Legal
Privacy Policy
Last updated: May 26, 2026
This policy explains what data Jobflo collects, how we use it, who we share it with, and the choices you have. We've written it in plain language. If anything is unclear, email us at privacy@jobflo.us.
1. Who we are
Jobflo (a sole proprietorship operated by Nick Watkins, Reno, Nevada; “Jobflo,” “we,” “us”) provides scheduling, dispatch, invoicing, and payments software for service businesses. This policy covers our website, web app, and any Jobflo-branded mobile apps (together, the “Service”).
2. The data we collect
Account information
When you sign up we collect your name, email address, business name, phone number, and a hashed password. If you sign in with Google or another identity provider, we receive your name, email, and a unique identifier from that provider.
Customer and job data you upload
You upload customer records, job notes, photos, invoices, and similar operational data into Jobflo to run your business. You own this data. We process it on your behalf to provide the Service.
Payment information
Subscription payments are handled by Stripe. We don't store full card numbers on our servers. Stripe sends us a token, the last four digits of the card, the brand, and the expiry date so you can manage your billing.
Usage and device data
We collect basic technical information when you use the Service: browser type, operating system, IP address, pages viewed, actions taken, and timestamps. We use this to keep the Service secure, debug problems, and understand which features are useful.
Communications
If you contact support, we keep a record of the conversation so we can help you and improve our help materials.
3. How we use your data
- Provide, operate, and maintain the Service
- Authenticate you and keep your account secure
- Process subscription payments and send billing receipts
- Respond to support requests
- Send transactional emails (account changes, invoices, alerts)
- Send occasional product updates — you can opt out of marketing email at any time
- Improve the Service: diagnose bugs, measure performance, and prioritize new features
- Comply with legal obligations and enforce our Terms of Service
We do not sell your personal information. We don't use your customer or job data to train machine-learning models.
4. Who we share data with
We share data with a small set of sub-processors that help us run the Service. Each is bound by a data processing agreement and only processes data on our instructions. The current list lives at /subprocessors — that page is authoritative and updated whenever a vendor is added or removed.
Today our sub-processors are: Vercel (hosting), Supabase (database + auth), Cloudflare R2 (file storage), Stripe (subscription billing + Connect payments), Resend (email), Mapbox (maps + geocoding), and Anthropic (vision-based invoice template field detection). All are US-based. See /subprocessors for what each touches.
We may also disclose data when required by law, to protect our rights, or to investigate fraud or abuse. If Jobflo is acquired or merged, your data may transfer to the new owner subject to this policy.
5. Your rights and choices
You have rights over your personal data. Depending on where you live, these may include:
- Access — request a copy of the personal data we hold about you
- Correction — ask us to fix data that is inaccurate or incomplete
- Deletion — ask us to delete your account and associated data
- Export — receive your data in a portable, machine-readable format (CSV)
- Restrict or object — limit how we process your data in certain cases
- Withdraw consent — where we rely on consent, you can withdraw it at any time
To exercise any of these rights, email support@jobflo.us. We'll respond within 30 days. California residents have additional rights under the CCPA, and residents of the European Economic Area, United Kingdom, and Switzerland have rights under the GDPR. Where Jobflo is a processor (for example, customer records uploaded by your business), please direct individual requests to the business that uploaded the data; we'll assist them in responding.
6. Data retention
We keep your account data for as long as your subscription is active. If you cancel, we keep your data for 60 days so you can reactivate without losing anything, then we delete it from production systems. Encrypted backups are retained for up to 30 additional days before being overwritten. We may keep limited records longer when required by tax, accounting, or legal obligations.
7. Security
We use industry-standard safeguards: TLS for data in transit, encryption at rest on managed databases and object storage, role-based access controls, and audit logs. For a deeper look, see our Security page. No system is perfectly secure, so we also rely on you to keep your password safe and report anything suspicious to support@jobflo.us.
8. Cookies + Global Privacy Control
We use a small number of strictly necessary cookies to keep you signed in (session token, theme preference, dashboard PIN session flag) plus Stripe’s and Supabase’s own essential cookies during checkout and authentication.
We currently do not run third-party analytics, advertising trackers, fingerprinters, or cross-site tracking technologies. We do not sell or share personal information for cross-context behavioral advertising. Because of this, there is no opt-out for us to honor today — but if you send a Global Privacy Control signal (the Sec-GPC request header), we treat it as a confirmation of these defaults. If we ever add tracking analytics, GPC will be respected as a valid opt-out and this policy will be updated.
9. International data transfers
Jobflo is operated from the United States and our sub-processors are located in the United States. If you access the Service from another country, your data will be transferred to and processed in the U.S. We rely on Standard Contractual Clauses or equivalent safeguards where required.
10. Children
Jobflo is not designed for use by anyone under 16. We don't knowingly collect personal information from children. If you believe a child has provided us data, contact us and we'll delete it.
11. California residents (CCPA / CPRA)
If you're a California resident, the California Consumer Privacy Act as amended by the CPRA gives you specific rights. Some are duplicates of the global rights listed in Section 5 — listing them again here for clarity:
- Right to know — what categories of personal information we’ve collected, where it came from, how we use it, and who we share it with.
- Right to delete — request deletion of your personal information, subject to legal-retention exceptions.
- Right to correct — fix inaccurate personal information.
- Right to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of today.
- Right to limit use of sensitive personal information — we collect only the limited set in Section 2 and use it for service delivery, security, and legal compliance.
- Right to non-discrimination — we won't penalize you for exercising any of these rights.
Categories of personal information collected: identifiers (name, email, phone, IP address), commercial information (subscription tier, payment history), internet/network activity (pages viewed, actions taken), geolocation (only for route optimization, address-level not GPS), and professional/employment-related information (role, business name).
Authorized agents: you can authorize someone to submit a request on your behalf. We'll verify the agent's permission to act for you.
To exercise any of these rights, email privacy@jobflo.us. We respond within 45 days and may extend an additional 45 days if needed (we'll tell you why if so).
12. Changes to this policy
We may update this policy from time to time. When we do, we'll change the “Last updated” date at the top and, for material changes, notify you by email or in-app message at least 14 days before the change takes effect.
13. Contact us
For privacy questions, rights requests, or complaints, contact us at privacy@jobflo.us. For security issues, email security@jobflo.us. We aim to acknowledge within two business days and respond fully within 30 days (45 for CCPA requests, see Section 11).