Privacy Policy
Effective date: April 10, 2026 · Policy version: 2026-04-10
1. Data We Collect
During the onboarding process and use of our services, we collect:
- Business information: Company name, service types, service areas, certifications, and other details you provide during the onboarding conversation
- Contact details: Your name, email address, and phone number
- Photos and logos: Images you upload for use on your website
- Consent records: Timestamps of when you agreed to our terms and policies
- Usage data: Session information and interactions with the onboarding wizard
- Analytics data: If you accept analytics cookies, we collect pageviews, clicks, form interactions, scroll depth, and session replays (recordings of your screen interactions with mouse movements and click coordinates). Sensitive form inputs are automatically masked in recordings. This data is only collected after you consent via our cookie banner.
- Phone number: When SMS verification is enabled, your phone number is collected for trial signup verification and account recovery
- IP address: Your IP address may be logged at signup for rate limiting and fraud prevention purposes
- Device information: We may collect a lightweight browser fingerprint hash (canvas, WebGL renderer, timezone, screen resolution, language, platform) for anti-abuse monitoring when this feature is active
2. How We Use Your Data
Website Generation
Your business information is processed by AI language models to generate website content including page copy, service descriptions, and market positioning. Photos are analyzed by AI vision models to generate descriptions and determine layout placement.
Market Research
We use your business details (service area, service types) to conduct automated research about your local market, competitors, and industry context. This research informs the content generated for your website.
Content Moderation & Community Safety
Your submitted information, along with user reports and platform usage patterns, is used to detect and prevent abuse, fraud, and violations of our Acceptable Use Policy and Community Content Policy. We may use automated systems and manual review to flag suspicious accounts, verify business legitimacy, and moderate community content (reviews, ratings, testimonials).
Communications
If you opt in to email communications, we may send you updates about your website, product features, and tips for improving your online presence. You can unsubscribe at any time.
3. Data Storage
- Structured data (business information, session data) is stored in PostgreSQL databases on our infrastructure
- Uploaded files (photos, logos) are stored in MinIO object storage on our infrastructure
- Generated websites are stored on our hosting infrastructure
4. Third-Party Services & Subprocessors
We use the following third-party services to provide our platform:
- AI language models (Anthropic Claude, OpenAI): for content generation and onboarding conversation
- Research APIs (Jina, Tavily): for automated market and business research
Data shared with third-party services is limited to what is necessary for their specific function. We do not sell your data to third parties.
The following subprocessors may process your personal data on our behalf:
| Subprocessor | Purpose | Location |
|---|---|---|
| Anthropic | AI content generation | United States |
| Tavily | Web search research | United States |
| Jina | Web research | Germany |
| Stripe | Payment processing | United States |
| MinIO | File storage (self-hosted) | Self-hosted |
| DigitalOcean | Cloud hosting infrastructure | United States / Canada |
| Umami | Pageview analytics (self-hosted, cookie-free) | Self-hosted |
| PostHog | Product analytics, session replays, heatmaps (consent required) | United States |
4a. AI Data Disclosure
Your business information is processed by AI models (Anthropic Claude) to generate website content including page copy, service descriptions, and market positioning. We do NOT use your data to train AI models. AI-generated content may contain inaccuracies and should be reviewed and verified before publication.
4b. Analytics & Session Replays
We use two analytics services. Umami is self-hosted and cookie-free — it collects anonymous pageview counts without identifying individual users and requires no consent.
PostHog provides product analytics, session replays, and heatmaps. PostHog is only activated after you consent via our cookie banner. If you decline or do not interact with the banner, no PostHog data is collected.
When PostHog is active, it collects:
- Pageviews, clicks, form submissions, and scroll depth
- Session replays: recordings of your interactions including mouse movements and click coordinates. All form inputs are automatically masked in recordings.
- Heatmaps: aggregated click and scroll patterns
PostHog data is processed by PostHog Inc. on their US Cloud infrastructure (Virginia, United States). Analytics data is retained for 1 year; session recordings are retained for 1 month. You can request deletion of your PostHog data by contacting us at privacy@fullstackhvac.com.
We respect the Do Not Track (DNT) browser signal. If your browser sends DNT, PostHog analytics will not run regardless of consent banner choice. See our Cookie Policy for details on specific cookies used.
4c. Cross-Border Data Transfers
Full Stack HVAC is operated from Nova Scotia, Canada. Some of your data may be processed in the United States by our subprocessors (see table above). By using our services, you acknowledge that your data may be transferred to, stored, and processed in jurisdictions outside Canada, including the United States, where data protection laws may differ from those in your jurisdiction.
5. Data Retention
We retain your data for as long as your account and website are active. If you request account deletion, we will remove your personal data and uploaded content within 30 days, except where retention is required by law.
5a. Data Deletion
Upon a verified deletion request, we will permanently delete your data within 30 days. This includes database records, file storage (photos, logos, generated content), and backup systems. Some data may be retained beyond this period where required by applicable law (for example, billing records required for tax compliance).
5b. Breach Notification
In the event of a confirmed data breach that affects your personal information, we will notify all affected customers within 72 hours of becoming aware of the breach, via email to the address on file and via a notice in your account dashboard. The notification will describe the nature of the breach, the data affected, and steps we are taking to contain it.
6. Your Rights
You have the right to:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your personal data and uploaded content
- Opt out: Unsubscribe from marketing emails at any time
- Analytics opt-out: Decline analytics cookies via the consent banner, enable Do Not Track in your browser, or clear your
fsh-analytics-consentlocalStorage entry to reset your choice
7. Security
We implement reasonable technical and organizational measures to protect your data, including encrypted connections, access controls, and secure storage. However, no method of transmission or storage is 100% secure.
8. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the email address associated with your account.
9. Related Policies
This Privacy Policy works in conjunction with our other legal documents:
- Cookie Policy: Details on cookies and tracking technologies we use
- Terms of Service: Your rights and responsibilities when using our platform
- Acceptable Use Policy: Rules for platform conduct
- Community Content Policy: How we manage reviews and user-generated content
- DMCA & Content Dispute Policy: How to report copyright or trademark infringement
10. Contact
For privacy-related questions or to exercise your data rights, contact us at privacy@fullstackhvac.com.