Privacy Policy

1.Information We Collect#

Account information

When an account is created for you (ContractorLedger is invite-only), we collect your name and email address, your password (stored only as a salted hash — we never see or store it in plain text), your role within your organization, and which organization you belong to.

Customer content

The business data you and your team enter into the application: projects, quotes, subcontracts, vendors, expenses, payments, retainage, draw documents (G702/G703), lien waivers, company profile/settings, and uploaded documents. This data belongs to your organization (see the Terms of Service) and may incidentally include personal information you choose to enter, such as vendor contact details.

Technical information

Like most web services, we automatically receive IP addresses, browser/device information, and request logs when you use the Service. We use this for security (e.g., rate limiting sign-in attempts), troubleshooting, and operating the Service. We do not use analytics trackers or advertising pixels.

2.How We Use Information#

• To operate the Service — authenticate you, store and display your data, generate the documents and reports you request, and keep backups.
• Transactional email — sign-in codes, invitations, password resets, and important service or account notices. We do not send marketing email to app users without consent.
• Support — responding when you contact us, and investigating issues you report.
• Security and legal compliance — protecting the Service and its users, and meeting legal obligations.

What we do not do:

• We do not sell or rent your personal information or customer content. Ever.
• We do not use your data for advertising, and we serve no third-party ads.
• We do not use your customer content to train artificial-intelligence or machine-learning models.

3.How We Share Information#

We share data only with the service providers (subprocessors) we need to run ContractorLedger, and only to the extent needed:

Beyond subprocessors, we may disclose information if required by law (we will notify you where legally permitted), to protect the rights and safety of the Service and its users, or as part of a merger or sale of the business (in which case this policy continues to apply to your data). We may share aggregated, de-identified usage statistics that cannot identify you or your organization.

4.Cookies#

The application uses session cookies for authentication only — they keep you signed in and protect your account. We do not use tracking cookies, advertising cookies, or third-party analytics cookies, and the marketing site sets no cookies at all. Because we use no non-essential cookies, there is no cookie consent banner — there is nothing to consent to.

5.Data Retention#

• Active accounts: we keep your account information and customer content for as long as your organization's account is active.
• Backups: automated backups are retained for up to 60 days on a rolling basis.
• Deletion: on written request (or after account termination), we delete customer content from production systems within 30 days; copies in backups age out within the 60-day backup cycle. We may retain minimal records (e.g., billing records) where required by law.
• Export first: for 30 days after termination you can request an export of your data before deletion — see the Terms of Service.
• Logs: technical request logs are short-lived and rotate automatically.

6.Security#

We take reasonable, industry-standard measures to protect your data:

• Encryption in transit — all connections to the Service use TLS (HTTPS).
• Encryption at rest — data is stored on infrastructure that encrypts data at rest (managed by our hosting provider, Cloudflare).
• Tenant isolation — every organization's data is logically separated and every data query is scoped to your organization; we test these boundaries with an automated cross-tenant security test suite.
• Access controls — role-based permissions within your organization (e.g., view-only roles), hashed passwords, rate-limited sign-in, and production access limited to authorized BlackGlass personnel.

No system is perfectly secure, and we do not currently hold formal certifications such as SOC 2 or ISO 27001. If we become aware of a confirmed security breach affecting your data, we will notify affected customers without undue delay (within 72 hours where we have committed to that timeline in a signed agreement).

7.Your Rights#

You can access, export, correct, or delete your information. Much of this is built into the app (your data is visible and exportable in-product, and account admins manage user records). For anything else — including full data export, account deletion, or questions about specific personal information — email zakeeb@blckglass.com. We respond to verified requests within 30 days.

Note that ContractorLedger is a business tool: if you are a user invited by your employer, your organization's administrator controls the account and its data, and we may direct requests about customer content to them.

8.Children#

The Service is a business application for construction professionals and is not intended for anyone under 18. We do not knowingly collect information from minors; if you believe a minor has provided us information, contact us and we will delete it.

9.Changes to This Policy#

We may update this Privacy Policy from time to time. For material changes, we will notify account holders by email before the change takes effect and update the "Last updated" date above. The current version always lives at contractorledger.app/privacy.

10.Contact#

Privacy questions or requests: BlackGlass Consulting LLC, 5900 Balcones Drive STE 100, Austin, TX 78731, USA — zakeeb@blckglass.com. We aim to respond within 30 days.