Paint My Curb

Privacy Policy

Effective May 11, 2026

1. Overview

This Privacy Policy explains how Paint My Curb (“Platform,” “we,” “us,” or “our”) collects, uses, shares, retains, and protects your personal information. It applies to homeowners and residents who book a service (“Customers”) and to independent service providers who accept work through the Platform (“Painters”).

The Platform is operated from the United States and is intended for use by U.S. residents. We do not sell your personal information.

For service-related Terms (booking, payment, refunds, completion verification), see our Terms & Conditions.

2. Data We Collect

From Customers

  • Booking & contact information: name, email address, service address, optional phone number, and the transaction identifiers associated with each booking.
  • Communication content: messages you send through the “Contact Your Painter” flow or to support, and any review text you post about a Painter.

From Painters

  • Account & profile information: business name, username, public profile photo, service area, contact email, and the Stripe Connect account identifier used to receive payouts.
  • Job artifacts: completion photos uploaded after each job (these are sent to the Customer and retained as service evidence).
  • Payout records: dates, amounts, and status of transfers made to your Stripe Connect account. We do not see or store your bank account details — those are held by Stripe.

Automatic collection (everyone)

  • Device information: browser user-agent string, used to classify the type of device (mobile, tablet, desktop). We do not collect precise hardware identifiers.
  • Activity logs: timestamps of key actions such as booking confirmations, photo uploads, review submissions, and dispute filings.
  • Payment data: handled by Stripe, Inc. We store only transaction identifiers; full card details never reach our servers. See Stripe’s Privacy Policy.
  • Analytics & advertising data: through Google Analytics, Google Ads, and the Reddit Pixel — see Section 5 for details and opt-out links.

3. How We Use Your Data

  • Operate the Platform — accounts, bookings, payments, completion verification
  • Send transactional notifications (booking confirmations, completion emails, dispute alerts, payout notices)
  • Detect and prevent fraud, abuse, or violations of our Terms
  • Improve the product (anonymized usage analysis through Google Analytics)
  • Measure the effectiveness of advertising campaigns
  • Comply with tax, accounting, and other legal obligations
  • Respond to support inquiries and resolve disputes

4. How We Share Your Data

We do not sell your personal information. We share specific data with sub-processors that help us operate the Platform:

  • Stripe, Inc. — payment processing, Stripe Connect payouts, and fraud detection.
  • Supabase — managed Postgres database and authentication.
  • Resend — transactional email delivery (booking confirmations, completion notifications, dispute alerts).
  • Render — web application and cron-job hosting.
  • Cloudflare — DNS, edge network, and email forwarding.
  • Google LLC — Google Analytics (usage analytics) and Google Ads (advertising and conversion measurement).
  • Reddit, Inc. — Reddit Pixel for advertising conversion measurement.

Each sub-processor handles data under its own privacy policy. We share the minimum necessary for the service they provide.

We may also share information when required by law (subpoena, court order, lawful regulatory request) or to protect rights, property, or safety.

5. Cookies & Tracking Technologies

The Platform uses cookies and similar technologies for the following purposes:

  • Session management: to keep you logged in and maintain session state.
  • Preference storage: to remember choices, such as dismissing the cookie notice.
  • Analytics — Google Analytics: collects anonymized information about how visitors interact with the Platform (pages visited, session duration, general geographic region). Opt out at any time with the Google Analytics Opt-out Browser Add-on.
  • Advertising — Google Ads: remarketing and conversion tracking. Manage personalized advertising at Google Ads Settings.
  • Advertising — Reddit Pixel: measures the performance of our Reddit ads. May collect hashed versions of email addresses entered on the Platform (the address is passed through a one-way function before it is sent), solely for matching ad conversions. No personal information is shared in plain text. See Reddit’s Privacy Policy.

Most browsers allow you to control or delete cookies through their settings. Disabling cookies may affect Platform functionality. By continuing to use the Platform you consent to our use of cookies as described here.

