Privacy Policy

Effective Date: April 15, 2026  |  Last Updated: April 15, 2026

1. Who We Are

Jones Legacy Creations ("Company," "we," "us," or "our") is a licensed general contractor headquartered in Southern Utah. We operate a proprietary project-management platform ("Platform") that our authorized staff use to manage construction projects, process contractor payments, and integrate with QuickBooks Online ("QBO") for accounting purposes.

This Privacy Policy explains how we collect, use, disclose, and safeguard personal information in connection with the Platform and our public website (joneslegacycreations.com).

Contact: office@joneslegacycreations.com

2. Information We Collect

2.1 Account & Staff Information

  • Name, email address, and hashed password (via Supabase Auth)
  • Role and permission level within the Platform
  • IP address and session metadata for security logging

2.2 Contractor Data

Our staff enters contractor records into the Platform. This may include:

  • Legal name, business/company name
  • Email address, phone number, and mailing address
  • Tax identification numbers — Federal EIN or individual SSN, collected via W-9 forms uploaded to the Platform. This is sensitive personal information.
  • Bank account details — ABA routing number and bank account number, collected for ACH direct-deposit payment processing. This is sensitive financial information.
  • Classification (subcontractor, vendor, employee) and 1099 eligibility status

2.3 Project & Financial Data

  • Project names, addresses, budgets, draw schedules, and progress records
  • Invoices, receipts, and other financial documents uploaded to the Platform
  • Payment amounts, dates, and descriptions
  • AI-assisted categorizations generated from uploaded documents

2.4 QuickBooks Online Data

When a QBO connection is authorized, we access and write data through the Intuit QuickBooks Online API, including vendor records, bills, and bill payments. We access only the data necessary to operate the Platform's accounting sync features. We do not store raw QBO credentials; instead, we store OAuth 2.0 tokens provided by Intuit.

2.5 Website & Technical Data

  • Browser type, operating system, referring URL, and pages visited
  • IP address and approximate geographic location (country/state)
  • Cookies and similar session identifiers (see Section 8)

2.6 Communications

If you contact us via email, contact form, or other means, we retain those communications for customer-service and legal purposes.

3. How We Use Your Information

We use the information described above to:

  • Operate, maintain, and improve the Platform and website
  • Authenticate and authorize users
  • Create and manage contractor vendor records in QuickBooks Online
  • Process contractor payments via ACH bank transfer through QBO
  • Send direct-deposit enrollment invitations to contractors
  • Analyze uploaded invoices and documents with AI-assisted tools for categorization and data extraction
  • Generate draw requests, lien waivers, and financial reports
  • Comply with applicable tax-reporting obligations (1099 issuance)
  • Detect, investigate, and prevent fraudulent or unauthorized activity
  • Respond to legal requests and enforce our Terms of Service

We do not sell personal information to third parties. We do not use personal information for advertising or marketing profiling. QuickBooks data accessed through the Intuit API is used exclusively to power the Platform's accounting integration and is not shared with any party other than as described in Section 5.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) or United Kingdom, our legal bases for processing personal data are:

  • Contract performance — processing necessary to provide the services described in our Terms of Service
  • Legitimate interests — security monitoring, fraud prevention, and platform improvement, where those interests are not overridden by your rights
  • Legal obligation — compliance with applicable tax law (e.g., 1099 reporting), financial regulations, and court orders
  • Consent — where we have specifically requested it (e.g., marketing communications)

5. Information Sharing & Subprocessors

We share personal information only with the service providers necessary to operate the Platform ("Subprocessors") and as required by law. Each Subprocessor is contractually required to protect personal information to at least the same standard we apply.

Subprocessor                     | Purpose                                                   | Data Location
---------------------------------|-----------------------------------------------------------|------------------------------
Supabase, Inc.                   | Database hosting, authentication, and file storage        | United States (AWS us-east-1)
Vercel, Inc.                     | Web application hosting and edge infrastructure           | United States / Global edge
Resend, Inc.                     | Transactional email delivery (invitations, notifications) | United States
Intuit Inc. (QuickBooks Online)  | Accounting integration — vendor, bill, and payment sync   | United States
Anthropic, PBC                   | AI-assisted document analysis and invoice data extraction | United States

We may also disclose personal information: (a) to comply with applicable law, court order, or governmental regulation; (b) to enforce our Terms of Service; (c) to protect the rights, property, or safety of Jones Legacy Creations, our users, or the public; or (d) in connection with a merger, acquisition, or sale of business assets, in which case the successor entity will be bound by this Privacy Policy.

