Privacy Policy
Last updated: [DD Month 2026] — draft template, pending counsel review
TradesPilot is operated by Compass AI. This policy explains what we collect when you use the app, why we hold it, who processes it on our behalf, and how we keep one contractor’s data walled off from every other. Plain language, no fine-print games.
What we collect
We collect only what the product needs to keep your trade legal and paid:
- Account data. Your name, email, and password (stored hashed, never in plain text). Used to sign you in and contact you about your account.
- Organization data. Your business name, trade, crew details, and billing tier. Each account belongs to one organization (your shop).
- Job & compliance data. The jobs, contract dates, lien and holdback deadlines, WSIB Form 7 incidents, HST invoices, estimates, schedules, and client records you enter or generate. This is the working record of your business and is yours.
- Job-site photos. Images you upload for AI estimates. Before any model processes them, photos are resized and re-encoded server-side.
- Usage & technical data. Basic logs (sign-in events, errors, AI usage counts for fair-use limits) needed to run the service securely.
How we use it
We use your data to compute and watch your Ontario compliance deadlines, generate invoices and AI drafts, send you alerts, process billing, and support your account. We do not sell your data, and we do not use your business records to train third-party models for anyone else’s benefit.
Per-organization isolation
Every record in TradesPilot carries an organization ID, and the database enforces row-level security (RLS) so that a query can only ever return rows belonging to your own organization. Isolation is enforced at the database, not just the app — one contractor cannot read another’s jobs, deadlines, invoices, or clients. We verify this boundary with cross-tenant tests on every table.
Who processes your data (subprocessors)
We rely on a short list of vetted service providers to run the product. Each receives only the data needed for its job:
| Provider | What it handles |
|---|---|
| Supabase | Database, authentication, file storage (Postgres with row-level security). |
| Stripe | Subscription billing and customer payment processing. Card data is handled by Stripe; we never see or store full card numbers. |
| OpenAI / Google (Gemini) | AI estimate and copilot draft generation. Processed server-side; photos are resized and re-encoded before any model sees them. |
| Twilio | SMS deadline and dispatch alerts. |
| Resend | Transactional email (invoices, reminders, account notices). |
Payment data
Subscription payments are processed by Stripe. We never receive or store your full card number; Stripe handles card data under its own PCI-compliant systems. We retain only the billing status and identifiers needed to keep your plan current.
Data retention
We keep your records for as long as your account is active and as long as the law requires (tax and compliance records carry their own statutory retention periods). You can ask us to export or delete your data, subject to those legal retention obligations.
Your rights
You may access, correct, export, or request deletion of your personal information. To exercise any of these, contact us at the address below and we’ll respond within a reasonable time.
Jurisdiction
TradesPilot is built for Ontario contractors and operated from Ontario, Canada. This policy is governed by the laws of the Province of Ontario and the federal laws of Canada that apply there, including applicable privacy legislation.
Changes to this policy
We may update this policy as the product evolves. Material changes will be reflected in the “Last updated” date above; significant changes will be communicated to account holders.
Contact
Questions about your data, or want to exercise a right above? Email bobby.atwal@fora.travel.
This page is a starting template. Have legal counsel review it before launch. See also our Terms of Service.