Privacy Policy

1. Who we are

"Foremann," "we," "us," and "our" refer to the company operating the Foremann product — a mobile and web service that provisions a dedicated business phone number for tradespeople and drafts reply suggestions for inbound text messages. If you're a solo plumber, landscaper, electrician, or other contractor using Foremann, you're the "contractor" or "user." The people who text your business number (your customers) are "clients" in this policy.

2. What we collect

2.1 Information you give us as a contractor

• Account details: name, email, personal phone number, time zone, and authentication credentials managed through our auth provider (Supabase).
• Business profile: business name, trade, service area, crew size, job types you typically take or exclude, pricing notes, availability, communication style preferences, phrases to "always say" or "never say," and example messages you've written.
• Client records you create: the names, phone numbers, addresses, and notes you save about your customers.
• Billing information: your plan, subscription status, and Stripe customer identifier. We do not store your full card number; Stripe handles that.
• Device tokens: push notification tokens (Expo) so we can alert you when a client texts.

2.2 Information that flows through your business line

• SMS content: the full body of every inbound and outbound text message sent to or from your Foremann business number, with timestamps and delivery status.
• Caller phone numbers: the phone number of any client who texts or calls your business line.
• Voice calls: we do not record or store voice calls. Inbound calls hear a short "please text this number instead" message and are disconnected.

2.3 AI-generated content

• Draft replies, follow-ups, and summaries produced by our AI model provider (Anthropic), including token usage counts.
• Your interactions with those drafts: whether you accepted, edited, or dismissed them.

2.4 Automatically collected

• Standard request logs (IP address, user agent, timestamps) captured by our hosting provider (Railway) for security and debugging.
• Usage counters (messages sent, AI suggestions generated per month) so we can enforce plan limits and show you your usage.

2.5 Cookies and analytics

• Session cookies: our web app uses cookies strictly necessary to keep you logged in and maintain your session. No session cookie = you get logged out.
• Preference storage: we use local storage to remember in-app preferences (such as your last-viewed thread) so the app feels consistent across visits.
• Marketing site analytics: our public marketing site (foremann.app) uses privacy-respecting, cookieless analytics to understand aggregate traffic patterns (pages visited, referral source, general geography). We do not use Google Analytics or any analytics tool that tracks individuals across sites or builds behavioral profiles.
• No advertising cookies: we do not use behavioral advertising cookies, retargeting pixels, or third-party tracking scripts that follow you around the web.

You can control session cookies through your browser settings, but disabling them will prevent you from staying logged in. Cookieless analytics cannot be blocked because they don't use cookies.

3. How we use it

We use the data above only to:

• Run the Foremann service — deliver your texts, draft your replies, sync your inbox to your phone.
• Train your specific foreman to sound like you. The business profile and example messages you provide are included as context each time we generate a draft for you. We do not use your data to train shared or foundation models.
• Bill you and prevent fraud or abuse of the system.
• Send you account-related email and push notifications (usage warnings, billing receipts, critical service notices). You can disable push notifications in your device settings.
• Send you optional product updates, tips, and marketing communications, but only if you have opted in. Every marketing email includes a one-click unsubscribe link. You can also opt out by emailing privacy@foremann.app.
• Improve the product — in aggregated, de-identified form only.
• Comply with legal obligations and enforce our Terms.

3A. Lawful basis for processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following lawful bases:

• Contract performance: processing necessary to deliver the Service you signed up for — your account, your business number, SMS delivery, AI drafts, and billing.
• Legitimate interests: security monitoring, fraud prevention, product analytics (aggregated/de-identified), and enforcing our Terms — where these interests are not overridden by your rights.
• Legal obligation: retaining billing records and cooperating with valid legal requests.
• Consent: optional marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.

If you have questions about our legal bases or wish to object to any processing based on legitimate interests, email privacy@foremann.app.

4. The AI model provider

Draft replies, summaries, and follow-up suggestions are generated by Anthropic's Claude models via the Anthropic API. To generate a draft, we send the relevant conversation thread and your business profile to Anthropic as a prompt. Anthropic processes the prompt, returns the draft, and — per their API terms — does not use API inputs or outputs to train their models. We use prompt caching to reduce cost, which means portions of your business profile may sit in Anthropic's short-lived cache for a few minutes at a time.

5. How we share it

We share your data only with service providers that make Foremann work, and only as needed:

• Twilio — to send and receive SMS and to provision and manage your business phone number.
• Anthropic — to generate AI drafts, as described in Section 4.
• Supabase — our database and authentication provider; stores the data listed in Section 2.
• Railway — hosts our application servers.
• Stripe — processes subscription payments.
• Expo — delivers push notifications to your phone.

We do not sell your data. We do not share it with advertisers. We do not share it with other Foremann customers.

