Privacy Policy

CleanForge ("we", "us", "our") operates a platform for managing cleaning crews for short-term rental properties. This Privacy Policy describes what data we collect, how we use it, who we share it with, and your rights regarding that data.

We are committed to collecting only what is necessary to operate the Service and to handling your data with care.

We collect the following categories of data:

We do not collect payment card numbers, bank account details, or government IDs. Payment information is collected and stored directly by Stripe.

Data is collected through the following means:

• Direct input — information you enter when creating properties, cleaners, and jobs
• iCal feeds — calendar event data pulled from Airbnb, VRBO, or other booking platforms you connect
• Cleaner submissions — photos and job status updates submitted by cleaners via the mobile job page
• SMS replies — cleaner responses to job offers received via Twilio webhook
• Authentication provider — basic profile data (name, email) from Clerk upon sign-up

Under the EU General Data Protection Regulation (GDPR) and the Quebec Law respecting the protection of personal information in the private sector (Law 25), we must identify a legal basis for each type of processing we perform. Our legal bases are:

Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing. Withdrawal does not entitle you to refunds for paid services already delivered.

We use the data we collect to:

• Provide and operate the Service (scheduling, notifications, payouts)
• Run AI analysis on cleaning photos to generate quality feedback
• Send SMS messages to cleaners on behalf of hosts via Twilio
• Process and record cleaner payouts through Stripe Connect
• Log agent actions for host audit and transparency
• Detect no-shows and trigger reassignment logic
• Respond to support requests

We do not use your data for advertising, do not sell or share it with third parties for marketing purposes, and do not use it to train AI models.

CleanForge integrates with the following sub-processors. Each has signed a Data Processing Addendum that includes Standard Contractual Clauses where applicable. Each has its own privacy policy.

When you connect an iCal calendar URL, the platform fetches event data from your calendar provider (e.g. Airbnb). CleanForge does not have a direct relationship with those providers for this data — you are responsible for ensuring your use of their calendar feeds is permitted under their terms.

CleanForge operates on infrastructure provided primarily by US-based service providers. Your personal data may therefore be transferred to, stored, and processed outside the European Economic Area, the United Kingdom, and Quebec. Specifically:

• United States: Clerk, Stripe, Twilio, Anthropic, Vercel, Resend, Upstash, and Supabase (depending on the project region selected)
• European Union or Canada: Supabase, where the project region is set to an EU or Canadian region

Where personal data leaves the EEA, the United Kingdom, or Quebec, we rely on the following safeguards as appropriate to the destination country:

• Standard Contractual Clauses (SCCs) adopted by the European Commission, for transfers to countries without an adequacy decision
• UK International Data Transfer Addendum for transfers from the United Kingdom
• Adequacy decisions where the destination jurisdiction has been recognized by the European Commission as providing equivalent protection
• For transfers outside Quebec, the disclosure assessment required under section 17 of Quebec Law 25

Copies of our sub-processor agreements and transfer mechanisms are available on request at privacy@cleanforge.xyz.

Cleaning photos uploaded by cleaners are stored in Supabase Storage and processed by Anthropic's Claude vision model for quality review. Photos are transmitted to Anthropic's API for analysis and are governed by Anthropic's Privacy Policy. We do not use photos for any purpose beyond the quality review requested, and Anthropic does not use the photos to train their models when accessed through their API.

AI-generated scheduling suggestions are produced using job metadata (dates, cleaner reliability scores, hourly/fixed rates). No personally identifying information about cleaners beyond names is shared with the AI provider in scheduling prompts.

Right to human review (GDPR Article 22). The AI photo review constitutes an automated decision that can affect whether a cleaner receives an automatic payout. You have the right to:

• Obtain an explanation of how the AI reached its decision
• Manually override the AI verdict from the job detail page in the dashboard
• Request that a host re-review the photos and override the AI decision if you are a cleaner
• Contest the decision via privacy@cleanforge.xyz

Hosts add cleaner phone numbers to the platform to enable job SMS notifications. CleanForge stores these numbers and uses them to send job-related messages via Twilio. Phone numbers are associated with the host who added them and are not shared with other hosts.

Cleaners who wish to be removed from a host's account should contact that host directly. Hosts can deactivate or delete cleaner records at any time through the Cleaners section of the dashboard.

All application data is stored in Supabase (PostgreSQL) with row-level security enforced on every table. Each row is associated with a host ID, and authenticated requests can only access rows belonging to that user.

Authentication is handled by Clerk using industry-standard JWT tokens. API routes that perform mutations require a valid authenticated session. We use HTTPS for all data in transit and apply standard security headers (HSTS, CSP with per-request nonce, X-Frame-Options DENY, X-Content-Type-Options nosniff).

Breach notification. In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (CNIL for France, CAI for Quebec, your national authority for other EU member states) within 72 hours of becoming aware of it, as required by GDPR Article 33 and Quebec Law 25. We will also notify affected users without undue delay where required by GDPR Article 34, by email and in-app notification.

While we take reasonable steps to protect your data, no system is completely immune to security risks. We encourage you to use a strong, unique password, enable two-factor authentication, and to notify us immediately at security@cleanforge.xyz if you believe your account has been compromised.

