Privacy Policy

Last updated: April 6, 2026

1. Introduction

SubLien LLC ("SubLien," "we," "us") operates the SubLien platform at sublien.com. This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our lien waiver management and COI compliance services ("Service").

2. Information We Collect

2.1 Account Information

When you register, we collect your name, email address, company name, and role. If you authenticate through Procore OAuth, we receive your Procore user profile and associated company information.

2.2 Transaction Data

To generate lien waivers and track COI compliance, the Service processes: project names, vendor/subcontractor names and email addresses, contract amounts, payment periods, state and jurisdiction information, and insurance certificate details.

2.3 Signature Data

When a document is electronically signed, we collect: the signer's name and title, email address, IP address, user agent string, timestamp of signature, consent to electronic signature, and a cryptographic hash of the signed document for integrity verification.

2.4 Usage Data

We automatically collect: IP addresses, browser type, device information, pages visited, and interaction timestamps. This data is used for security, rate limiting, and service improvement.

2.5 Uploaded Documents

Users may upload insurance certificates (ACORD 25 forms), notarized lien waivers, and other compliance documents. These files are stored securely and processed only to provide the Service.

3. How We Use Your Information

We use collected information to:

  • Provide, maintain, and improve the Service
  • Generate lien waiver documents using state-aware templates and workflows
  • Facilitate electronic signature workflows
  • Track and verify COI compliance status
  • Send transactional emails (signature requests, verification codes, signed copies, compliance alerts)
  • Maintain audit trails required for legal compliance
  • Detect and prevent fraud, abuse, and unauthorized access
  • Comply with legal obligations

4. Information Sharing

We do not sell your personal information. We share data only in the following circumstances:

  • Between parties to a transaction: When a general contractor sends a lien waiver, the subcontractor receives the waiver details. When signed, the general contractor receives the signed document and audit trail.
  • Service providers: We use Vercel (hosting and file storage), Neon (database), Resend (email delivery), and Anthropic (AI-powered document parsing). These providers process data on our behalf under data processing agreements. Uploaded COI documents and vendor data may be processed by AI services for automated data extraction purposes.
  • Procore integration: When connected, project and vendor data flows between Procore and SubLien as authorized by the user.
  • Legal requirements: We may disclose information if required by law, subpoena, court order, or to protect our rights and safety.

5. Data Storage and Security

Data is stored on servers in the United States using Neon (PostgreSQL database) and Vercel Blob (file storage). All data is encrypted in transit (TLS 1.2+) and at rest. Signed documents and audit trails are append-only and cannot be modified through the application.

We implement industry-standard security measures including: rate limiting on sensitive API endpoints (authentication, signature verification, and payment processing), cryptographic hashing (SHA-256) for document integrity, OTP-based email verification for signers, XSS sanitization on rendered content, and parameterized SQL queries to prevent injection.

6. Data Retention

Records are retained in accordance with applicable state lien waiver and insurance requirements. Contact us at privacy@sublien.com for data export or deletion requests. Account data is retained for the duration of your subscription and a reasonable period thereafter to allow for data export. Usage logs and IP addresses collected for rate limiting are retained for no more than 30 days.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access: Request a copy of personal data we hold about you
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your data, subject to legal retention requirements
  • Export: Receive your data in a portable format
  • Withdraw consent: Withdraw consent to electronic signatures (contact legal@sublien.com)
  • Opt out: Opt out of non-essential communications

To exercise these rights, contact us at privacy@sublien.com. We will respond within 30 days.

8. Cookies and Tracking

SubLien uses only essential cookies required for authentication and session management. We do not use advertising cookies, third-party tracking pixels, or analytics services that track individual users across websites.

9. California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA): the right to know what personal information is collected and how it is used, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell personal information.

10. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected information from a child under 18, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before taking effect. The "Last updated" date at the top reflects the most recent revision.

12. Contact

For privacy-related questions or to exercise your rights:

SubLien LLC
Email: privacy@sublien.com