Features Pricing Security Contact Sign in Get started
Legal

Privacy Policy

Effective date: February 12, 2026

1. Introduction and Scope

This Privacy Policy ("Policy") describes how Tereda Software LLC ("Tereda," "we," "us," or "our") collects, uses, discloses, retains, and protects information in connection with the ZAFTO platform and all associated applications, websites, and services (collectively, the "Platform"). Tereda Software LLC is a limited liability company organized under the laws of the State of Texas, United States.

This Policy applies to all users of the Platform, including but not limited to:

  • The ZAFTO Web CRM, accessible at zafto.cloud
  • The ZAFTO Contractor App (mobile application for business owners and administrators)
  • The ZAFTO Field App (mobile application for field technicians and apprentices)
  • The ZAFTO Office App (mobile application for office managers)
  • The ZAFTO Employee Portal, accessible at team.zafto.cloud
  • The ZAFTO Client Portal, accessible at client.zafto.cloud
  • All ZAFTO Edge Functions, APIs, and backend services

By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you are using the Platform on behalf of an organization, you represent that you have authority to bind that organization to this Policy. If you do not agree with any part of this Policy, you must discontinue use of the Platform immediately.

This Policy does not apply to third-party websites, applications, or services that may be linked from the Platform. We encourage you to review the privacy policies of any third-party services before providing them with your information.

2. Information We Collect

The Platform is a comprehensive business operating system for trades contractors. As such, we collect and process a broad range of information categories necessary to deliver the services described in our Terms of Service. The specific categories are detailed below.

2.1 Account Information

When you create an account on the Platform, we collect:

  • Full legal name
  • Email address
  • Phone number
  • Company name and business address
  • Account role designation (owner, admin, office manager, technician, apprentice, CPA, or super admin)
  • Authentication credentials (hashed passwords or magic link tokens)
  • Profile photo or avatar (if provided)
  • Company logo (if uploaded)

2.2 Financial Information

The Platform provides full accounting, bookkeeping, invoicing, payroll, and payment processing functionality. In connection with these features, we collect or facilitate the collection of:

  • Bank account details, including account numbers and routing numbers, collected through our integration with Plaid Financial Ltd. ("Plaid"). ZAFTO does not store your bank login credentials; Plaid handles authentication directly.
  • Payment card information processed through Stripe, Inc. ("Stripe"). ZAFTO does not store full credit or debit card numbers. All card data is tokenized and processed by Stripe in compliance with PCI DSS Level 1.
  • Transaction history, including deposits, withdrawals, transfers, and reconciled bank feeds
  • General ledger entries, chart of accounts, journal entries, and account balances
  • Invoices, estimates, change orders, and payment records
  • Expense records, receipts, and vendor payment history
  • Payroll data, including gross pay, deductions, tax withholdings, net pay, and pay period records
  • Tax identification information, including Social Security Numbers (SSN) and Employer Identification Numbers (EIN), collected solely for payroll processing, tax reporting, and 1099 generation
  • Direct deposit information, including employee bank account and routing numbers
  • Sales tax rates, tax settings, and tax filing data

2.3 Employee Data

Employer users of the Platform may collect and store information about their employees through the Platform. Tereda processes this data on behalf of the employer (the data controller). Employee data may include:

  • Full legal name, date of birth, and contact information
  • Social Security Number (for payroll and tax purposes)
  • Bank account and routing numbers (for direct deposit)
  • Employment records, including hire date, termination date, job title, and department
  • Pay rates, salary history, bonus records, and commission structures
  • Professional certifications, licenses, and expiration dates
  • Training records and completion certificates
  • Time clock entries, including clock-in and clock-out timestamps
  • GPS coordinates captured at the time of clock-in and clock-out events
  • Performance evaluations and disciplinary records (if entered by the employer)
  • Emergency contact information
  • Vehicle and fleet assignment records
  • Equipment assignment and checkout records

