Privacy Policy
LBCAssist and the lbcassist.com domain are owned and operated by Caveman AI LLC.
- Data scope: Tenant, user, project, service, billing-adjacent, support, security, and mobile metadata.
- Customer scope: U.S.-based customers and authorized users only.
- Payment data: Stripe handles card entry and payment method storage.
1. Scope
This Privacy Policy describes how Provider collects, uses, discloses, stores, and protects personal information and other data processed through the LBCAssist Service. This Privacy Policy applies to the public website, portal, project workflows, assistant features, notifications, APIs, and related support operations.
For this Privacy Policy, "Provider" means Caveman AI LLC, the owner and operator of lbcassist.com and the LBCAssist Service.
2. Information We Collect
- Tenant and business information, including business name, contact number, business email, website, contractor license information, insurance provider information, and account administrator details.
- User account information, including name, email address, username, phone number, permissions, role, password hash, passkey public-key credentials, email-confirmation status, welcome-invitation status, last-login time, forced password-change status, and security settings.
- Billing and payment-adjacent information, including Stripe customer identifiers, subscription identifiers, license package and entitlement records, assigned-license status, scheduled license reductions, price and invoice records, payment and subscription status, billing email, promotion-code attempts, claims, usage, discount amounts, cardless promotional access grants, promotional grant redemptions, tax-related information, and limited masked payment-method descriptors where Stripe provides them.
- Project and property information, including project descriptions, project addresses, mailing addresses, parcel or tax identifiers, owner details, address type, cost estimates, uploaded project files, file versions, file metadata, and project workflow answers.
- File-service records, including file names, content types, sizes, checksums, version history, scan verdicts, retention settings, legal-hold status, open/download/edit/upload/delete events, and related audit metadata.
- Cross-tenant subcontractor collaboration records, including relationship invite metadata, relationship proposals, accepted disclaimer evidence, relationship contact company names, relationship contact user email addresses, contact replacement history, subproject assignments, aggregate status, time totals, mileage totals, task counts, completion status, submitted exchange documents, exchange messages, questions, responses, comments, decisions, scan verdicts, file hashes, audit-pairing metadata, relationship closure events, and platform-admin override records.
- Time, mileage, task, note, comment, audit, and assignment records created through the Service.
- Location and device information when enabled or submitted, including browser geolocation, mobile location updates, notification device identifiers, push tokens, time zone, app version, mobile platform, storefront, mobile-to-web handoff metadata, and related metadata.
- Usage, security, telemetry, and session data, including IP address, user agent, cookies, local browser storage, launch-token session storage, email-confirmation events, welcome-invitation delivery metadata, authentication events, lockout events, legal-acceptance records, service health, API request metrics, session counts, and operational usage counts by tenant, user, service, and feature.
3. Sources of Information
- Directly from you, your administrators, and your authorized users.
- Automatically from devices and browsers interacting with the Service.
- From third-party providers you or the Service use for payment processing, mapping, geocoding, notification delivery, passkeys, security scanning, and diagramming.
- From public or official sources, such as governmental or mapping datasets, when used to support Service features.
4. How We Use Information
- To create and administer accounts, authenticate users, manage tenant settings, enforce billing permissions, and manage license entitlements and assignments.
- To provide the Service, including project, file upload, preview, download, edit, task, time, mileage, notification, diagramming, and document-related functionality.
- To scan uploaded files, quarantine unsafe or unsupported files, enforce file retention and legal hold, and report file activity where available.
- To operate cross-tenant subcontractor collaboration workflows, including relationship setup, disclaimers, scoped subproject assignment, aggregate reporting, document exchange, malware and policy scanning, review comments, questions, responses, send-back decisions, acceptance decisions, relationship closure, post-completion activity notices, audit pairing, and notifications.
- To maintain security, investigate misuse, prevent fraud, prevent duplicate trials or service abuse, enforce our agreements, and create audit records.
- To monitor service health, troubleshoot performance or availability issues, capacity-plan infrastructure, detect service abuse, and alert Provider personnel to operational incidents.
- To communicate with you about the Service, service status, outages, support matters, policy updates, billing matters, payment status, or legal notices.
- To maintain backups, disaster recovery, and operational resilience.
- To comply with applicable law, lawful requests, and legal process.
