Foundry Builders

1. Introduction

Foundry Software LLC (“Foundry,” “we,” “our,” or “us”) operates the Foundry Builders construction management platform available at foundrybuilders.com and related subdomains (“the Service”). This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding that information.

By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service. This policy applies to all users, including builder (contractor) account holders, their clients who access the Client Portal, and crew members who access the Crew Portal.

Foundry Software LLC is incorporated in the State of Mississippi. Our principal place of business is in Mississippi, United States.

2. Information We Collect

2.1 Account and Registration Information

When you create an account, we collect your name, email address, password (stored as a one-way cryptographic hash), company name, business address, phone number, and subscription plan details.

2.2 Construction Project and Job Data

As part of the core Service, we store the project and operational data you enter, including:

  • Job and project information: names, addresses, descriptions, start/end dates, statuses
  • Budget and cost data: line items, CSI division codes, estimates, actual costs, markup rates, billing types, and cost-plus calculations
  • Change orders, RFIs, and contract modifications
  • Daily logs, site notes, weather records, and progress reports
  • Schedules, milestones, and Gantt data
  • Client selections and allowance items
  • Documents and photos uploaded to the Service

2.3 Financial Data

We store financial records you create within the Service, including invoices, bills, payment records, budget line items, and profit-and-loss data. We do not store full payment card numbers. Payment processing for platform subscriptions is handled by Stripe (see Section 6.2). When you connect a QuickBooks account, we store OAuth access tokens and refresh tokens necessary to maintain the integration (see Section 6.4).

2.4 Crew and Team Information

For crew management features, we collect and store employee and subcontractor information you provide, which may include: names, contact information, job titles, pay rates, timecard entries, clock-in/clock-out timestamps, GPS location data associated with time punches (if enabled by the account administrator), and documents such as W-9s or certificates of insurance that you upload.

2.5 Client Portal Information

When you invite clients to access their portal, we collect the client’s name and email address and create a login-gated account for them. We record the selections, approvals, and communications clients make through the portal.

2.6 Usage and Technical Data

We automatically collect certain technical information when you use the Service:

  • IP address, browser type, operating system, and device identifiers
  • Pages visited, features used, and actions taken within the Service
  • Session duration and access timestamps
  • Error logs and performance data
  • Referring URLs

This data is collected through server logs, cookies, and analytics tools (see Section 7).

2.7 Communications

If you contact us for support or send us email, we retain those communications and any information you provide in them. We may also send you transactional emails (invoices, notifications, account updates) and, with your consent, marketing communications.

2.8 Third-Party Integration Credentials

When you authorize integrations with third-party services (such as QuickBooks Online), we store the OAuth tokens required to operate that integration on your behalf. These tokens are stored securely and are used only to perform the functions you have authorized. See Section 6.4 for QuickBooks-specific disclosures.

3. How We Use Your Information

We use the information we collect to:

  • Provide the Service — create and manage your account, store and display your project data, process transactions, and deliver the features you use
  • Operate integrations — use OAuth tokens to sync data with connected third-party services (e.g., pushing invoices to QuickBooks) at your direction
  • Send transactional communications — deliver invoices, notifications, password resets, and other operational messages your account requires
  • Provide customer support — respond to your requests, troubleshoot issues, and improve the Service based on feedback
  • Ensure security and prevent fraud — detect unauthorized access, abuse, and policy violations
  • Comply with legal obligations — respond to lawful requests from governmental authorities and fulfill our legal and regulatory responsibilities
  • Improve the Service — analyze aggregate, de-identified usage patterns to understand how features are used and to develop new capabilities
  • Send marketing communications — only with your consent, and you may opt out at any time

We do not use your project data, financial data, or crew data to train artificial intelligence or machine learning models, and we do not sell your data to third parties.

3a. SMS / Text Messaging

When a builder enables crew SMS notifications, Foundry may send transactional text messages to crew members at the mobile phone number their employer entered. Typical messages include the daily job-of-the-day notification (sent at 6am local time) and on-demand timecard confirmation requests. Message frequency varies — typically 1 to 5 messages per crew member per week.