2.4 Customer and Client Data

Platform users may store information about their customers and clients, including:

  • Full name and contact information (phone, email, mailing address)
  • Property addresses and service locations
  • Project history, including job types, dates, statuses, and completion records
  • Payment history, outstanding balances, and billing records
  • Communication logs, including call recordings, SMS messages, emails, and fax documents
  • Signed estimates, contracts, change orders, and lien waivers
  • Customer preferences and notes entered by the contractor
  • Client portal authentication credentials (magic link tokens)

2.5 Property Data

The Platform includes property management, satellite reconnaissance, LiDAR scanning, and blueprint analysis features. Property data collected may include:

  • Physical addresses and geolocation coordinates
  • Satellite imagery and aerial measurements obtained through the Recon feature
  • LiDAR scan data, including three-dimensional point clouds and derived floor plans
  • Blueprint files, construction drawings, and architectural plans uploaded for AI-assisted analysis
  • Moisture readings, temperature logs, and environmental measurements
  • Equipment inventories and placement records associated with properties
  • Property condition assessments, before-and-after documentation, and inspection reports
  • Utility information and permit records (if entered by the user)

2.6 Communication Data

The Platform includes an integrated phone system powered by Twilio, Inc. ("Twilio"), supporting voice calls, SMS messaging, fax, and video meetings. Communication data collected includes:

  • Inbound and outbound call recordings and associated metadata (caller ID, duration, timestamps)
  • Voicemail recordings and AI-generated voicemail transcriptions
  • SMS and MMS message content, sender and recipient information, and timestamps
  • Fax documents, including transmitted and received files
  • Video meeting recordings, participant lists, and session metadata
  • Call routing configurations and phone number assignments

2.7 AI Interaction Data

The Platform includes an AI assistant ("Z Intelligence") that provides contextual guidance, equipment identification, and document analysis. AI interaction data collected includes:

  • Text prompts and queries submitted to the AI assistant
  • AI-generated responses and recommendations
  • Photos uploaded for equipment identification or defect analysis
  • Voice commands processed through the AI assistant
  • Contextual metadata associated with AI interactions, including the user's current screen, active job, and role
  • Blueprint and document content submitted for AI-assisted takeoff and analysis

2.8 Field Data

Technicians and field employees may generate the following data through the Platform during the course of their work:

  • Jobsite photographs and video documentation
  • Voice notes and audio recordings
  • Daily work logs and field reports
  • Expense receipts and mileage records
  • Digital signatures captured on estimates, contracts, change orders, and completion certificates
  • Incident reports and safety documentation
  • Punch lists and quality inspection records
  • Material usage logs and inventory consumption records

2.9 Device and Usage Data

When you access the Platform, we automatically collect:

  • IP address
  • Browser type, version, and language preferences
  • Operating system and device type
  • Screen resolution and viewport dimensions
  • Pages visited, features accessed, and actions performed within the Platform
  • Session duration and frequency of use
  • Crash reports, error logs, and performance metrics
  • Referring URLs and exit pages

2.10 Location Data

The Platform collects precise geolocation data in the following contexts:

  • GPS coordinates captured during employee time clock events (clock-in and clock-out)
  • GPS coordinates used for property mapping, satellite reconnaissance, and LiDAR scanning
  • Real-time fleet tracking coordinates for vehicles assigned through the Platform
  • Location data associated with jobsite check-ins and field dispatching

Location data is collected only when the relevant feature is actively in use and when the user or their employer has enabled location services. Employees should consult their employer's policies regarding location tracking during work hours.

