Privacy Policy

Last Updated: April 30, 2026

Previous version: Privacy Policy v2.0 (effective April 20, 2026)

1. Introduction

Welcome to Plumb ("we," "our," or "us"). Plumb Software Inc. is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we process and safeguard your information when you use our construction project management and payment platform.

Plumb’s role. Plumb’s services are provided primarily to business customers — general contractors, subcontractors, and the clients who engage them. For most personal information processed through the Plumb platform on behalf of those customer organizations (including information about their employees, project participants, and end customers), Plumb acts as a data processor and the customer organization that introduced the information into the platform acts as the data controller. Where Plumb determines the purposes and means of processing — for example, in operating and securing the Service, providing customer support, billing, and complying with Plumb’s own legal obligations — Plumb acts as the data controller.

By using Plumb, you agree to the processing of your information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.

2. Company Information

Plumb Software Inc., a Delaware corporation

135 N 200 E, Lindon, UT 84042

Email: contact@buildwithplumb.com

For privacy-related inquiries and to exercise your privacy rights, please contact: privacy@buildwithplumb.com

3. Information We Collect

3.1 Information You Provide Directly

We process information that you provide directly to us, including:

  • Account information (name, email address, phone number, company name)
  • Profile information (business details, company size, role)
  • Payment card information (processed securely through Stripe)
  • Bank account information for ACH payments (processed securely through Straddle)
  • Project and work order data (project names, descriptions, timelines, budgets)
  • Communication data (messages, support requests, feedback)
  • Documents and files you upload to the platform

3.2 Information Collected Automatically

When you use our services, we automatically collect:

  • Device information (IP address, browser type, operating system)
  • Usage data (pages visited, features used, time spent on platform)
  • Log data (access times, error logs, performance data)
  • Cookies and similar tracking technologies (see Cookie Policy below)

3.3 Information from Third Parties

We may receive information from third-party services, including:

  • Authentication providers (Supabase)
  • Payment processors (Stripe and Straddle)
  • Logging and monitoring services (Logflare)

4. How We Use Your Information

We process the information we collect to:

  • Provide, maintain, and improve our services
  • Process payments and transactions securely
  • Create and manage your account
  • Enable project and work order management features
  • Communicate with you about your account and our services
  • Provide customer support and respond to your requests
  • Detect, prevent, and address fraud and security issues
  • Comply with legal obligations and enforce our terms
  • Analyze usage patterns to improve user experience
  • Send you important updates, notifications, and administrative messages

5. Payment Processing

Plumb uses third-party payment processors to handle card and ACH transactions. We do not store full payment card numbers or bank account numbers on our own servers.

5.1 Stripe (Card Payments)

We use Stripe to process credit and debit card payments and subscription billing. When you make or receive payments through Plumb via Stripe:

  • Payment card information is collected and processed directly by Stripe in compliance with PCI-DSS standards
  • We do not store your complete payment card information on our servers
  • Stripe’s use of your payment information is governed by their Privacy Policy at https://stripe.com/privacy
  • We receive limited payment information from Stripe (such as the last four digits of your card and transaction status) for account management purposes
  • By using our card payment features, you authorize us to transfer your information to Stripe as necessary to process payments

5.2 Straddle (ACH Payments)

We use Straddle Payments, Inc (“Straddle”), a Nacha-registered Third-Party Sender with offices at 1001 Bannock St Suite 405, Denver CO 80204, to process ACH debits and credits for bank-to-bank payments between contractors, subcontractors, and their clients. ACH funds flow through Straddle’s For Benefit Of (FBO) account held at Valley National Bank, which acts as Straddle’s sponsor bank and Originating Depository Financial Institution (ODFI).

Under our Data Processing Agreement with Straddle, Straddle serves a dual role: as a Data Processor (acting on Plumb’s instructions) when storing transaction information and end-user contact details on Plumb’s behalf, and as an independent Data Controller (making independent decisions) when tokenizing your bank account details, conducting fraud monitoring, performing know-your-customer and anti-money-laundering verification, analyzing platform usage for service improvement, and complying with its legal and regulatory obligations. This distinction affects how deletion, correction, and access requests are handled — see §9.4 below.

