Privacy Policy

This Privacy Policy describes how Leads Group LLC, doing business as Biid ("Biid," "we," "us," or "our"), a Florida limited liability company, collects, uses, shares, and protects your personal information when you use the Biid mobile application and related services (the "Service").

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this policy, please do not use the Service.

We collect the following categories of information:

Account Information When you create an account, we collect your phone number or email address (depending on your chosen sign-in method), and optionally your display name and profile photo. We also ask how you heard about Biid ("referral source") and store your response to help us understand how users discover the Service.

Linked Social Accounts If you sign in with Apple or Google, we receive the provider-verified identifier for your account (the OAuth "sub" claim) and, depending on the provider and your selections, your email address and display name. We store the provider, the provider account identifier, and the email returned by the provider so that we can recognize you on future sign-ins.

Customer Profile Information If you use the Service as a Customer, you may provide: display name, bio, preferred contact method (phone or email), and address. If you opt to share your location, we may also store geographic coordinates for that address.

Contractor Profile Information If you use the Service as a Contractor, you may provide: company name, company logo, license number, insurance status, background-check status, years of experience, service area (city/area label and geographic coordinates), service-area radius, specialties, bio, business contact phone, business contact email, business website, hourly rate, minimum and maximum job price, completed-job count, and (if you use the in-app business search) a Google Place identifier for your business.

Project Information When you create a project, we collect: project title, description, any notes intended for bidders, location (address or area label and, optionally, geographic coordinates), a privacy-safe neighborhood label derived from your location, material requirements, category and trade associations, structured intake answers from the project wizard, scheduling preferences and available date windows, and the photographs or short videos (up to fifteen seconds) that you upload to illustrate the project.

Photo and Video Metadata When you upload a photo or video, we extract and store technical metadata such as camera make and model, ISO, focal length, f-number, flash status, and capture timestamp. If the file contains GPS coordinates in its EXIF data, those coordinates are stored server-side for fraud and content-integrity checks (for example, flagging listings whose photos were plainly taken somewhere other than the stated project location). GPS coordinates are removed from the image variants that we serve to other users. We also compute and store a SHA-256 content hash so that we can detect duplicate uploads.

Messaging Data When you use the messaging feature, we store the text content of messages, image, video, and document attachments, message timestamps, delivery status, and read-receipt status.

Voice Call Data If you use the in-app call feature, we create a "masked calling session" that routes the call through a third-party carrier (Twilio). We store both parties' real phone numbers, the masked Twilio number assigned to the session, the participating user identifiers, the session kind (user-to-user or support), and call metadata such as start time, end time, and status. We do not record the audio of your calls.

Bid and Review Data We collect bid amounts, proposal descriptions, scope and timeline information, bill-of-materials data you choose to attach, available dates, ratings (1-5 scale), and written review content for both Contractors and Customers.

Device and Technical Information We automatically collect: a device identifier (vendor ID on iOS, Android ID on Android, or a randomly generated value); your IP address and browser/app User-Agent string (recorded when you sign in); your Expo push-notification token; and your device platform (iOS or Android). Our error-monitoring provider (Sentry) collects stack traces, device model, operating system version, HTTP request context, IP address, and your user identifier when an error occurs; see Section 5 for more detail.

Analytics Events We use PostHog to capture a limited set of product-analytics events associated with your user identifier, such as screen views, sign-in and sign-out events, project creation and publication, bid submission, messages sent, contractor hires, and notification taps. We use these events to understand how the Service is used and to improve the product. We do not use them for cross-app tracking or advertising.

Content-Moderation Signals To keep the Service safe, we send uploaded images and sampled frames of uploaded videos to Google Cloud Vision SafeSearch, which returns likelihood scores for categories such as adult, racy, violent, spoof, and medical content. We store those scores and any resulting moderation flags.

Usage Information We record your account creation date, last-active timestamp, login events, and whether you have ever indicated interest in the Contractor role.

We collect information in the following ways:

Directly from you. When you register, sign in (by SMS code, email magic link, Apple Sign-In, or Google Sign-In), create or edit a profile, post a project, submit a bid, send messages, place a masked call, leave reviews, upload photos or videos, or submit a support ticket.

Automatically, from your device and the network. When you sign in, we record your IP address and User-Agent string for security and abuse prevention. A device identifier is generated locally on your device and sent with authentication requests for session management and rate limiting.

From our error-monitoring and analytics providers. Our application and server code send error events to Sentry and product-analytics events to PostHog, as described in Section 5.

From our content-moderation provider. Images and video frames that you upload are scanned by Google Cloud Vision SafeSearch as described in Section 5.

We do not use advertising trackers. We have explicitly disabled email open and click tracking in our email service provider.

We use the information we collect for the following purposes:

Providing the Service. Matching Customers with Contractors, displaying project listings and profiles, facilitating messaging and masked voice calls, and delivering push notifications about project updates, new bids, and messages.

Authentication and Security. Verifying your identity through SMS one-time passcodes, email magic links, Apple Sign-In, or Google Sign-In; managing login sessions with secure tokens; applying rate limits to prevent abuse; and detecting and responding to fraudulent behavior.

Service Communications. Sending SMS messages for phone verification, email messages for account verification and magic-link authentication, and push notifications for Service-related alerts.