2.11 Insurance and Claims Data

The Platform supports insurance restoration and claims management workflows. Insurance-related data collected may include:

  • Insurance claim numbers, policy numbers, and carrier information
  • Adjuster names, contact information, and correspondence
  • Carrier communications and claim status updates
  • Damage documentation, including photographs, moisture readings, and environmental logs
  • Drying logs, equipment deployment records, and monitoring schedules
  • Supplement requests, approval records, and payment amounts
  • Scope of work documents and line-item estimates formatted for insurance submission

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery. To provide, operate, maintain, and improve the Platform and all of its features, including CRM, job management, dispatching, estimating, invoicing, accounting, payroll, phone system, AI assistant, property management, client portal, employee portal, document generation, and all other Platform functionality.
  • Account Management. To create and manage user accounts, authenticate users, enforce role-based access controls, and maintain session security.
  • Billing and Payments. To process subscription payments, generate invoices, manage billing cycles, and facilitate payment transactions between contractors and their customers through Stripe.
  • Payroll Processing. To calculate wages, withhold taxes, generate pay stubs, process direct deposits, and produce tax documents including W-2s and 1099s on behalf of employer users.
  • Communication Facilitation. To route phone calls, deliver SMS messages, transmit faxes, facilitate video meetings, and provide voicemail and transcription services through Twilio.
  • AI-Powered Features. To process user prompts, analyze uploaded images and documents, generate recommendations, and provide contextual assistance through Z Intelligence. We may send anonymized, de-identified interaction patterns to our AI infrastructure providers to improve response quality. We do not use your proprietary business data to train general-purpose AI models.
  • Analytics and Improvement. To analyze usage patterns, identify feature adoption trends, diagnose technical issues, and improve Platform performance, reliability, and user experience.
  • Security and Fraud Prevention. To detect, investigate, and prevent unauthorized access, security breaches, fraud, and other harmful activities. This includes monitoring audit trails, analyzing access patterns, and enforcing authentication policies.
  • Legal Compliance. To comply with applicable laws, regulations, legal processes, and governmental requests, including tax reporting obligations, financial record-keeping requirements, and data protection laws.
  • Customer Support. To respond to inquiries, troubleshoot issues, and provide technical support.
  • Transactional Communications. To send service-related notifications, including account confirmations, security alerts, billing notices, and feature updates. These are not marketing communications and cannot be opted out of while maintaining an active account.

4. How We Share Your Information

We do not sell your personal information to third parties. We do not rent, lease, or trade your data for marketing purposes. We share your information only in the following circumstances:

4.1 Third-Party Service Providers (Sub-processors)

We engage the following third-party service providers to operate the Platform. Each provider processes data solely on our behalf and in accordance with their respective privacy and security commitments:

  • Supabase, Inc. Database hosting, authentication, file storage, real-time data synchronization, and serverless Edge Functions. Data is stored in managed PostgreSQL databases on AWS infrastructure in the United States.
  • Vercel, Inc. Web application hosting and deployment for all four ZAFTO web portals (Web CRM, Employee Portal, Client Portal, and Ops Portal). Vercel processes HTTP requests and serves application code.
  • Cloudflare, Inc. DNS management, content delivery, DDoS protection, and web application firewall services for all ZAFTO domains and subdomains.
  • Stripe, Inc. Payment processing, subscription billing, credit and debit card tokenization, fraud detection, and payout disbursement. Stripe is PCI DSS Level 1 certified.
  • Plaid Financial Ltd. Bank account linking, credential-less authentication, and read-only transaction data retrieval. Plaid is SOC 2 Type II certified. ZAFTO never receives or stores your bank login credentials.
  • Twilio, Inc. Voice calling, SMS messaging, fax transmission, phone number provisioning, call recording, voicemail, and video meeting infrastructure.
  • OpenAI, Inc. and/or Anthropic, PBC. Large language model inference for Z Intelligence features, including text generation, document analysis, equipment identification, and blueprint reading. Prompts and responses are transmitted to these providers for processing. We contractually prohibit these providers from using your data to train their general-purpose models.

4.2 Employer-Employee Data Sharing

When an employer uses the Platform to manage employees, the employer (as data controller) determines what employee data is collected, accessed, and retained. Employees using the Platform should direct data access and deletion requests to their employer. Tereda processes employee data on behalf of the employer in accordance with our Data Processing Agreement.

