1. Information We Collect
We collect information you provide directly and information generated automatically when you use the Service.
Account information
- Name, business name, email address, and password (hashed, never stored in plaintext).
- Billing information processed and stored by Stripe. We never see or store full card numbers.
- Business details such as license numbers or contact information you add to your profile.
Usage data
- Log data: IP address, browser type, pages visited, and timestamps.
- Feature usage: which tools you use, estimate counts, and session duration.
- Crash reports and error logs used to diagnose and fix issues.
QuickBooks OAuth tokens
- If you enable the QuickBooks integration, we store your OAuth 2.0 access and refresh tokens. These tokens are encrypted at rest using AES-256-GCM. We never store your QuickBooks login credentials.
2. How We Use Information
We use the information we collect to:
- Provide, operate, and maintain the PAVR platform.
- Process your subscription payments through Stripe.
- Send transactional emails such as receipts, account alerts, and password resets.
- Diagnose bugs, improve reliability, and develop new features.
- Respond to your support requests.
- Comply with legal obligations.
We do not use your data for advertising. We do not build audience profiles or sell your information to data brokers.
3. QuickBooks Data
When you connect QuickBooks Online, PAVR accesses your QBO account solely to provide the sync features you enable. Specifically:
- Tokens: OAuth access tokens and refresh tokens are stored encrypted using AES-256-GCM. The encryption key is stored separately from the encrypted data.
- Customer and invoice data: We read or write customer names, invoice data, and line items only to perform the sync you configure. This data is processed in your account context only.
- No cross-tenant sharing: Your QBO data is never visible to, shared with, or used for the benefit of any other PAVR customer. Tenant isolation is enforced at the database and application level.
- Never sold: We do not sell, rent, or share your QuickBooks data with any third party for any purpose other than operating the sync you authorized.
You can disconnect QuickBooks at any time from your account settings. Upon disconnection we immediately revoke our token and delete it from our systems.
4. Data Storage & Security
Your data is stored in Google Cloud infrastructure (Cloud SQL / PostgreSQL) located in the United States. We apply the following security controls:
- AES-256 encryption at rest for all database storage.
- TLS 1.2+ encryption in transit for all data transmitted between your browser and our servers.
- Role-based access controls limiting data access to authorized personnel only.
- Regular backups with point-in-time recovery.
- Our infrastructure runs on Google Cloud Platform, which maintains SOC 2 Type II and ISO 27001 compliance. PAVR itself is working toward SOC 2 compliance.
While we take security seriously, no system is 100% secure. If you discover a security vulnerability, please report it to support@pavr.app.
5. Data Retention
- Active accounts: Your data is retained for as long as your account is active and you maintain a subscription.
- After cancellation: Your data remains accessible for 30 days after your subscription ends so you can export it.
- Deleted accounts: Upon account deletion, your personal data and business data are purged from our systems within 30 days, except where we are required to retain it for legal or tax compliance purposes.
- Billing records: We retain transaction records as required by applicable law (typically 7 years for tax purposes). This data is stored with Stripe.
6. Third-Party Services
PAVR uses a limited set of third-party services to operate the platform. Each has its own privacy policy:
- Google Cloud (Google) provides hosting and cloud storage. Google Cloud Privacy Notice
- Stripe handles payment processing and subscription billing. Stripe Privacy Policy
- Google Maps API is used for job site location features. Google Privacy Policy
- QuickBooks Online (Intuit) is an optional accounting integration. Intuit Privacy Statement
We do not use analytics platforms that track behavior across other websites (such as Google Analytics with cross-site tracking). Any analytics we use are limited to product telemetry within our own platform.
7. Cookies
We use cookies strictly to operate the Service:
- Session cookies: Used to keep you logged in during your browser session. These expire when you close your browser or log out.
- Authentication tokens: A short-lived token stored in an HTTP-only cookie to maintain your authenticated session.
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not participate in cross-site behavioral advertising.
8. Your Rights
You have the following rights regarding your data:
- Access: You can view and download your account data at any time from your account settings.
- Export: You can export your estimates and job data in a machine-readable format from within the platform, or by contacting us.
- Correction: You can update your account information at any time from account settings.
- Deletion: You can request deletion of your account and associated data by emailing support@pavr.app. We will complete the deletion within 30 days.
- Objection: You may object to certain processing activities. Contact us and we will respond within 30 days.
To exercise any of these rights, email support@pavr.app.
9. Children’s Privacy
PAVR is a business-to-business platform intended for use by adults operating paving or construction businesses. The Service is not directed at, and we do not knowingly collect personal data from, anyone under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at support@pavr.app and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email at least 30 days before the changes take effect. The “Effective date” at the top of this page reflects when the current version was last updated.
Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes. If you disagree with any changes, you should stop using the Service and may request account deletion as described in Section 8.
11. Contact
If you have questions, concerns, or requests related to this Privacy Policy or your data, please contact us:
PAVR LLC
Email: support@pavr.app
We aim to respond to all privacy-related inquiries within 5 business days.