Privacy Policy
How we protect and handle your data with AI transparency
Last updated: August 9, 2025
Data Encryption
All data is transmitted and stored using AES-256 encryption standards.
AI Transparency
Clear visibility into how AI processes your roofing data.
1. Data Controller Information
MyRoofGenius LLC
1942 Broadway, Suite 314C, Boulder, CO 80302, United States
Email: privacy@myroofgenius.com
Data Protection Officer: privacy@myroofgenius.com
2. Legal Basis for Processing (GDPR Article 6)
We process your personal data under the following legal bases:
- Contract Performance (Art. 6(1)(b)): To provide our AI-powered roofing management services
- Legitimate Interests (Art. 6(1)(f)): For fraud prevention, service improvement, and security
- Consent (Art. 6(1)(a)): For marketing communications and optional AI training
- Legal Obligation (Art. 6(1)(c)): For tax records, financial reporting, and compliance
3. Data We Collect & Process
- Account Data: Name, email, company name, billing address
- Payment Information: Processed securely via Stripe (we do not store card numbers)
- Business Content: Roof imagery, project documents, customer data you upload
- Usage Data: Tool usage events, feature interactions, credit consumption
- AI-Generated Content: Analysis results, estimates, reports, recommendations
- Technical Data: IP address, browser type, device information, cookies
4. Data Retention Periods
- Active Account Data: Duration of account + 18 months (default, adjustable to 90 days)
- Financial Records: 7 years (legal requirement for tax compliance)
- Marketing Consents: Until withdrawn or 3 years of inactivity
- Technical Logs: 90 days for security and debugging
- Backup Data: Purged within 30 days on a rolling basis
- Anonymized Analytics: Indefinitely (cannot be linked back to you)
AI Training Options
You can opt out of allowing anonymized project data to improve models. Opting out does not affect product performance. Your AI analysis results remain fully functional regardless of your training preference.
Security
- TLS encryption in transit (minimum TLS 1.2)
- Encrypted storage at rest (AES-256)
- Least-privilege access controls
- Comprehensive audit logs
- Regular security assessments
7. Your Privacy Rights
GDPR Rights (EU Residents):
- Right to Access (Art. 15): Request a copy of your data
- Right to Rectification (Art. 16): Correct inaccurate data
- Right to Erasure (Art. 17): Delete your account and data
- Right to Restrict Processing (Art. 18): Limit how we use your data
- Right to Data Portability (Art. 20): Export data in JSON/CSV format
- Right to Object (Art. 21): Opt out of marketing and profiling
- Right to Withdraw Consent (Art. 7): Revoke consent at any time
CCPA Rights (California Residents):
- Right to Know (§1798.100): Categories and specific pieces of data collected
- Right to Delete (§1798.105): Request deletion of personal information
- Right to Opt-Out (§1798.120): Opt out of data sales (we do not sell data)
- Right to Non-Discrimination (§1798.125): Equal service regardless of privacy choices
- Right to Correct (§1798.106): Correct inaccurate personal information
- Right to Limit Sensitive Data (§1798.121): Restrict use of sensitive data
Exercise your rights by emailing privacy@myroofgenius.com or using your account settings. We will respond within 30 days (GDPR) or 45 days (CCPA).
8. International Data Transfers
Your data may be processed in the United States and other countries where our service providers operate. We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all sub-processors
- Adequacy decisions where applicable
- Additional safeguards: encryption, access controls, audits
9. Third-Party Data Processors
We use the following trusted processors, each with their own privacy certifications:
- Stripe, Inc.: Payment processing (PCI-DSS Level 1 certified)
- Amazon Web Services: Cloud infrastructure (SOC 2, ISO 27001 certified)
- OpenAI, L.L.C.: AI analysis (data not used for training by default)
- Anthropic, PBC: AI analysis (data not used for training by default)
- Supabase, Inc.: Database hosting (SOC 2 Type II certified)
- Vercel, Inc.: Application hosting (SOC 2, ISO 27001 certified)
Each processor is bound by Data Processing Agreements (DPAs) compliant with GDPR Article 28.
10. Cookies & Tracking
We use essential cookies for functionality and optional cookies for analytics:
- Essential Cookies: Authentication, session management (cannot be disabled)
- Analytics Cookies: Usage patterns, feature adoption (can opt out)
- Marketing Cookies: Ad performance tracking (requires explicit consent)
Manage cookie preferences via the cookie banner or account settings.
11. Children's Privacy
Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us immediately at privacy@myroofgenius.com.
12. Data Breach Notification
In the event of a data breach affecting your personal information, we will:
- Notify you within 72 hours (GDPR requirement)
- Provide details of the breach and affected data
- Explain measures taken to mitigate harm
- Offer guidance on protective actions you can take
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email 30 days before taking effect. Continued use after changes constitutes acceptance.
14. Contact & Complaints
Data Protection Officer: privacy@myroofgenius.com
Mailing Address: MyRoofGenius LLC, 1942 Broadway, Suite 314C, Boulder, CO 80302, United States
Response Time: 30 days (GDPR) / 45 days (CCPA)
Right to Lodge a Complaint:
EU residents: You have the right to lodge a complaint with your local supervisory authority.
California residents: You may contact the California Attorney General's Office at oag.ca.gov