4.3 Contractor-Client Data Sharing

When a contractor grants a client access to the Client Portal, certain project-related information (including project status, invoices, estimates, documents, and communication history) is shared with the client. The contractor controls the scope of information visible to each client.

4.4 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or enforceable governmental request, including:

  • Subpoenas, court orders, or search warrants
  • Requests from law enforcement agencies with proper legal authority
  • Tax reporting requirements imposed by the Internal Revenue Service or state tax authorities
  • Regulatory inquiries from financial services regulators

Where legally permissible, we will attempt to notify affected users before disclosing their information in response to legal process.

4.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, asset sale, or similar transaction involving Tereda Software LLC, your information may be transferred to the acquiring or successor entity. We will provide notice of any such transfer and any changes to this Policy resulting from the transaction.

4.6 With Your Consent

We may share your information with third parties when you have given us explicit, informed consent to do so.

5. Data Security

We implement administrative, technical, and physical safeguards designed to protect your information against unauthorized access, alteration, disclosure, or destruction. Our security architecture includes the following measures:

5.1 Encryption

  • At Rest. All data stored in the Platform database and file storage is encrypted using AES-256 encryption.
  • In Transit. All data transmitted between your device and our servers is encrypted using TLS 1.3. All API calls, webhook deliveries, and inter-service communications use encrypted channels.

5.2 Access Controls

  • Row-Level Security (RLS). Every table in the database enforces row-level security policies at the PostgreSQL engine level. Users can only access data belonging to their own company. This isolation is enforced regardless of the application layer.
  • Role-Based Access Control (RBAC). The Platform supports seven distinct roles (owner, admin, office manager, technician, apprentice, CPA, super admin), each with precisely scoped permissions. Technicians cannot view payroll data. Apprentices cannot modify financial records. CPAs have read-only accounting access.
  • JWT Authentication. Every API request is authenticated using JSON Web Tokens containing the user's identity, company ID, and role. Tokens are validated on every request. Expired or tampered tokens are rejected.

5.3 Audit Trails

Every business table in the database has an audit trigger that records the user, action, timestamp, and changed values for every insert, update, and delete operation. Audit logs are immutable and retained for the lifetime of the account. Soft delete architecture ensures that deleted records remain recoverable and auditable.

5.4 File Storage

All uploaded files (photos, voice notes, signatures, receipts, documents, blueprints, and company logos) are stored in private storage buckets. Files are accessible only through time-limited signed URLs generated by authenticated API requests. There is no public access to any storage bucket.

5.5 Infrastructure Security

  • Database hosted on managed AWS infrastructure with automatic failover and point-in-time recovery
  • DDoS protection provided by Cloudflare at the network edge
  • Web Application Firewall (WAF) rules enforced on all inbound traffic
  • Automatic SSL certificate provisioning and renewal on all domains
  • Zero-downtime deployments with automatic rollback capability

5.6 Organizational Security

  • Principle of least privilege enforced for all internal access to production systems
  • Multi-factor authentication required for administrative access to infrastructure providers
  • Regular security reviews of codebase, dependencies, and infrastructure configurations
  • Incident response procedures documented and maintained

No method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

6. Data Retention

6.1 Active Accounts

While your account remains active, we retain all data associated with your account indefinitely, unless you request deletion of specific records. Soft delete architecture means that records marked as deleted by users are retained in a recoverable state and remain subject to audit trail retention.

6.2 Account Cancellation

Upon cancellation of a subscription or account, we retain your data for ninety (90) days to allow for account reactivation. After the 90-day retention period, your data is permanently purged from all primary databases. Backup systems may retain encrypted copies for up to an additional thirty (30) days before automatic expiration.

6.3 Financial Records

Certain financial records, including payroll data, tax documents, 1099 records, and general ledger entries, may be retained for up to seven (7) years in accordance with Internal Revenue Service record-keeping requirements, regardless of account status. We will notify you if financial data is retained beyond the standard 90-day post-cancellation period.