5. Cookies and Local Device Storage
The web Service uses an authenticated session cookie to keep you signed in for same-origin requests. The web Service also uses browser local storage or session storage for limited client-side functions such as launch tokens, color mode, and tenant-display preferences. Disabling cookies or browser storage may impair Service functionality.
6. Precise Location, Mileage, and Tracking Features
Certain features may collect or process precise or near-precise location data for time, mileage, project, or notification-related functions when enabled by you or your device permissions. You are responsible for ensuring that you have provided all legally required notices and obtained all necessary consents for workforce or other user location tracking and device-based monitoring.
7. Passkeys and Push Notifications
The Service may support passkeys and push notifications. The Service stores public-key passkey credentials and related metadata, not your device biometric template. Push notification support may require storage of device identifiers, push tokens, time zone data, notification preferences, and delivery records.
8. How We Disclose Information
We may disclose information to service providers, infrastructure providers, mapping and geocoding providers, notification providers, security and file-scanning providers, professional advisers, law enforcement, regulators, courts, or transaction partners as reasonably necessary to operate the Service, comply with law, protect rights, or complete a corporate transaction.
When a tenant chooses to use cross-tenant collaboration features, the Service may disclose limited information between the participating tenants as part of that workflow. This may include tenant display names, relationship and subproject status, aggregate time, mileage, and task-count reporting, submitted exchange documents, exchange messages, questions, responses, comments, decisions, completion status, closure status, and audit records. The Service is designed so the owner tenant does not receive the subcontractor tenant's internal task bodies, internal comments, user list, native file records, native file IDs, object keys, or user personally identifiable information through the aggregate reporting workflow unless a separate explicit disclosure feature is later added and accepted.
9. Current Third-Party Service Providers and Data Sources
- Oracle Cloud Infrastructure for hosting, storage, networking, backup, and disaster-recovery operations.
- Stripe for payment-method collection, checkout, subscriptions, invoicing, billing portal functions, promotion-code handling, payment-status events, and related billing operations.
- Google Maps Platform and related Google APIs for address validation, geocoding, places, and related mapping functions.
- U.S. Census geocoding services for fallback address or location-related functions.
- OpenStreetMap tile services for map tile rendering.
- Apple services for passkeys and push notification delivery.
- Google Fonts for interface typography.
- Open-source security scanning components for uploaded file scanning and quarantine workflows.
Provider's application infrastructure is not designed to store, and Provider does not knowingly store, full payment card numbers, card expiration dates, or card security codes, including CVV or CVC values. Stripe may collect, process, and store payment-method details as the payment processor. Provider may store Stripe customer, subscription, invoice, payment-status, and limited masked payment-method data as reasonably needed for billing, reconciliation, fraud prevention, support, audit, tax, dispute, and legal-compliance purposes.
10. Sale or Sharing
We do not sell personal information for money. We do not use customer data for cross-context behavioral advertising. We may disclose data to service providers and processors strictly for business and operational purposes described in this Privacy Policy.
11. Retention
We retain data for as long as reasonably necessary to provide the Service, maintain the account relationship, comply with law, resolve disputes, enforce agreements, and maintain security and audit records. Different categories may have different retention periods.
Project file retention defaults to 180 days unless the tenant changes the account-level setting or a permitted project-level override applies. Project file retention cannot exceed one year in normal service settings. Active legal hold pauses file deletion for the held tenant or project until the hold is released.
We may retain limited account, tenant, contractor, billing, audit, and security identifiers after account closure, trial denial, suspension, termination, deletion, or customer-data purge when reasonably necessary to prevent fraud, duplicate trials, chargeback abuse, account cycling, service abuse, or circumvention of Service limits; enforce agreements; maintain billing and legal evidence; investigate security events; resolve disputes; respond to lawful requests; or comply with applicable law. These retained identifiers may include contractor primary email address, business identity, normalized identity values, Stripe customer or subscription identifiers, billing status history, acceptance records, IP address, user agent, and security/audit metadata.
Backups and disaster-recovery copies may be retained for up to 30 days in two cloud infrastructure regions. If non-payment continues for 14 calendar days after the due date, Service access is subject to termination, and the affected tenant's data is scheduled for purge so that active and backup copies are intended to be purged by day 30 from the original non-payment date, except to the extent law requires preservation or a specific legal hold applies.
