Privacy Policy

1. Our Roles in Data Processing

Because ShortStack is a B2B SaaS platform, we operate in two distinct capacities:

• As a Data Controller: When we collect and process the personal and business information of our direct clients (trade businesses using ShortStack).
• As a Data Processor: When we process and store the information of homeowners/leads submitted via the custom questionnaires on behalf of our clients.

2. Information We Collect

We collect only what the platform needs to run your lead pipeline, send notifications, take deposit payments, and support you. Nothing more.

Account data (you, the trade business):

• Name, email, role, and profile avatar.
• Business details: industry, website, contact email, contact phone, service country and city, and branding colours (logo, primary, secondary, accent).

Lead PII (homeowners submitting through your questionnaire):

• First and last name, email, phone, address, city.
• Questionnaire answers, job timeline, and category classification.
• Priority score, pricing estimates, activity log, and deposit status.

Payment data:

• Stripe customer ID and subscription ID, deposit payment link and amount.
• We never store full card details. Card data is handled directly by Stripe.

Telegram messages:

• Raw message text is stored for up to 12 months and then automatically purged.
• Structured intent classification and the actions taken from each message are retained permanently so historical activity stays intact.

Voice notes:

• Voice audio is sent to OpenAI Whisper for transcription.
• The resulting transcript is stored for 90 days, then automatically scrubbed.
• The structured intent output (e.g. “update lead status”) is retained permanently.

File attachments:

• Images you or your leads upload are sent to OpenAI Vision for asset identification (e.g. make, model, condition of a heat pump or switchboard).
• Scan results are stored permanently against the lead.
• Raw images are stored in Supabase Storage, access-controlled to your client workspace.

Analytics:

• Vercel Analytics collects page views, Core Web Vitals, browser/device information, and country/city.
• No personally identifiable information is transmitted to Vercel Analytics.

Error monitoring:

• Sentry captures error reports with stack traces and breadcrumbs so we can fix bugs.
• User email and IP address are explicitly stripped from every Sentry event before transmission.

IP addresses:

• Captured ephemerally by Upstash Redis for rate limiting — held only for the rate-limit window, then discarded.
• Captured permanently in admin audit logs as part of the audit trail for regulated actions (billing changes, data purges, access grants).

CRM integration credentials:

• OAuth access and refresh tokens for Tradify, Fergus, and ServiceM8 are encrypted at rest.
• Tokens are used only to sync leads and jobs with your connected CRM on your behalf.

NPS responses:

• Satisfaction score (0–10) and optional free-text comment, linked to your user and client.

Completed jobs and maintenance contracts:

• Customer first/last name, email, phone, address, job type, and value — retained so ShortStack can send service reminders and process maintenance-contract invoicing on your behalf.

3. How We Use the Information

As a Data Controller (your account data):

• To provide, maintain, and improve the ShortStack Service.
• To process subscription payments and send billing-related emails.
• To send service updates and (where you have not opted out) product announcements.

As a Data Processor (your leads' data):

• We process lead data strictly to provide the Service to you.
• We do not sell, rent, or mine lead data for our own marketing, and we do not share it with your competitors.
• You remain the Data Controller for your leads' information.

4. How We Secure Information

We apply industry-standard security controls, including Row-Level Security (RLS) policies within our database so that one client cannot read another client's data. Secrets and OAuth tokens are encrypted at rest. Card payments are handled directly by Stripe — we never see or store full card numbers. No internet-based service can guarantee 100% security, and we cannot guarantee absolute immunity from unauthorised access.

5. Third-Party Processors

We share data only with trusted service providers required to run the platform. Each processor handles only the data they need to deliver their slice of the Service:

• Stripe — payment processing and subscription billing; receives customer name, email, and billing address.
• OpenAI — voice transcription (Whisper) and image analysis (Vision). We maintain a Data Processing Agreement with OpenAI — see their DPA.
• Sentry — error monitoring; user PII (email, IP) is stripped before transmission. We maintain a Data Processing Agreement with Sentry — see their DPA.
• Vercel — application hosting and Vercel Analytics (aggregate traffic data only, no PII).
• Supabase — primary database, authentication, and file storage (raw attachments).
• Upstash — ephemeral Redis used for rate limiting.
• Telegram — message delivery for the ShortStack bot you can optionally connect to your account.

We do not sell your data to any party, and we do not use lead data to train public AI models.

6. Data Retention & Deletion

• Lead and client data: Deleted within 30 days of account cancellation. After the 30-day grace period, all associated client and lead data is permanently removed from our primary servers.
• Demo lead data: Deleted within 30 minutes of submission. Demo submissions never persist beyond the live sandbox session.
• Voice transcripts: Purged 90 days after the voice note was processed. Structured intent output is retained.
• Telegram raw messages: Purged 12 months after receipt. Structured intent classification and actions are retained.
• IP addresses in audit logs: Retained permanently as part of the regulated audit trail.
• Analytics data: Governed by Vercel's retention policy.
• Soft-deleted leads: Remain in the database for recovery purposes unless explicitly purged by an admin.

7. Your Rights

Under the New Zealand Privacy Act 2020 and the Australian Privacy Act 1988, you have the right to:

• Access the personal information we hold about you.
• Correct any inaccurate or out-of-date information.
• Request deletion (erasure) of your personal information.

If you are a trade business client, you can manage most of this directly in your dashboard, or email us at support@shortstack.co.nz.

If you are a homeowner/lead, please contact the trade business that collected your information (the Data Controller). We will assist them in fulfilling your request.

8. Changes to this Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on this page or via email.

9. Contact Us

For any privacy-related queries, email support@shortstack.co.nz or .