Privacy Policy
Last updated: June 16, 2026
SubVerify ("SubVerify," "we," "us," or "our") operates the subcontractor compliance management platform at getsubverify.com("the Service"). This Privacy Policy explains what personal and business information we collect, how we use it, who we share it with, and your rights regarding your data.
By using the Service, you agree to the collection and use of data as described in this Privacy Policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Name and email address — used to identify your account and communicate with you.
- Company name and type — general contractor or subcontractor, used to set up your account correctly.
- Password — stored as a hashed value; we never store your password in plain text.
1.2 Compliance Documents and Business Data
Subcontractors upload compliance documents through the Service. These may include:
- Certificates of insurance (COI) — General Liability, Workers Compensation, Auto
- Contractor licenses and business licenses
- W-9 tax forms (containing business name, address, EIN/SSN)
- OSHA certifications, bonding certificates, and other compliance documents
- Document metadata: file names, upload dates, expiry dates
Note: W-9 forms and certain documents may contain sensitive tax identification information. These documents are stored encrypted and access is restricted to authorized users within your organization.
1.3 Billing Information
When you subscribe to a paid plan, payment is processed by Stripe. SubVerify does not collect or store full credit card numbers. We receive and store limited payment metadata from Stripe, including the last four digits of your card, card type, and billing zip code, for account management purposes.
1.4 Usage Data
We automatically collect information about how you use the Service, including:
- Log data: IP address, browser type, pages visited, timestamps
- Device information: operating system, screen resolution
- Actions taken within the platform (document uploads, invitations sent, reports generated)
This data is used to operate, improve, and secure the Service and is not used to build advertising profiles.
1.5 Communications
If you contact us by email or through the Service, we retain those communications to provide support and improve the Service.
1.6 Audit Log and Activity Data
SubVerify collects and retains a comprehensive audit log of user activity within the platform. This audit log includes:
- Login history — timestamp, IP address, device type, and location data for each login event
- Document upload history — who uploaded a document, when it was uploaded, and what document type was uploaded
- Document download and view history — who accessed, viewed, or downloaded a compliance document and when
- Document export history — who exported compliance data, reports, or documents and when
- Invitation activity — invitations sent, accepted, declined, or revoked, and by whom
- User account actions — role changes, password resets, account bans, and permission changes
- Administrative actions — administrative changes made within the platform
- Compliance status changes — when a document was marked compliant, expired, or non-compliant, and what triggered the change
This audit log data is used for: security monitoring, fraud prevention, compliance audit trails, platform troubleshooting, legal compliance, and responding to lawful requests. Audit logs are retained for the duration of the active account plus 7 years after account closure.
2. How We Use Your Information
We use the information we collect to:
- Provide and operate the Service — including storing your compliance documents, sending compliance status updates, and generating reports.
- Send automated compliance alerts — email notifications when documents are approaching expiry (30-day advance notice) or have expired.
- Process payments — billing for subscriptions via Stripe.
- Send transactional emails — account confirmations, password resets, subcontractor invitations, and compliance alerts via Resend.
- Improve the Service — analyzing usage patterns to improve features, reliability, and user experience.
- Security and fraud prevention — monitoring for unauthorized access and abuse.
- Maintain audit trails — retaining logs of user activity for security, compliance, and legal purposes.
- Legal compliance — complying with applicable laws and responding to lawful requests.
We do not sell your personal information or compliance documents to third parties. We do not use your data for advertising or behavioral profiling.
3. Document Access Logging
SubVerify maintains detailed logs of all document access activity within the platform. Specifically, we log and retain records of:
- Who viewed a compliance document, including the user's name, company, and timestamp
- Who downloaded a compliance document
- Who exported compliance data, reports, or summaries
- Who uploaded, replaced, or deleted a compliance document
These access logs serve as a compliance audit trail and a security monitoring tool. These logs may be provided to:
- The general contractor who owns or manages the project associated with the document, in connection with their legitimate use of the Service
- Law enforcement agencies or government authorities presenting a valid legal process (subpoena, court order, or equivalent)
- Parties involved in legal proceedings where such access logs are relevant and required by law or court order
Document access logs are retained for the duration of the active account plus 7 years after account closure.
