1. Introduction
OwnerOS ("we," "our," or "us") provides a business management dashboard for contractors and self-employed professionals. This Privacy Policy explains how we collect, use, and protect your information when you use our service.
2. Information We Collect
- Account information: name, email address, phone number, and business name provided during registration.
- Financial data: bank account balances and transactions synced through Plaid (read-only access). We never store your bank login credentials.
- Payment data: invoice and payment information processed through Stripe. We do not store full credit card numbers.
- Business data: jobs, clients, invoices, estimates, expenses, time entries, mileage logs, and daily reports you create within the app.
- Uploaded files: receipt photos, site photos, and vault documents you upload to the service.
3. How We Use Your Information
We use your information to:
- Display your financial overview and cash flow data
- Calculate tax estimates and mileage deductions
- Generate and send invoices and estimates
- Track job profitability and time entries
- Provide reminders for bills and tax deadlines
- Sync calendar events with your Google Calendar (if enabled)
We never sell your personal or financial data to third parties.
4. Third-Party Services
OwnerOS integrates with the following third-party services:
- Plaid: securely connects your bank accounts for read-only transaction and balance data. Plaid's use of your data is governed by Plaid's privacy policy.
- Stripe: processes invoice payments and subscription billing. See Stripe's privacy policy.
- Cloudflare R2: stores uploaded files (receipts, photos, vault documents) in encrypted object storage.
- Twilio: sends SMS verification codes for two-factor authentication. Your phone number is shared with Twilio solely for this purpose.
- Anthropic: processes images for OCR (receipt scanning, calendar import) using the Claude AI model. Images are sent for text extraction and are not stored or used for training by Anthropic.
- Google: provides OAuth sign-in and optional calendar sync. Only the permissions you authorize are accessed.
5. Data Protection
- Sensitive fields (bank tokens, API keys) are encrypted at rest using AES-256 encryption
- All data in transit is protected by TLS 1.2 or higher
- Passwords are hashed using bcrypt (never stored in plain text)
- Each tenant's data is isolated in the database — you cannot access another user's data
- Optional SMS-based two-factor authentication adds an extra layer of security
6. Data Retention & Deletion
Your data is retained for as long as your account is active. Our retention policy:
- Active accounts: all data retained while your subscription is active
- Cancelled subscriptions: data retained for 30 days after cancellation, then permanently deleted
- Self-service deletion: you may permanently delete your account and all associated data at any time from Settings → Danger Zone
- Email requests: you may also request deletion by emailing crafstman_4@startmail.com; we will process the request within 30 days
- Scope of deletion: account deletion removes all business data (jobs, invoices, expenses, time entries, mileage logs, daily reports, photos, vault files, bank connections, and calendar data). Stripe subscription data is retained by Stripe per their retention policy.
This policy is reviewed annually and updated as needed. The effective date at the top of this page reflects the last review.
7. Cookies
OwnerOS uses session cookies exclusively for authentication (managed by Auth.js). We do not use third-party tracking cookies, analytics cookies, or advertising cookies.
8. Children's Privacy
OwnerOS is not directed at children under 13 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
9. Changes to This Policy
We may update this Privacy Policy from time to time. The effective date at the top of this page indicates when the latest changes took effect. Continued use of the service after changes constitutes acceptance of the updated policy.