Privacy Policy

Version 2026-05-10 · v1.0 · Covers Providers, their Clients, and their Crews.

1. Who This Covers

This Privacy Policy describes how Plantburgh® LLC, a Pennsylvania limited liability company and parent of Plantburgh Products ("Plantburgh"), collects, uses, and shares personal data across three roles:

Providers — the businesses that use Plantburgh Portal directly (the account owners).
Provider Clients — the customers of Providers who interact with us indirectly through portals, widgets, and emails the Provider sends.
Crew Members — technicians, employees, and sub-contractors the Provider invites to use the sub-portal.

For Provider Clients and Crew Members: the Provider is the data controller. Plantburgh is the data processor. Direct privacy questions to your Provider in the first instance.

2. What We Collect

Category	Examples	Source
Account data	Name, email, business name, trade, crew size	Provider on signup or waitlist intake
Operational data	Clients, jobs, invoices, photos, schedules, messages	Provider and Crew during use
Provider Client data	Name, email/phone, address, service history, payment records	Provider entering or importing into the Service
Payment data	Card last-4, billing address, Stripe customer ID	Stripe (we never store full card numbers)
Usage telemetry	Page views, feature interactions, crash logs	Browser/app during use
AI conversation logs	Provider AI prompts, widget chat transcripts, attached images	Provider/Provider-Client interaction with AI features

3. How We Use It

Provide the Service (run features, deliver emails, render dashboards).
Improve the Service (anonymized analytics, performance debugging).
AI feature processing (prompts and conversations sent to LLM providers under data-processing agreements; we do not train third-party models on Provider Data).
Communicate with Providers about their account, billing, and product updates.
Comply with law (subpoenas, fraud prevention, dispute resolution).

4. Who We Share With

Stripe — payment processing.
SendGrid — transactional and Provider-authored email delivery.
Anthropic — AI inference (Claude family models). Subject to Anthropic's commercial terms; not used for model training.
Google Cloud / Firebase — hosting, database, authentication.
Provider Clients and Crew Members — data the Provider chooses to share with their own customers and crew via the Service.
Government / law enforcement — only when legally compelled.

We do not sell personal data.

5. Your Rights

You may have the right to:

Access — request a copy of all personal data we hold about you.
Delete — request deletion of your data (subject to legal retention obligations).
Export — receive your data in JSON or CSV.
Rectification — correct inaccurate data.
Restriction — limit processing of your data.
Objection — object to processing for marketing purposes.
Opt out of non-essential communications.

California residents have additional rights to know what personal information is collected, request deletion, and opt out of the sale of personal information. We do not sell personal data.

Provider Clients and Crew Members should direct requests to the relevant Provider in the first instance. Providers may submit requests to privacy@plantburgh.com.

6. Data Retention

Active accounts: data retained for the duration of the business relationship.
Cancelled accounts: Provider Data retained for 30 days for export, then permanently deleted.
AI conversation logs: retained for 90 days, then automatically purged.
Analytics & server logs: retained for 12 months.
Financial records: retained for 7 years per IRS requirements, even after account deletion.
Service records: retained for the relationship duration plus 7 years (tax and legal purposes).

6A. SMS & Communication Consent

By engaging the Service, Providers consent to receive service-related communications via email, SMS, or phone (account, billing, security, product updates). Provider Clients consent through their Provider's terms. Message types include account notifications, appointment reminders, on-the-way notifications, payment confirmations. Frequency typically 1–4 messages per month. Standard message and data rates may apply. Opt out of SMS by replying STOP; for help reply HELP. Marketing communications require separate opt-in.

7. Security

Encryption in transit (TLS) and at rest (Firestore native). Tenant data isolation enforced via Firestore Security Rules. Multi-tenant audit logging on AI calls. Stripe Connect handles all card data.

8. Data Breach Notification

In the event of a data breach affecting your personal information, we will notify affected parties within 72 hours of discovery. The notification will include the nature of the breach, data affected, steps taken, and recommended protective actions.

9. International Transfers

Plantburgh is based in the United States. By using the Service, you understand Provider Data may be processed in the U.S. and other jurisdictions where our sub-processors operate. [PLACEHOLDER — Standard Contractual Clauses for EU data subjects pending counsel.]

10. Children

The Service is not directed at children under 18. Providers must not enter children's data without verifiable parental consent.

11. Changes

We will publish material changes here with at least 30 days' notice and prompt re-acceptance. Continued use after the effective date constitutes acceptance.

12. Relationship to Per-Tenant Privacy

This Privacy Policy describes Plantburgh's processing across all Providers. Each Provider may publish their own privacy notice (managed in Settings → Legal & Policies) governing their direct relationship with their Provider Clients. The two operate at different layers and are not in conflict.

13. Contact

Email: privacy@plantburgh.com · Plantburgh LLC, Pittsburgh, PA.