When you make or receive ACH payments through Plumb:

  • Bank account information (routing number, account number) is retrieved via regulated Data Aggregator Networks and held directly by Straddle. Plumb stores only the masked last four digits, the bank name, and an opaque identifier (a Straddle paykey) used to reference the account with Straddle.
  • Straddle does not have access to the login credentials you use to link your bank account, and does not retrieve your historical account activity or transaction history. Straddle retrieves only current account information (such as current available balance, account ownership, and routing and account numbers) necessary to facilitate your payment request.
  • We transfer your name, masked bank account information, and transaction details (amount, date, counterparty) to Straddle as necessary to originate and settle the ACH transaction.
  • For business account holders, we also transfer KYB (Know Your Business) and KYC (Know Your Customer) information — including company name, business address, beneficial owner identities, and tax identifiers — to Straddle to satisfy their regulatory onboarding obligations.
  • Straddle does not transfer or store End User Information outside the United States.
  • Straddle’s use of your information is governed by its Privacy Policy at https://legal.straddle.com/privacy-policy-24. Straddle publishes its list of sub-processors and security certifications at https://trust.straddle.com.
  • Authorization records for ACH transactions — including the exact text you agreed to, a timestamp, your IP address, and the version of these Terms in effect at the time — are retained for at least two (2) years after the final transaction, as required by Nacha Operating Rules.
  • By using our ACH payment features, you authorize Straddle to execute the debit or credit you initiate, and authorize Plumb to transfer the information described above to Straddle as necessary to complete the transaction.

6. How We Disclose Your Information

We may disclose your information in the following circumstances:

6.1 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

We may disclose your information if required to do so by law or in response to:

  • Valid legal requests by public authorities
  • Court orders or subpoenas
  • Requests to comply with legal process
  • Situations involving potential threats to safety

We may transfer your information for other purposes with your explicit consent.

6.4 Sub-Processors and Data Categories

The following table lists our sub-processors, the purpose for which we engage each one, the categories of data they process on our behalf, and the country in which the processing occurs:

| Sub-Processor | Purpose | Data Categories | Location |
|---|---|---|---|
| Stripe | Card payment processing, subscription billing | Payment card info (last 4 + masked PAN), payment amounts, customer name and email | United States |
| Straddle | ACH payment processing (Nacha-registered Third-Party Sender), bank account verification, KYB/KYC compliance | Bank account info, customer name, payment amounts, KYB/KYC data | United States |
| Supabase | Authentication, database hosting | User credentials, account profile data, project data | United States |
| Gigalixir | Application hosting | All application data passed through the backend | United States |
| Vercel | Frontend hosting and edge serving | Web traffic logs, no user data stored | United States |
| Logflare | Application log management and monitoring | Application logs (no personally identifiable information is written to logs by convention) | United States |

We review our sub-processors before engagement and require that each maintain security and confidentiality practices consistent with this Privacy Policy. We will update this list and notify affected users before adding a new sub-processor that materially changes how your data is processed. Straddle, as our ACH payment processor, maintains its own list of sub-processors and current security certifications at https://trust.straddle.com.

7. Data Security

We implement appropriate technical and organizational security measures to protect your information against unauthorized access, alteration, disclosure, or destruction:

  • Encryption of data in transit using SSL/TLS protocols
  • Encryption of sensitive data at rest
  • Regular security assessments and audits
  • Access controls and authentication mechanisms
  • Employee training on data protection and security best practices

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

8. Data Retention

We retain your information for the following periods, after which it is securely deleted or anonymized unless a legal hold applies:

  • ACH authorization records: at least two (2) years after the final transaction (Nacha requirement).
  • Transaction records (payments, transfers, status history): at least two (2) years after the final transaction (Nacha requirement).
  • Revocation requests: at least two (2) years after revocation (Nacha requirement).
  • Account and user records: lifetime of the account plus one (1) year after account closure.
  • Project and work order data: lifetime of the account plus one (1) year.
  • Support tickets and communications: three (3) years.
  • Application logs (no personally identifiable information): retained according to the default retention periods of Plumb’s hosting and logging providers (Gigalixir, Vercel, Supabase, and Logflare).
  • Authentication and security events: retained by Plumb’s identity provider (Supabase) per its account retention policy.

Records subject to a legal hold are exempt from automatic deletion until the hold is lifted. Tax, accounting, and other records we are required by law to retain may be kept for longer periods to satisfy those requirements.

When we no longer need your information, we will securely delete or anonymize it.

9. Your Privacy Rights

9.1 General Rights

You have the following rights regarding your personal information:

  • Access: Request access to the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information
  • Data Portability: Request a copy of your data in a structured, machine-readable format
  • Objection: Object to our processing of your personal information
  • Restriction: Request restriction of processing of your information

9.2 California Privacy Notice

This California Privacy Notice supplements the foregoing sections of this Privacy Policy and applies to "consumers" as that term is defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA"), Cal. Civ. Code §§ 1798.100 et seq., and its implementing regulations. Capitalized terms used but not defined in this section have the meanings given to them under the CCPA.

