XRoof

Privacy Policy

Last updated: April 7, 2026

1. Introduction

XRoof (“we,” “us,” or “our”) operates the XRoof platform at xroof.io. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services.

2. Information We Collect

Account Information: When you create an account, we collect your name, email address, phone number, company name, and service area.

Business Data: Information you enter into the platform including customer names, addresses, job details, estimates, contracts, invoices, and photos.

Payment Information: Payment processing is handled by Stripe. We do not store credit card numbers on our servers. Stripe's privacy policy governs payment data.

Usage Data: We automatically collect information about how you interact with the platform, including pages visited, features used, and device information.

Communications: Messages sent through the customer portal and emails sent via Resend are processed through third-party services.

3. Homeowner Data Collected Through Contractor Landing Pages

XRoof provides a landing page builder that roofing contractors use to collect leads from homeowners. When a homeowner submits a form on a contractor's landing page, we collect the homeowner's name, phone number, email address (if provided), property address, city, ZIP code, and project type.

Data Controller: The roofing contractor who created the landing page is the data controller for homeowner data collected through their pages. The contractor determines how this data is used and is responsible for complying with all applicable data protection and communication laws.

Data Processor: XRoof acts as a data processor, storing and transmitting homeowner data on behalf of the contractor. We process this data solely to operate the Service — storing leads, notifying the contractor, and enabling the contractor to follow up.

No Sale of Data: XRoof does not sell, rent, or share homeowner data with any third parties beyond what is necessary to operate the Service (see Section 5 below).

Deletion Requests: Homeowners may request deletion of their personal data by contacting support@xroof.io. We will process deletion requests within 30 days.

4. How We Use Your Information

  • To provide and maintain the XRoof platform
  • To process transactions and send related information (estimates, invoices, contracts)
  • To send automated follow-up emails on your behalf
  • To provide customer support
  • To send service-related announcements and updates
  • To monitor platform usage and improve our services
  • To detect and prevent fraud or abuse

5. Data Sharing and Sub-Processors

We do not sell your personal information. We share data only with the following service providers (sub-processors):

  • Supabase: Database hosting, authentication, and storage of all platform data including homeowner lead data collected through contractor landing pages
  • Stripe: Payment processing for contractor subscriptions
  • Resend: Email delivery for contractor communications and automated follow-ups, including emails sent to homeowner leads
  • Google Maps/Satellite: Satellite imagery for roof measurements
  • Vercel: Application hosting

We may also disclose information if required by law or to protect the rights and safety of our users.

6. Data Security

We implement industry-standard security measures including encrypted connections (HTTPS/TLS), authenticated API access with JWT tokens, and role-based access controls. However, no method of electronic transmission or storage is 100% secure.

6a. XRoof Staff Access to Your Account

For support, troubleshooting, and platform reliability, authorized XRoof staff may access your account data — including the pages, jobs, customer records, and contracts you create. Specifically:

  • Support requests: when you report a bug or request help, our staff may view the relevant pages of your account to reproduce or resolve the issue.
  • Investigating platform issues: we may access individual accounts to diagnose system errors, debug failed payments, or audit unusual activity.
  • Legal obligations: when required by law, valid subpoena, or to protect the safety of users or the public.
  • Account abuse / fraud prevention: to detect and stop unauthorized use, payment fraud, or violations of our Terms.

XRoof staff are bound by confidentiality obligations and access is logged. We do not read your customers' personal information for marketing purposes, share it with third parties, or use it for any purpose other than running the service for you. You can request a record of admin access to your account by emailing privacy@xroof.io.

6b. Aggregated & Anonymized Data — Platform Improvement

We use aggregated and anonymized data to improve XRoof for everyone. Aggregated/anonymized data is information that cannot reasonably identify you, your business, or your customers — for example: the percentage of contractors who use a feature, average time-to-quote across the platform, common error patterns, or the most-used job types. Specifically we use this data to:

  • Measure feature usage and identify what to build, improve, or retire.
  • Detect bugs and performance bottlenecks.
  • Train internal product roadmap decisions.
  • Publish industry benchmarks (e.g., "average roofing-job close rate") in marketing or research, only when data is aggregated across many contractors.

We will never share, sell, or disclose identifiable data about you, your business, or your customers without your consent or a legal obligation. Aggregated/anonymized data is not considered personal data under the GDPR/CCPA when no individual can be re-identified, and we apply that standard rigorously before any external publication. Our legal basis for this processing under GDPR is our legitimate interest in improving the service we provide to you, balanced against your privacy rights through the anonymization process.

If you would prefer your usage data not be included in aggregated improvement analyses, email privacy@xroof.io. Note that some operational data (counts, timing, error rates) is essential to running the service and cannot be opted out of.

7. Data Retention

We retain your account data for as long as your account is active. Business data (jobs, estimates, invoices) is retained for the duration of your subscription plus 90 days after cancellation. You may request deletion of your data at any time by contacting us.

8. Your Rights (CCPA / CPRA / GDPR)

Depending on your jurisdiction, you have the right to:

  • Access / Right to Know: a copy of the personal data we hold about you and how we use it.
  • Rectification / Correct: correct inaccurate personal data.
  • Erasure / Delete: request deletion (subject to certain legal-retention exceptions).
  • Portability: export your data in a machine-readable format.
  • Restrict / Object: limit how we process your data.
  • Opt out of "sale" / "sharing": California residents may opt out via Do Not Sell or Share My Personal Information.
  • Withdraw consent: for any processing we do based on your consent.
  • Non-discrimination: we will not deny you service for exercising any of these rights.

To exercise a right, submit a request via /do-not-sell or email privacy@xroof.io. We respond within 45 days (with one 45-day extension if needed). We may need to verify your identity before fulfilling the request.

8a. Legal Basis for Processing (GDPR Art. 6)

For users in the EU/UK/EEA, our legal basis for each processing activity:

  • Contract performance: account creation, billing, providing the service you signed up for, support.
  • Legal obligation: tax records, anti-fraud, lawful-request response.
  • Legitimate interest: security monitoring, product improvement (aggregated/anonymized), preventing abuse.
  • Consent: marketing emails, optional analytics cookies, voluntary survey data. You may withdraw consent at any time.

8b. Retention Periods by Category

  • Account profile: while your account is active; 90 days after closure (then deleted).
  • Business records (jobs, estimates, contracts, invoices): 7 years after creation (tax/accounting standard) or until account deletion + 90 days, whichever is longer.
  • Signed contracts: retained as long as legally enforceable (up to 10 years per state statute of limitations).
  • Server logs: 90 days, then anonymized.
  • Payment records: as required by Stripe + tax authorities (typically 7 years).
  • Marketing consent records: until withdrawn + 4 years (TCPA defense).

8c. Data Processing Agreement (Contractors as Controllers)

When XRoof contractors collect personal data from their homeowner customers (names, addresses, phone numbers, photos), the contractor is the Data Controller and XRoof is the Data Processor. A Data Processing Agreement governing this relationship is available at /legal/dpa and is incorporated by reference into our Terms of Service. EU/UK contractors should review and counter-sign the DPA before processing EU/UK homeowner data.

9. Cookies

We use essential cookies for authentication (Supabase session tokens stored in localStorage). We do not use third-party tracking cookies or advertising cookies.

10. Children's Privacy

XRoof is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the “Last updated” date.

12. Contact Us

If you have questions about this Privacy Policy, please contact us at support@xroof.io.