract changes, this Privacy Policy section must be updated.

AI outputs are advisory. You are responsible for reviewing AI outputs before relying on them. See the AI Acceptable Use Addendum for full terms.

5. How We Disclose Information

We disclose personal information to:

• Affiliates of Cascade Software Solutions LLC, for purposes consistent with this Privacy Policy.
• Service providers and sub-processors that we engage to operate the Service (hosting, payments, communications, AI, analytics, customer support). A current list of sub-processors is at Section 7 and updated periodically per the Data Processing Addendum.
• Your authorized contacts and integrations, including third-party applications you choose to connect to the Service.
• Customers (where applicable): if you are an end customer of a TradesKit customer, that customer (the data controller) receives information about your interactions with them through the Service.
• Legal and regulatory recipients when we believe in good faith that disclosure is required by law, regulation, legal process, or to protect rights, property, or safety.
• Successors in interest in a merger, acquisition, financing, reorganization, or sale of substantially all assets.

We do not sell personal information to third parties for monetary consideration, and we do not share personal information for cross-context behavioral advertising.

6. Cookies and Tracking Technologies

We and our service providers use cookies and similar technologies (such as pixel tags, web beacons, and SDKs) to operate the Service, remember preferences, perform analytics, and (where you consent) personalize content.

We respect Global Privacy Control ("GPC") signals on browsers that support them and treat them as a request to opt out of any disclosure that would constitute "sharing" or "sale" under applicable state privacy laws. We currently do not respond to "Do Not Track" browser signals as no industry standard for them exists.

Open question for attorney: GPC honor is adopted (Xplor/FieldEdge precedent; ServiceTitan also honors). DNT non-response is the universal pattern in the audit set except Xplor/FieldEdge. Confirm GPC honor mechanic and its scope.

7. Sub-Processors

We engage the following categories of sub-processors. A current detailed list (including names, purposes, and processing locations) is published at [SUB-PROCESSOR PAGE URL TO BE INSERTED] and updated as described in our Data Processing Addendum.

| Category | Working list (placeholders to be confirmed at publication) | |----------|-----------------------------------------------------------| | Cloud hosting and database | Supabase | | Web hosting and edge compute | Vercel | | Content delivery and security | Cloudflare | | Payment processing | Stripe, Inc. | | AI providers | Anthropic | | SMS and voice | Twilio (if used at GA) | | Transactional and marketing email | SendGrid or equivalent (to be confirmed) | | Error monitoring and logging | Sentry, Datadog, or equivalent (to be confirmed) | | Analytics | To be confirmed | | Customer support and CRM | To be confirmed |

Open question for attorney: Confirm the production list at publication. Add any sub-processor we adopt before GA. The Data Processing Addendum sets the customer notice and objection mechanism for changes.

8. International Transfers

We are based in the United States and process personal information in the United States. If you access the Service from outside the United States, you understand that your personal information will be transferred to and processed in the United States.

For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards including, where applicable, Standard Contractual Clauses approved by the European Commission and the UK Addendum.

Open question for attorney: Whether to publish the full SCC text or incorporate it by reference; whether the V1 ICP (US + Canada) makes EU/UK/Swiss transfer language load-bearing or precautionary. Currently drafted as precautionary.

9. Data Retention

We retain personal information for as long as needed to provide the Service and as required for our legitimate business purposes and applicable law.

| Data category | Retention window | |---------------|-------------------| | Customer-facing account data (contractor profiles, contact information, business records) | Duration of the Account plus seven (7) years after termination | | Customer Data (work orders, customer records, invoices, photos uploaded by you) | Duration of the Account; 60-day post-termination export window per the Terms of Service; thereafter purged in the ordinary course subject to backup cycles | | Soft-deleted records | Thirty (30) days from soft delete before purge, unless under legal hold | | Telemetry, error logs, security logs | Up to thirteen (13) months in identifiable form | | Marketing engagement data | Up to twenty-four (24) months from last interaction | | Support correspondence | Up to three (3) years | | Payment and tax records | As required by U.S. federal and state tax law (commonly seven (7) years) |

These windows may be extended where required by legal hold, dispute, regulatory request, or applicable law.

Open question for attorney: 7-year customer-facing retention reflects U.S. tax-recordkeeping norms and aligns with the working-numbers in the kickoff. Confirm against state-specific requirements (CA, OR, TX, NY) and against any applicable industry retention obligations for contractor records.

