Privacy Policy

Effective date: April 16, 2026

About This Policy

Hank ("we," "our," "us") is a quoting and invoicing platform for solo tradespeople, operated at hankquotes.com and available as the Hank mobile app on iOS and Android. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, how long we keep it, and the rights you have over your data. This policy applies to your use of the Hank mobile apps, the hankquotes.com website, and the customer-facing quote viewer. It does not apply to third-party services you reach from within Hank, such as your customer's email client when they open a quote link. Data controller: Hank, reachable at support@hankquotes.com.

Information We Collect

We collect only what we need to deliver the service.

Information you provide to us:
• Account credentials — email address and password. Passwords are hashed with bcrypt and never stored in plain text.
• Business profile — business name, owner name, phone number, email, business address, logo (optional), tax rate, and quote preferences.
• Quote and invoice content — customer records (name, email, phone, address) you enter, line items, service library, notes, payment instructions, and the quotes and invoices you generate.
• Support correspondence — emails and messages you send us.

Information we collect automatically:
• Service activity — quotes created, sent, viewed, approved; feature usage; timestamps of key actions. Used for your dashboard, Free-tier quota, and debugging.
• Server log data — IP address (briefly, for rate limiting and abuse prevention), browser or device type, operating system version, and request timestamp. Standard web-server logging. Retained up to 30 days.
• Aggregate analytics — anonymous, aggregated website visits via Umami. See "Analytics" below.

Information we do not collect:
• Your payment card number. Stripe handles payment processing on our behalf. We never see, touch, or store card details.
• Your customers' data directly. Your customers do not register with Hank. Anything about them comes from you.
• Your age, job title, health data, precise location, or device contacts.
• Sensitive personal information under the CCPA (race, religion, union membership, biometric data, etc.).

How We Use Your Information

We use your information to:
• Provide the Hank service — generate and deliver quotes, track viewings, convert quotes to invoices, and power your dashboard.
• Communicate with you — transactional emails such as password resets, approval notifications, billing receipts, and important service updates.
• Enforce your subscription tier — count monthly quota on Free, unlock features on Pro.
• Process payments via Stripe when you subscribe or renew.
• Provide optional AI features — Voice to Quote and Snap to Quote — when you explicitly invoke them (see "AI Features" below).
• Provide customer support.
• Monitor for abuse, fraud, and security threats.
• Comply with legal obligations and respond to lawful requests from authorities.

We will never:
• Sell your personal information. We have no data-broker relationships. There is no market in which your data is traded.
• Show advertising or targeting anywhere in Hank.
• Use your data, or your customers' data, to train any AI model ourselves. When you use our AI features, we route your input through third-party providers whose standard API terms also prohibit training on your data — see "AI Features" below for the specifics.

Legal Bases for Processing (EEA / UK / Swiss Users)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data under one or more of the following legal bases:
• Contract (GDPR Art. 6(1)(b)) — to deliver the service you signed up for.
• Legitimate interests (Art. 6(1)(f)) — to secure the service, detect abuse, and improve the product. We balance these interests against your fundamental rights.
• Consent (Art. 6(1)(a)) — for optional features such as Voice to Quote and Snap to Quote, which you explicitly invoke each time.
• Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and anti-fraud laws.

You can withdraw consent at any time. Withdrawing consent does not affect processing done before the withdrawal.

Third-Party Service Providers

We share your information only with the trusted providers required to deliver Hank. Each is bound by a data processing agreement and standard contractual terms consistent with applicable law.
• Supabase — account data, quote data, customer records. Authentication, database, and file storage (logos). Infrastructure on AWS in the United States.
• Stripe — name, email, billing address for subscription payment processing. Card data never touches our servers. United States.
• Resend — customer email address and quote contents for transactional email delivery. United States.
• OpenAI — audio recordings for Whisper transcription when you use Voice to Quote. Discarded after transcription. United States.
• Anthropic — transcripts, images (Snap to Quote), and a list of your service names for structured extraction via Claude. Discarded after extraction. United States.
• Vercel — hosting hankquotes.com and the customer quote viewer. Global CDN with points of presence in the United States.
• Umami — privacy-friendly website analytics. Self-hosted by us; no external provider receives your visit data.