Categories of personal information collected. In the preceding twelve (12) months, Plumb has collected the following categories of Personal Information about California consumers:

| Statutory Category (Cal. Civ. Code §1798.140(v)) | Examples of Information Plumb Collects |
|---|---|
| Identifiers | Real name, postal address, email address, telephone number, IP address, online identifier, account login identifier |
| Categories described in Cal. Civ. Code §1798.80(e) | Name, signature, postal address, telephone number, employment information, and bank account information limited to the bank name and the last four digits of the account number — full account and routing numbers are held directly by Straddle, not by Plumb |
| Commercial Information | Records of services obtained or considered, transaction history, project and work-order details, payment amounts and dates, counterparty identity |
| Internet or Other Electronic Network Activity Information | Browsing activity within the Plumb application, page-view and feature-use data, application performance and error logs, cookies and similar identifiers |
| Professional or Employment-Related Information | Job title or trade specialty, company name, role within an organization (general contractor, subcontractor, client) |

Plumb does not intentionally collect Personal Information falling within the following statutory categories: characteristics of protected classifications under California or federal law; biometric information; precise geolocation data; audio, electronic, visual, thermal, olfactory, or similar information not provided by the consumer; non-public education records; or inferences drawn to create a profile of a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes.

Sources of personal information. Plumb collects Personal Information from the following sources:

  • Directly from you when you create or use a Plumb account, link a payment method, manage a project, send a message through the platform, contact our support team, or upload documents.
  • Automatically from your device and browser when you interact with the Plumb platform, through cookies, server logs, and application telemetry.
  • From other Plumb account holders who add you to a project, work order, or payment as a counterparty (for example, a general contractor adding a subcontractor's email address to a work order).
  • From our service providers and payment processors (Supabase, Stripe, Straddle, Logflare) acting on Plumb's behalf or in their independent capacity as described in §5 and §6 above.

Purposes for collecting and processing personal information. Plumb collects and processes Personal Information for the business and commercial purposes disclosed in §4 of this Privacy Policy, including: providing and maintaining the Service; processing payments and transactions; managing your account; enabling project and work-order management; communicating with you about your account; providing customer support; detecting and preventing fraud and abuse; complying with legal, regulatory, audit, and tax obligations; and analyzing and improving the platform.

Sensitive personal information. Plumb does not knowingly collect Sensitive Personal Information ("SPI") as defined by Cal. Civ. Code §1798.140(ae). Specifically, Plumb does not knowingly collect or hold:

  • Social Security numbers, driver's license numbers, state identification card numbers, or passport numbers
  • Account login or financial account credentials
  • Precise geolocation data (latitude/longitude with a radius of 1,850 feet or less)
  • Racial or ethnic origin, religious or philosophical beliefs, or union membership
  • The contents of mail, email, or text messages not directed to Plumb
  • Genetic data
  • Biometric information processed for the purpose of uniquely identifying a consumer
  • Information concerning a consumer's health, sex life, or sexual orientation

For business account holders required to complete Know Your Business or Know Your Customer ("KYB/KYC") verification, sensitive identifiers — including taxpayer identification numbers and beneficial-owner government-issued ID information — are collected directly by Straddle through Straddle's embedded onboarding form and are held by Straddle, not by Plumb. Plumb's contractual restrictions with Straddle prohibit transmission of SPI to Straddle outside of those KYB/KYC fields specifically permitted under our Data Processing Agreement.

Plumb does not require uploading or processing of sensitive personal information to use our Services. If you upload sensitive personal information to our Services, you consent to our processing of that information.

Because Plumb does not knowingly collect SPI, the right to limit the use and disclosure of Sensitive Personal Information described in Cal. Civ. Code §1798.121 does not apply to data Plumb holds.

No sale, no sharing, no targeted advertising. Plumb does not knowingly sell Personal Information for monetary or other valuable consideration, and Plumb does not knowingly "share" Personal Information for cross-context behavioral advertising, in each case as those terms are defined by the CCPA. Plumb has not engaged in either practice in the preceding twelve (12) months and has no current plans to begin doing so.

Plumb does not knowingly collect, sell, or share the Personal Information of consumers under sixteen (16) years of age. The Plumb Service is not directed to and is not made available to minors; account holders must be at least eighteen (18) years of age (see Terms of Service §1).