During an active subscription, and during any limited post-suspension window that Provider elects to make available before a non-payment termination takes effect, the tenant default administrator may be able to download a tenant-scoped customer-data export from the account area of the Service. Those exports are intended to provide portable access to customer records in a structured format, but they may omit or redact password hashes, session tokens, push tokens, transient authentication challenges, and similar security-sensitive material.
Cross-tenant relationship and exchange records may be retained by both participating tenants for business records, liability, dispute resolution, compliance, audit, and security purposes. Unless a longer legal hold, tenant or project retention setting, backup retention, preservation obligation, or applicable law requires otherwise, redeemed relationship records, accepted disclaimer evidence, subproject records, completion records, exchange threads, messages, submitted document metadata, version metadata, file hashes, scan verdicts, and paired audit references are retained for 365 days after the later of relationship closure, subproject completion, final exchange acceptance, or tenant account termination scheduling. Clean exchanged document bytes are retained for 365 days after final exchange acceptance or relationship closure, whichever is later. Unredeemed relationship invites expire after 14 days and invite metadata is retained for 180 days. Infected, blocked, or scan-failed files are not promoted for cross-tenant review; related metadata and security evidence may be retained as described in the Terms and security policies. Legal hold pauses deletion for the affected tenant-specific copies and related metadata.
12. Security
We use administrative, technical, and organizational measures intended to protect data appropriate to the nature of the Service, and we may use commercially reasonable or best-effort security, backup, monitoring, restoration, and incident-response measures.
No system is perfectly secure, no transmission or storage environment is immune from compromise, and we cannot guarantee absolute security, uninterrupted availability, successful restoration, or prevention of data loss, data theft, data corruption, data exfiltration, deletion, destruction, ransomware, or unauthorized access, disclosure, alteration, or misuse.
TO THE MAXIMUM EXTENT PERMITTED BY LAW, AND EXCEPT TO THE EXTENT A LIMITATION OR DISCLAIMER IS PROHIBITED, Caveman AI LLC IS NOT RESPONSIBLE FOR LOSS, THEFT, DISCLOSURE, CORRUPTION, ALTERATION, DELETION, DESTRUCTION, OR UNAVAILABILITY OF DATA CAUSED IN WHOLE OR IN PART BY CRIMINAL ACTS, SECURITY INCIDENTS, OR THE ACTS OR OMISSIONS OF MALICIOUS EMPLOYEES, CONTRACTORS, INSIDERS, VENDORS, SERVICE PROVIDERS, ATTACKERS, CUSTOMERS, USERS, OR OTHER THIRD PARTIES, EVEN WHERE BEST-EFFORT PREVENTION, RESPONSE, CONTAINMENT, OR RESTORATION MEASURES ARE ATTEMPTED. We may comply with applicable legal obligations regarding security-incident investigation and notice.
Uploaded exchange documents may be scanned for malware, active content, script content, executable content, archive-policy violations, signature mismatches, unsupported types, and similar security or policy risks before a cross-tenant reviewer may access them. Automated scanning is a security control, not a guarantee that a file is safe, complete, legally authorized, suitable for use, or free of hidden defects.
13. State Privacy Rights
To the extent required by applicable U.S. privacy law, eligible individuals may have rights to request access, correction, deletion, portability, or appeal of certain decisions regarding personal information. We will not unlawfully discriminate for exercising rights provided by applicable law.
Requests may be submitted to privacy@lbcassist.com. We may require reasonable verification before acting on a request and may limit our response where permitted by law, including where rights do not apply to business-to-business records, employee records, security records, or other exempt data.
14. California-Specific Disclosures
For California users, this Privacy Policy is intended to function as our public privacy notice and notice at collection to the extent required by California law. We collect identifiers, commercial information, internet or network activity, geolocation data, professional or employment-related information, and other information described above for the business purposes described in this Privacy Policy.
15. Children
The Service is not directed to children under 13 and is not intended for minors. Do not use the Service if you are under 18. If you believe a child has provided information to the Service, contact us so we can review and delete it where appropriate.
16. Changes
We may update this Privacy Policy from time to time. The current version will be posted in the Service with an updated version number or effective date.