Effective Date: December 1, 2025
Last Updated: December 1, 2025
At SteadyManager, operated by Steady Scaling LLC, we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our service. By using SteadyManager, you agree to the practices described in this policy.
Our Commitment to Security
Security wasn't an afterthought—it was the foundation. From multi-factor authentication and encrypted password storage to row-level database security and XSS protection, every feature was designed with your safety in mind. This policy explains exactly how we protect your information, because we believe transparency builds trust.
1. Information We Collect
1.1 Information You Provide
When you create an account or use SteadyManager, we collect:
- Account Information: Email address, password (encrypted), and account preferences
- Lead Data: Names, contact information, companies, notes, and other details you add about your prospects
- Task Information: Task titles, descriptions, due dates, and completion notes
- Business Data: Estimates (client info, line items, pricing, photos), Jobs (materials, labor costs, profit margins, project details), and Goals (targets, progress tracking)
- Settings and Preferences: Theme preferences, notification settings, and display options
1.2 Automatically Collected Information
When you use our service, we automatically collect:
- Usage Data: Pages visited, features used, time spent on the platform
- Device Information: Browser type, operating system, IP address, and device identifiers
- Session Information: We track all login sessions including device type, browser, operating system, IP address, geographic location (country/city), login timestamps, and last activity time. This information is used to:
  - Enforce single-device access (all users limited to 1 active device at a time)
  - Detect and flag suspicious activity (e.g., logins from multiple countries within a short time)
  - Allow you to view recent login activity (last 24 hours) in your Settings page
  - Automatically disconnect the previous session when you log in from a new device
- Cookies: Authentication cookies and preference storage (see Section 6)
1.3 Payment Information
We use Stripe to process payments for Professional subscriptions. We do not store your credit card information on our servers. Stripe collects and processes your payment information in accordance with their Privacy Policy.
2. How We Use Your Information
We use the information we collect to:
- Provide the Service: Create and manage your account, store your leads and tasks, and deliver core CRM functionality
- Improve User Experience: Personalize your dashboard, remember your preferences, and optimize performance
- Send Communications: Email verification, password resets, billing notifications, and important service updates
- Security and Fraud Prevention: Detect and prevent unauthorized access, abuse, and fraudulent activity
- Analytics and Development: Understand how users interact with the platform and identify areas for improvement
- Legal Compliance: Comply with applicable laws, regulations, and legal processes
3. How We Share Your Information
We do not sell your personal information to third parties. We may share your information in the following limited circumstances:
3.1 Service Providers
- Supabase: Our database and authentication provider (see Supabase Privacy Policy)
- Stripe: Our payment processor for subscriptions (see Stripe Privacy Policy)
- Railway: Our hosting provider for the backend server (see Railway Privacy Policy)
These providers are bound by contractual obligations to protect your data and only use it to provide services to us.
3.2 Legal Requirements
We may disclose your information if required to do so by law, court order, subpoena, or to protect the rights, property, or safety of Steady Scaling LLC, our users, or the public.
3.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the new owner. We will notify you via email or dashboard notification before your information is transferred and becomes subject to a different privacy policy.
4. Data Security
Data security is our highest priority. We've implemented multiple layers of protection to ensure your information remains private and secure. Here's exactly what we do:
4.1 Authentication & Access Control
- Multi-Factor Authentication (MFA): Optional TOTP-based two-factor authentication using industry-standard RFC 6238 protocol. When enabled, MFA is required for password resets and email changes to prevent unauthorized account takeover.
- Password Security: All passwords are hashed using bcrypt with salt before storage. We never store or have access to your plaintext password. Passwords must meet strict complexity requirements: minimum 8 characters with lowercase, uppercase, numbers, and symbols.
- Email Verification: Required before dashboard access to prevent unauthorized account creation and ensure account ownership.
- Secure Password Reset: Password reset links expire after 1 hour and are single-use only. If MFA is enabled, you must verify your authenticator code before resetting your password (AAL2 session requirement).
- Secure Email Change: Email changes require both password verification and MFA verification (if enabled), plus confirmation from your new email address to prove ownership.
- Session Management: Automatic session timeout after 60 days. Access tokens refresh every hour for security without interrupting your workflow.
4.2 Data Protection
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS 1.3, the same encryption used by banks.
- Encryption at Rest: Your data is stored in encrypted databases with AES-256 encryption.
- Row-Level Security (RLS): Database-level policies ensure users can only access their own data. Even if our application layer is compromised, the database prevents unauthorized data access.
- XSS Protection: All user-generated content is sanitized to prevent cross-site scripting attacks. We use Content Security Policy (CSP) headers to block malicious scripts.
- CSRF Protection: Built-in cross-site request forgery protection prevents unauthorized actions on your behalf.
