Privacy Policy

Last Updated: 2/25/2026

The Short Version

We collect the minimum data needed to run the Service. We use it only to operate TradeStack. We do not sell your data to third parties. Worker PII is encrypted and access-controlled. You can request data deletion at any time.

01 Data Collection

We collect information you provide directly when you create an account, create a project, or input worker data. This includes:

Business Information

Company name, business address, contact email, phone number, and subscription billing details.

Worker PII (Personally Identifiable Information)

Worker names, addresses, SSN fragments (last 4 digits only — used exclusively for WH-347 certified payroll reports as required by federal law), job classifications, wage rates, and hours worked.

Usage Data

Login timestamps, feature usage patterns, device type, browser type, and IP address. We also collect GPS coordinates when the field time-tracking feature is actively in use (with worker awareness).

Offline Data

Time logs and field data may be temporarily stored on the user's device via the progressive web app (IndexedDB) before syncing to our servers when connectivity is restored.

02 How We Use Your Data

We use the data strictly to operate the Service:

  • Generating PDF compliance reports (WH-347 Certified Payroll)
  • Calculating payroll totals, fringe benefit breakdowns, and Total Rewards visualizations
  • Processing subscription payments via Stripe
  • Providing time tracking with GPS verification for project compliance
  • Sending transactional emails (account confirmation, billing receipts, compliance alerts)
  • Improving the Service through aggregated, anonymized usage analytics

✓ We do not sell your data to third parties. Ever.

03 Sub-Processors & Third Parties

To operate the Service, we share data with the following trusted infrastructure providers. Each processes only the minimum data necessary for its function:

Provider | Purpose | Data Shared
Supabase | Database hosting & authentication | All application data (encrypted at rest)
Vercel | Application hosting & CDN | Server-side request logs, IP addresses
Stripe | Payment processing | Billing name, email, payment method
Clerk | User authentication & session management | Email, name, login sessions

We do not use any advertising networks, tracking pixels, or third-party analytics that would expose your data to advertisers.

04 Data Security

We implement industry-standard security measures to protect your data:

  • All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Row-level security (RLS) ensures each tenant can only access their own data
  • SSN fragments are stored separately with additional access controls
  • Role-based access control limits data visibility by user role (Owner, Controller, Foreman, Worker)
  • Regular security reviews of infrastructure and dependencies

No system is 100% secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security.

05 Data Retention

Active Accounts: We retain your data for the duration of your active subscription to provide the Service.

After Cancellation: Upon account cancellation, we retain your data for 30 days to allow for reactivation or data export requests. After this window, your data is permanently deleted from our production systems within 90 days.

Compliance Records: Certified payroll reports and audit trail logs may be retained for up to 3 years after account termination, as these records may be required for Department of Labor compliance review periods. This retention period aligns with federal record-keeping requirements for prevailing wage projects.

Backups: Encrypted database backups are cycled every 30 days. Deleted data may persist in backup systems for up to 30 additional days before being permanently removed.

06 Data Breach Notification

In the event of a data breach that affects your personally identifiable information or worker PII, we will notify affected account holders via email within 72 hours of discovering the breach. The notification will include the nature of the breach, the data affected, the steps we are taking to address it, and recommendations for protecting yourself. We will also notify relevant regulatory authorities as required by applicable state and federal law.

07 GPS & Location Data

TradeStack collects GPS coordinates during active time-tracking sessions (clock-in and clock-out) to verify worker presence at designated project sites. This supports prevailing wage compliance by documenting that workers were physically present at the specified job location.

GPS data is collected only during active punch events — we do not continuously track worker location. GPS data is associated with individual time log entries and is accessible to account administrators through the compliance dashboard.

08 Cookies & Local Storage

We use essential cookies and local storage for authentication sessions, user preferences, and offline functionality (IndexedDB for the progressive web app). We do not use third-party advertising cookies, social media tracking pixels, or cross-site tracking technologies. The Service functions without non-essential cookies.

09 Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you or your workers
  • Correction: Request that we correct inaccurate or incomplete data
  • Deletion: Request that we delete your personal data, subject to legal retention requirements
  • Export: Request a machine-readable export of your data (CSV format)
  • Opt-Out: Opt out of non-essential communications at any time

To exercise any of these rights, contact us at privacy@gettradestack.com. We will respond within 30 days.

10 California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides additional rights:

Right to Know: You may request details about the categories and specific pieces of personal information we have collected about you in the last 12 months.

Right to Delete: You may request deletion of your personal information, subject to certain exceptions (such as compliance record retention).

No Sale of Data: We do not sell personal information as defined by the CCPA. We do not share personal information for cross-context behavioral advertising.

Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

11 Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a minor, we will take steps to delete that information promptly.

12 Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last Updated" date. For significant changes affecting how we handle worker PII, we will provide at least 30 days' advance notice via email.

13 Contact

Questions about this Privacy Policy? Contact us at privacy@gettradestack.com