Message and data rates may apply. Foundry does not charge for the texts themselves, but your mobile carrier may. To stop receiving messages at any time, reply STOP to any message you receive from us. To resume, reply START. For help, reply HELP or contact your employer. Your opt-out is honored immediately and applies to all future Foundry crew SMS — your employer cannot override it.

We do not use SMS for marketing. Phone numbers collected for SMS are never sold or shared with third parties for marketing purposes. SMS delivery is provided by Twilio under their standard terms of service.

4. Legal Basis for Processing

Where applicable law requires a legal basis for processing personal information, we rely on the following:

  • Contract performance — processing necessary to provide the Service you have subscribed to
  • Legitimate interests — improving the Service, security, fraud prevention, and internal analytics, where those interests are not overridden by your rights
  • Legal obligation — compliance with applicable laws and regulations
  • Consent — for marketing emails and any processing you have specifically opted into; you may withdraw consent at any time

5. How We Share Your Information

We share your information only as described below. We do not sell your personal information to third parties.

  • Service providers and sub-processors — vendors who help us operate the Service (see Section 6 for specifics). These providers are contractually required to use your data only to provide services to us.
  • Authorized integrations — when you connect a third-party service (e.g., QuickBooks), we share only the data you have explicitly authorized for that integration.
  • Legal disclosures — when required by law, court order, or governmental authority, or when necessary to protect the rights, property, or safety of Foundry, our users, or the public.
  • Business transfers — in connection with a merger, acquisition, or sale of substantially all of our assets. We will provide notice before your data becomes subject to a different privacy policy.

6. Third-Party Services and Sub-processors

6.1 Supabase (Database and Authentication)

All application data — including account information, project data, financial records, and crew information — is stored in a PostgreSQL database hosted by Supabase, Inc. on Amazon Web Services (AWS) infrastructure in the United States. Supabase also handles authentication (account login, password management, and session tokens). Supabase processes data as our data processor under our direction. See Supabase’s Privacy Policy.

6.2 Stripe (Payment Processing)

Subscription billing and payment processing for Foundry platform fees are handled by Stripe, Inc. When you subscribe to a paid plan, payment details are submitted directly to Stripe. Foundry does not store full payment card numbers or CVV codes. Stripe may store payment method details for recurring billing purposes in accordance with PCI-DSS standards. See Stripe’s Privacy Policy.

Note: Stripe is used exclusively for Foundry’s platform subscription fees. Invoices you send to your own clients are managed within Foundry and are not processed by Stripe unless you separately configure a Stripe integration for client payments.

6.3 Vercel (Hosting and Infrastructure)

The Foundry web application is hosted on Vercel, Inc.’s infrastructure. Vercel processes request logs and may collect technical data such as IP addresses and browser information as part of serving the application. Vercel Analytics may be used to collect aggregate, anonymized usage data. See Vercel’s Privacy Policy.

6.4 Intuit QuickBooks (Accounting Integration)

Foundry integrates with QuickBooks Online, a product of Intuit Inc., to allow you to sync financial data between Foundry and your QuickBooks account. This integration is optional and must be explicitly authorized by you.

OAuth Authorization: We use the OAuth 2.0 protocol to connect to your QuickBooks account. When you authorize the integration, Intuit issues an access token and a refresh token to Foundry. We store these tokens securely in our database (hosted on Supabase/AWS, encrypted at rest) to maintain persistent access to your QuickBooks data on your behalf.

Data We Access from QuickBooks: Depending on the scopes you authorize, we may read and/or write customers, invoices, bills, vendors, chart of accounts, and financial reports in your QuickBooks company file. We access only the data necessary to provide the sync features you have enabled.

Data We Send to QuickBooks: At your direction, Foundry may push data from your Foundry account to QuickBooks, including invoices, cost records, and customer/vendor records. You control which data is synced.