6. Data Retention

How long we keep your data depends on its category:

  • Booking, payment, and tax records: retained for at least 7 years after the transaction to comply with IRS and state tax recordkeeping rules. We cannot delete these earlier even on request, but we will delete or anonymize the associated marketing and analytics identifiers.
  • Customer account data: retained while your account is active. Deleted within 30 days of account closure or a verified deletion request, except for the transaction-record carve-out above.
  • Painter account data: retained while your Painter account is active. Completion photos are retained for 7 years as service evidence (they may be needed to defend a chargeback dispute or respond to a customer concern).
  • Communication content: support emails and Customer-Painter messages are retained for 2 years for dispute resolution, then deleted.
  • Analytics & advertising identifiers: retention is controlled by Google and Reddit per their respective policies; we do not store these on our own servers beyond session-level use.
  • Backups: automated database backups are purged on a 30-day rolling cycle. A deletion request is fully effective once the corresponding backups have rolled out of the cycle (no later than 30 days after the live data is deleted).

7. Your Privacy Rights

You have the right to:

  • Know what personal information we collect about you and how we use it
  • Access a copy of the personal information we hold about you
  • Correct inaccurate personal information
  • Delete your personal information (subject to the 7-year transaction-record carve-out)
  • Opt out of the sale or sharing of personal information (we do not sell or share for cross-context behavioral advertising)
  • Non-discrimination: we will not deny service, charge a different price, or provide a different quality of service because you exercised your privacy rights

To exercise these rights, email [email protected]. We will respond within 45 calendar days, as required by California law. If we need additional time (up to another 45 days) we will tell you why.

Before we act on a deletion or access request we will verify your identity to prevent unauthorized disclosures. Verification is typically a confirmation email from the address on file or a recent transaction identifier.

You may use an authorized agent to submit a request on your behalf. We will require written authorization from you and verification of your identity directly.

8. California Residents (CCPA / CPRA)

California residents have all the rights in Section 7 above, plus the specific CCPA/CPRA rights to:

  • Know the categories and specific pieces of personal information we have collected about you in the prior 12 months
  • Know the categories of sources from which we collected the information
  • Know the business purposes for collecting it
  • Know the categories of third parties with whom we shared it
  • Limit the use and disclosure of sensitive personal information (we do not collect sensitive PI categories such as SSN, government ID, biometric data, or precise geolocation)

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. The data we send to Google Analytics, Google Ads, and the Reddit Pixel is for operational measurement of our own advertising — not for third-party sale.

California residents can submit privacy requests by emailing [email protected]. We respond within 45 days as described in Section 7.

9. Global Privacy Control (GPC)

Some browsers and browser extensions transmit a Global Privacy Control signal that expresses an opt-out of the sale or sharing of personal information. Because we do not sell or share personal information for cross-context behavioral advertising, GPC signals do not change how we handle your data. We honor the underlying opt-out preference by default for everyone.

10. Children’s Privacy (COPPA)

The Platform is not directed to children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us with personal information, contact us at [email protected] and we will delete it promptly.

11. International Users

The Platform is operated from the United States and is intended for use by U.S. residents. If you access the Platform from outside the U.S., your data will be transferred to and processed in the United States, where data protection laws may differ from those in your country. By using the Platform you consent to this transfer.

The Platform is not designed to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, or similar regimes outside the United States. If you are located in those jurisdictions, do not use the Platform.

12. Security

We use industry-standard practices to protect your data, including encryption in transit (HTTPS / TLS 1.2+), encryption at rest on our managed Postgres database, row-level security for tenant isolation, and two-factor authentication on internal operational accounts.

No system is perfect. If you discover a security vulnerability, please report it responsibly to [email protected]. We appreciate good-faith reports and will not pursue legal action against researchers who follow standard responsible-disclosure practices.

13. Changes to This Policy

We may update this Privacy Policy from time to time. The revised version will be posted on this page with a new effective date. For material changes (a new category of data, a new sub-processor, a change to retention) we will make reasonable efforts to notify you by email or through a notice on the Platform before the change takes effect.

By continuing to use the Platform after the revised Policy is posted, you accept the update.

14. Contact Us

Privacy questions or requests: [email protected]

Security issues: [email protected]