6. Sensitive Data Handling

Certain categories of data we handle are classified as sensitive under applicable law:

  • Tax Identification Numbers (SSN / EIN): Collected from W-9 forms submitted by contractors. Stored encrypted at rest in Supabase. Accessed only by authorized staff with a legitimate business need. Transmitted only to QBO for 1099 reporting purposes.
  • Bank Account Numbers: Collected for ACH direct-deposit setup. Stored encrypted at rest. Transmitted to QBO over TLS. We never log or display full account numbers beyond the masked last-4 digits in the Platform UI after initial entry.

Access to sensitive data is restricted to authenticated, authorized staff on a need-to-know basis. All access is logged for audit purposes.

7. Data Retention

  • Project and financial records — retained for a minimum of 7 years from project close to comply with IRS record-keeping requirements and applicable state contractor regulations.
  • W-9 / tax documents — retained for a minimum of 4 years following the tax year of filing, consistent with IRS guidelines for 1099 issuance.
  • Contractor records — retained while the contractor relationship is active and for 7 years thereafter.
  • Staff account data — retained for the duration of employment plus 2 years, unless a longer retention period is required by law.
  • Website analytics / logs — retained for 90 days, then purged.

When data is deleted, we remove it from active systems within 30 days. Backup copies may persist for up to 90 additional days before being overwritten.

8. Cookies & Tracking Technologies

Our public website and Platform use the following types of cookies and similar technologies:

  • Strictly necessary cookies — Session authentication cookies set by Supabase Auth to keep you logged in. These are required for the Platform to function and cannot be disabled.
  • Functional cookies — Preferences such as theme (light/dark mode) and UI state stored in localStorage or sessionStorage. These are not transmitted to any third party.
  • Analytics — We do not currently use third-party analytics trackers (e.g., Google Analytics) on the Platform or public website.

Because we use only strictly necessary and functional cookies, a cookie consent banner is not required under the EU ePrivacy Directive for our current implementation. Should we add analytics or marketing cookies in the future, we will obtain consent prior to setting those cookies.

You may clear cookies at any time through your browser settings. Note that clearing authentication cookies will log you out of the Platform.

9. Security

We implement administrative, technical, and physical safeguards appropriate to the sensitivity of the data we process, including:

  • TLS 1.2+ encryption for all data in transit
  • AES-256 encryption for data at rest (Supabase / AWS)
  • Role-based access control (RBAC) limiting data access to authorized staff
  • Row-Level Security (RLS) policies enforced at the database layer
  • HMAC-SHA256 verification of all incoming QuickBooks webhook events
  • Multi-factor authentication available for staff accounts
  • Automated secret rotation for API credentials
  • Activity logging for sensitive data access and payment operations

In the event of a data breach involving your personal information, we will notify affected individuals and, where required, regulatory authorities within 72 hours of becoming aware of the breach, as required by the GDPR and applicable U.S. state laws.

Despite these measures, no system is 100% secure. If you believe your account or information has been compromised, contact us immediately at office@joneslegacycreations.com.

10. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

  • Right to access — Request a copy of the personal data we hold about you.
  • Right to correction — Request correction of inaccurate or incomplete data.
  • Right to deletion — Request deletion of your personal data, subject to our legal retention obligations.
  • Right to data portability — Receive your data in a structured, machine-readable format (GDPR / CCPA).
  • Right to restrict processing — Request that we limit how we use your data in certain circumstances.
  • Right to object — Object to processing based on legitimate interests.
  • Right to opt out of sale / sharing — We do not sell or share personal information for cross-context behavioral advertising, so this right does not apply; however, you may contact us to confirm.

Utah residents: The Utah Consumer Privacy Act (UCPA) provides rights to access, deletion, portability, and opt-out of sale of personal data. To exercise these rights, please submit a request to office@joneslegacycreations.com with "Privacy Request" in the subject line. We will respond within 45 days. California residents may also submit requests under CCPA/CPRA.

Note: Certain personal information is retained by law (e.g., IRS records) and cannot be deleted upon request. We will explain any such limitations when we respond to your request.

11. Children's Privacy

The Platform is intended solely for use by authorized business personnel and contractors age 18 and older. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected information from a child under 13, we will promptly delete it.

12. Accessibility

We are committed to making our website and Platform accessible to all users, including those with disabilities. We target conformance with the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA. If you encounter an accessibility barrier, please contact us at office@joneslegacycreations.com and we will work to resolve it promptly.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes to our practices, legal requirements, or services. Material changes will be communicated via email to registered Platform users at least 14 days before taking effect. The "Last Updated" date at the top of this page reflects the most recent revision. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.

14. Contact Us

For privacy-related questions, requests, or concerns:

Jones Legacy Creations

Southern Utah, USA

Email: office@joneslegacycreations.com