We do not share your information with any other third party except (a) to comply with a valid legal request, (b) to protect Hank, our users, or others from harm, or (c) as part of a corporate transaction such as a merger, acquisition, or asset sale — in which case you will be notified.

Customer Data You Enter (Your Obligations)

The names, emails, phone numbers, and addresses you enter for your customers are your records. Under data-protection law, you are the controller of that information and Hank is the processor acting on your instructions. This means:
• You must have a lawful basis to hold and contact your customers. Usually that basis is an existing business relationship or their explicit consent.
• You are responsible for complying with CAN-SPAM (United States), CASL (Canada), GDPR, and any other applicable laws when communicating with them using Hank.
• We will not use your customers' information for anything beyond delivering the quotes you instruct us to send.
• If one of your customers contacts Hank directly about their data, we will refer them to you as the controller and, where appropriate, notify you of the request.

AI Features — Voice to Quote and Snap to Quote

Hank Pro includes two optional AI features. Each is activated only when you tap the Ask Hank button.
• Voice to Quote. Your audio recording is sent to OpenAI (Whisper API) for transcription and then to Anthropic (Claude API) along with the names and prices of your saved services for structured extraction.
• Snap to Quote. Your image is sent to Anthropic (Claude API) for analysis along with the names and prices of your saved services.

Data handling by Hank: we discard the original audio or image as soon as we receive the extraction response. Hank does not store it, log it, or use it for any further purpose.

Data handling by OpenAI and Anthropic: under their standard API terms, which apply to Hank's usage, your data is not used to train their models. Both providers may retain API inputs and outputs for up to 30 days for abuse monitoring and safety review, after which the data is automatically deleted (unless their safety review is triggered, in which case retention may be extended). For their full data-handling policies, see openai.com/policies/privacy-policy and anthropic.com/legal/privacy.

Declining to use these features has no effect on your access to any other Hank functionality.

Payment Processing

Hank Pro subscriptions are processed by Stripe, Inc. When you subscribe, Stripe collects your card number, expiration date, CVV, and billing address directly on their servers. Hank never receives, sees, or stores any of this card data — we only receive a customer token and subscription status from Stripe. All billing records (invoice dates, amounts, subscription tier) are retained for seven years as required by tax and accounting law. Stripe's privacy policy: stripe.com/privacy.

Data Retention

• Account and profile data — until you delete your account.
• Quote and customer data — until you delete your account.
• Generated PDF files — 90 days, then automatically deleted. Quote data remains; PDFs can be regenerated.
• AI audio recordings — not retained (discarded immediately after transcription).
• AI images — not retained (discarded immediately after extraction).
• Server access logs — 30 days.
• Billing records — 7 years (tax and accounting law).
• Encrypted database backups — 90 days from the date of the backup, then automatically overwritten.

When you delete your account, production data is removed within 30 days. Backup copies containing your data are overwritten within 90 days after that.

Data Security

We take data security seriously. Safeguards include:
• TLS 1.2+ for all connections to Hank.
• Encryption at rest for databases and file storage provided by our hosting providers.
• Supabase Row-Level Security enforces per-user isolation at the database level — no user can query another user's data, even if our application code had a bug.
• Passwords are hashed with bcrypt. Service-role credentials are server-side only and never shipped to client apps.
• API secrets (HMAC keys, third-party credentials) are rotated on a scheduled basis.
• The public quote viewer requires an HMAC verification code in addition to the unguessable quote ID, preventing URL-enumeration attacks.

If we detect a personal-data breach affecting your information, we will notify you and applicable regulators without undue delay, and in any event within 72 hours where required by GDPR Art. 33 or analogous law.

International Data Transfers

Hank is operated by a Canadian entity. Our primary database (Supabase) runs on AWS in the United States. If you are in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with cross-border transfer rules, your personal data is transferred to the United States under the Standard Contractual Clauses (SCCs) published by the European Commission, together with the supplementary technical and organizational measures described in our Data Processing Agreement. You can request a copy of the relevant SCCs by emailing support@hankquotes.com.

Your Rights

Depending on where you live, you may have some or all of the following rights. To exercise any of them, email support@hankquotes.com.

All users:
• Access a copy of your data — export from the app or email us.
• Correct inaccurate data — edit your profile or contact us.
• Delete your account — from Settings → Subscription, or by email.