No Unauthorized Sharing: QuickBooks data accessed through the integration is used solely to provide the features you have authorized. We do not share QuickBooks data with any third party other than as described in this policy, and we do not use it for advertising, profiling, or any purpose unrelated to operating your Foundry account.

Token Security: OAuth tokens are stored encrypted at rest and are transmitted only over HTTPS. Access tokens are short-lived and automatically refreshed using the refresh token when needed. You may revoke the integration at any time through Foundry account settings or directly in your Intuit account, which will invalidate all stored tokens immediately.

Data Retention for Integration Tokens: OAuth tokens are retained only while the integration is actively authorized. Tokens are permanently deleted when you disconnect the integration or close your Foundry account.

Your use of QuickBooks is also governed by Intuit’s Privacy Statement.

6.5 Resend (Transactional Email)

Transactional emails (such as invoice delivery, password resets, and notifications) are sent through Resend, Inc. Resend processes the recipient email address, subject, and email body as necessary to deliver messages. Builders may also configure their own Resend API key or SMTP credentials, in which case email processing is handled by their chosen provider. See Resend’s Privacy Policy.

7. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve the Service:

  • Session cookies — required to keep you logged in and maintain your session state. Deleted when you close your browser.
  • Persistent cookies — store preferences such as dark/light mode so they persist across sessions.
  • Analytics — aggregate, anonymized data about how the Service is used (e.g., Vercel Analytics). We do not use third-party advertising cookies.

You can configure your browser to refuse cookies, but doing so may prevent parts of the Service from functioning correctly. We do not respond to browser “Do Not Track” signals, but we do not track users across unaffiliated websites.

8. Data Retention

We retain your data as follows:

  • Active accounts — all account, project, financial, and crew data is retained for the duration of your active subscription.
  • After cancellation — we retain your data for 90 days following account cancellation to allow you to export it or reactivate. After 90 days, your data may be permanently deleted from production systems. Backup copies may persist for up to an additional 90 days before being purged.
  • Inactive accounts — accounts with no activity for 24 consecutive months may be flagged for deletion with 30 days’ prior notice.
  • QuickBooks OAuth tokens — deleted immediately upon disconnection of the integration or closure of your account.
  • Legal holds — we may retain data longer if required by applicable law, litigation hold, or regulatory requirement.
  • Aggregated/de-identified data — anonymized, aggregate data may be retained indefinitely for analytics and product improvement.

You may request deletion of your data at any time by contacting us at privacy@foundrybuilders.com.

9. Data Security

We implement industry-standard security measures to protect your information:

  • All data is transmitted over HTTPS/TLS encryption
  • Database data is encrypted at rest by our hosting providers (Supabase/AWS)
  • OAuth tokens and credentials are stored encrypted at rest
  • Access to production systems is restricted to authorized personnel only
  • Row-level security (RLS) policies enforce strict tenant data isolation — one builder’s data is not accessible to another
  • Passwords are stored as one-way cryptographic hashes (bcrypt); plaintext passwords are never stored
  • Client portal users can access only the specific jobs they have been explicitly invited to

Despite these measures, no system is completely secure. In the event of a data breach affecting your personal information, we will notify you and relevant authorities as required by applicable law.

10. Construction-Industry Data Handling

Foundry is purpose-built for the construction industry. We recognize that construction companies handle sensitive business and financial information, and we have designed the Service with the following specific protections:

  • Tenant isolation — each builder’s data is stored in dedicated database partitions with row-level security. No builder can access another builder’s jobs, crew, financials, or clients.
  • Client confidentiality — client portal users can only see the specific jobs they have been invited to. They cannot see other clients, other jobs, or any internal financial data you have not explicitly shared.
  • Crew data protection — employee records, pay rates, timecards, and personal information are accessible only to authorized users within the builder’s account. Crew portal users can view only their own records.
  • Financial data segregation — cost, margin, and financial data is never exposed to client portal users unless you explicitly share a specific invoice or cost report.
  • Document storage — files and photos you upload (plans, specifications, photos, contracts, lien waivers) are stored in a private, authenticated object store. Direct URLs are not publicly accessible.
  • Subcontractor records — vendor, subcontractor, and supplier information you enter is accessible only within your account and is never shared with other tenants or third parties.
  • GPS data — if you enable GPS time-punch logging for crew, location data is associated with individual time entries and is accessible only to account administrators within your builder account.

11. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal information:

  • Access — request a copy of the personal information we hold about you
  • Correction — request that we correct inaccurate or incomplete information
  • Deletion — request that we delete your personal information, subject to legal retention requirements
  • Portability — request your data in a machine-readable format (CSV or JSON export)
  • Objection / Restriction — object to or request restriction of certain processing activities
  • Withdraw consent — withdraw consent for any processing based on consent, including marketing emails
  • Opt out of marketing — use the unsubscribe link in any marketing email, or contact us directly

To exercise any of these rights, contact us at privacy@foundrybuilders.com. We will respond within 30 days. We may need to verify your identity before processing your request. You will not be discriminated against for exercising your privacy rights.

12. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know — request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, our purposes, and the categories of third parties we share it with.
  • Right to Delete — request deletion of personal information we have collected, subject to certain exceptions.
  • Right to Correct — request correction of inaccurate personal information.
  • Right to Opt Out of Sale or Sharing — we do not sell or share personal information for cross-context behavioral advertising. No opt-out is needed.
  • Right to Limit Use of Sensitive Personal Information — we do not use sensitive personal information beyond what is permitted by the CPRA without your consent.
  • Right to Non-Discrimination — we will not discriminate against you for exercising CCPA/CPRA rights.

To submit a California privacy request, contact us at privacy@foundrybuilders.com. We will verify your identity and respond within the timeframes required by law (generally 45 days, with a possible 45-day extension).

Categories of Personal Information Collected (Past 12 Months):

  • Identifiers (name, email address, IP address)
  • Commercial information (transaction records, subscription data)
  • Professional or employment-related information (company name, business address, crew/employee records)
  • Internet or other network activity (usage logs, browser data)
  • Geolocation data (if crew GPS time-punch is enabled)
  • Financial information (invoices, cost records — not payment card numbers)

Categories of Sources: Directly from you, automatically through use of the Service, and through authorized third-party integrations (e.g., QuickBooks).

Business or Commercial Purposes: To provide and improve the Service, process transactions, provide customer support, ensure security, and comply with legal obligations.

Categories of Third Parties with Whom We Share Information: Service providers (Supabase, Stripe, Vercel, Resend) as data processors; Intuit for QuickBooks integration when you authorize it; government authorities when legally required.

13. European Privacy Rights (GDPR / UK GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and/or the UK GDPR may apply to our processing of your personal data. This section describes how those rights are handled.

13.1 Data Controller and Data Processor

For your Foundry account data, Foundry Software LLC acts as a data controller. When you upload client, project, or crew data into Foundry, you (the builder) act as the data controller for that data and Foundry acts as a data processor on your behalf. A separate Data Processing Addendum (DPA) is available on request — contact privacy@foundrybuilders.com.

13.2 Your Rights Under GDPR / UK GDPR

In addition to the rights described in Section 11, GDPR/UK GDPR data subjects have the right to:

  • Access — obtain confirmation of whether we process personal data about you and a copy of that data
  • Rectification — correct inaccurate or incomplete personal data
  • Erasure (“right to be forgotten”) — request deletion of your personal data, subject to legal retention requirements
  • Restriction of processing — limit how we use your data in certain circumstances
  • Data portability — receive your data in a structured, machine-readable format and transmit it to another controller
  • Objection — object to processing based on our legitimate interests, including direct marketing
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing
  • Lodge a complaint — file a complaint with your local data protection supervisory authority

To exercise these rights, contact privacy@foundrybuilders.com. We will respond within one month of receiving a verifiable request. The response period may be extended by up to two additional months for complex or numerous requests, in which case we will inform you of the extension and the reasons.