We retain personal data only for as long as needed for the purposes described above. Specific retention periods are shown in the table in Section 2. Highlights:

• Cleaning photos: 90 days after the job is closed (automatically purged by the cleanup cron)
• Job records and agent event logs: 24 months and 12 months respectively
• SMS message metadata: 12 months after the job (raw message content is held by Twilio per their policy)
• Stripe payout records and subscription invoices: 7 years to comply with Canadian, US, and EU tax and accounting law
• Account information: until you request account deletion

You may delete individual records (properties, cleaners, jobs) at any time through the dashboard. To request full account deletion and erasure of all associated data, contact us at privacy@cleanforge.xyz. Records subject to a legal retention obligation (e.g. Stripe transfer IDs and tax invoices) will be retained for the period required by law even after account deletion.

Depending on your jurisdiction, you may have the right to:

• Access — request a copy of the personal data we hold about you
• Correction — request correction of inaccurate data
• Deletion — request erasure of your data ("right to be forgotten")
• Portability — request your data in a structured, machine-readable format
• Objection — object to processing based on legitimate interest
• Restriction — request that we restrict processing while a request is being reviewed
• Human review of automated decisions — see Section 8

To exercise any of these rights, contact us at privacy@cleanforge.xyz from the email address associated with your account. We will respond within 30 days under GDPR (extendable by 60 days for complex requests) or within the time limits set by your local law.

Right to lodge a complaint. If you believe we have failed to comply with applicable data protection law, you have the right to lodge a complaint with a supervisory authority:

• France: Commission nationale de l\'informatique et des libertés (CNIL) — cnil.fr
• Quebec: Commission d\'accès à l\'information du Québec (CAI) — cai.gouv.qc.ca
• Canada (federal): Office of the Privacy Commissioner of Canada — priv.gc.ca
• Other EU/EEA member states: your national data protection authority
• United Kingdom: Information Commissioner\'s Office (ICO) — ico.org.uk

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information.

We do not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA. We do not use or disclose your information for cross-context behavioral advertising.

California residents have the right to:

• Know what personal information we collect, use, disclose, and retain
• Delete personal information we have collected (subject to certain exceptions)
• Correct inaccurate personal information
• Limit the use of sensitive personal information (we do not use sensitive personal information beyond what is strictly necessary to provide the Service)
• Non-discrimination for exercising any of the above rights

To submit a verifiable request, email privacy@cleanforge.xyz from the email address associated with your account. We will respond within the 45-day period required by CCPA, extendable by 45 additional days where reasonably necessary, with notice.

California residents may also designate an authorized agent to make requests on their behalf. We may require proof of the agent's authorization and your identity before processing the request.

CleanForge uses only strictly necessary cookies — those required for the application to function. We do not use advertising cookies, tracking pixels, analytics cookies, or any cookies that share data with third parties for marketing purposes.

Cookies

Browser localStorage (not cookies)

We also use the browser's localStorage API to remember your preferences. This data stays on your device and is never transmitted to our servers as part of normal use. You can clear it at any time via your browser's site-data tools.

Because the cookies listed above are strictly necessary for the service to operate, we do not require your consent to set them under ePrivacy Directive exemptions. You may disable cookies in your browser settings, but doing so will prevent you from logging in or using the dashboard.

We may collect basic server-side request logs via Vercel (IP address, request path, timestamp) for error monitoring and uptime purposes. These logs are not linked to individual user identities and are retained for a maximum of 30 days.

CleanForge is intended for adult business users. We do not knowingly collect personal data from any individual below the age of digital consent applicable in their country. In the EU this is typically 16 (with some member states permitting 13–15); in the United States it is 13 under COPPA; in Canada and Quebec, the platform is restricted to users aged 18 and over due to the contractual nature of the Service.

If you believe a minor has provided us with personal information, please contact privacy@cleanforge.xyz and we will promptly delete it.

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes affecting your rights, we will make reasonable efforts to notify you via in-app notification or email at least 30 days before the change takes effect. Continued use of the Service after changes constitutes acceptance of the updated policy.

Data controller. The data controller responsible for your personal information is [CleanForge Inc. / your registered legal entity name], a company registered in the Province of Quebec, Canada, registered office at [registered address].

Data Protection Officer (GDPR Article 37). Given our current scale and the categories of data we process, we have not formally appointed a Data Protection Officer. Privacy questions and requests should be directed to our designated privacy contact at privacy@cleanforge.xyz, who will respond within the time limits required by applicable law.

Quebec — Person in charge of personal information protection. Under An Act respecting the protection of personal information in the private sector (Quebec Law 25), the person responsible for protecting personal information at CleanForge is the privacy contact listed above. You may contact them with any question, complaint, or access request.

EU representative (GDPR Article 27). If our scale grows to require designation of an EU representative, we will update this section to publish their contact details.

Note: bracketed placeholders above must be replaced with the operator's actual registration details before this page is considered legally finalized.

For privacy-related questions or requests, contact us at privacy@cleanforge.xyz.