Your California rights. If you are a California resident, you have the following rights with respect to the Personal Information Plumb holds about you:

  • Right to Know. You may request information about the categories and specific pieces of Personal Information Plumb has collected about you, the categories of sources from which the information was collected, the business or commercial purposes for which Plumb collected the information, the categories of third parties with whom Plumb disclosed the information, and the categories of Personal Information disclosed for a business purpose during the twelve (12) months preceding the request. You may also request that Plumb extend the look-back period beyond twelve months for Personal Information collected on or after January 1, 2022, and Plumb will accommodate the request unless doing so is impossible or would require disproportionate effort.
  • Right to Access. You may request a copy of the specific pieces of Personal Information Plumb holds about you, in a portable, readily-usable, machine-readable format.
  • Right to Delete. You may request that Plumb delete Personal Information it has collected about you, subject to the statutory exceptions set out in Cal. Civ. Code §1798.105(d). For payment-related and authorization records subject to the Nacha Operating Rules' two-year retention requirement (see §8 above), deletion will be effected at the conclusion of the regulatory retention period.
  • Right to Correct. You may request that Plumb correct inaccurate Personal Information it holds about you.
  • Right to Opt Out of Sale or Sharing. As described above, Plumb does not sell or share Personal Information; this right is preserved but does not currently apply to data Plumb holds.
  • Right to Limit Use of Sensitive Personal Information. As described above, Plumb does not collect SPI; this right is preserved but does not currently apply to data Plumb holds.
  • Right to Non-Discrimination. Plumb will not discriminate against you for exercising any of your CCPA rights. Plumb will not deny goods or services, charge different prices or rates, provide a different level or quality of services, or suggest that you will receive different goods or services as a consequence of your having exercised any of these rights.

Submitting a request. To submit a request to exercise any of the rights described above, please contact Plumb by email at privacy@buildwithplumb.com. Your request should describe the right you are seeking to exercise and provide enough information for Plumb to verify your identity and to confirm that the request relates to you (or to an individual on whose behalf you are authorized to act).

Plumb will acknowledge receipt of your request within ten (10) business days. Plumb will respond substantively within forty-five (45) calendar days of receipt. If Plumb requires additional time to respond, Plumb will inform you of the reason and the extension period — which will not exceed an additional forty-five (45) calendar days — in writing within the initial forty-five-day period.

For requests requiring identity verification, Plumb may ask you to verify information already on file with Plumb (for example, the email address associated with your account) or, for requests seeking specific pieces of information, may ask you to attest under penalty of perjury that you are the consumer to whom the information relates. Plumb does not require you to create an account with Plumb solely to make a verifiable consumer request. Plumb does not retain any Personal Information collected in connection with a verifiable consumer request beyond what is necessary to process and respond to the request.

Authorized agents. You may designate an authorized agent to make a request on your behalf. To designate an authorized agent, the agent must provide Plumb with (i) written permission signed by you authorizing the agent to act on your behalf, and (ii) verification of the agent's identity. Plumb may additionally require you to verify your own identity directly with Plumb and to confirm that you have provided the agent with permission to submit the request.

Shine the Light disclosure (Cal. Civ. Code §1798.83). California Civil Code §1798.83 entitles California residents who have an established business relationship with Plumb to request information about Plumb's disclosure of Personal Information to third parties for those third parties' direct marketing purposes during the immediately preceding calendar year. Plumb does not knowingly disclose Personal Information to third parties for those third parties' direct marketing purposes. To request a Shine-the-Light disclosure for any future calendar year in which Plumb may engage in such disclosures, please contact privacy@buildwithplumb.com.

Notice of financial incentives. Plumb does not offer any financial incentive or price or service difference in exchange for the collection, sale, or sharing of Personal Information.

Retention of personal information. The retention periods for each category of Personal Information that Plumb collects are described in §8 of this Privacy Policy. Plumb retains Personal Information only for as long as is reasonably necessary to fulfill the purposes for which it was collected, including to satisfy any legal, regulatory, audit, accounting, or reporting requirements.

Updates to this California Privacy Notice. Plumb will review this California Privacy Notice and, as necessary, update it at least once every twelve (12) months.

9.3 GDPR Rights (European and UK Residents)

The Regulation (EU) 2016/679 (General Data Protection Regulation) made effective in Europe on May 25, 2018 ("GDPR") requires that we clearly describe to data subjects the data we process and how we use that data. This Privacy Policy does that. If you have any questions for us regarding our data processing, please contact us at privacy@buildwithplumb.com. We comply with the GDPR requirements to the extent they apply to us.