13.3 Legal Bases for Processing (Article 6 GDPR)

Where GDPR applies, we rely on the following legal bases, as also outlined in Section 4:

  • Contract (Art. 6(1)(b)) — processing necessary to deliver the Service you have subscribed to
  • Legitimate interests (Art. 6(1)(f)) — operating, securing, and improving the Service, where those interests are not overridden by your rights
  • Legal obligation (Art. 6(1)(c)) — compliance with applicable laws
  • Consent (Art. 6(1)(a)) — for marketing communications and any other processing you specifically opt into

13.4 International Transfers Out of the EEA / UK

Because our infrastructure is hosted in the United States, personal data of EEA/UK users is transferred to the U.S. We rely on the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA) with our sub-processors where applicable. Additional safeguards include encryption in transit (TLS) and at rest, tenant isolation via row-level security, and contractual restrictions on sub-processor use of personal data.

13.5 Supervisory Authority

We do not currently have an EU-appointed representative under Article 27 GDPR. EEA/UK data subjects may file a complaint with their national supervisory authority. For UK residents this is the Information Commissioner’s Office (ICO).

13.6 Automated Decision-Making

Foundry does not make decisions based solely on automated processing — including profiling — that produce legal or similarly significant effects concerning you.

14. Sub-processor List

Foundry engages the following sub-processors to deliver the Service. Each sub-processor is bound by contractual obligations to process data only as directed by Foundry and to maintain appropriate security measures. We will provide notice of material changes to this list at least 30 days in advance and give controllers the opportunity to object.

Sub-processor | Purpose | Location
Supabase, Inc. | Database, authentication, file storage | United States (AWS)
Vercel, Inc. | Application hosting, CDN, edge runtime | United States (global edge)
Stripe, Inc. | Subscription billing and payment processing | United States
Resend, Inc. | Transactional email delivery | United States
Intuit Inc. (QuickBooks Online) | Optional accounting integration — only when authorized by the builder | United States
Anthropic, PBC | AI assistance features for the builder dashboard (optional, behind feature flag) | United States

An always-current list of sub-processors is available on request from privacy@foundrybuilders.com.

15. Data Processing Addendum (DPA)

Builders who require a Data Processing Addendum — for example, to comply with GDPR, UK GDPR, the CCPA/CPRA service-provider provisions, or internal procurement policies — may request our standard DPA by emailing legal@foundrybuilders.com. The DPA, once executed, supplements this Privacy Policy and the End-User License Agreement and incorporates the Standard Contractual Clauses and UK IDTA where applicable.

16. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, Foundry will notify affected account administrators without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where required by applicable law, we will also notify competent supervisory authorities within the timeframes required by law. Notifications will describe the nature of the breach, the categories and approximate number of data subjects concerned, the likely consequences, and the measures taken or proposed to address the breach.

17. Children’s Privacy

The Service is intended for business use by adults and is not directed to children under the age of 13 (or 16 where applicable under local law). We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us at privacy@foundrybuilders.com and we will promptly delete it.

18. International Data Transfers

Foundry is based in the United States and the Service is intended primarily for users in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We take steps to ensure that data transfers comply with applicable law and that your data is afforded adequate protection.

19. Links to Other Sites

The Service may contain links to third-party websites or services that are not operated by us. This Privacy Policy does not apply to those third-party sites. We encourage you to review the privacy policies of any third-party sites you visit.

20. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new “Last updated” date, and by sending an email notification to registered account holders. We encourage you to review this policy periodically. Your continued use of the Service after any changes become effective constitutes your acceptance of the updated policy.

21. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Foundry Software LLC
Privacy Inquiries
privacy@foundrybuilders.com

We are committed to working with you to resolve any privacy concerns and will respond to all inquiries within 30 days.
