ForgeCore
ForgeCore

Privacy Policy

Effective date: April 22, 2026  ·  Last updated: April 22, 2026

1. Who we are

This Privacy Policy describes how Michael Bartlett Construction, a Tennessee sole proprietorship owned by Michael Bartlett ("we," "us," "our"), collects, uses, discloses, and protects information when you use our web application at contractor.bartlettlabs.dev(the "Service").

The Service is used by a general contractor to estimate construction projects, manage subcontractor relationships, schedule jobs, track documents (business licenses, workers' compensation certificates, liability insurance, IRS Form W-9), and — on an opt-in basis — pay subcontractors via ACH transfer.

Business address: 1031 Sugartree Pt, Cookeville, TN 38501
Contact: bartlettinvestmentstn@gmail.com · 931-261-1353

2. Information we collect

We collect the following categories of information:

From account owners (contractors using the Service)

  • Email address (used as the login identifier)
  • Authentication codes sent to your email (hashed before storage)
  • Session identifiers stored in cookies on your device
  • Project information you enter (addresses, square footage, land cost, rate cards, material selections, schedule data)
  • Trade / subcontractor contacts you add to your roster
  • When financial connections are added through Plaid: bank-account metadata provided by Plaid (account name, account type, institution name, masked account number, Plaid-issued access tokens)

From subcontractors (when contacted through the Service)

  • Name, company name, phone number, email address (entered by the contractor)
  • Specialty categories and notes added by the contractor
  • Documents uploaded by the contractor (business license, workers' compensation certificate, liability insurance certificate)
  • Information you voluntarily submit via a time-limited, signed link: IRS Form W-9 data (legal name, business name, tax classification, address, Taxpayer Identification Number) and your electronic signature
  • Text-message replies you send to the contractor's business number (stored to provide reschedule / confirmation / quote responses)

Automatically collected

  • Server logs (IP address, request path, user agent) retained by Cloudflare for up to 7 days
  • Timestamps of access to sensitive fields (e.g., TIN reveals) for audit purposes

3. How we use your information

  • Authenticate you and keep you signed in
  • Generate cost estimates and project schedules on your behalf
  • Deliver SMS or email messages you approve (schedule notices, quote requests, W-9 links)
  • Produce IRS Form W-9 PDFs for your records
  • Maintain audit trails of actions affecting subcontractor data
  • Initiate and reconcile ACH payments you explicitly approve (through Plaid, when enabled)
  • Comply with legal obligations including IRS 1099 reporting and Tennessee state breach-notification requirements (T.C.A. § 47-18-2107)

We do not sell personal information. We do not use personal information for advertising. We do not use personal information to train AI models; when we use Groq LLC's inference API to analyze blueprints or draft SMS responses, data is sent only for that single request and is not retained by Groq for training.

4. Plaid disclosure

If you connect a bank account to the Service, we use Plaid Inc.("Plaid") to gather financial information from the relevant financial institution. By connecting your account, you acknowledge and agree that your information may be transferred, stored, and processed by Plaid in accordance with the Plaid End User Privacy Policy.

Plaid may access your financial institution on your behalf to retrieve account and routing numbers, transaction information, and identity information to enable payment transfers you initiate in the Service. We only retain Plaid-issued access tokens and account metadata necessary to display connected accounts and send ACH transactions you approve; we do not store your online banking credentials.

5. How we share your information

We share information only with the following categories of service providers, each contractually bound to use your data solely to provide their service to us:

  • Cloudflare, Inc. — application hosting, database (D1), object storage (R2), DNS, and CDN
  • Twilio Inc. — SMS delivery for schedule notices, quote requests, and signed W-9 links
  • Resend, Inc. — email delivery for login codes and system notifications
  • Groq LLC — AI model inference used to analyze uploaded blueprints and draft SMS replies (no training on your data)
  • Plaid Inc. — bank-account linking and ACH payment rails, upon opt-in

We may also disclose information when required by law (e.g., subpoena, court order, or law-enforcement request), when necessary to protect the rights, property, or safety of our business or others, or in connection with a sale, merger, or bankruptcy proceeding affecting the business. We do not otherwise share personal information with third parties.

6. How long we keep it

  • Account data: retained while your account is active and for up to 12 months after deactivation, then deleted.
  • Subcontractor W-9 records and payment history: retained for a minimum of 4 years after the last payment to comply with IRS 1099 recordkeeping requirements, then purged.
  • Magic-code login tokens and upload-link tokens: retained only until used or expired, then deleted on their normal schedule.
  • Cloudflare server logs: retained by Cloudflare for up to 7 days.
  • Plaid access tokens: retained only while the corresponding bank account is actively connected; revoked and deleted when the connection is severed.

7. Security

Security is described in detail in our Information Security Policy (available on request). Highlights: TLS 1.3 in transit; AES-GCM-256 encryption of Taxpayer Identification Numbers at rest; SHA-256 hashing of login tokens, session tokens, and upload-link tokens; per-tenant authorization on every database query; mandatory two-factor authentication on administrator accounts for Cloudflare, Twilio, Resend, and (upon enrollment) Plaid. In the event of a data breach affecting personal information of Tennessee residents, we will notify affected individuals in accordance with T.C.A. § 47-18-2107.

8. Your rights

You may request at any time that we correct inaccurate information, delete your account, or provide a copy of the personal information we hold about you. To make a request, contact us at bartlettinvestmentstn@gmail.com. We respond within 30 days.

Subcontractors who provided information via a signed W-9 link may additionally request that their submission be voided and deleted, except where retention is required by IRS 1099 recordkeeping rules.

Residents of states with specific consumer privacy rights (including Tennessee under TIPA, where applicable) may have additional rights such as access, correction, deletion, and data portability. Contact us at the address above to exercise these rights.

9. Children's privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us information, contact us at the address above and we will delete it promptly.

10. International users

The Service is operated from the United States. If you are located outside the United States, be aware that information we collect will be transferred to, stored, and processed in the United States, where data-protection laws may differ from those in your jurisdiction.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top and, if the changes are material, provide notice through the Service or by email to account owners. Your continued use of the Service after the changes take effect constitutes acceptance of the revised policy.

12. Contact us

Michael Bartlett Construction
1031 Sugartree Pt
Cookeville, TN 38501
bartlettinvestmentstn@gmail.com · 931-261-1353