We are based in the United States. By accessing or using the Services or otherwise providing information to us, you understand that your information will be subject to processing in and to the United States and in our other locations.

Due to the nature of our Services, we typically act as a "Processor" as defined under the GDPR. If you believe that this role should be defined differently, please contact us at privacy@buildwithplumb.com.

Pursuant to the GDPR, residents of the EU (and the EEA, as applicable) have the right to obtain our confirmation of whether we maintain personal information relating to them in the United States. If you are a resident of Europe, upon request from you, we will provide you with access to the Data that we process about you. Please contact us if you have any questions.

Further, if you are a resident of the United Kingdom ("UK"), to the extent the GDPR as incorporated into UK law pursuant to s.3 of the European Union (Withdrawal) Act 2018 (as amended, the "UK GDPR") applies to us, we will follow all supplemental requirements under the UK GDPR and you have all rights as a UK citizen under the UK GDPR.

If you are located in the European Economic Area (EEA) or the UK, you have the following rights under the GDPR (and the UK GDPR, as applicable):

  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent at any time
  • Right to lodge a complaint with a supervisory authority

9.4 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@buildwithplumb.com. We may need to verify your identity before processing your request. Most requests to access, correct, or delete personal information Plumb holds directly are handled within thirty (30) days. In all cases, Plumb will respond to your request within the time limits required by applicable law.

Requests involving data handled by our payment processors require additional coordination and may take longer:

  • Data Straddle holds on Plumb’s behalf as a Data Processor — including transaction details Plumb initiated and end-user contact information stored to facilitate transactions: Plumb will forward your request to Straddle at legal@straddle.com. Under the Data Processing Agreement between Plumb and Straddle, Straddle will notify Plumb within five (5) business days of receiving the request and will respond substantively only when instructed by Plumb.
  • Data Straddle holds as an independent Data Controller — including tokenized bank account details, fraud risk scores, know-your-customer and anti-money-laundering records, and platform analytics: Plumb cannot delete or correct this data on your behalf. To exercise your rights over this data, please contact Straddle directly at legal@straddle.com or 1 (833) 810-1008. Under Straddle’s Privacy Policy, Straddle will respond within forty-five (45) days, with a possible forty-five (45) day extension where required by law.
  • Data Stripe holds as Plumb’s payment processor is subject to Stripe’s own Privacy Policy; deletion or export requests for Stripe-held data may similarly require coordination with Stripe.

Payment-related data may also be subject to mandatory retention periods under the Nacha Operating Rules (see §8). Plumb will not delete linked references to Straddle-held records until Straddle confirms the corresponding record is eligible for deletion under those Rules.

10. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to track activity on our platform and hold certain information. Cookies are files with small amounts of data that are sent to your browser from a website and stored on your device.

Types of Cookies We Use:

  • Essential Cookies: Required for the platform to function properly (authentication, security)
  • Performance Cookies: Help us understand how users interact with our platform (analytics)
  • Functionality Cookies: Remember your preferences and settings

You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our platform.

Third-party services we use that may set cookies include:

  • Stripe (for payment processing)

11. Children’s Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and you become aware that your child has provided us with personal information, please contact us. If we become aware that we have collected personal information from children without verification of parental consent, we will take steps to remove that information from our servers.

Our platform may contain links to third-party websites or services that are not owned or controlled by Plumb. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policy of every site you visit.

13. International Data Transfers

Your information may be transferred to and maintained on computers located outside of your state, province, country, or other governmental jurisdiction where data protection laws may differ. Our servers and service providers are primarily located in the United States.

ACH-related information shared with Straddle Payments, Inc is not transferred or stored outside the United States.

By using our services, you consent to the transfer of your information to the United States and other countries where we operate. We will take reasonable steps to ensure that your data is treated securely and in accordance with this Privacy Policy.

14. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top of this policy.

We will notify you via email and/or a prominent notice on our platform prior to the change becoming effective. You are advised to review this Privacy Policy periodically for any changes.

Changes to this Privacy Policy are effective when they are posted on this page. Your continued use of the platform after any modifications to the Privacy Policy will constitute your acknowledgment of the modifications and your consent to abide by the modified Privacy Policy.

15. Do Not Track Signals

We do not currently respond to Do Not Track (DNT) signals from browsers. We may adopt a DNT standard if and when one is established for internet-wide use.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Plumb Software Inc., a Delaware corporation

135 N 200 E, Lindon, UT 84042

General Inquiries: contact@buildwithplumb.com

Privacy Rights: privacy@buildwithplumb.com