GDPR & Data Processing
Last updated: August 9, 2025
1) Who We Are & Our Roles
Contractor Plus, Inc. ("Contractor+," "we," "us") provides field service management software, Contractor+ Voice (telephony), and related services.
- Controller for account, billing, usage, marketing, and website analytics data.
- Processor for customer/end‑customer data you upload or connect (e.g., contacts, jobs, invoices, recordings) where you are the Controller.
Primary contact for EU/UK privacy matters: gdpr@contractorplus.app (or legal@contractorplus.app).
2) EU/UK Representative (Article 27)
If Article 3(2) GDPR or the UK GDPR applies to us (i.e., we offer services to or monitor individuals in the EEA/UK while not established there), we will appoint a formal EU/UK Representative and update this page with their name, address, and email. Note: a simple inbox is not enough—the rep must be a person or company established in the EEA/UK and authorized in writing to act for us before regulators and data subjects.
Status today: No EU/UK Representative appointed. If/when our activities trigger Article 27, we'll designate one and publish full details here.
3) Legal Bases (GDPR Art. 6)
- Contract – to provide the Services you request (accounts, core app features, integrations).
- Legitimate Interests – service security, fraud prevention, product improvement, quality assurance for Voice (e.g., call routing/analytics).
- Consent – marketing communications; optional features like certain call recordings where local law requires consent.
- Legal Obligation – payments, tax/AML/KYC compliance, recordkeeping.
4) Your EU/UK Rights
Email gdpr@contractorplus.app to exercise your rights:
- Access/Portability (Art. 15/20)
- Rectification (Art. 16)
- Erasure (Art. 17)
- Restriction/Objection (Arts. 18–21)
- Withdraw Consent at any time
- Object to direct marketing at any time
We will respond within one month (extendable in complex cases). You may also lodge a complaint with your local supervisory authority.
5) Sub‑Processors (vendors we use to run the Service)
These vendors process personal data on our behalf. We vet them, sign data‑processing terms, and use transfer safeguards where needed. We'll update this list and, where contractually required, give prior notice before additions.
Amazon Web Services, Inc. (AWS)
Cloud hosting, storage, backups (app, DB, files).
Data: account data, user content, logs.
Location: primarily USA (with regional options).
Twilio, Inc.
Contractor+ Voice (telephony: SIP/voice/SMS); may include call recording/transcription features you enable.
Data: phone numbers, call/SMS metadata, audio/recordings.
Location: USA/EU (varies by routing).
Finix Payments, Inc.
Payments processing and KYC/AML facilitation for Contractor+ Pay.
Data: payment tokens, identifiers, transaction metadata, business/KYC info.
Location: USA.
Plaid Inc.
Bank connectivity and account verification (where you connect it).
Data: bank identifiers/tokens, account and transaction metadata.
Location: USA.
Intercom R&D Unlimited Company
In‑app support, messaging, helpdesk.
Data: account/contact details, usage context, support content.
Location: EU/USA.
Userback Pty Ltd
Feedback collection (screenshots, console info you submit).
Data: contact details, page metadata, screenshots.
Location: Australia/EU/USA.
Google LLC
Google Analytics & Google Workspace — Website/app analytics; corporate email/docs.
Data: analytics identifiers, usage events; communications metadata.
Location: USA/EU.
OpenAI, L.L.C.
AI inference for optional features (e.g., Estimatic/assistants).
Data: prompts/content you submit for the feature.
Location: USA.
ElevenLabs, Inc.
Text‑to‑speech / voice synthesis for optional Voice features.
Data: text snippets, generated audio.
Location: USA.
Slack Technologies, LLC
Internal collaboration (limited PII in support escalations).
Data: names, emails, ticket snippets.
Location: USA/EU.
Not Sub‑Processors (Customer‑Directed Integrations / Independent Controllers)
When you connect or sync with these, you act as Controller directing data flows; their own policies apply: QuickBooks Online (Intuit), Lowe's (for SKU pricing and ordering), Zapier, CompanyCam, and other integrations you choose to enable.
6) International Transfers
We host primarily in the United States. For EEA personal data we use the European Commission 2021 Standard Contractual Clauses (SCCs), plus supplementary measures where necessary. For UK personal data we use the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.
7) Security
We implement technical and organizational measures appropriate to risk, including:
- Encryption in transit (TLS 1.2+) and at rest (e.g., AES‑256)
- Access controls (RBAC/least‑privilege), audit logging
- Network isolation, key management, and regular third‑party testing
- Secure SDLC, vulnerability management, and employee training
8) Retention
We keep personal data for the life of the account and as needed for our legal/operational obligations (e.g., tax/AML). Call recordings are retained for 24 months by default unless you delete them sooner. Backups are time‑bound and are purged on a rolling basis.
9) Breach Notification
If we become aware of a personal‑data breach, we will notify the relevant supervisory authority within 72 hours when required, and affected customers without undue delay, including information necessary to help you meet your own obligations.
10) Automated Decision‑Making & Profiling
We do not make decisions producing legal or similarly significant effects solely by automated means. We may use risk signals (e.g., fraud/abuse flags) to protect the Service; you can contact us to contest or request human review where applicable.
11) Data Processing Addendum (DPA)
Need a signed DPA (Art. 28/46)? Email dpa@contractorplus.app and we'll provide our standard DPA with SCCs/UK Addendum.
12) Changes
We'll update this page as our data practices evolve and will provide advance notice of material changes where legally required.