Privacy Policy
Effective date: 22 February 2026
1. Introduction
SubShare ("we", "us", "our") operates the SubShare platform — a service that enables General Contractors to share job-site documents with subcontractors via time-limited access links. We are committed to protecting your personal data and respecting your privacy.
This policy explains what data we collect, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR) and applicable European data protection law. It applies to all users of the SubShare web application.
By using SubShare you acknowledge that you have read and understood this policy.
2. Data We Collect
Account data (General Contractors)
- Email address — used for authentication and account communications
- Company name — displayed within the platform
- Encrypted password — managed by Supabase Auth; we never see your plaintext password
Project data
- Project name, description, and site access information (e.g. lockbox codes)
- Site address — entered manually or via Google Maps autocomplete
- GPS coordinates (latitude/longitude) — derived from the selected address for map display
Subcontractor data
- Name — entered by the General Contractor at invite creation
- Phone number — used solely to deliver the magic link SMS; stored in our database until the link is deleted
- First-visit timestamp — recorded the first time a subcontractor opens their magic link
Documents
- File name, type, and size
- File content — stored securely in Supabase Storage
- Converted PDF version (where applicable) — generated by CloudConvert and stored alongside the original
Payment data
- Billing is processed entirely by Stripe. We do not store or handle card numbers or banking details.
- We store only: your Stripe customer ID, subscription plan, subscription status, and billing period dates.
Usage and notification data
- In-app notifications (e.g. "link visited", "link expiring") including related metadata
- Read and dismissed timestamps for notifications
Browser-side cache (subcontractor devices)
- Project metadata is cached in IndexedDB on the subcontractor's device for offline access
- Document files are cached in the browser's Origin Private File System (OPFS)
- This data stays on the subcontractor's device and is managed by the browser; we have no access to it
3. Legal Basis for Processing
Under GDPR Article 6, we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)) — processing necessary to provide the SubShare service, including storing projects, documents, and magic links
- Legitimate interests (Art. 6(1)(f)) — security monitoring, fraud prevention, expiry notifications, and improving the service
- Consent (Art. 6(1)(a)) — sending SMS messages to subcontractors; General Contractors confirm they have obtained the subcontractor's consent before creating an invite
- Legal obligation (Art. 6(1)(c)) — retaining payment records as required by financial regulations
4. Third-Party Processors
We share your data with the following processors solely to provide the SubShare service. Each processor is bound by a Data Processing Agreement.
| Processor | Purpose | Location |
|---|---|---|
| Supabase (supabase.com) | Database, authentication, file storage | EU (AWS EU-West) |
| Stripe (stripe.com) | Payment processing, billing management | US — SCCs apply |
| Twilio (twilio.com) | SMS delivery of magic links | US — SCCs apply |
| CloudConvert (cloudconvert.com) | Document-to-PDF conversion | Germany / EU |
| Google Maps Platform | Address autocomplete, geocoding | US — SCCs apply |
5. International Data Transfers
Some of our processors are based in the United States (Stripe, Twilio, Google Maps Platform). Transfers to these processors are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an equivalent level of data protection.
Supabase and CloudConvert operate EU-based infrastructure, so transfers to these processors do not leave the European Economic Area.
6. Data Retention
- Account data: retained for the lifetime of your account, plus 30 days following a deletion request to allow for recovery and to finalise billing
- Projects and documents: retained until you delete them
- Magic links and subcontractor phone numbers: retained until the link is deleted by the General Contractor
- Payment records: retained for 7 years to comply with financial and tax legislation
- Browser cache (IndexedDB / OPFS): controlled entirely by the subcontractor's browser; we cannot access or delete it remotely
7. Your Rights Under GDPR
If you are located in the European Economic Area or United Kingdom, you have the following rights:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate or incomplete data
- Right to erasure — request deletion of your personal data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to restriction — request that we restrict processing of your data in certain circumstances
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent (e.g. SMS), you may withdraw at any time without affecting prior processing
- Right to lodge a complaint — with your national supervisory authority (e.g. the ICO in the UK, or your national DPA in the EU)
10. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via email or an in-app notice at least 14 days before they take effect. Continued use of SubShare after the effective date constitutes acceptance of the updated policy. The current version is always available at this URL.