EEA / UK / Swiss users (GDPR):
• Data portability — receive your data in a machine-readable format (CSV or JSON).
• Restrict processing — ask us to pause processing in specific circumstances.
• Object to processing based on legitimate interests.
• Withdraw consent where processing is based on consent.
• Lodge a complaint with your local data protection authority.

California residents (CCPA / CPRA):
• Right to know — what personal information we have collected and how it is used.
• Right to delete — subject to exceptions for legal, security, and fraud-prevention purposes.
• Right to correct — inaccurate personal information.
• Right to opt out of sale or sharing — we do not sell or share personal information for behavioral advertising; there is nothing to opt out of.
• Right to limit use of sensitive personal information — we do not collect sensitive personal information under the CCPA definition.
• Non-discrimination — we will not deny service, charge different prices, or provide a different quality of service because you exercised your rights.

We may need to verify your identity before fulfilling a request. We will respond within 45 days, with a possible 45-day extension where warranted. Authorized agents may submit requests on your behalf with written authorization.

California "Shine the Light" (Cal. Civ. Code § 1798.83): we do not share personal information with third parties for their own direct-marketing purposes. California residents can confirm this by emailing support@hankquotes.com.

Cookies, Local Storage, and Similar Technologies

• Essential cookies. hankquotes.com sets a signed session cookie when you sign in, so you stay logged in across page loads. No tracking, no advertising.
• Local storage. We store your session token and in-progress quote drafts in your browser's or device's local storage so you don't lose work on a refresh. This data never leaves your device.
• Web beacons. Umami Analytics (see below) uses a small pixel-style beacon to record anonymous visits. No cookies, no persistent identifiers.

We do not use Google Analytics, Facebook Pixel, or any advertising or cross-site tracking technologies.

Analytics

We use Umami, a privacy-friendly, open-source analytics tool, on hankquotes.com. Umami:
• Does not set cookies.
• Does not store IP addresses.
• Does not track users across websites.
• Does not collect any data that can identify you individually.

Umami records the page you visited, the referrer, your device category, and the country your IP address maps to (but the IP itself is not stored). This helps us understand which content is useful. Umami is GDPR, CCPA, and PECR compliant by design.

Do Not Track and Global Privacy Control

Hank does not perform the kind of tracking that Do Not Track (DNT) browser headers were designed to disable, so there is nothing for DNT to change. We respect Global Privacy Control (GPC) signals where applicable — but because we do not sell or share personal information for behavioral advertising, a GPC signal has no additional effect on our practices.

Mobile Device Permissions

The Hank mobile app requests the following device permissions, only when you use the feature that needs them:
• Microphone — for Voice to Quote. The recording is streamed to OpenAI for transcription, then discarded.
• Camera — for Snap to Quote and for taking a photo of your business logo.
• Photo library — to pick images from your library for Snap to Quote or logo upload.

Your operating system (iOS or Android) asks for each permission the first time you use the feature. You can revoke permissions from your device settings at any time. Revoking microphone or camera access disables Voice to Quote or Snap to Quote respectively but does not affect the rest of the app.

Hank does not request GPS, contacts, calendar, or any other device permissions.

Children’s Privacy

Hank is not directed to children under the age of 16, and we do not knowingly collect personal information from:
• Children under 13 in the United States (COPPA), or
• Children under 16 in the European Economic Area (GDPR Art. 8).

If you believe a child has provided us with personal information, please contact support@hankquotes.com and we will delete it promptly.

Third-Party Links

Hank may contain links to third-party websites — for example, Stripe's billing portal or your customer's own website. We do not control those sites and are not responsible for their privacy practices. Please review their own policies before providing any information.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for operational reasons. When we make material changes, we will:
• Post the updated policy here at hankquotes.com/privacy with a revised effective date.
• Notify you by email or in-app notification at least 14 days before changes take effect.
• If the changes significantly affect your rights, ask you to expressly accept them before continuing to use Hank.

Contact

Questions, concerns, or requests regarding this Privacy Policy or your personal information can be sent to:

Hank
Email: support@hankquotes.com

If you are in the European Economic Area or the United Kingdom and believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local data protection authority.