6.4 Audit Logs

Audit trail records are retained for the lifetime of the associated account. Following account cancellation and the expiration of the 90-day retention period, audit logs are purged along with all other account data, except where required for legal compliance.

6.5 Legal Holds

If we receive a legal hold, preservation request, or litigation hold notice, we will suspend deletion of affected data until the hold is lifted, regardless of any other retention period described in this Policy.

6.6 Communication Records

Call recordings, voicemail recordings, SMS messages, and fax documents are retained for the duration of the active account. Upon account cancellation, communication records follow the standard 90-day retention period. Users may delete individual communication records at any time during the active account period, subject to audit trail retention.

7. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

7.1 Right of Access

You have the right to request a copy of the personal information we hold about you. We will respond to verified requests within thirty (30) days.

7.2 Right to Correction

You have the right to request correction of inaccurate or incomplete personal information. You may update most account information directly through the Platform. For corrections that cannot be made through the Platform, contact us at legal@zafto.app.

7.3 Right to Deletion

You have the right to request deletion of your personal information, subject to certain exceptions. We may retain information necessary to comply with legal obligations, resolve disputes, enforce agreements, or complete transactions. Deletion requests will be fulfilled within thirty (30) days of verification. Note that deletion of employer-managed employee data must be requested through the employer.

7.4 Right to Data Portability

You have the right to request a copy of your data in a structured, commonly used, machine-readable format. We will provide data exports in JSON or CSV format within thirty (30) days of a verified request.

7.5 Right to Opt Out of Sale

We do not sell your personal information. Accordingly, there is no sale from which to opt out. If our practices change in the future, we will provide an opt-out mechanism as required by applicable law.

7.6 Right to Restrict Processing

You have the right to request that we restrict processing of your personal information under certain circumstances, including when you contest the accuracy of the data, when processing is unlawful, or when we no longer need the data but you require it for legal claims.

7.7 Right to Object

You have the right to object to processing of your personal information for purposes based on our legitimate interests. If you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

7.8 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"). These include:

  • The right to know what categories and specific pieces of personal information we have collected about you
  • The right to know the categories of sources from which your personal information was collected
  • The right to know the business or commercial purpose for collecting your personal information
  • The right to know the categories of third parties with whom we share your personal information
  • The right to delete your personal information, subject to certain exceptions
  • The right to correct inaccurate personal information
  • The right to opt out of the sale or sharing of your personal information (we do not sell or share personal information as defined under CCPA)
  • The right to non-discrimination for exercising your privacy rights

To exercise any CCPA right, submit a verifiable consumer request to legal@zafto.app. We will verify your identity before processing the request and respond within forty-five (45) days.

7.9 European Economic Area, United Kingdom, and Switzerland Residents (GDPR Readiness)

While the Platform is primarily operated in the United States and targeted to US-based businesses, we are committed to respecting the data protection rights established by the General Data Protection Regulation (GDPR) and the UK GDPR. If you are located in the EEA, UK, or Switzerland, you may exercise any of the rights described in Sections 7.1 through 7.7 by contacting legal@zafto.app. We will process your request in accordance with applicable data protection law.

7.10 How to Exercise Your Rights

To exercise any of the rights described above, contact us at legal@zafto.app with the subject line "Data Rights Request." Please include your full name, email address associated with your account, and a description of the right you wish to exercise. We may require additional information to verify your identity before processing the request.

8. Children's Privacy

The Platform is designed for business use by trades contractors and their employees, customers, and clients. The Platform is not directed to individuals under the age of eighteen (18). We do not knowingly collect personal information from anyone under the age of eighteen. If we become aware that we have collected personal information from a person under eighteen, we will take immediate steps to delete that information. If you believe that we have inadvertently collected information from a person under eighteen, please contact us at legal@zafto.app.