10. Your Privacy Rights

Depending on where you live and the law that applies, you may have one or more of the following rights regarding your personal information:

• Right to know / access — request a copy of personal information we hold about you
• Right to correct — request that we correct inaccurate information
• Right to delete — request deletion of personal information
• Right to portability — request a portable copy of certain information
• Right to opt out of "sale" or "sharing" for cross-context behavioral advertising
• Right to limit the use of sensitive personal information (where applicable)
• Right to appeal a denied request (where applicable)
• Right to non-discrimination for exercising privacy rights

To exercise these rights, contact us at privacy@tradeskit.io or use the in-Service privacy controls. We may need to verify your identity before responding. If you are an Authorized User of a TradesKit customer, direct your requests to that customer in the first instance; we will assist as the processor under the Data Processing Addendum.

Open question for attorney: privacy@ alias to be provisioned on the tradeskit.io domain. In-Service privacy-controls UI is built but not legally wired per kickoff §"Privacy policy specifics."

10.1 California Residents (CCPA / CPRA)

If you are a California resident, you have the rights described above and:

• The right to know what categories of personal information we collect, the categories of sources, the business or commercial purpose, and the categories of recipients.
• The right to opt out of any "sale" or "sharing" of personal information as defined by California law. We do not sell personal information for monetary consideration and do not share personal information for cross-context behavioral advertising. We honor GPC signals as an opt-out request.
• The right to limit the use of sensitive personal information.
• The right to non-discrimination for exercising your rights.
• The right to authorize an agent (with verified written authority) to exercise rights on your behalf.

Categories of personal information collected (CCPA framework): identifiers; commercial information; internet or other electronic network activity; geolocation data (approximate; precise only with permission); audio, electronic, or visual information (call recordings, photos, transcripts); professional or employment-related information; inferences drawn from the foregoing.

California "Shine the Light" (Civ. Code § 1798.83): We do not disclose personal information to third parties for those third parties' direct marketing purposes.

10.2 Virginia Residents (VCDPA)

If you are a Virginia resident, in addition to the general rights, you have the rights to confirm processing, access, correct, delete, obtain a copy in a portable format, and opt out of (a) targeted advertising, (b) the sale of personal data, and (c) profiling in furtherance of decisions producing legal or similarly significant effects. You have the right to appeal a denied request. To appeal, email privacy@tradeskit.io with subject "VCDPA Appeal."

10.3 Colorado Residents (CPA)

If you are a Colorado resident, in addition to the general rights, you have the rights to access, correct, delete, obtain a portable copy, and opt out of targeted advertising, the sale of personal data, and certain profiling. You have a right to appeal a denied request.

10.4 Connecticut Residents (CTDPA)

If you are a Connecticut resident, in addition to the general rights, you have the rights to access, correct, delete, obtain a portable copy, and opt out of targeted advertising, the sale of personal data, and certain profiling. You have a right to appeal a denied request.

10.5 Utah Residents (UCPA)

If you are a Utah resident, in addition to the general rights, you have the rights to access, delete, obtain a portable copy, and opt out of targeted advertising and the sale of personal data.

10.6 Oregon Residents (Oregon Consumer Privacy Act)

If you are an Oregon resident, in addition to the general rights, you have the rights to confirm processing, access, correct, delete, obtain a portable copy, opt out of targeted advertising, the sale of personal data, and certain profiling. You also have the right to a list of the specific third parties (other than natural persons) to which we have disclosed your personal data.

Open question for attorney: Oregon DPA went into effect July 2024. Cascade Software Solutions LLC is an Oregon entity, so Oregon DPA's processor and controller obligations attach by operating jurisdiction in addition to consumer residency. Confirm the specific-third-parties disclosure mechanism this section commits us to is operationally tractable.

10.7 Other State Laws

We honor analogous rights for residents of Delaware, Iowa, Indiana, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Rhode Island, Tennessee, Texas, and other states with comprehensive privacy laws to the extent those laws apply to our processing.

10.8 European Economic Area, United Kingdom, and Switzerland

If you are in the EEA, UK, or Switzerland, in addition to the general rights you have the right to restrict or object to certain processing, to withdraw consent at any time (without affecting the lawfulness of prior processing), and to lodge a complaint with a supervisory authority. The data controller for your information is Cascade Software Solutions LLC at the address in Section 14.

Legal bases for processing are as set out in the table in Section 3.

Open question for attorney: Whether to formally appoint an EU representative (Art. 27 GDPR) given low EU ICP exposure at V1. Probably not necessary unless EU shops materialize.

