Privacy Policy

The Contractor Codex is a software product operated by Bulwark Black LLC, a limited liability company organized under the laws of the State of Washington, United States. References in this policy to “we,” “us,” or “the Service” mean Bulwark Black LLC doing business as The Contractor Codex.

For privacy questions, data access requests, or to report a concern, contact support@contractorcodex.com.

This policy covers data we collect when you visit contractorcodex.com, sign up for an account, use the dashboard and admin tools, connect a third-party integration (such as Google Calendar, Stripe, or DocuSign), or correspond with us.

It does not cover data handled solely by third-party services you separately authorize. Their own policies govern that data; we link to the main ones below.

• To provide, operate, and maintain the Service.
• To authenticate users and protect accounts from unauthorized access.
• To sync events between The Contractor Codex and Google Calendar when you have authorized the integration.
• To process payments, send invoices, and manage subscription billing.
• To send transactional messages (receipts, notifications, signing requests, password resets).
• To respond to support requests and improve the Service.
• To comply with legal obligations, enforce our terms, and investigate suspected abuse or fraud.

We do not sell personal information. We do not use Google user data, customer business data, or end-client contact records for advertising. We do not train generalized machine-learning models on your data without your explicit consent.

We share data only with service providers necessary to operate the Service (subprocessors) and only as needed for the described purposes. Our current subprocessors include:

• Clerk. User authentication and session management.
• Stripe. Payment processing, subscription billing, and Stripe Connect onboarding for contractors who collect payments from their own clients.
• Google. Calendar API, when you authorize the integration.
• DocuSign. E-signature processing, when you authorize the integration.
• Resend. Transactional email delivery and inbound mail handling.
• Anthropic. AI chat, AI quote drafter, and admin assistant prompts and context, when AI Features are enabled.
• OpenAI. AI prompts and context when an organization configures OpenAI as its AI provider.
• Deepgram. Voice-to-text transcription for the Report-a-Problem feature and other optional voice inputs.
• Hosting and database providers. The Service runs on dedicated infrastructure in the United States with managed Postgres storage.

Subprocessor changes.If we add or replace a subprocessor that materially changes how Customer Data or end-client data is processed, we will update this list and give you at least thirty (30) days’ notice by email or in-app notice before the change takes effect. If you object to a new subprocessor, you may terminate your subscription at any point in the notice period and request a prorated refund for the unused portion of your then- current billing cycle.

We may disclose data when required by law, valid legal process, or to protect rights, safety, and the integrity of the Service. If we ever sell or merge the business, we will transfer data to the successor entity under the same commitments described here.

We use a small number of cookies and similar technologies to run the Service. We do not use cookies for advertising or cross-site tracking.

• Strictly necessary. Session cookies set by our identity provider (Clerk) to keep you signed in, CSRF-protection cookies during the Google OAuth and signing flows, and a session cookie that scopes admin views to a selected customer in the dashboard.
• Functional. Cookies that remember preferences such as the time zone you selected.
• Analytics. If we add analytics in the future, we will update this policy first and rely on privacy-friendly, aggregated tooling.

You can clear or block cookies through your browser, but the Service will not function correctly without the strictly necessary cookies above.

Data is stored on servers located in the United States. We use industry-standard safeguards including encryption in transit (TLS) on every public endpoint and encryption at rest for the database volume.

Sensitive credentials (including Google OAuth refresh tokens, DocuSign tokens, and other third-party access keys) are additionally encrypted at the application layer using AES-256-GCM with a key stored in the server environment and never exposed to the client.

Access to production systems is limited to authorized personnel and protected by multi-factor authentication. No method of transmission or storage is 100% secure; we do our best to protect your information but cannot guarantee absolute security.

Breach notification. If we discover a security incident affecting your personal information, we will notify you and any applicable regulators in accordance with the timelines and disclosures required by applicable law (for example, within 72 hours under the GDPR, or as soon as practicable under US state breach-notification statutes).

We retain account and business data for as long as your account is active, plus a reasonable period afterward to comply with legal, accounting, and tax obligations. You may request deletion of your account and associated data by emailing support@contractorcodex.com.

Google user data specifically is retained only while you keep the Google Calendar integration connected. When you disconnect the integration in Settings > Calendar, we revoke the refresh token with Google and delete the encrypted tokens and the calendar identifier from our database. Calendar events already created in your portal remain so historical records are not lost; they simply stop syncing with Google.

The following choices are available to all users:

• Access. You can review most of your data directly in the dashboard. For a portable export, email support.
• Correction. You can edit account details, client records, and project data through the application.
• Deletion. You can disconnect integrations at any time. To delete your account and associated data, email support.
• Revoking Google access.You can revoke The Contractor Codex’s access to your Google Account at any time from myaccount.google.com/permissions.
• Marketing. Transactional emails are required to operate the Service. We do not send promotional email unless you have explicitly opted in; if we ever do, each message includes an unsubscribe link.

The Service is not directed to children under 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.

The Service is hosted in the United States. If you access the Service from outside the United States, your data is transferred to and processed in the United States.

For transfers of personal data out of the EEA, United Kingdom, or Switzerland, we rely on appropriate safeguards including the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and our subprocessors’ certifications under the EU-US Data Privacy Framework where available. By using the Service you consent to these transfers.

We may update this policy from time to time. Material changes will be communicated via email or an in-app notice at least 30 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.

Questions, concerns, or privacy requests? Email support@contractorcodex.com or write to us at the address below.

Bulwark Black LLC
d/b/a The Contractor Codex
522 W Riverside Ave, Ste N
Spokane, WA 99201
United States