Privacy Policy

Parapet (“Parapet,” “we,” “us”) is an AI-assisted construction estimation platform operated from Canada. This Privacy Policy explains how we handle personal information across our marketing site at getparapet.com, our application at app.getparapet.com, and the public quote-upload links that estimators send to subcontractors.

Questions about this policy or about your data: email [email protected].

We only collect what we need to operate the service. Categories below reflect what is actually stored or transmitted by the platform today.

Account information

• Email address (used for sign-in, hashed by our auth provider).
• Full name, role within your organization, optional avatar.
• Organization name, slug, optional logo, default margin preferences.

Project and business content

• Project name, client name, project location, building type, square footage, bid deadlines, internal notes.
• Architectural drawings (PDF) you upload, plus the page images and extracted text our pipeline derives from them.
• Subcontractor and client records you create: company name, contact name, email, phone, mailing address, regions served, ratings, interaction history.
• Quote files uploaded by you or by a subcontractor through a time-limited public link, plus the line items our pipeline parses from them.

Billing

• Stripe customer and subscription identifiers, plan, billing period, invoice URLs.
• We do not store full payment instruments. Card data is collected and stored by Stripe directly under their PCI-compliant environment.

Usage telemetry and diagnostics

• Product analytics events (for example, project_created, drawing_uploaded, rod_review_completed) keyed to a user ID and organization ID.
• Error reports (stack traces, request paths, breadcrumbs) tagged with a user ID and organization ID for debugging.
• Standard server logs (IP address, user agent, timestamp) for security and abuse prevention.

Cookies and local storage

• Essential session cookies (HttpOnly, Secure, SameSite) issued by our auth provider so you stay signed in.
• Analytics local storage set by Mixpanel to de-duplicate events for the same browser.
• UI preference flags in browser local storage (for example, “don’t show this prompt again”).

Essential session cookies are required for the Service to function and are always set. We do not use cookies for advertising. To opt out of product analytics, email [email protected] and we will exclude your activity from analytics collection.

We use the information described above to:

• Operate the service: authenticate users, store your projects, run AI analysis on drawings and quotes, generate ROD documents, and export bid packages.
• Send transactional email: account confirmations, password resets, team invitations, quote-upload notifications, billing receipts.
• Bill you for paid plans through Stripe.
• Debug, monitor performance, and protect against abuse.
• Improve the product in aggregate (which features get used, where users get stuck).

We do not sell personal information. We have not and will not in the next twelve months.

We do not use your drawings, quotes, or other customer content to train any AI model — ours or anyone else’s. We send content to AI sub-processors (see below) only to perform the analysis you requested, and only under terms that prohibit training on customer data.

We rely on a small number of vetted vendors to deliver the service. Each one is contractually limited to processing data on our behalf for the purpose listed.

• Supabase — primary database, authentication, and file storage. Receives all account, project, drawing, quote, and CRM data.
• Anthropic — AI inference (Claude models). Receives drawing page images, extracted text, and quote PDFs only during an analysis run. Per Anthropic’s API terms, customer content is not retained after inference and is not used for model training.
• Stripe — billing and payments. Receives your organization name, billing email, and subscription details; handles card data directly.
• Resend — transactional email delivery. Receives recipient email addresses and message contents.
• Railway — hosts our API and worker services and our Redis-backed job queue. Receives whatever data flows through our backend during a request or background job.
• Cloudflare — edge hosting and CDN for the marketing site and application. Receives standard HTTP request metadata.
• Mixpanel — product analytics. Receives event names, user ID, and organization ID. Does not receive drawing or quote content.
• Sentry — error monitoring. Receives stack traces, request paths, user ID, and organization ID when an error occurs.

We will update this list when we add or change a sub-processor. If you would like to receive notice of sub-processor changes, email [email protected].

• Account data — kept while your account exists. Deleted (or de-identified) within 30 days after you close the account or your organization is deleted, except where we must keep it longer to meet a legal obligation.
• Project, drawing, quote, and CRM data — kept while your organization exists. When an organization owner deletes the organization, all of its records cascade-delete and the associated files in storage are removed.
• Billing records — kept for the period required by tax and accounting law (typically seven years).
• Product analytics — retained per our analytics provider’s default (currently up to twelve months).
• Error logs — retained for up to 90 days.

