CleanGeek

Privacy Policy

Last updated: January 1, 2026

Table of Contents

  1. Introduction
  2. Information We Collect
  3. How We Use Your Information
  4. Data Sharing and Third-Party Services
  5. Multi-Tenant Data Isolation
  6. Cookies and Tracking Technologies
  7. Data Retention
  8. Your Rights
  9. California Privacy Rights (CCPA)
  10. Children's Privacy
  11. International Data Transfers
  12. Security Measures
  13. Changes to This Policy
  14. Contact Information

1. Introduction

CleanGeek ("we," "us," or "our") operates a multi-tenant software-as-a-service platform for cleaning service companies. This Privacy Policy describes how we collect, use, disclose, and protect information when you use our website, applications, and services (collectively, the "Service").

This policy applies to all users of the Service, including:

  • Operators: Cleaning service companies that use CleanGeek to manage their business
  • Staff Users: Employees and contractors (admins, dispatchers, technicians) who access the platform through an Operator's account
  • End Customers: Customers of Operators who interact with the Service through the customer portal, booking process, or communications
  • Visitors: Individuals who browse our marketing website, directory, marketplace, or forum

By using the Service, you consent to the practices described in this Privacy Policy. Please also review our Terms of Service, which govern your use of the Service.

2. Information We Collect

2.1 Account Information

When you register for an account, we collect:

  • Company name, address, phone number, and email address
  • Owner and staff names, email addresses, and usernames
  • Passwords (stored as bcrypt hashes; we never store plaintext passwords)
  • Role assignments within the company account
  • Company logo and user avatar images

2.2 Business and Customer Data

Operators input business data into the Service, including:

  • Customer names, addresses, phone numbers, and email addresses
  • Booking details (service type, date, time, location, pricing)
  • Invoicing and payment records
  • Service notes, internal notes, and communication history
  • Before/after service photos and customer signatures
  • Damage reports and documentation
  • Review and feedback data

Operators are the data controllers for their customer data. CleanGeek acts as a data processor on the Operator's behalf.

2.3 Location Data

We collect location data in the following contexts:

  • Technician GPS tracking: When technicians use the mobile application, we collect real-time GPS coordinates to enable dispatch, routing, and ETA features. Location tracking operates during active work sessions.
  • Trip logs: Start and end coordinates and timestamps for service appointments, used for mileage calculation and route optimization.
  • Service addresses: Customer addresses are geocoded (converted to latitude/longitude) for mapping and routing purposes.

2.4 Usage Data

We automatically collect information about how you interact with the Service:

  • Pages viewed, features used, and actions taken
  • Device type, browser type, and operating system
  • IP address and approximate geographic location derived from IP
  • Referring URLs and search terms
  • Session duration and access timestamps
  • Error logs and performance data

2.5 Payment Information

Payment processing is handled by Stripe. We do not directly collect or store credit card numbers or bank account details. We do store:

  • Stripe customer and subscription identifiers
  • Transaction records (amounts, dates, invoice status)
  • Payment method type (e.g., card brand and last four digits, as provided by Stripe)

2.6 Communication Data

We collect the content of communications sent through the Service, including:

  • Portal messages between Operators and their customers
  • Internal team messages
  • Email campaign content and delivery records
  • SMS messages sent via the platform

2.7 Marketplace and Forum Data

If you use the CleanGeek marketplace or community forum, we collect:

  • Marketplace user account information (separate from Operator accounts)
  • Listing details, photos, and messages between buyers and sellers
  • Forum posts, replies, reactions, and flags

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service: Operating, maintaining, and delivering the features and functionality of the platform, including booking management, dispatch, invoicing, and customer communication.
  • Authentication and Security: Verifying your identity, securing your account, detecting fraudulent or suspicious activity, and enforcing our Terms of Service.
  • Billing: Processing subscription payments, calculating platform fees, and managing invoicing.
  • Communication: Sending transactional emails (booking confirmations, appointment reminders, invoice notifications), responding to support inquiries, and delivering platform announcements.
  • Analytics and Reporting: Generating business reports for Operators (revenue, utilization, customer analytics) and aggregated platform analytics for service improvement.
  • Location Services: Enabling technician dispatch, route optimization, ETA notifications, and service area heatmaps.
  • Improvement: Understanding how users interact with the Service to improve features, fix bugs, and develop new functionality.
  • Legal Compliance: Complying with legal obligations, resolving disputes, and enforcing our agreements.

