Privacy Policy
Last updated: April 12, 2026
This Privacy Policy explains how SmartTakeoffs (“we,” “us,” or “our”) collects, uses, and safeguards information when you use our web application and related services (the “Service”). We built SmartTakeoffs for commercial foodservice equipment dealers, and we try to collect only what we actually need to run the product.
1. Scope and definitions
This policy applies to personal data we process when you visit smarttakeoffs.com, create an account, or use the Service. It does not cover third-party sites we link to, or the independent privacy practices of our customers when they use the Service to process their own project data.
In this policy, “personal data” means information that identifies or can reasonably be linked to an individual. “Customer” means the company that holds a SmartTakeoffs account. “User” means an individual authorized by a Customer to use the Service. When a Customer uploads bid documents that contain personal data (for example, names and emails of manufacturers' reps), the Customer is the controller of that data and SmartTakeoffs acts as a processor on their behalf.
2. Who we are
SmartTakeoffs is operated out of Texas, USA. If you have questions about this policy or about data we hold on you, email us at hello@smarttakeoffs.com. We do not currently employ a dedicated Data Protection Officer; privacy inquiries are handled through the same address.
3. Information we collect
Account information
When you create an account, we collect your name, email address, company, and authentication identifiers. Account creation and sign-in are handled by Clerk, our authentication provider.
Uploaded bid documents
To perform a takeoff, you upload project manuals, drawings, and addendums (usually PDFs). These files are stored in tenant-isolated cloud storage and processed by our takeoff engine.
Generated deliverables
The Service produces takeoff spreadsheets (Excel), spec-section PDFs, rendered drawing sheets, quote emails, and AutoQuotes-compatible project files (.aqproj). We store these alongside your project so you can return to them later.
Usage and telemetry
We record basic product usage: takeoff counts, feature interactions, error events, and similar metrics. This helps us understand what is working and prioritize fixes. We may create aggregated and de-identified statistics from this data for benchmarking and product development.
Technical data
Like most web applications, we log technical information such as IP address, browser type, device type, and request timestamps. This is used for security, abuse prevention, and debugging.
Communications
If you email us or submit a form, we retain that correspondence so we can respond and keep a record of the conversation.
4. How we use your data
- To provide the Service and generate the outputs you ask for.
- To improve the product — including refining our extraction prompts, catching bugs, and measuring accuracy.
- To respond to support requests and communicate with you.
- To protect the Service against abuse, fraud, and unauthorized access.
- To comply with applicable legal obligations and enforce our Terms of Service.
We do not sell your personal data or share it for cross-context behavioral advertising. We do not use your bid documents to train general-purpose AI models on behalf of third parties.
5. Legal bases for processing (EEA/UK)
If you are in the European Economic Area or the United Kingdom, we process your personal data on one or more of the following legal bases under the GDPR:
- Contract — to provide the Service you or your company signed up for.
- Legitimate interests — to secure, maintain, and improve the Service, and to communicate with you about it, where those interests are not overridden by your rights.
- Consent — where we ask for it, for example for optional marketing emails. You can withdraw consent at any time.
- Legal obligation — to comply with laws that apply to us.
6. Third-party subprocessors
We rely on a small set of trusted vendors to operate the Service. Your data may be processed by these providers in their role as subprocessors:
- Anthropic — powers the AI extraction that reads your spec and drawings.
- Supabase — database hosting for account and project metadata.
- Backblaze B2 — object storage for uploaded documents and generated deliverables.
- Clerk — user authentication and session management.
- Stripe (future) — payment processing once paid plans go live.
- Resend (future) — transactional email delivery.
- Cloudflare Turnstile — bot protection on forms.
This list is current as of the “Last updated” date at the top of this page and may be updated as our infrastructure evolves. Where we add or replace a subprocessor that materially changes how Customer data is handled, we will update this page and, where appropriate, notify Customers by email or in-app notice.
7. International data transfers
SmartTakeoffs is based in the United States and primary data processing occurs in the U.S. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S. and potentially in other countries where our subprocessors operate. For transfers of personal data from the EEA, UK, or Switzerland, we rely on mechanisms permitted under applicable law, including Standard Contractual Clauses where appropriate, and we commit to taking reasonable steps to ensure your data receives an equivalent level of protection.
8. Data retention
We keep your bid documents and generated deliverables as long as your account is active, so you can revisit past projects. You can delete individual projects or your entire account at any time from your settings; deleted data is removed from our primary systems within a reasonable window, though residual copies may remain in encrypted backups for a short period before being overwritten. We may retain limited records longer where required to comply with legal obligations, resolve disputes, or enforce our agreements.
9. Security
Data is encrypted in transit (TLS) and at rest. Uploaded documents are stored in tenant-isolated buckets so one customer cannot access another's files. We use role-based access controls internally and limit production access to the smallest team necessary. No system is perfectly secure, but we take reasonable steps to keep your data protected.
If we become aware of a security incident that compromises your personal data, we will notify affected Customers without undue delay and in line with applicable legal requirements, and will share what we know about scope, impact, and remediation.
10. Your rights
Depending on where you live, you may have rights to access, correct, delete, or export the personal data we hold about you, and to object to or restrict certain processing. To exercise any of these rights, email hello@smarttakeoffs.com. We will respond within the timeframes required by applicable law, and we will not discriminate against you for exercising these rights.
If you are in the EEA, UK, or Switzerland (GDPR)
You have the right to access, rectify, erase, restrict processing of, object to processing of, and port your personal data, and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your local supervisory authority.
If you are a California resident (CCPA/CPRA)
You have the right to know what personal information we collect and how we use it, to request deletion, to correct inaccurate information, to limit the use of sensitive personal information, and to opt out of “sale” or “sharing” of personal information as those terms are defined under California law. We do not sell or share personal information as defined by the CCPA/CPRA. You may designate an authorized agent to make a request on your behalf.
Other U.S. states (Virginia, Colorado, Connecticut, and similar laws)
Residents of states with comprehensive privacy laws have similar rights of access, correction, deletion, and opt-out of targeted advertising or profiling. We honor these rights on the same basis described above.
We do not make formal claims of GDPR or CCPA certification at this stage; we aim to honor the substance of those rights in good faith.
11. Cookies and tracking
We use cookies and similar local storage for authentication session management and basic product functionality. We do not use cookies for advertising tracking or cross-site behavioral profiling. The main categories we use are:
- Strictly necessary — authentication, session, and security (including Clerk and Cloudflare Turnstile).
- Functional — remembering preferences and UI state.
- Analytics — basic, first-party usage metrics to improve the product.
We honor Global Privacy Control (GPC) signals sent by your browser as an opt-out of any “sale” or “sharing” of personal information under applicable U.S. state laws. Because we do not engage in targeted advertising tracking, there is no advertising cookie to disable. You can also clear or block cookies through your browser settings; some parts of the Service may not work if you do.
12. Marketing communications
We may send you occasional product updates, announcements, or tips related to the Service. You can unsubscribe from marketing emails at any time via the link in the message or by contacting us. We will still send you operational messages (for example, billing receipts, security notices, and material changes to this policy).
13. Children's privacy
SmartTakeoffs is a business tool and is not directed at children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us personal information, please contact us and we will delete it.
14. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top and, where appropriate, notify you by email or in-app notice at least before the change takes effect. Continued use of the Service after an update means you accept the revised policy.
15. Contact
Privacy questions, data requests, or security concerns: hello@smarttakeoffs.com.