- Input Validation: All data is validated on both client and server side to prevent injection attacks and data corruption.
4.3 Infrastructure Security
- Secure Hosting: Hosted on Railway and Supabase, enterprise-grade platforms with strong security practices.
- Database Backups: Automated daily backups with point-in-time recovery capabilities.
- DDoS Protection: Built-in protection against distributed denial-of-service attacks.
- Regular Updates: Security patches and updates applied promptly to all dependencies and infrastructure.
- Monitoring & Logging: Real-time monitoring of suspicious activity with automated alerts for potential security incidents.
4.4 Privacy by Design
- Cookie Consent: Analytics cookies require your explicit consent. Essential authentication cookies are clearly disclosed.
- Minimal Data Collection: We only collect data necessary to provide the service. No tracking pixels, no third-party ads, no data brokers.
- Transparent Practices: This privacy policy clearly explains what we collect, why we collect it, and how we protect it.
- User Control: You control your data—export it anytime, delete it permanently, or update it as needed.
Important: While we implement industry-leading security measures, no system is 100% secure. We continuously improve our security posture and will notify you immediately if any security incident affects your data. You can help protect your account by enabling MFA, using a strong unique password, and keeping your login credentials confidential.
5. Data Retention
We retain your information for as long as your account is active or as needed to provide the service. If you delete your account, we will permanently delete your data within 30 days, except where we are required to retain it for legal or compliance purposes.
You can export your data at any time through the dashboard before deleting your account.
6. Cookies and Tracking
We use cookies to provide essential functionality:
- Authentication Cookies: To keep you logged in and verify your identity (required)
- Preference Cookies: To remember your theme and settings (optional)
We do not use third-party advertising or analytics cookies. You can disable preference cookies in your browser settings without affecting core functionality.
7. Your Rights and Choices
You have complete control over your data. Here are your rights and how to exercise them:
7.1 Access & Update Your Data
- View: Access your profile, leads, tasks, goals, estimates, and all other data anytime through your dashboard.
- Edit: Update your account settings, email address, preferences, and all CRM data in real-time.
- Export: Download your leads, tasks, goals, estimates, and jobs as CSV files for backup or migration purposes (available in Settings > Export Data). Photos can be saved individually by right-clicking where they are displayed.
7.2 Delete Your Data
You can permanently delete your account and all associated data at any time. Here's exactly what happens:
- What Gets Deleted: All your leads, tasks, goals, estimates, jobs, notes, account settings, and personal information will be permanently erased from our systems within 30 days.
- What We Keep: We may retain transaction records for legal compliance (tax, accounting) for up to 7 years as required by law. These records are anonymized and cannot be tied back to your identity.
- How to Delete: Go to Dashboard > Settings > Danger Zone > Delete Account. You'll be asked to confirm your password and will receive a confirmation email. This action is irreversible.
- Before You Delete: Export your data if you want to keep a copy. Once deleted, we cannot recover your information.
- Cancellation vs Deletion: Canceling your Professional subscription does not delete your account—you'll be downgraded to the Free tier. You must explicitly delete your account to remove all data.
No Form Required: You can delete your account directly from the dashboard without contacting support. If you encounter any issues, email josh@steadyscaling.com and we'll process your deletion request within 48 hours.
7.3 Other Privacy Rights
- Opt-Out of Analytics: You can enable "Do Not Track" in your browser settings.
- Unsubscribe from Emails: You can unsubscribe from marketing emails (we don't send them yet). Security-critical emails (verification, password resets, billing) cannot be opted out of.
- Portability: Export your data in standard CSV format to move to another CRM if needed.
- Questions or Requests: Contact us at josh@steadyscaling.com for any data-related requests or concerns.
8. Children's Privacy
SteadyManager is not intended for users under the age of 18. We do not knowingly collect personal information from children. If we discover that we have inadvertently collected information from a child, we will delete it immediately. If you believe a child has provided us with personal information, please contact us at josh@steadyscaling.com.
9. International Data Transfers
SteadyManager is operated in the United States. If you are accessing the service from outside the U.S., your information may be transferred to, stored, and processed in the United States. By using the service, you consent to the transfer of your information to the United States.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make changes, we will update the "Last Updated" date at the top of this page and notify you via email or dashboard notification. Your continued use of the service after changes constitutes acceptance of the updated policy.
Your Responsibility: You are responsible for periodically reviewing this Privacy Policy and our Terms of Service to stay informed of any updates. We recommend checking this page regularly for changes. If you do not agree with any modifications, you must discontinue use of the service immediately.
11. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
- Email: josh@steadyscaling.com
- Company: Steady Scaling LLC
Last Updated: December 1, 2025 | Version 1.0