4. Access Control and Data Visibility
SubVerify is designed with strict data isolation to ensure that users can only access data they are authorized to view:
- General Contractors — can view, manage, and download compliance documents for subcontractors within their own projects and working relationships only. GCs cannot access documents belonging to projects or relationships they are not party to.
- Subcontractors — can upload, view, update, and manage their own compliance documents only. Subcontractors cannot access documents or data belonging to other subcontractors.
- Company administrators — control all user accounts, permissions, and data access within their own company account only.
- SubVerify staff — access user data only when required for customer support, security investigation, legal compliance, or platform maintenance. All such access is subject to internal access controls and audit logging.
Row-level security is implemented in the SubVerify database to enforce these access boundaries at the data layer, not just the application layer.
5. Third-Party Services and Data Processors
SubVerify uses the following third-party service providers to operate the platform. Each acts as a data processor on our behalf and is bound by data protection agreements:
Supabase
Database, authentication, and file storage provider. Your account data, compliance documents, and document metadata are stored on Supabase infrastructure hosted in the United States. Supabase is SOC 2 Type II certified. Learn more: supabase.com/privacy
Stripe
Payment processing provider. All payment card data is handled directly by Stripe and is subject to PCI DSS compliance. SubVerify does not process or store raw payment card data. Learn more: stripe.com/privacy
Resend
Transactional email provider. Used to send compliance alerts, subcontractor invitations, and account notifications. Email addresses are transmitted to Resend solely for the purpose of delivering these communications. Learn more: resend.com/legal/privacy-policy
Vercel
Hosting and content delivery infrastructure. The SubVerify web application is hosted on Vercel's edge network. Vercel may process request logs including IP addresses and request metadata. Learn more: vercel.com/legal/privacy-policy
6. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service:
- Active accounts: All data is retained while your account is active.
- After cancellation: Your data is retained for 90 days after account cancellation, during which you may request a data export. After 90 days, your data is permanently deleted from active storage.
- Billing records: Payment transaction records are retained for 7 years as required for tax and accounting purposes.
- Audit logs: Activity and access logs are retained for the duration of the account plus 7 years for legal compliance, fraud prevention, and security purposes.
- Compliance documents: Documents uploaded by subcontractors are owned by the uploading party. Upon account deletion, all associated documents are removed from active storage within 90 days.
Backup copies: Deleted information may remain in encrypted backup storage after deletion from active systems. Backup copies are retained for disaster recovery purposes and are typically rotated out within 30 days of the normal backup rotation cycle. Data in backup storage is encrypted and is not accessible for normal platform operations.
You may request confirmation that deletion has been completed from active storage, including confirmation that backup rotation has completed, by contacting us at contact@warrenandsabb.com.
If you need to export your data before account deletion, contact us at contact@warrenandsabb.com.
7. Data Security
We implement industry-standard security measures to protect your data, including:
- HTTPS/TLS encryption for all data transmitted between your browser and the Service
- Encrypted storage for compliance documents via Supabase (AES-256 at rest)
- Hashed password storage — passwords are never stored in plain text
- Row-level security policies ensuring GCs can only see their own subcontractors' documents, and subcontractors can only see their own documents
- Regular security reviews of third-party integrations
- Access controls and audit logging for SubVerify staff access to user data
No method of electronic transmission or storage is 100% secure. While we use commercially reasonable means to protect your data, we cannot guarantee absolute security.
7.1 Security Incident Response
In the event of a security incident affecting your personal information, SubVerify will:
- Investigate and contain the incident as quickly as possible
- Notify affected users within 72 hours of discovery, as required by applicable law, with details about the nature of the incident and data affected
- Cooperate with law enforcement and regulatory authorities as required
- Take remediation steps to prevent recurrence and mitigate harm to affected users
8. International Users and Data Transfers
SubVerify is operated from the United States. All data stored and processed by SubVerify, including compliance documents, account data, and audit logs, is stored and processed in the United States.
If you are located outside the United States, including in the European Economic Area (EEA), United Kingdom, or other jurisdictions with data protection laws that differ from U.S. law, you acknowledge and consent to the transfer of your personal data to the United States for processing and storage.
