Privacy Policy
Last Updated: March 13, 2026
1. Introduction
Bidroom, Inc. ("Bidroom," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our construction management platform, including our website, mobile applications, and related services (collectively, the "Services").
By using our Services, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Services.
This Privacy Policy should be read together with our Terms of Service, which governs your use of the platform.
2. Information We Collect
2.1 Personal Information You Provide
- Account Information: Name, email address, phone number, password (stored as a bcrypt hash, never in plaintext), and profile photo
- Business Information: Company name, contractor license numbers, insurance certificates, bond information, business address, and service areas
- Financial Information: Payment card information and bank account details (processed and stored securely by Stripe; Bidroom does not store raw card numbers)
- Project Information: Project details, descriptions, photos, videos, documents, daily logs, milestones, and communications
- Identity Verification: Government-issued ID information, California State License Board (CSLB) license verification data, background check information
- Referral Information: Names and contact information of people you refer to the platform
- Website Builder Content: Business descriptions, services, portfolio images, testimonials, and other content you create for your contractor website
- Communications: Messages exchanged with other users, support requests, and feedback
2.2 Information Collected Automatically
- Device Information: Device type, operating system, unique device identifiers, mobile carrier, and device settings
- Usage Data: Pages visited, features used, search queries, time spent on pages, click patterns, and interaction data
- Location Data: Approximate location from IP address; precise GPS coordinates for project sites (only with your explicit permission)
- Log Data: IP address, browser type and version, access times, referring/exit URLs, and error logs
- Push Notification Tokens: Device tokens for delivering push notifications (if you opt in)
2.3 Information from Third Parties
- License Verification: California State License Board (CSLB) and other state licensing board data
- Background Checks: Criminal history and identity verification results for contractors opting into premium verification
- Payment Processor: Transaction status, payment confirmations, and subscription data from Stripe
- Social Login Providers: If you sign in with Google or Apple, we receive your name, email address, and profile identifier
- Analytics Partners: Aggregated usage data and platform performance metrics
3. How We Use Your Information
We use collected information for the following purposes:
| Purpose | Legal Basis |
| --- | --- |
| Provide Services: Create and manage your account, process transactions, facilitate project management, enable messaging | Contract performance |
| Verify Identity: Contractor license verification, identity verification, fraud prevention | Legitimate interest / Legal obligation |
| Process Payments: Handle escrow deposits, milestone payments, subscription billing, and refunds | Contract performance |
| AI Features: Power AI-driven tools including bid analysis, contractor matching, cost estimation, compliance assistance, and document generation | Contract performance / Consent |
| Improve Platform: Analyze usage patterns, diagnose technical issues, develop new features, and enhance user experience | Legitimate interest |
| Communications: Send transactional notifications (milestone updates, payment confirmations), security alerts, and marketing materials (with consent) | Contract performance / Consent |
| Safety & Security: Detect and prevent fraud, abuse, unauthorized access, and security incidents | Legitimate interest / Legal obligation |
| Legal Compliance: Comply with applicable laws, regulations, court orders, and legal processes | Legal obligation |
| Referral Program: Track referrals, calculate rewards, and prevent fraud | Contract performance |
4. How We Share Your Information
We may share your information in the following circumstances:
4.1 With Other Users
- Property owners can see contractor profiles, verification status, reviews, and bid submissions
- Contractors can see project details, property owner names, and project locations for jobs they bid on
- Project managers can see project data for projects they are assigned to
- Public contractor websites are visible to anyone on the internet
4.2 Service Providers
We share information with trusted third-party service providers who assist us in operating our platform:
- Stripe: Payment processing, subscription management, and escrow services
- Mailgun: Transactional and marketing email delivery
- Twilio: SMS notifications and communications
- Google Gemini AI: AI-powered feature processing (bid analysis, cost estimation, etc.)
- Cloud Hosting: Server infrastructure and data storage
- Expo: Mobile application push notifications
All service providers are contractually obligated to handle your data securely and only for the purposes we specify.
4.3 Other Sharing
- Legal Requirements: When required by law, court order, subpoena, or government request
- Safety: When we believe disclosure is necessary to protect the rights, property, or safety of Bidroom, our users, or the public
- Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, in which case your information may be transferred as part of the transaction
- With Your Consent: When you give us explicit permission to share information
- Aggregated/De-identified Data: We may share aggregated or de-identified data that cannot reasonably be used to identify you
We Never Sell Your Personal Information. Bidroom does not sell, rent, or trade your personal information to third parties for their marketing purposes. We do not participate in data broker services.
5. AI Data Processing
When you use our AI-powered features, your data is processed as follows:
- What is sent: Text prompts, project descriptions, photos (for photo analysis), bid details, and other content you explicitly submit to AI features
- Third-party processing: AI features are powered by Google Gemini. Your submitted data is sent to Google's API for processing
- No model training: Your data is not used to train AI models. It is processed solely to generate your requested output
- Data retention: AI inputs and outputs are logged for quality assurance and credit tracking. Logs are retained for 90 days unless you request earlier deletion
- Opt-out: You can choose not to use AI features. AI features are optional and not required for core platform functionality
Sensitive Information: Do not submit sensitive personal information (Social Security numbers, financial account credentials, medical information) to AI features. AI features are designed for construction project data only.
6. Data Security
We implement industry-standard security measures to protect your information:
- Encryption in Transit: TLS/SSL encryption for all data transmitted between your device and our servers
- Password Security: Passwords are hashed using bcrypt with salt rounds; we never store plaintext passwords
- Payment Security: PCI-DSS compliant payment processing via Stripe; Bidroom never stores raw credit card numbers
- Access Controls: Role-based access controls restrict employee and system access to user data
- Security Headers: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), and other security headers are enforced
- Rate Limiting: API rate limiting protects against brute-force attacks and abuse
- Input Validation: All user inputs are validated and sanitized to prevent injection attacks
- Regular Monitoring: System health monitoring, connection pool monitoring, and error alerting
While we strive to protect your information using commercially reasonable safeguards, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at security@bidroom.io.
