PRIVACY POLICY

ShedBuilder.ai

Operated by CAIO

Effective Date: March 16, 2026

1. Introduction

CAIO ("we," "us," or "our") operates ShedBuilder.ai (the "Platform"), a software-as-a-service platform for on-site custom shed builders and DIY homeowners. This Privacy Policy explains how we collect, use, disclose, and protect information when you use the Platform, visit our website, or interact with us.

This policy applies to two categories of individuals:

  • Users (including Subscribers and DIY Plan purchasers): Shed builders, businesses, and homeowners who create accounts and purchase a subscription or DIY Plan on the Platform.
  • End Users: Individuals who interact with a Subscriber's client-facing configurator hosted on the Platform.

For End Users: your data is primarily controlled by the Subscriber whose configurator you are using. Please refer to that Subscriber's privacy policy for information about how they handle your data. We process End User data on behalf of Subscribers as described in our Data Processing Addendum.

2. Information We Collect

2.1 Subscriber Account Information

  • Name, email address, phone number, and business name
  • Billing address and payment information (processed and stored by Stripe; we do not store full payment card numbers)
  • Account credentials (passwords are hashed; we never store plaintext passwords)
  • Team member information (names and emails of users invited to your Workspace)

Team member data: Information about team members invited to a Subscriber's Workspace receives the same security protections and access controls as Subscriber account data. Team member personal information is processed solely for the purpose of providing access to the Workspace and delivering the Service. It is not used for marketing purposes or shared with third parties except as necessary to provide the Service.

2.2 Workspace Data

  • Shed designs, configurations, specifications, and saved presets
  • Framing drawings, cut lists, material pick lists, and labor estimates generated by the Platform
  • Client/lead information entered by Subscribers (names, addresses, phone numbers, emails, project details)
  • Quotes, proposals, and job pipeline data
  • Pricing configurations and markup settings
  • Uploaded files (images, documents, site photos)

2.3 End User Configurator Data

When an End User interacts with a Subscriber's configurator, we may collect:

  • Contact information submitted through lead capture forms (name, email, phone, address)
  • Shed configuration selections (size, style, materials, features)
  • Device and browser information (see Section 2.4)

This data is collected on behalf of the Subscriber and stored in the Subscriber's Workspace. We process it as a data processor (see our Data Processing Addendum).

2.4 Automatically Collected Information

  • IP address, browser type and version, operating system, and device identifiers
  • Pages visited, features used, time spent on features, and navigation paths
  • Referring URLs and search terms
  • Cookies and similar tracking technologies (see Section 6)
  • Error logs and performance data

Data minimization: We collect only the automatically collected data that is necessary for operating, securing, and improving the Platform. We do not employ session replay tools, keystroke logging, or screen recording. Click and navigation data is collected in aggregate form for feature usage analytics and is not used to reconstruct individual user sessions.

2.5 Information from Third Parties

  • Payment and billing data from Stripe (transaction confirmations, subscription status)
  • Authentication data if you sign in via third-party providers (Google, GitHub, etc.)

3. How We Use Information

3.1 Subscriber Data

  • Providing the Service: Operating your Workspace, generating designs and estimates, managing your configurator, and delivering Platform features.
  • Billing: Processing subscription payments, sending invoices, and managing your account.
  • Communications: Sending account notifications, feature updates, maintenance notices, and responding to support requests.
  • Marketing: With your consent, sending product updates, feature announcements, and promotional materials. You may opt out at any time.
  • Improving the Platform: Analyzing aggregated, de-identified usage patterns, identifying bugs, and developing new features.
  • Aggregate analytics: Generating anonymized, aggregated insights about Platform usage, industry trends, and benchmarks (see Section 4).
  • Legal compliance: Complying with applicable laws, regulations, and legal processes.