For data transfers from the EEA to the United States, SubVerify relies on Standard Contractual Clauses (SCCs)as the legal mechanism for such transfers, including through Supabase's Standard Contractual Clauses. By using the Service, EEA users acknowledge that their data will be transferred to and processed in the United States, which may have different data protection standards than those in the EEA.
9. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
9.1 For All Users
- Access: Request a copy of the personal data we hold about you.
- Correction: Update or correct inaccurate personal data through your account settings or by contacting us.
- Deletion: Request deletion of your account and associated personal data, subject to our retention obligations.
- Data portability: Request an export of your data in a machine-readable format.
- Opt-out of non-essential emails: Unsubscribe from marketing communications at any time. Note: you cannot opt out of transactional emails (compliance alerts, account notices) while your account is active, as these are necessary for the Service.
9.2 Identity Verification for Data Requests
Before fulfilling any access, deletion, correction, or export request, SubVerify will verify the identity and authority of the requestor. To protect against unauthorized disclosure or deletion of data, requests must be:
- Submitted from the email address on the account of record, or
- Accompanied by other satisfactory proof of identity as determined by SubVerify
For requests made on behalf of a company, the requestor must also demonstrate authority to act on behalf of the business entity. SubVerify will respond to verified requests within 30 days (or sooner as required by applicable law).
9.3 GDPR — European Economic Area (EEA) Users
If you are located in the EEA, you have additional rights under the General Data Protection Regulation (GDPR):
- Right to restrict processing: You may request that we limit how we use your data in certain circumstances.
- Right to object: You may object to processing of your data based on legitimate interests.
- Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority.
Our lawful bases for processing your data under GDPR are: (a) performance of a contract — providing the Service you signed up for; (b) legitimate interests — security, fraud prevention, service improvement, and audit log maintenance for fraud detection and legal compliance; and (c) legal obligation — compliance with applicable laws, including data breach notification requirements. Audit logs and activity data are retained on the basis of legitimate interests (fraud prevention and security) and legal obligation. Data transfers outside the EEA rely on Standard Contractual Clauses.
9.4 Additional State Privacy Rights
Residents of the following states have additional rights under their respective state privacy laws:
- Virginia (VCDPA): Rights to access, correct, delete, and obtain a portable copy of personal data; right to opt out of certain processing.
- Colorado (CPA): Rights to access, correct, delete, and obtain a portable copy of personal data; right to opt out of targeted advertising, sale of personal data, and profiling.
- Connecticut (CTDPA): Rights to access, correct, delete, and obtain a portable copy of personal data; right to opt out of certain processing.
- Utah (UCPA): Rights to access and delete personal data; right to obtain a portable copy of personal data; right to opt out of sale of personal data and targeted advertising.
To exercise any of these rights, submit your request to contact@warrenandsabb.com with the subject line "State Privacy Request." Requests will be processed within the timeframes required by applicable law.
9.5 CCPA — California Residents
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know: The categories of personal information collected about you and the purposes for which it is used.
- Right to delete: Request deletion of personal information we have collected.
- Right to opt-out of sale: SubVerify does not sell personal information. There is nothing to opt out of.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise any of these rights, contact us at contact@warrenandsabb.com with the subject line "Privacy Request."
10. Cookies and Tracking
SubVerify uses cookies and similar technologies to operate the Service:
- Authentication cookies: Used to keep you logged in to your account. These are strictly necessary and cannot be disabled.
- Session cookies: Temporary cookies that expire when you close your browser.
- Preference cookies: Used to remember your account preferences.
SubVerify does not use third-party advertising cookies or cross-site tracking cookies. You can control cookies through your browser settings, though disabling authentication cookies will prevent you from logging in.
11. Children's Privacy
The Service is intended for business use only and is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided us with personal information, we will delete such information promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email to your registered address or by posting a notice within the Service at least 14 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the updated policy.
13. Contact Us
For questions, privacy requests, or to exercise your rights under this Privacy Policy, contact us:
SubVerify — Privacy Team
Email: contact@warrenandsabb.com
Subject line: "Privacy Request"
Website: getsubverify.com
We will respond to privacy requests within 30 days (or sooner as required by applicable law).