We may disclose information if required by law, subpoena, or valid government request, or to protect the safety, rights, or property of Foremann, our users, or the public. If we ever merge with, are acquired by, or sell assets to another company, your data may be transferred as part of that transaction; you'll be notified before it moves.

Data Processing Agreements (DPA). If your business is subject to the GDPR, CCPA, or similar data protection laws and you require a formal DPA with Foremann, email privacy@foremann.app. We will execute a DPA with you on reasonable, standard terms.

6. Your clients' data

When a client texts your Foremann business number, we store the message, their phone number, and any name, address, or note you attach to their record. You are the data controller for your client list — the decisions about who to message, what data to collect about your customers, and how long to keep it are yours. Foremann acts as a data processor on your behalf: we store and process that client data only to provide you the Service, not for our own purposes.

You are responsible for having the right to contact those clients under applicable law (including the TCPA in the United States). If a client asks to be removed, archive them in the app and stop messaging them; you can also delete the client and their conversation from your account. If a client contacts us directly about their data, we will route the request to you as the business that collected it, and we will cooperate with any deletion or access request you direct us to fulfill.

7. Retention

• Active accounts: we keep your messages, client records, and business profile for as long as your account is active.
• Cancelled accounts: we retain your data for 90 days after cancellation so you can reactivate, then delete it (or de-identify it for aggregate analytics). This 90-day window includes your client records and conversation history.
• Billing records: retained for the period required by tax and accounting law (typically seven years in the U.S.).
• Backups: deleted data may persist in encrypted backups for up to 30 additional days before rotating out.
• Deletion requests: if you request deletion of your account before the 90-day window, we'll delete it within 30 days of your request, subject to our legal retention obligations for billing records.

8. Security

We use encryption in transit (TLS) for all traffic between your device, our servers, and our subprocessors. Data at rest in Supabase is encrypted. Access to production systems is restricted to a small set of employees and is credential-protected. We validate Twilio webhook signatures on every inbound message. No system is perfect, though — if we experience a security incident that affects you, we'll notify you as required by law.

9. Your rights

Depending on where you live (California, Colorado, Virginia, the EU/UK, and others), you may have the right to:

• Access the personal information we hold about you.
• Correct or update it.
• Delete it (subject to our legal retention obligations).
• Export it in a portable format.
• Object to or restrict certain processing.
• Withdraw consent you previously gave (including consent to marketing emails).
• Opt out of any sale or sharing of your personal information (see California section below).

To exercise any of these rights, email privacy@foremann.app. We'll respond within 30 days (or 45 days if we notify you of an extension). We won't retaliate against you for exercising your rights. We may need to verify your identity before acting on your request.

California residents (CCPA/CPRA): we do not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA, and we have not done so in the preceding 12 months. We do not use sensitive personal information for purposes beyond those necessary to provide the Service. The categories of personal information we collect are listed in Section 2; the purposes are in Section 3. You have the right to know, delete, correct, and opt out. To submit a verifiable consumer request, email privacy@foremann.app or use the deletion option in the app settings. We will not discriminate against you for exercising these rights. California's "Shine the Light" law (Civil Code § 1798.83) allows residents to request disclosure of personal information shared with third parties for direct marketing purposes in the prior year; we do not share personal information for direct marketing and have no disclosures to make.

Marketing opt-out: every marketing email we send includes a one-click unsubscribe link. You can also opt out at any time by emailing privacy@foremann.app. Opting out of marketing does not affect account-essential communications (billing, security, service notices).

10. SMS, A2P, and carrier rules

U.S. carriers require that application-to-person (A2P) messaging be registered and that senders have permission to text recipients. When you use Foremann to send SMS, you are the sender in the eyes of the carriers, and you agree to follow all applicable rules, including the TCPA and CTIA Messaging Principles. Standard message and data rates from the recipient's carrier may apply. Recipients can reply STOP at any time to opt out; we'll block further messages from your number to that recipient automatically.

11. Children

Foremann is a business tool and is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us data, email us and we'll delete it.

12. International users

Foremann is operated from the United States. If you're accessing the service from outside the U.S., your data will be transferred to and processed in the U.S. and in the regions where our subprocessors operate. By using Foremann, you consent to that transfer.

EEA/UK users: if you are accessing the Service from the EEA or United Kingdom, transfers of your personal data to the United States are covered by appropriate safeguards, which may include Standard Contractual Clauses (SCCs) approved by the European Commission or the UK International Data Transfer Agreement. To request a copy of the applicable transfer mechanism, email privacy@foremann.app.

13. Changes to this policy

We'll update this page when our practices change. If the change is material, we'll notify you by email or in the app before it takes effect. The "Last updated" date at the top reflects the current version.

14. Contact

Questions, requests, or complaints?
Email: privacy@foremann.app
General: hi@foremann.app