AI/ML training prohibition: We do not use Subscriber data, Workspace content, interaction data, or any identifiable derivative thereof to train, fine-tune, or develop artificial intelligence or machine learning models, whether proprietary or third-party. Platform improvements referenced above are limited to traditional software development practices (e.g., analyzing aggregated feature adoption to inform product roadmap priorities, identifying systematic bugs from anonymized error logs).

3.2 End User Data

We process End User data on behalf of Subscribers solely for the purpose of providing the Service. We do not use End User data for our own marketing purposes. See our Data Processing Addendum for details on our role as a data processor.

4. How We Share Information

We do not sell personal information. We may share information as follows:

  • Service providers: We share data with third-party vendors who help operate the Platform, including Stripe (payment processing), Vercel (hosting), and analytics providers (see Section 6). These providers are contractually obligated to protect your information and process it only on our instructions.
  • Subscriber access to End User data: End User data collected through a Subscriber's configurator is accessible to that Subscriber within their Workspace. We do not share End User data across Workspaces or with other Subscribers.
  • Legal requirements: We may disclose information if required by law, court order, or government regulation, or to protect our rights, your safety, or the safety of others.
  • Business transfers: In the event of a merger, acquisition, or asset sale, your information may be transferred. We will notify you at least 30 days in advance of any such change.
  • Aggregate data: We may share anonymized, aggregated data that does not identify you or your clients for internal research and generalized industry benchmarking purposes. Aggregated data is derived only from a sufficient number of Subscribers such that no individual Subscriber's data can be inferred or reconstructed. We do not share aggregated data with entities that are direct competitors of our Subscribers.

5. Data Isolation and Security

5.1 Workspace Isolation

Each Subscriber's Workspace is logically isolated. Your data—including designs, client information, and business records—is not accessible to other Subscribers. Our multi-tenant architecture enforces access controls at the application and database layers.

5.2 Security Measures

  • HTTPS/TLS encryption for all data in transit
  • Encryption at rest for stored data
  • Secure payment processing through Stripe (PCI-DSS compliant)
  • Role-based access controls within Workspaces
  • Multi-factor authentication (MFA) for administrative access to production systems
  • Regular security reviews, dependency updates, and vulnerability scanning
  • Secure authentication with hashed password storage
  • Logging and monitoring of access to production systems

Security certifications: We are committed to obtaining SOC 2 Type II certification within 18 months of the effective date of this policy. Upon completion, reports will be made available to Subscribers under NDA. We conduct annual third-party penetration testing of the Platform and will make summary findings available to enterprise Subscribers upon written request.

No system is 100% secure. While we implement industry-standard safeguards, we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials.

6. Cookies and Tracking

We use cookies and similar technologies for:

————— ———————————————————————————————————————————————— ——————- Type Purpose Duration

Essential Authentication, session management, core functionality. Cannot be disabled. Session / 30 days

Preferences Settings and preferences across sessions. 1 year

Analytics Usage patterns, feature adoption, bug identification. Powered by Plausible Analytics (privacy-respecting, cookieless, no cross-site tracking). Up to 13 months ————— ———————————————————————————————————————————————— ——————-

We do not use advertising or cross-site tracking cookies on the Platform. Our analytics provider (Plausible Analytics) does not use cookies, does not collect personal data, and does not track users across websites. You may control cookies through your browser settings; disabling essential cookies may prevent the Platform from functioning.

Analytics opt-out: Subscribers may opt out of analytics data collection for their Workspace by contacting privacy@shedbuilder.ai. We honor Do Not Track (DNT) signals and Global Privacy Control (GPC) signals sent by your browser.

7. Data Retention

  • Active accounts: Data is retained for the duration of your subscription.
  • After subscription cancellation: Workspace data is retained in read-only state for 90 days, then permanently deleted (see Terms of Service, Section 5.4).
  • DIY Plan: Design data is retained in perpetual read-only mode after the Design Access Period expires. Data is deleted 30 days after account deletion.
  • Billing records: Retained for 7 years for tax and legal compliance.
  • Automatically collected data: Automatically collected data (IP addresses, device identifiers, navigation data) is retained for a maximum of 13 months from the date of collection, after which it is permanently deleted or irreversibly anonymized. You may request earlier deletion of automatically collected data associated with your account by contacting privacy@shedbuilder.ai.
  • Analytics data: Aggregated analytics data (which does not identify individuals) may be retained indefinitely.
  • End User data: Retained within the Subscriber's Workspace for the duration of the Subscriber's account, then deleted per the schedule above.
  • Support correspondence: Retained for 3 years after the last interaction.