We are happy to share more granular retention windows on request.

Estimators using Parapet can send a subcontractor a time-limited public link to upload a quote PDF directly. If you are a subcontractor uploading through one of these links:

• You do not need a Parapet account, and we do not collect a password from you.
• The PDF you upload, its file name, and the time of upload are stored as part of the general contractor’s organization data. The general contractor controls that data.
• If you want a copy of, or want us to delete, the file you uploaded, contact the general contractor that sent you the link. If they do not respond, you may also email [email protected] and we will help facilitate.

You can:

• Access the data tied to your account through the in-app organization and project views.
• Correct account, organization, project, and CRM information directly in the app.
• Delete your entire organization (and all of its associated data) if you are the organization owner, from the organization settings screen. This action cascades through every related record.
• Request any of the above, or any other right you hold under applicable law (right to know, right to delete, right to correct, right to opt out of sale or sharing, right to portable copy), by emailing [email protected]. We aim to respond within 45 days. We will not retaliate or discriminate against you for exercising these rights.

To exercise rights on behalf of someone else, you may use an authorized agent. We will ask for written proof of authorization and may verify the underlying request directly with the data subject.

Parapet is operated from Canada, and we handle personal information in accordance with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws. We collect, use, and disclose personal information only for the purposes described in this policy, and we rely on your consent (which you may withdraw, subject to legal or contractual restrictions) and on other lawful bases where they apply.

You may request access to the personal information we hold about you, ask us to correct it, or raise a concern about how we handle it, by emailing [email protected]. If you are not satisfied with our response, you have the right to complain to the Office of the Privacy Commissioner of Canada (or your provincial privacy regulator, where applicable).

Cross-border processing. Some of our sub-processors (including our database and AI providers) store and process data on servers located in the United States. By using the Service you acknowledge that your information may be transferred to, stored in, and processed in the United States and other countries, where it may be subject to lawful access requests by courts and authorities in those jurisdictions.

The categories of personal information described in “What we collect” map to the following CCPA / CPRA categories:

• Identifiers — name, email, account ID, IP address.
• Customer records / commercial information — organization name, role, project records, CRM records.
• Internet or other electronic network activity — session and usage logs, analytics events.
• Professional or employment-related information — your role at your employer (estimator, project manager, owner).

We do not knowingly collect categories of “sensitive personal information” as defined by the CPRA (such as government IDs, precise geolocation, racial or ethnic origin, biometric or health data). We do not sell or share personal information for cross-context behavioral advertising.

California residents may exercise the rights described above by emailing [email protected].

Parapet is operated from Canada and built primarily for North American retail general contractors. Our database and most of our sub-processors operate in the United States. Wherever you access the Service from, you consent to your information being transferred to and processed in the United States and other countries, which may have different data-protection standards than your home country.

If you are an EU/EEA, UK, or Swiss data subject, you have the rights described in “Your rights and choices” under applicable local law (including GDPR rights to access, rectify, erase, restrict, port, and object). The same email channel applies.

Parapet is a business tool. The service is not directed at children under 18, and we do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, contact us and we will delete it.

We describe our technical and organizational safeguards on a dedicated page: Security at Parapet. In short: every table is gated by per-organization Row Level Security at the database layer, file uploads go directly to encrypted storage via signed URLs, AI inference happens server-side only, and webhooks are signature- verified.

If a breach of security safeguards affects your personal information and creates a real risk of significant harm, we will notify the affected individuals and the appropriate regulator (the Office of the Privacy Commissioner of Canada, and any other regulator required by law) as soon as feasible, and we will keep records of breaches as required by applicable law. Where we process personal information on behalf of a customer organization (for example, the data inside their projects), we will also notify that organization without undue delay so that it can meet its own notification obligations. Our technical safeguards are described on our Security page.

We may update this Privacy Policy as the product or the law changes. When we do, we update the “Last updated” date at the top. For material changes, we will give logged-in users notice in the app before the change takes effect.

Privacy questions, requests, or complaints: [email protected].

Mailing address: Parapet, Canada (full address available on request).