We do not sell your personal information to third parties. We do not use your data to build advertising profiles or serve targeted advertisements.

4. Data Sharing and Third-Party Services

We share information with third-party service providers solely to operate and deliver the Service. These providers are contractually obligated to protect your data and use it only for the purposes we specify.

4.1 Payment Processing

Stripe (stripe.com/privacy) processes all payments on the platform, including Operator subscription billing and customer invoice payments. Stripe receives payment method details, transaction amounts, and billing addresses.

4.2 SMS Communications

Twilio (twilio.com/legal/privacy) delivers SMS messages on behalf of Operators, including appointment reminders and ETA notifications. Twilio receives phone numbers and message content. Operators may configure their own Twilio credentials for per-company SMS delivery.

4.3 Email Delivery

Transactional and marketing emails are delivered through:

  • SendGrid (sendgrid.com/policies/privacy)
  • Mailgun (mailgun.com/privacy-policy)

These services receive recipient email addresses, message content, and delivery metadata. Operators may also configure custom SMTP servers for email delivery.

4.4 Mapping and Geocoding

We use mapping services (including Leaflet.js with OpenStreetMap tile providers) to display maps, geocode addresses, and provide routing information. Service addresses and technician locations are transmitted to map tile providers.

4.5 Optional Integrations

Operators may choose to connect third-party integrations, including:

  • QuickBooks Online / Xero / FreshBooks / Invoice Ninja for accounting sync
  • HubSpot for CRM sync
  • Google Business Profile for review management

When an Operator enables an integration, relevant business data (customer records, invoices, bookings) may be shared with that third-party service under the Operator's own account and authorization.

4.6 Legal and Safety Disclosures

We may disclose information if required to do so by law, in response to a valid legal process (subpoena, court order, or government request), or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of CleanGeek, our users, or the public.

5. Multi-Tenant Data Isolation

CleanGeek is built as a multi-tenant platform with strict data isolation between Operator accounts. Key safeguards include:

  • Query-Level Scoping: Every database query is scoped by company identifier (derived from the authenticated user's JWT). No Operator can query, view, or modify data belonging to another Operator.
  • API Enforcement: All API endpoints validate that the requesting user's company matches the data being accessed. Cross-tenant access attempts are logged and rejected.
  • Upload Isolation: Uploaded files (photos, logos, documents) are stored with company-scoped identifiers to prevent unauthorized access.
  • Superadmin Access: Platform administrators have the ability to access Operator accounts for support and troubleshooting purposes. All superadmin actions are recorded in an immutable audit log.

6. Cookies and Tracking Technologies

We use the following technologies to operate and improve the Service:

6.1 Essential Cookies and Storage

  • Authentication tokens: JWT access and refresh tokens stored in localStorage, required for the Service to function.
  • Theme preference: Light/dark mode preference stored in localStorage.
  • Session data: Temporary data needed to maintain your session state.

6.2 Analytics

We may use privacy-respecting analytics to understand aggregate usage patterns (page views, feature adoption, error rates). We do not use third-party advertising trackers or cross-site tracking cookies.

6.3 Managing Cookies

You can manage or delete cookies through your browser settings. Note that disabling essential cookies or localStorage will prevent the Service from functioning correctly.

7. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specific retention periods include:

  • Active accounts: Data is retained for the lifetime of the account.
  • Cancelled accounts: Data is retained for 30 days after account termination to allow for export and recovery, after which it may be permanently deleted.
  • Audit logs: Retained for a minimum of 2 years for security and compliance purposes.
  • Backup data: Database backups are retained for up to 90 days and then purged.
  • Payment records: Transaction records are retained for 7 years as required by applicable tax and financial regulations.
  • IP ban records: Automatically expire after the configured ban duration (default 30 minutes).

When data is deleted, we make commercially reasonable efforts to remove it from our active systems. Residual copies in backups will be overwritten according to the backup retention schedule.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

8.1 Right of Access

You have the right to request a copy of the personal information we hold about you. Operators can export their data at any time through the reporting and export features of the Service.

8.2 Right to Correction

You can update your account information directly through the Service at any time. If you believe any information we hold is inaccurate, you may contact us to request correction.

8.3 Right to Deletion

You may request deletion of your personal information by contacting us at support@cleangeek.app. We will process deletion requests within 30 days, subject to any legal obligations that require us to retain certain records.

8.4 Right to Data Portability

You have the right to receive your data in a structured, commonly used, machine-readable format. The Service provides CSV and PDF export capabilities for bookings, customer records, and financial data.

8.5 Right to Object

You may object to processing of your personal information for direct marketing purposes. All marketing emails include an unsubscribe mechanism.

8.6 End Customer Rights

If you are an end customer of an Operator using CleanGeek, your data is controlled by that Operator. Please direct data access, correction, or deletion requests to the Operator (cleaning company) that services your account. We will cooperate with Operators to fulfill such requests.

9. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your information.
  • Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
  • No Sale of Personal Information: We do not sell personal information as defined by the CCPA. We do not share personal information for cross-context behavioral advertising.

To exercise your CCPA rights, contact us at support@cleangeek.app with the subject line "CCPA Request." We will verify your identity before processing your request and respond within 45 days.

10. Children's Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information promptly.

If you are a parent or guardian and believe that your child has provided personal information to us, please contact us at support@cleangeek.app so that we can take appropriate action.

Users must be at least 18 years of age (or the age of majority in their jurisdiction) to create an Operator account on the platform.

11. International Data Transfers

CleanGeek is based in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers maintain facilities.

By using the Service, you consent to the transfer of your information to the United States and other countries that may have different data protection laws than your country of residence. We implement appropriate safeguards to ensure that your information remains protected in accordance with this Privacy Policy.

12. Security Measures

We implement technical and organizational measures designed to protect your information from unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption: All data transmitted between your device and our servers is encrypted using TLS/SSL. Passwords are hashed using bcrypt.
  • Authentication: JWT-based authentication with HS256 algorithm pinning, token refresh rotation, and session revocation capabilities. Optional WebAuthn (passkey) support for passwordless authentication.
  • Rate Limiting: Multi-tier rate limiting to prevent brute force attacks (login: 5 attempts per 15 minutes; global: 200 requests per minute).
  • Intrusion Detection: Automated detection and temporary banning of suspicious activity, including honeypot endpoints for common attack vectors.
  • Access Controls: Role-based access control (owner, admin, dispatcher, technician) following the principle of least privilege. All superadmin actions are logged.
  • Upload Validation: File uploads are validated for MIME type and size, with unguessable filenames to prevent enumeration.
  • Audit Logging: Sensitive actions (impersonation, password resets, plan changes, data exports) are recorded in an immutable audit log.

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a prominent notice within the Service at least 15 days before the changes take effect.

We will update the "Last updated" date at the top of this page to reflect the date of the most recent revision. We encourage you to review this Privacy Policy periodically.

Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

CleanGeek
Email: support@cleangeek.app

For data protection inquiries, please include "Privacy" in the subject line of your email. We aim to respond to all privacy-related inquiries within 30 days.

Effective date: January 1, 2026

© 2026 CleanGeek. All rights reserved.