8. Your Rights

8.1 Subscriber Rights

  • Access and export: You may access and export your Workspace data at any time through the Platform's export features. Exports are available in machine-readable formats (JSON, CSV, PDF).
  • Correction: You may update your account information and Workspace data directly through the Platform.
  • Deletion: You may delete specific data within your Workspace at any time. To delete your entire account, contact us at privacy@shedbuilder.ai.
  • Opt-out of marketing: Unsubscribe from marketing emails at any time via the link in any marketing email.
  • Data portability: You may request a machine-readable export of your data in JSON and CSV formats.

8.2 End User Rights

If you are an End User who interacted with a Subscriber's configurator, you should contact that Subscriber directly to exercise your privacy rights. They control your data. If you are unable to reach the Subscriber, you may contact us at privacy@shedbuilder.ai and we will make reasonable efforts to assist.

8.3 California Residents (CCPA/CPRA)

California residents have additional rights under the CCPA/CPRA:

  • Right to know what personal information we collect and how we use it.
  • Right to delete personal information, subject to legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising.
  • Right to non-discrimination for exercising your privacy rights.

To exercise these rights, contact us at privacy@shedbuilder.ai. We will verify your identity before processing requests. We will respond to verified requests within 45 days, with a possible 45-day extension upon notice.

Global Privacy Control and opt-out signals: We honor Global Privacy Control (GPC) signals and other legally recognized universal opt-out preference signals as valid requests to opt out of the sale or sharing of personal information, as required under CPRA and applicable state privacy laws.

8.4 Other U.S. State Privacy Laws

Residents of Colorado, Connecticut, Virginia, Utah, Oregon, Texas, Montana, and other states with consumer privacy laws may have similar rights to access, correct, delete, and port their personal data. Contact us at privacy@shedbuilder.ai to exercise these rights. We will respond within the timeframes required by applicable law (typically 30--45 days).

9. Children's Privacy

The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected such information, we will delete it promptly. Contact us at privacy@shedbuilder.ai if you believe we have inadvertently collected information from a minor.

10. International Data

The Platform is hosted in the United States. If you access the Platform from outside the U.S., your information will be transferred to and processed in the U.S. We apply the same security protections to all data regardless of origin.

Transfer mechanisms: If you or your End Users are located in the European Economic Area (EEA), United Kingdom, or Switzerland, and applicable data protection laws require additional transfer mechanisms, we will work with you to implement appropriate safeguards, including EU Standard Contractual Clauses (SCCs, EU Commission 2021 version) or other transfer mechanisms recognized under applicable law. Subscribers requiring SCCs should contact legal@shedbuilder.ai to request execution.

Data residency: All primary data storage and processing occurs within the United States.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email and/or in-app notification at least 30 days before taking effect. We encourage you to review this policy periodically.

12. Breach Notification

In the event of a data breach affecting Subscriber personal data (account information, team member information) where CAIO is the data controller, we will notify affected Subscribers within 72 hours of becoming aware of the breach, consistent with our obligations under the Data Processing Addendum for End User Data. Notification will include: (a) the nature of the breach, (b) categories and approximate number of individuals affected, (c) likely consequences, and (d) measures taken or proposed to address the breach.

For breaches affecting End User Data (where CAIO is the data processor), see the Data Processing Addendum, Section 9.

13. Contact Us

For privacy questions, data requests, or concerns:

CAIO

Email: privacy@shedbuilder.ai

Website: https://shedbuilder.ai