9. Third-Party Services

The Platform integrates with the following third-party services. Each service has its own privacy policy governing its collection and use of data. We encourage you to review these policies:

  • Stripe, Inc. Payment processing. PCI DSS Level 1 certified. SOC 2 Type II certified. Privacy policy: stripe.com/privacy
  • Plaid Financial Ltd. Bank account linking and transaction data. SOC 2 Type II certified. Privacy policy: plaid.com/legal
  • Supabase, Inc. Database, authentication, storage, and serverless functions. SOC 2 Type II certified. Privacy policy: supabase.com/privacy
  • Vercel, Inc. Web application hosting and deployment. SOC 2 Type II certified. Privacy policy: vercel.com/legal/privacy-policy
  • Cloudflare, Inc. DNS, CDN, and security services. SOC 2 Type II certified. Privacy policy: cloudflare.com/privacypolicy
  • Twilio, Inc. Voice, SMS, fax, and video communication infrastructure. SOC 2 Type II certified. Privacy policy: twilio.com/legal/privacy
  • OpenAI, Inc. Large language model inference for AI features. Privacy policy: openai.com/policies/privacy-policy
  • Anthropic, PBC. Large language model inference for AI features. Privacy policy: anthropic.com/privacy

We maintain data processing agreements with each sub-processor that contractually obligate them to protect your data in accordance with standards no less protective than those described in this Policy.

10. Cookies and Tracking Technologies

10.1 What We Use

The Platform uses the following cookies and tracking technologies:

  • Essential Cookies. Required for authentication, session management, and security. These cookies are strictly necessary for the Platform to function and cannot be disabled.
  • Authentication Tokens. JSON Web Tokens stored in secure, HTTP-only cookies or local storage for session persistence across page loads.
  • Analytics Cookies. We may use first-party analytics to understand usage patterns and improve the Platform. We do not use third-party advertising trackers.
  • Preference Cookies. Store user preferences such as theme settings, sidebar state, and display configurations.

10.2 What We Do Not Use

  • Third-party advertising cookies or tracking pixels
  • Cross-site tracking technologies
  • Behavioral advertising profiles
  • Data broker integrations

10.3 Managing Cookies

You may configure your browser to reject cookies or alert you when cookies are being sent. Note that disabling essential cookies will prevent you from using the Platform. For instructions on managing cookies, consult your browser's help documentation.

11. International Data Transfers

The Platform is operated from the United States. All primary data processing and storage occurs in US-based data centers. If you access the Platform from outside the United States, your information will be transferred to, stored in, and processed in the United States.

By using the Platform, you consent to the transfer of your information to the United States, which may not provide the same level of data protection as your jurisdiction of residence. We apply the security and privacy safeguards described in this Policy to all data regardless of origin.

For users in the European Economic Area, United Kingdom, or Switzerland, we rely on the following transfer mechanisms as applicable: your explicit consent, the necessity of the transfer for the performance of a contract, and standard contractual clauses where required. If you have questions about international data transfers, contact us at legal@zafto.app.

12. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, the Platform's features, or applicable law. When we make changes, we will:

  • Update the "Effective date" at the top of this Policy
  • Post the revised Policy on this page
  • For material changes, send a notification to the email address associated with your account at least thirty (30) days before the changes take effect
  • For material changes affecting the processing of sensitive data (financial, employee PII, or health-related information), provide prominent in-app notice in addition to email notification

Your continued use of the Platform after the effective date of a revised Policy constitutes your acceptance of the changes. If you do not agree with the revised Policy, you must discontinue use of the Platform before the effective date.

13. Contact Information

If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a privacy concern, contact us at:

Tereda Software LLC
Email: legal@zafto.app
Website: zafto.app

For data protection inquiries, please include "Privacy Inquiry" in the subject line. We will acknowledge receipt of your inquiry within five (5) business days and provide a substantive response within thirty (30) days.

If you are not satisfied with our response to your privacy concern, you may have the right to lodge a complaint with your local data protection authority.