7. Data Retention
We retain your information for as long as your account is active or as needed to provide Services. Specific retention periods:
| Data Type | Retention Period | Reason |
| --- | --- | --- |
| Account profile data | Deleted within 30 days of account deletion | Service provision |
| Project records and contracts | 7 years after project completion | Legal/tax compliance, warranty periods |
| Financial transaction records | 7 years | Tax and accounting obligations |
| Escrow and payment records | 7 years | Financial regulations |
| AI usage logs | 90 days | Quality assurance and credit tracking |
| Communication logs | Duration of account + 1 year | Dispute resolution |
| Server and access logs | 90 days | Security and debugging |
| Anonymized analytics | Indefinitely | Product improvement |
| Backup copies | Purged within 90 days of data deletion | Disaster recovery |
If you request account deletion, we will delete your personal data within 30 days, except for data we are legally required or permitted to retain.
8. Your Rights and Choices
8.1 California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purpose, and the categories of third parties with whom we share it
- Right to Delete: Request deletion of your personal information, subject to certain exceptions (legal obligations, ongoing transactions, security)
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: Opt out of the sale or sharing of personal information for cross-context behavioral advertising. Note: Bidroom does not sell personal information
- Right to Limit Use of Sensitive Information: Limit the use and disclosure of sensitive personal information to what is necessary to provide the Services
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights (no denial of service, different pricing, or reduced quality)
To exercise these rights, contact us at privacy@bidroom.io or use the privacy request tools in your account settings. We will verify your identity before processing requests and respond within 45 days (extendable by an additional 45 days for complex requests).
Categories of Personal Information Collected (CCPA Disclosure):
- Identifiers (name, email, phone, IP address)
- Commercial information (transaction history, subscription records)
- Internet/electronic activity (usage data, device information)
- Geolocation data (with consent)
- Professional/employment information (contractor licenses, business information)
- Inferences drawn from the above categories
8.2 Other U.S. State Privacy Rights
Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws have similar rights to access, delete, correct, and opt out of data processing. Contact privacy@bidroom.io to exercise these rights. We will respond within the timeframe required by your state's law.
8.3 European Economic Area (EEA) and UK Residents (GDPR)
If you are located in the EEA or UK, you have additional rights under the General Data Protection Regulation (GDPR):
- Right of Access: Obtain a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete personal data
- Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data in certain circumstances
- Right to Restrict Processing: Request limitation of how we process your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
- Right to Lodge a Complaint: File a complaint with your local data protection authority
Our legal bases for processing are: contract performance, legitimate interests, legal obligation, and consent (as detailed in Section 3).
8.4 All Users
- Access and Download: View and download your data from account settings
- Update Information: Edit your profile, preferences, and notification settings at any time
- Marketing Opt-Out: Unsubscribe from marketing emails via unsubscribe links or account settings. You will continue to receive transactional and security-related communications
- Push Notification Control: Manage push notifications through your device settings
- Location Data: Revoke location permissions through your device settings at any time
- Delete Account: Request complete account deletion by contacting privacy@bidroom.io
9. Cookies and Tracking Technologies
Types of Cookies We Use
| Cookie Type | Purpose | Duration |
| --- | --- | --- |
| Essential | Authentication, session management, security (CSRF protection) | Session / 7 days |
| Functional | User preferences, language settings, theme selection | 1 year |
| Analytics | Platform usage analysis, feature adoption tracking, performance monitoring | 2 years |
Do Not Track
Some browsers offer a "Do Not Track" (DNT) setting. There is no universally accepted standard for how to respond to DNT signals. Currently, we do not respond to DNT browser signals but we honor opt-out requests made through our platform settings.
Managing Cookies
You can control cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or be notified when a cookie is set. Disabling essential cookies may affect core platform functionality such as authentication.
10. Children's Privacy
Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@bidroom.io. If we discover we have collected information from a child under 18, we will promptly delete it.
11. International Data Transfers
Bidroom is based in the United States. If you access our Services from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.
By using our Services, you consent to the transfer of your information to the United States. For EEA/UK users, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission to ensure adequate protection for data transfers.
12. Third-Party Links and Services
Our platform may contain links to third-party websites, services, or applications. This Privacy Policy does not apply to third-party services. We recommend reviewing the privacy policies of any third-party services you interact with. Third-party services we integrate with include but are not limited to:
13. Data Breach Notification
In the event of a data breach that compromises your personal information, we will:
- Notify affected users via email and platform notification within 72 hours of discovering the breach (or as required by applicable law)
- Notify relevant regulatory authorities as required by law (e.g., California Attorney General for breaches affecting 500+ California residents)
- Provide details about the nature of the breach, the data affected, steps we are taking to address it, and recommended actions for affected users
- Offer appropriate remediation measures, which may include credit monitoring services
14. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technologies, or legal requirements. When we make changes:
- We will update the "Last Updated" date at the top of this page
- For material changes, we will send an email notification to the address associated with your account at least 30 days before the changes take effect
- We will post a prominent notice on our platform
Your continued use of our Services after the effective date of the updated Privacy Policy constitutes acceptance of the changes. If you do not agree with the updated policy, you should stop using the Services and request account deletion.
15. Authorized Agent
You may designate an authorized agent to submit privacy requests on your behalf. To do so, provide a signed, written authorization to the agent and have them contact us at privacy@bidroom.io. We may require verification of both your and the agent's identity before processing the request.