Privacy Policy

Last updated: February 2026

1. Information We Collect

We collect only the data necessary to provide and improve the Plinth service:

  • Builder accounts: Email address, company name, and profile information you provide at sign-up.
  • Project data: Project names, addresses, check-in photos, notes, documents, change orders, selections, and punch-list items uploaded by builders.
  • Journal access: We log journal page views (timestamp, anonymized identifiers) to show builders when homeowners last visited. No personal information about homeowners is collected unless voluntarily provided.
  • Billing: Payment processing is handled entirely by Stripe. We store your Stripe customer ID but never see or store credit card numbers.
  • Device and usage data: We collect minimal technical information (browser type, device type, anonymized IP) to maintain service quality and diagnose issues. We do not fingerprint devices or build advertising profiles.

2. How We Use Your Data

  • To provide and maintain the Plinth service.
  • To generate homeowner-facing progress journals from builder check-ins.
  • To send transactional emails (account verification, password resets, billing receipts) via Resend.
  • To improve the product using aggregated, anonymized usage analytics.

We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes. Ever.

3. Data Storage and Security

All data is stored in Supabase (PostgreSQL with row-level security) hosted in the United States. Photos and documents are stored in Supabase Storage with access controlled by signed URLs and storage policies.

  • All traffic is encrypted in transit via HTTPS/TLS.
  • Data is encrypted at rest in the database and storage layer.
  • Database access is enforced with row-level security (RLS) policies.
  • Journal links use cryptographically random UUID v4 tokens (122 bits of entropy).
  • Optional PIN protection is verified server-side via secure RPC functions.
  • Admin access and service keys are never exposed to the client.
  • We conduct regular security reviews and follow industry-standard practices for web application security.

4. Homeowner Journal Access

Homeowner journals are read-only views. Homeowners access journals via a shared link generated by their builder. No account creation is required. The builder controls which data is visible to the homeowner via per-item visibility settings. Journals can be optionally protected with a PIN set by the builder.

5. Data Retention and Deletion

Your data is retained as long as your account is active. Builders can delete individual projects, check-ins, and uploaded files at any time. Upon account cancellation, your data remains accessible on the free tier. To request complete account and data deletion, contact us at hello@plinth.build. We will process deletion requests within 30 days and permanently remove all associated data from our systems and backups within 90 days.

6. Third-Party Services

Plinth uses the following third-party services to operate:

  • Supabase — Database, authentication, and file storage.
  • Stripe — Payment processing and subscription management.
  • Resend — Transactional email delivery.
  • Vercel — Application hosting and deployment.

Each service has its own privacy policy. We only share the minimum data necessary for each service to function. We do not use any third-party analytics, advertising, or tracking services.

7. Cookies and Local Storage

We use essential cookies for authentication session management and a service worker for offline functionality. We do not use tracking cookies, third-party advertising cookies, or cross-site tracking of any kind. No data is shared with ad networks. Local storage and IndexedDB are used solely for offline check-in queuing.

8. Your Rights

Regardless of where you are located, we provide the following rights to all users:

  • Access: Request a copy of all personal data we hold about you.
  • Correction: Request correction of inaccurate personal data.
  • Deletion: Request deletion of your account and all associated data.
  • Export: Export your project data from the dashboard at any time.
  • Opt-out: Opt out of non-essential communications at any time.

For California residents (CCPA): We do not sell personal information. We do not share personal information for cross-context behavioral advertising. You may exercise your rights by contacting us at hello@plinth.build. We will respond to all verifiable requests within 45 days.

9. Children's Privacy

Plinth is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected data from a child under 13, please contact us immediately and we will promptly delete it.

10. International Users

Plinth is operated from the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We process all data in accordance with this Privacy Policy regardless of origin.

11. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users by email within 72 hours of becoming aware of the breach. The notification will describe the nature of the breach, the data involved, and the steps we are taking to address it.

12. Changes to This Policy

We may update this privacy policy from time to time. If we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect. Continued use of Plinth after changes constitutes acceptance of the updated policy.

13. Contact

For privacy questions, data requests, or concerns, contact us at hello@plinth.build.