Privacy Policy

Last updated: May 27, 2026

SubVerify ("SubVerify," "we," "us," or "our") operates the subcontractor compliance management platform at getsubverify.com("the Service"). This Privacy Policy explains what personal and business information we collect, how we use it, who we share it with, and your rights regarding your data.

By using the Service, you agree to the collection and use of data as described in this Privacy Policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Name and email address — used to identify your account and communicate with you.
  • Company name and type — general contractor or subcontractor, used to set up your account correctly.
  • Password — stored as a hashed value; we never store your password in plain text.

1.2 Compliance Documents and Business Data

Subcontractors upload compliance documents through the Service. These may include:

  • Certificates of insurance (COI) — General Liability, Workers Compensation, Auto
  • Contractor licenses and business licenses
  • W-9 tax forms (containing business name, address, EIN/SSN)
  • OSHA certifications, bonding certificates, and other compliance documents
  • Document metadata: file names, upload dates, expiry dates

Note: W-9 forms and certain documents may contain sensitive tax identification information. These documents are stored encrypted and access is restricted to authorized users within your organization.

1.3 Billing Information

When you subscribe to a paid plan, payment is processed by Stripe. SubVerify does not collect or store full credit card numbers. We receive and store limited payment metadata from Stripe, including the last four digits of your card, card type, and billing zip code, for account management purposes.

1.4 Usage Data

We automatically collect information about how you use the Service, including:

  • Log data: IP address, browser type, pages visited, timestamps
  • Device information: operating system, screen resolution
  • Actions taken within the platform (document uploads, invitations sent, reports generated)

This data is used to operate, improve, and secure the Service and is not used to build advertising profiles.

1.5 Communications

If you contact us by email or through the Service, we retain those communications to provide support and improve the Service.

2. How We Use Your Information

We use the information we collect to:

  • Provide and operate the Service — including storing your compliance documents, sending compliance status updates, and generating reports.
  • Send automated compliance alerts — email notifications when documents are approaching expiry (30-day advance notice) or have expired.
  • Process payments — billing for subscriptions via Stripe.
  • Send transactional emails — account confirmations, password resets, subcontractor invitations, and compliance alerts via Resend.
  • Improve the Service — analyzing usage patterns to improve features, reliability, and user experience.
  • Security and fraud prevention — monitoring for unauthorized access and abuse.
  • Legal compliance — complying with applicable laws and responding to lawful requests.

We do not sell your personal information or compliance documents to third parties. We do not use your data for advertising or behavioral profiling.

3. Third-Party Services and Data Processors

SubVerify uses the following third-party service providers to operate the platform. Each acts as a data processor on our behalf and is bound by data protection agreements:

Supabase

Database, authentication, and file storage provider. Your account data, compliance documents, and document metadata are stored on Supabase infrastructure hosted in the United States. Supabase is SOC 2 Type II certified. Learn more: supabase.com/privacy

Stripe

Payment processing provider. All payment card data is handled directly by Stripe and is subject to PCI DSS compliance. SubVerify does not process or store raw payment card data. Learn more: stripe.com/privacy

Resend

Transactional email provider. Used to send compliance alerts, subcontractor invitations, and account notifications. Email addresses are transmitted to Resend solely for the purpose of delivering these communications. Learn more: resend.com/legal/privacy-policy

Vercel

Hosting and content delivery infrastructure. The SubVerify web application is hosted on Vercel's edge network. Vercel may process request logs including IP addresses and request metadata. Learn more: vercel.com/legal/privacy-policy

4. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service:

  • Active accounts: All data is retained while your account is active.
  • After cancellation: Your data is retained for 90 days after account cancellation, during which you may request a data export. After 90 days, your data is permanently deleted.
  • Billing records: Payment transaction records are retained for 7 years as required for tax and accounting purposes.
  • Compliance documents: Documents uploaded by subcontractors are owned by the uploading party. Upon account deletion, all associated documents are removed from active storage within 90 days.

If you need to export your data before account deletion, contact us at info@getleadrun.com.

5. Data Security

We implement industry-standard security measures to protect your data, including:

  • HTTPS/TLS encryption for all data transmitted between your browser and the Service
  • Encrypted storage for compliance documents via Supabase (AES-256 at rest)
  • Hashed password storage — passwords are never stored in plain text
  • Row-level security policies limiting data access to authorized account holders
  • Regular security reviews of third-party integrations

No method of electronic transmission or storage is 100% secure. While we use commercially reasonable means to protect your data, we cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify you as required by applicable law.

6. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

6.1 For All Users

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Update or correct inaccurate personal data through your account settings or by contacting us.
  • Deletion: Request deletion of your account and associated personal data, subject to our retention obligations.
  • Data portability: Request an export of your data in a machine-readable format.
  • Opt-out of non-essential emails: Unsubscribe from marketing communications at any time. Note: you cannot opt out of transactional emails (compliance alerts, account notices) while your account is active, as these are necessary for the Service.

6.2 GDPR — European Economic Area (EEA) Users

If you are located in the EEA, you have additional rights under the General Data Protection Regulation (GDPR):

  • Right to restrict processing: You may request that we limit how we use your data in certain circumstances.
  • Right to object: You may object to processing of your data based on legitimate interests.
  • Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority.

Our lawful basis for processing your data is: (a) performance of a contract (providing the Service you signed up for), (b) legitimate interests (security, fraud prevention, service improvement), and (c) your consent where applicable. Data transfers outside the EEA rely on Supabase's Standard Contractual Clauses.

6.3 CCPA — California Residents

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know: The categories of personal information collected about you and the purposes for which it is used.
  • Right to delete: Request deletion of personal information we have collected.
  • Right to opt-out of sale: SubVerify does not sell personal information. There is nothing to opt out of.
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise any of these rights, contact us at info@getleadrun.comwith the subject line "Privacy Request."

7. Cookies and Tracking

SubVerify uses cookies and similar technologies to operate the Service:

  • Authentication cookies: Used to keep you logged in to your account. These are strictly necessary and cannot be disabled.
  • Session cookies: Temporary cookies that expire when you close your browser.
  • Preference cookies: Used to remember your account preferences.

SubVerify does not use third-party advertising cookies or cross-site tracking cookies. You can control cookies through your browser settings, though disabling authentication cookies will prevent you from logging in.

8. Children's Privacy

The Service is intended for business use only and is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided us with personal information, we will delete such information promptly.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email to your registered address or by posting a notice within the Service at least 14 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the updated policy.

10. Contact Us

For questions, privacy requests, or to exercise your rights under this Privacy Policy, contact us:

SubVerify — Privacy Team

Email: info@getleadrun.com

Subject line: "Privacy Request"

Website: getsubverify.com

We will respond to privacy requests within 30 days (or sooner as required by applicable law).