11. Notice to End Customers

If your information is processed through the Service because a TradesKit customer (such as a contractor whose services you have engaged) is using the Service to manage their business, that customer is the data controller of your information and we are the data processor. Please direct privacy inquiries — including requests to access, correct, delete, or restrict use of your information — to that customer in the first instance.

We will provide reasonable assistance to TradesKit customers in responding to end customer requests under our Data Processing Addendum.

12. Security

We implement administrative, technical, physical, and organizational measures designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include encryption in transit, encryption at rest for sensitive data, access controls, employee training, vendor diligence, and incident-response procedures.

No system is perfectly secure. You are responsible for keeping your account credentials confidential and for using available security features (such as two-factor authentication).

13. Children's Privacy

The Service is not directed to or intended for use by children. We do not knowingly collect personal information directly from children under the age of 16. If you are a TradesKit customer and you upload information about end customers who are minors (for example, when recording a parent or guardian as a contact for a residential service call where a minor is also present), you are responsible for complying with applicable children's privacy laws (including the U.S. Children's Online Privacy Protection Act where applicable).

If you believe a child under 16 has provided us with personal information, contact us at privacy@tradeskit.io and we will take steps to delete it.

14. Contact

For privacy questions, requests, or complaints, contact us:

`` Cascade Software Solutions LLC Attn: Privacy 5441 S Macadam Ave, Ste N Portland, OR 97239 USA Email: privacy@tradeskit.io ``

You also have the right to lodge a complaint with your local data protection authority.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the revised Privacy Policy on our website and updating the "Last Updated" date, and where required by law by sending you a direct notice. Your continued use of the Service after a change becomes effective constitutes acceptance.

Open Questions for Attorney Review

Items flagged during drafting. The competitor-audit synthesis at _legal/_research/competitor-audit-synthesis.md §6 (privacy policy patterns) and §9 expands on each.

1. GPC honor mechanic. Section 6 commits us to honoring GPC. Confirm Xplor/FieldEdge's per-browser-per-device implementation pattern is the right operational mechanic.
2. Sub-processor list at publication. Section 7 contains a working placeholder list. Confirm the actual production list before publication.
3. EU/UK transfer language. Section 8 currently treats EU transfers as precautionary. Confirm whether to keep SCCs language load-bearing or to scope down to "no EU customers at V1" disclaimer.
4. 7-year retention working number. Section 9 uses 7 years for customer-facing data. Confirm against contractor-recordkeeping obligations, state-specific tax record retention, and any HVAC/Plumbing/Electrical regulatory retention overlays.
5. VCDPA / CPA / CTDPA / UCPA / Oregon state-specific section coverage. Sections 10.2-10.6 ship explicit state sections. The audit shows ServiceTitan is the only competitor that does this comprehensively (§6.2). Confirm depth.
6. Oregon DPA processor + controller obligations. Section 10.6 flags operating-entity-jurisdiction relevance. Confirm whether additional Oregon-specific notices are required.
7. Texas Data Privacy and Security Act (TDPSA), effective 2024. Section 10.7 mentions Texas. Confirm whether to add a Texas-specific subsection given V1 ICP TX-state weight (HVAC TX-top-5, Plumbing TX-top-1, Electrical TX-top-1).
8. Children threshold: 13 vs 16. Section 13 uses 16 (CCPA-aligned, ServiceTitan / HCP / Xplor pattern). Confirm vs COPPA-13 floor.
9. In-Service privacy-controls UI legal wire-up. Per kickoff, the UI is built but not legally wired. Confirm publication blocks on UI completion or use email-only fallback at publication.
10. EU representative appointment (Art. 27 GDPR). Section 10.8 flags low V1 priority. Confirm.
11. California Shine the Light response. Section 10.1 declines third-party direct-marketing disclosure. Confirm operational truth (no marketing-data sharing for third parties' own marketing).
12. Pre-publication sub-processor notice to existing customers. If we publish this Privacy Policy with a Section 7 list that differs from current operational reality, confirm whether customer notice is required.
13. No-AI-training representation. Section 4 promises no Customer Data is used to train models without opt-in, and that our AI providers do not use AI inputs/outputs for general-model training. Confirm Anthropic's then-current API terms support this representation. Update if the upstream contract changes.
14. legal@ / privacy@ alias provisioning. Sections 10, 14 use privacy@tradeskit.io. Confirm Migadu routing per project memory's email infrastructure pattern (domain-segregated, not Gmail) before publication.

By using TradesKit, you acknowledge that you have read and understood this Privacy Policy.