Privacy Policy
1. Introduction
Integration Partners LLC ("SubLien," "we," "us") operates the SubLien platform at sublien.com. This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our lien waiver management and COI compliance services ("Service").
2. Information We Collect
2.1 Account Information
When you register, we collect your name, email address, password (stored only as a salted hash), and company name. Organization roles are assigned within the Service after registration. If you authenticate through Procore OAuth, we receive your Procore user profile and associated company information. If you connect QuickBooks Online, we receive your QuickBooks company identifier and OAuth authorization tokens from Intuit.
2.2 Transaction Data
To generate lien waiver workflow records and track COI and W-9 status, the Service processes: project names; names, email addresses, phone numbers, and business addresses of vendors/subcontractors and their contacts; contract amounts, payment periods, state and jurisdiction information, insurance certificate details, W-9 status, W-9 file metadata, and limited W-9 metadata entered by users such as legal name, tax classification, and TIN last four digits. This information may be entered by users or imported from connected systems (Procore, Intuit QuickBooks Online).
2.3 Signature Data
When a document is electronically signed, we collect: the signer's name and title, email address, IP address, approximate geolocation derived from the IP address (city, region, country, and approximate latitude/longitude), user agent string, timestamp of signature, consent to electronic signature, the drawn or typed signature image, and a cryptographic hash of the signed document for integrity verification.
2.4 Usage Data
We automatically collect: IP addresses, browser type, device information, pages visited, and interaction timestamps. This data is used for security, rate limiting, and service improvement.
2.5 Uploaded Documents
Users may upload insurance certificates (ACORD 25 forms), lien waiver templates, signed or notarized lien waivers, contracts, purchase orders, change-order documents, logos, and other compliance documents. These files are stored securely and processed only to provide the Service.
Users may upload W-9 files. The uploaded W-9 file itself (which contains the full TIN) is stored encrypted with access-controlled delivery, and is transmitted to our AI provider for parsing. AI-assisted extraction may prefill review fields (legal name, business name, tax classification, and TIN last four digits — extraction never requests the full TIN, and the structured fields SubLien records keep only the last four digits); a human reviews and accepts or rejects every W-9. The workflow does not provide IRS validation or taxpayer identification verification.
2.6 Error Reporting and Diagnostics
When the application encounters an error, SubLien may capture the visible page text (truncated, with obvious personal-data patterns redacted), along with technical details such as the page URL, your account email, and browser information. Screenshots are not collected. This diagnostic data is processed by Anthropic for automated triage and emailed to SubLien staff via Resend so we can diagnose and fix the problem.
3. How We Use Your Information
We use collected information to:
- Provide, maintain, and improve the Service
- Generate lien waiver workflow documents using state-aware templates and customer-approved workflows
- Facilitate electronic signature workflows
- Track W-9 request, receipt, storage, acceptance, and rejection status
- Track and verify COI compliance status
- Send transactional emails (signature requests, verification codes, signed copies, compliance alerts)
- Maintain audit trails required for legal compliance
- Detect and prevent fraud, abuse, and unauthorized access
- Comply with legal obligations
4. Information Sharing
We do not sell your personal information. We share data only in the following circumstances:
- Between parties to a transaction: When a general contractor sends a lien waiver, the subcontractor receives the waiver details. When signed, the general contractor receives the signed document and audit trail.
- Service providers: We use Vercel (hosting and file storage), Neon (database), Supabase (encrypted database backup / disaster-recovery standby, United States), Resend (email delivery), Anthropic (AI-powered document parsing), Stripe (payment and billing processing), HubSpot (sales CRM — demo-request contact details), and Cloudflare Turnstile (bot protection on public forms; processes IP address and browser signals). These providers process data on our behalf under data processing agreements. Uploaded COI, bond, license, and W-9 documents and vendor data may be processed by AI services for automated data extraction purposes (the uploaded W-9 document contains the full TIN and is transmitted to Anthropic for parsing; extraction captures the TIN last four digits only, and SubLien's structured fields never hold more than the last four).
- Procore integration: When connected, project and vendor data flows between Procore and SubLien as authorized by the user.
- QuickBooks Online integration: When connected, vendor, purchase order, and bill data flows from Intuit QuickBooks Online to SubLien as authorized by the user, and SubLien may write compliance status notes and executed waiver attachments back to the corresponding QuickBooks Online bills. Connecting sends OAuth authorization requests and API queries to Intuit.
- Legal requirements: We may disclose information if required by law, subpoena, court order, or to protect our rights and safety.
5. Data Storage and Security
Data is stored on servers in the United States using Neon (PostgreSQL database) and Vercel Blob (file storage), with an encrypted disaster-recovery backup held at Supabase (United States). All data is encrypted in transit (TLS 1.2+) and at rest. Signed documents and audit trails are append-only and cannot be modified through the application.
We implement industry-standard security measures including: rate limiting on sensitive API endpoints (authentication, signature verification, and payment processing), cryptographic hashing (SHA-256) for document integrity, OTP-based email verification for signers, XSS sanitization on rendered content, and parameterized SQL queries to prevent injection.
6. Data Retention
Records are retained in accordance with applicable state lien waiver, insurance, tax, accounting, contractual, and evidence-preservation requirements. Contact us at privacy@sublien.com for data export or deletion requests. Account data is retained for the duration of your subscription and a reasonable period thereafter to allow for data export. Usage logs and IP addresses collected for rate limiting are retained for no more than 30 days.
Signed lien waiver documents and associated signature evidence are retained for a minimum of 10 years, unless the account that sent the documents is closed or their deletion is requested, in which case they may be deleted earlier (an evidence export is taken before any such deletion, and signers receive a copy of the executed document by email at signing). COI documents are retained for 3 years after expiry unless a longer retention period is required by contract or law. W-9 records are retained while the account is active and for a reasonable period thereafter to support customer export, deletion, and legal or accounting retention obligations.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access: Request a copy of personal data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your data, subject to legal retention requirements
- Export: Receive your data in a portable format
- Withdraw consent: Withdraw consent to electronic signatures (contact legal@sublien.com)
- Opt out: Opt out of non-essential communications
To exercise these rights, contact us at privacy@sublien.com. We aim to respond within 30 days (or sooner when required by applicable law).
8. Cookies and Tracking
SubLien uses essential cookies required for authentication and session management. We do not use advertising cookies or third-party tracking pixels.
We use Vercel Analytics (vercel.com/analytics) to collect aggregated, anonymized usage statistics such as page views, referrers, and country-level location. Vercel Analytics does not use cookies and does not track individual users across websites. It is strictly privacy-first: no personal identifiers are collected.
9. California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA): the right to know what personal information is collected and how it is used, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell personal information.
10. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected information from a child under 18, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before taking effect. The "Last updated" date at the top reflects the most recent revision.
12. Contact
For privacy-related questions or to exercise your rights:
Integration Partners LLC
Email: privacy@sublien.com