Privacy Policy

Last updated: May 2, 2026

This Privacy Policy describes how SpotBiddr ("we," "our," or "us") collects, uses, and shares information about you when you use our service. By using SpotBiddr, you agree to the collection and use of information as described in this policy.

1. Introduction & Scope

SpotBiddr is a business-to-business SaaS platform operated by VAI Operations LLC ("Company"). This policy applies to all users of our website and application, including contractors and trade professionals who create accounts and use our AI-powered estimating tools. This policy does not apply to third-party websites or services linked from our platform.

2. Information We Collect

Account Data

  • Email address and hashed password (via Supabase Auth)
  • Google profile name and email (if you sign in with Google OAuth)

Business Profile

  • Company name, trade types, and service description
  • License number, payment terms, and warranty language
  • Company logo (image file stored in Supabase Storage)

Estimate Content

  • Job descriptions and scope of work (text input)
  • Uploaded photos and documents (processed via Anthropic Files API)
  • Voice recordings (recorded in-browser, transcribed via OpenAI Whisper, then discarded — not stored)

Payment Data

Payment card details are handled exclusively by Stripe and are never transmitted to or stored on our servers. We store only your Stripe customer ID, subscription plan tier, and subscription status.

Usage & Technical Data

  • Pages visited and features used (via Vercel Analytics, if enabled — no personal identifiers stored)
  • IP address, browser type, and device information (collected by Supabase and Vercel infrastructure for security and performance)
  • User ID and IP address (stored ephemerally in Upstash Redis for rate limiting; not retained after the rate-limit window expires)

3. How We Use Your Information

  • Service delivery: Generating AI-powered project estimates using your input
  • AI inference: Estimate content is sent to Anthropic's Claude API for processing
  • Voice transcription: Audio recordings are sent to OpenAI's Whisper API and discarded after transcription
  • PDF generation: Creating and storing proposal PDFs in Supabase Storage
  • Shared proposals: Generating public share links for proposals you choose to send to clients
  • Email notifications: Sending transactional emails (billing alerts, etc.) via Resend
  • Billing: Managing subscriptions and payments through Stripe
  • Rate limiting: Preventing abuse using Upstash Redis (no personal data is retained)
  • Security & fraud prevention: Detecting and preventing unauthorized access
  • Service improvement: Understanding aggregate usage patterns to improve features

4. Third-Party Service Providers

We share data with the following sub-processors to operate the service. All providers are contractually bound to protect your data.

Provider | Purpose | Location
Supabase | Authentication, database, file storage | US
Stripe | Payment processing & subscriptions | US / EU
Anthropic | AI estimate generation (Claude API) | US
OpenAI | Voice transcription (Whisper API) | US
Resend | Transactional email delivery | US
Vercel | Application hosting & global CDN | US / Global edge
Upstash | Rate limiting (Redis) | US

5. Cookies & Local Storage

SpotBiddr uses a single httpOnly, SameSite=Lax session cookie set by Supabase to maintain your authenticated session. This cookie is strictly necessary for the service to function and cannot be disabled without losing authentication. We do not use tracking, advertising, or analytics cookies. No cookie consent banner is displayed because we only use strictly-necessary cookies, which are exempt from prior consent requirements under the GDPR ePrivacy Directive.

6. Data Retention

  • Account data: Retained while your account is active, plus 30 days after a deletion request
  • Estimate data: Retained while your account is active; you may delete individual estimates at any time
  • Voice recordings: Processed in memory and discarded immediately after transcription — not stored
  • Uploaded files: Stored in Supabase Storage and deleted when the associated estimate or your account is deleted
  • Stripe billing records: Retained per Stripe's legal and financial compliance requirements (up to 7 years)
  • Rate-limit data: Discarded automatically after each sliding-window period (60 seconds)

7. Data Security

We implement industry-standard security measures including TLS encryption for all data in transit, encryption at rest provided by Supabase and Vercel infrastructure, access controls limiting data access to authorized personnel, and regular security reviews. No method of transmission over the internet is 100% secure; while we strive to protect your data, we cannot guarantee absolute security.

8. Your Rights — California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to delete: Request deletion of your personal information, subject to certain exceptions
  • Right to opt out of sale: We do not sell, rent, or share your personal information for monetary consideration
  • Right to non-discrimination: We will not discriminate against you for exercising any CCPA rights

To exercise these rights, contact us at support@vaioperationsllc.com.

9. Your Rights — EU/EEA Residents (GDPR)

We process your data on the following legal bases: performance of a contract (account creation, service delivery, billing) and legitimate interest (security, fraud prevention). If you are located in the EU or EEA, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict processing
  • Receive your data in a portable format (data portability)
  • Object to processing based on legitimate interest
  • Lodge a complaint with your national data protection supervisory authority

Your data is processed in the United States. For transfers from the EU/EEA, we rely on Standard Contractual Clauses as the lawful transfer mechanism.

10. Children's Privacy

SpotBiddr is a business tool intended exclusively for users 18 years of age or older. We do not knowingly collect personal information from children under 18. If we become aware that we have collected information from a minor, we will delete it promptly. If you believe we have inadvertently collected such information, contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy periodically. For material changes, we will notify you by email or via an in-app notice at least 30 days before the change takes effect. Your continued use of the service after the effective date constitutes acceptance of the updated policy. We encourage you to review this page periodically.

12. Contact Us

For privacy-related inquiries, data access requests, or to exercise your rights, contact us at:

support@vaioperationsllc.com