⚡ TL;DR
We collect your email for auth, your project data to make the app work, and your payment info goes straight to Stripe (we never see your card number). We don't sell your data. We don't run ads. You can delete everything from Settings. That's it.
This Privacy Policy explains how Tacked LLC ("we," "us," "our") collects, uses, and protects your information when you use Tacked ("the Service") at app.tacked.io and related mobile applications.
1. Information We Collect
Information You Provide
| Data | Why We Collect It | Where Stored |
|---|---|---|
| Email address | Account creation, login, password reset, service notifications | Supabase Auth |
| Password | Account authentication (hashed, never stored in plain text) | Supabase Auth |
| Jurisdiction selection | Scope code answers to your city and state | Browser localStorage + Supabase |
| Project data | Notes, daily logs, drawings, photos, punch lists, contacts, checklist progress | Browser localStorage + Supabase |
| Photos | Jobsite documentation, photo annotation | Browser localStorage + Supabase Storage |
| Code questions | Provide jurisdiction-scoped answers with citations | Processed via Anthropic API; not permanently stored server-side |
| Company name / logo | Branded PDF exports (Pro/Team plans) | Browser localStorage + Supabase |
| Team member emails | Team invitations and shared project access | Supabase |
Information Collected Automatically
| Data | Why |
|---|---|
| Usage analytics | Tool usage counts, feature engagement — to improve the product. No personal data attached. |
| Device type / browser | Responsive layout and bug fixing |
| Error logs | Identify and fix crashes |
Information We Do NOT Collect
- Credit card numbers or financial account details (handled entirely by Stripe)
- Social Security numbers or government IDs
- Precise GPS location (we use your selected city/state, not your phone's GPS)
- Contacts from your phone's address book
- Microphone audio (voice notes are processed locally via your browser's Speech Recognition API — audio is never sent to our servers)
2. How We Use Your Information
- Provide the Service: Store your projects, sync across devices, deliver code answers scoped to your jurisdiction, enable team collaboration
- Process payments: Via Stripe. We receive confirmation of subscription status but never see your card number.
- Send service emails: Password resets, subscription confirmations, critical product updates. No marketing spam.
- Improve the product: Anonymized usage patterns (which tools are used most, common question topics) help us prioritize features
- Provide inspection reminders: Local notifications scheduled on your device. We do not operate a push notification server — reminders are managed entirely by your phone's OS.
3. How We Share Your Information
We do not sell your data. We do not share your data with advertisers. We do not run ads.
We share data only with the service providers necessary to operate Tacked:
| Provider | What They Receive | Why |
|---|---|---|
| Supabase | Account data, project data, photos | Authentication, database, file storage |
| Stripe | Email, payment method | Subscription billing |
| Anthropic (Claude API) | Code questions (text only) | AI-powered code answers, plan review, code comparison |
| AWS Lambda | API requests (proxied) | API routing |
| Vercel | Static assets | Web hosting |
Each provider processes data under its own privacy policy. We select providers with strong security practices and data protection standards.
4. Team Features and Shared Data
When you use the Team plan:
- Owners can see all shared projects and manage team members
- Admins can view and edit shared projects but cannot manage the team or delete the account
- Members can view and contribute to shared projects but cannot delete content
Team members can see project notes, daily logs, photos, drawings, punch lists, and activity added by other team members. Only the project owner can delete projects.
When a team member is removed, their access to shared projects is revoked immediately. Content they contributed to shared projects remains in the project.
5. Data Storage and Security
- Local storage: Project data is cached in your browser's localStorage for fast access and offline availability
- Cloud storage: Supabase (hosted on AWS) with Row Level Security (RLS) ensuring users can only access their own data
- Photo storage: Supabase Storage with access policies per user and team
- Encryption: All data transmitted over HTTPS/TLS. Supabase encrypts data at rest.
- Authentication: Email/password with bcrypt hashing. OAuth via Google (optional). Login rate limiting to prevent brute force.
- OWASP hardening: Input sanitization, SVG sanitization on uploads, HTML entity escaping, control character stripping, DEV_MODE protections
6. AI and Your Code Questions
When you ask a code question, your question text is sent to Anthropic's Claude API to generate an answer. We send:
- Your question text
- Your selected city and state (for jurisdiction scoping)
- Recent conversation context (for follow-up questions)
We do NOT send your name, email, project data, photos, or any other personal information to the AI. Anthropic's data retention policy applies to API inputs — see anthropic.com/privacy.
If you use photo analysis (Pro feature), the photo is sent to the API for that specific analysis and is not permanently stored by the AI provider.
7. Cookies and Local Storage
Tacked uses browser localStorage (not cookies) to store:
- Your jurisdiction settings
- Project data (for offline access)
- Authentication tokens
- Theme preference (light/dark)
- Recently used tools list
- Dismissed UI hints
We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
8. Your Rights
Access and Export
All your data is visible within the app. Projects, notes, photos, and logs can be exported via the PDF Export tool.
Deletion
You can delete your account and all associated data from Settings → Danger Zone → Delete Account. This action is permanent and removes your account, projects, photos, and all other data from our systems.
Correction
You can edit your project data, notes, and settings at any time within the app.
Data Portability
Project data can be exported as PDF. We are working on additional export formats.
9. Children's Privacy
Tacked is not intended for use by anyone under 18. We do not knowingly collect information from children. If you believe a minor has created an account, contact us at admin@tacked.io and we will delete it.
10. California Privacy Rights (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it's used
- Request deletion of your personal information
- Opt out of the sale of personal information — we do not sell personal information
- Not be discriminated against for exercising your rights
To exercise these rights, email admin@tacked.io or use the account deletion feature in Settings.
11. International Users
Tacked is operated from the United States. If you access the Service from outside the US, your data will be transferred to and processed in the United States. By using Tacked, you consent to this transfer.
12. Data Retention
- Active accounts: Data retained as long as your account exists
- Deleted accounts: All data removed within 30 days of deletion request
- Cancelled subscriptions: Account and data retained (you keep your data, just lose Pro/Team features)
- Payment records: Retained by Stripe per their data retention policy for legal/tax purposes
13. Changes to This Policy
We may update this Privacy Policy from time to time. We'll notify you of material changes via email. The "Last Updated" date at the top reflects the most recent revision.
14. Contact
Questions about your privacy? Contact us:
- Email: admin@tacked.io
- Web: tacked.io
Tacked LLC · Massachusetts, USA · tacked.io