Legal
Privacy Policy
Last updated: May 15, 2026
ContractorXP is operated by NexDev Systems ('we', 'us', 'our'). This policy explains what personal information we collect when you use the ContractorXP construction-management platform, why we collect it, how we use it, and the rights you have under the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and the EU General Data Protection Regulation where applicable.
1. Who is the data controller
NexDev Systems is the personal information controller (PIC) for the ContractorXP service. You can reach our Data Protection Officer at privacy@nexdevsystems.io.
2. What information we collect
We only collect the information needed to operate the platform on your behalf.
Information you provide directly
- Account information: full name, email address, password (hashed), company name, role.
- Company & project data: client records, project budgets, estimates, invoices, daily reports, photos, punch lists, timesheets, and any other information you choose to enter.
- Team & worker information: names, contact details, roles, and clock-in/clock-out records of personnel you add.
- Payment information: when you subscribe, our payment processor (PayMongo) collects card or e-wallet details. We never see or store your full card number. We retain only the transaction reference, amount, and last-4 digits supplied by PayMongo.
- Files you upload: drawings, takeoff PDFs, photos, supporting documents.
- Support correspondence: messages you send us by email, in-app message, or phone.
Information collected automatically
- Usage logs: IP address, browser type, device type, pages visited, actions taken, request timestamps.
- Cookies: a session cookie from Supabase to keep you signed in; a small number of preference cookies to remember UI choices. We do not use third-party advertising cookies.
- PWA / offline data: when workers use the portal offline, clock-in events are buffered in localStorage and synced when the device reconnects. This data lives only on the device and our servers.
3. Why we use it (lawful basis)
- To provide the service you signed up for (contract).
- To bill you and process payments (contract + legal obligation under BIR receipting rules).
- To prevent fraud and abuse (legitimate interest).
- To send transactional notifications — invoice receipts, plan changes, password resets (contract).
- To improve the product by analysing aggregate, de-identified usage patterns (legitimate interest).
- To comply with legal requests from competent Philippine authorities (legal obligation).
We do not sell your data, and we do not use your project data to train AI models.
4. AI features (Estimate Review & AI Takeoff)
When you use the AI Estimate Review or AI Takeoff features, the relevant inputs (line-item descriptions, drawing image bytes) are sent to Anthropic's API for processing. Anthropic processes these inputs as a sub-processor under their data-processing terms and does not retain or train on your data when called via the API.
You can disable AI features for your company in Settings → AI Features at any time.
5. Sub-processors we share data with
To operate the service we share strictly necessary data with the following sub-processors. Each is bound by a data-processing agreement:
- Supabase, Inc. — database, authentication, file storage. Hosted in Asia-Pacific.
- Vercel, Inc. — application hosting and CDN.
- PayMongo Philippines, Inc. — payment processing for PHP transactions.
- Anthropic, PBC — AI inference for the AI Estimate Review and AI Takeoff features.
- Resend / your configured SMTP provider — transactional email delivery for invoices and password resets.
We do not transfer your data outside this list, except where required by law.
6. Data retention
- Active accounts: we keep your data for as long as your subscription is active.
- Cancelled accounts: data is retained for 90 days after cancellation so you can reactivate without loss, then permanently deleted, except for invoices and payment records, which we retain for 10 years as required by Philippine tax law.
- Worker clock-in records: retained for the life of the company account, since they may form part of payroll records.
- Server logs: 30 days, then aggregated and de-identified.
7. Your rights
Under the Philippine Data Privacy Act and equivalent regulations you have the right to:
- Be informed about the processing of your personal data.
- Access the personal data we hold about you.
- Correct or update inaccurate data.
- Object to processing or withdraw consent for non-essential processing.
- Erase or block data that is no longer needed (subject to our retention obligations above).
- Data portability — request a machine-readable export of your data.
- Lodge a complaint with the National Privacy Commission (NPC) at privacy.gov.ph.
To exercise any of these rights, email privacy@nexdevsystems.io. We will respond within 15 business days.
8. Security
We use industry-standard technical and organisational safeguards: TLS 1.3 in transit, AES-256 encryption at rest (via Supabase), hashed passwords (bcrypt via Supabase Auth), least-privilege service-role keys, audit logging, and PIN + AES-GCM encryption for offline portal sessions. No system is 100% secure — if we ever experience a breach affecting your data we will notify you and the National Privacy Commission within 72 hours of discovery, as required by law.
9. Children
ContractorXP is intended for businesses and is not directed at individuals under 18. We do not knowingly collect data from minors.
10. Changes to this policy
If we change this policy materially we will notify you by email and post a banner inside the application at least 30 days before the change takes effect. The “Last updated” date at the top of this page always reflects the current version.
11. Contact
NexDev Systems · Data Protection Officer
Email: privacy@nexdevsystems.io
For general support: support@nexdevsystems.io
