Privacy Policy
Effective June 14, 2026 · Version 1.0
BidBook is invoicing, estimating, and contract software with built-in e-signature, made for trade contractors — masons, plumbers, electricians, HVAC techs, general contractors, and remodelers. This policy explains what we collect, why, who we share it with, how long we keep it, and how to get your data out or deleted. It covers getbidbook.com, the BidBook web app, and the BidBook mobile apps for Android and iOS.
BidBook is a product of Swiss Masonry LLC, 4974 Beechwood Rd, Cincinnati, OH 45244. For any privacy question or to exercise a right, email business@swissmasonry.org.
Who's who in your data
BidBook is multi-tenant. A contractor's account is their own workspace. That matters for who controls what:
- The data a contractor types in about their own clients — names, phone numbers, email addresses, job-site addresses, line items, photos — belongs to that contractor. The contractor decides what goes in and what comes out. BidBook stores and processes it on the contractor's behalf. If you're a homeowner or a contractor's customer and you want something changed or removed, ask the contractor you hired first; we'll help them do it.
- The data about the contractor's own account — sign-up details, billing, how they use the app — is controlled by BidBook, and this policy governs it directly.
What we collect
You give us:
- Account data: your name, email, password (stored hashed, never in plain text), and phone number.
- Business profile: company name, business address, logo, license or tax details you choose to add, and your default estimate/invoice settings.
- Customer and job data you enter: your clients' contact info, job addresses, estimates, invoices, change orders, contracts, line items, and notes. You control this; we hold it for you.
- Job-site photos: images you attach to expenses, change orders, or jobs — including photos taken with your device camera when you grant the mobile app camera permission.
- Support messages: anything you send us when you ask for help.
Stripe handles your payment data, not us:
- Payments (card and ACH) run through Stripe. Full card numbers and full bank account numbers go straight to Stripe — they never touch BidBook's servers and we never store them. We receive only payment and payout status (paid, pending, failed) and the identifiers Stripe gives us to match a payment to an invoice.
We collect automatically:
- Usage and diagnostics: pages and screens viewed, actions taken, the device and browser you use, IP address, timestamps, and server-side error logs. We use this to run, secure, and improve BidBook. We do not collect device location.
- E-signature evidence: when someone signs a document, we capture the signer's name and email, IP address, device and browser, and the timestamp of each action — plus the signature bytes themselves (the typed text or the drawn strokes). See "E-signature records" below.
We don't run third-party advertising trackers, and we don't sell your data.
Cookies, local storage, and PWA storage
- We use strictly necessary cookies to sign you in and keep your session secure. Turn these off and sign-in breaks.
- BidBook is an installable Progressive Web App (PWA). To work offline and to hold drafts, it stores data on your device using your browser's local storage and cache. The iOS and Android apps store the same kinds of offline data on the device. You can clear this through your browser or by removing the app.
- We use privacy-respecting product analytics to understand usage. We do not use cross-site advertising cookies.
Processors and subprocessors
We rely on a short list of vendors to run BidBook. Each is under a written contract with confidentiality and security obligations. We'll update this list before adding or swapping any vendor that handles personal data.
| Vendor | What it does | Data involved |
|---|---|---|
| Cloudflare | Hosts and delivers the app and marketing site (Workers / OpenNext), CDN, security | Request metadata, IP addresses, served content |
| Cloudflare R2 | Object storage for job photos and generated PDFs | Uploaded images, generated estimate / invoice / contract PDFs, signed documents |
| Supabase | Application database (Postgres with row-level security) and authentication | Account data and all contractor-entered records; auth events |
| Stripe | Card and ACH payment processing and payouts (Stripe Connect) | Billing identifiers, payment / payout status; full card and bank details go directly to Stripe |
| Resend | Transactional email delivery (signature requests, receipts, reminders, notices) | Recipient email address and message content |
Apple and Google operate the app stores you may download the mobile apps from; their own privacy terms cover what they collect at download and install. Push notifications you opt into on mobile are delivered through Apple's and Google's push services.
E-signature records and audit trail
BidBook's e-signature is native — there's no third-party signing vendor in the loop. When a document is signed:
- We capture the signature itself (typed name or drawn strokes) and retain those signature bytes.
- We record an audit trail: signer name and email, IP address, device and browser, and the date and time of every signing action.
- We generate an audit certificate and store it alongside the signed document so the signature can be reproduced and verified later.
We retain signed documents, signature bytes, and audit certificates so they hold up as legal evidence. Because they're legal records, we keep them longer than ordinary account data, and we may keep them after an account closes to defend or prove an agreement. See the E-Sign Consent disclosure shown to signers for the full ESIGN/UETA terms.
Why we use your data
- To provide, run, and secure the service and keep tenants isolated from each other.
- To process payments and payouts through Stripe.
- To send transactional email — signature requests, receipts, reminders, and security notices.
- To generate estimates, invoices, contracts, and branded PDFs.
- To answer support requests.
- To detect and prevent fraud and abuse.
- To meet legal obligations and enforce our agreements.
How long we keep it
We keep personal data only as long as we need it, then delete or anonymize it. As a guide:
- Account and profile: for the life of the account, then deleted within about 30 days after closure.
- Contractor-entered records: per the contractor's instructions; deleted on request or after account closure.
- Signed contracts, signature bytes, and audit certificates: retained as legal records, typically at least 7 years, and sometimes longer where a dispute or law requires.
- Billing and tax records: as long as the law requires, typically about 7 years.
- Usage and diagnostic logs: a limited, rolling window, generally 12–24 months.
- Backups: rolling, overwritten on a regular cycle.
Getting your data out, or deleted
You can export and delete your data.
- Export: request a copy of your account and business records by emailing business@swissmasonry.org, or use in-app export where available.
- Delete: ask us to delete your personal data at business@swissmasonry.org. We'll verify it's really you first. We may need to keep some records (for example, signed contracts and tax records) where the law requires it.
- Homeowners and contractors' customers: if a contractor entered data about you, that contractor controls it. Ask them first; we'll support their response.
We honor Global Privacy Control (GPC) signals where the law requires.
Your privacy rights
Depending on where you live (for example, California, Colorado, Connecticut, Virginia, and other U.S. states with privacy laws), you may have the right to know what personal data we hold, to access or correct it, to delete it, to opt out of "sale" or "sharing" (we do neither), and to not be discriminated against for exercising these rights. To make a request, email business@swissmasonry.org. We'll respond within the time the applicable law requires.
Children
BidBook is a business tool. It is not directed to children, and we don't knowingly collect data from anyone under 18. If you believe a minor has given us personal data, contact business@swissmasonry.org and we'll delete it.
Security
We isolate each tenant's data at the database layer using row-level security, encrypt data in transit and at rest, limit access to a need-to-know basis, and route all payment capture to Stripe so full card and bank numbers never reach us. No system is perfectly secure and we can't promise absolute security, but we work to protect your data.
International users
BidBook is operated from, and stores data in, the United States. If you use BidBook from outside the U.S., you understand your data is processed in the U.S.
Legal and corporate disclosures
We may disclose data to comply with the law, respond to lawful requests, protect people's rights and safety, or in connection with a merger, acquisition, or sale of the business — in which case this policy continues to apply.
Changes to this policy
We may update this policy. When we do, we'll change the effective date at the top and, for material changes, tell you by email or an in-app notice.
Contact
Email business@swissmasonry.org for any privacy question or to exercise a right. Mailing address: Swiss Masonry LLC, 4974 Beechwood Rd, Cincinnati, OH 45244.