Displaying User Content. Showing project listings, Contractor profiles, bids, proposals, and reviews to the relevant users of the platform.

Content Moderation and Trust & Safety. Scanning uploaded images and videos for prohibited content, reviewing moderation flags, and taking action against accounts that violate our Terms of Service.

Product Analytics and Improvement. Measuring feature usage and conversion to understand what is working and to prioritize product changes. We do not use this data for advertising.

Calendar Integration. When you tap to add a scheduled project date to your device calendar, we write that single event to your calendar using your operating-system permission. We do not read your existing calendar entries.

Background Processing. Automatically transitioning scheduled projects to active status, cleaning up expired authentication tokens, removing abandoned draft projects, and expiring masked-call sessions.

With Other Users Certain information is shared with other users as part of the Service's core functionality: - Customers can see Contractor profiles, including company name, specialties, location, experience, ratings, and reviews. - Contractors can see project details, including title, description, location, materials, scheduling windows, and project photos and videos. - Both parties in a conversation can see each other's messages, attachments, and display names. - Phone numbers are not shared between Customers and Contractors. When either party places an in-app call, the call is routed through a masked Twilio number; neither party sees the other's real phone number.

With Service Providers We share limited information with the following third-party service providers that help us operate the Service: - Twilio — Receives your phone number to deliver SMS verification codes and, when you use the in-app call feature, to route masked voice calls. Call audio passes through Twilio's infrastructure; we do not record the audio of your calls. - Mailgun — Receives your email address to deliver authentication emails, service communications, and (if you subscribe) mailing-list messages. You may unsubscribe at any time. - Google Cloud Platform — Provides the database and file storage that back the Service, including: (a) Cloud Storage for the photos, videos, and document attachments you upload (accessed by users via time-limited signed URLs); (b) Cloud Vision SafeSearch for automated content moderation of uploaded images and sampled video frames; and (c) the Places API, which receives a business-name query (and, optionally, coordinates near your current location) when you search for your business to attach to your Contractor profile. Google returns a Place identifier that we retain on your Contractor profile. - Apple and Google (Sign-In) — When you choose Apple Sign-In or Google Sign-In, your device exchanges an authorization request with the provider and returns a verified identity token to Biid. The provider receives only the information necessary to complete the sign-in and returns your provider-verified identifier and (with your selection) your email and display name. - Expo — Receives your push-notification token and notification payload (including message previews of up to one hundred and twenty characters) in order to deliver push notifications to your device. - Sentry — Our error-monitoring provider. Sentry receives stack traces, device and operating-system diagnostics, HTTP request context, your IP address, and your user identifier. Because we enable Sentry's default PII attachment, Sentry may also receive any variable values that happen to be captured by an error event; we do not intentionally send message bodies, bid contents, uploaded media, or other user-generated content payloads to Sentry. - PostHog — Receives the product-analytics events described in Section 2, associated with your user identifier.

We Do Not Sell or "Share" Your Personal Information We do not sell, rent, or trade your personal information to third parties for their marketing purposes, and we do not "share" it for cross-context behavioral advertising as defined under California law. We do not share your data with advertisers.

Legal Requirements We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

Your data is stored in a PostgreSQL database hosted on Google Cloud Platform. Uploaded photos, videos, and attachments are stored in Google Cloud Storage and served to users through time-limited signed URLs. Most signed URLs expire within fifteen minutes; URLs for stable content such as avatars and company logos use longer-lived cacheable windows (approximately seventy minutes). Videos and images are processed server-side (including format conversion, thumbnail generation, and WebP variant creation), and GPS coordinates in EXIF data are stripped from the variants we serve.

We implement the following security measures: - Authentication tokens (including magic-link and refresh tokens) are stored as SHA-256 cryptographic hashes on our servers; we never store raw tokens. - On mobile devices, authentication tokens are stored in Expo SecureStore, which uses the iOS Keychain and the Android Keystore for encrypted storage. - For browser-based access, we use HttpOnly secure cookies with SameSite protections. - Refresh tokens use a rotation mechanism: each time a token is used, it is revoked and replaced with a new one. - Rate limits are applied to authentication, refresh, and other sensitive endpoints to prevent brute-force attacks. - Data in transit is encrypted using TLS. Data at rest in Google Cloud Platform is encrypted using Google-managed encryption keys.

While we take reasonable measures to protect your information, no method of electronic storage or transmission over the Internet is completely secure. We cannot guarantee absolute security.

We retain your information as follows:

Account Data. Retained for as long as your account is active. If you delete your account from within the app, your account is placed into a soft-deleted state for seven (7) days. During those seven days, you can restore your account simply by signing back in. After the seven-day window, your account is permanently purged: authored content such as messages, bids, and reviews is reassigned to an anonymous tombstone identity so that other users' conversations and histories remain intact, and the remainder of your account — owned projects, Customer and Contractor profiles, refresh tokens, push tokens, support tickets, and avatar files in Cloud Storage — is deleted.

Admin-Disabled Accounts. If we disable or ban an account for a Terms of Service violation, the account is retained in a soft-deleted state to preserve abuse records. The phone number and email address associated with the account are cleared so that they can be reused, and any linked Apple or Google accounts are unlinked.

Contractor Profiles. If a Contractor profile is deleted, it is deactivated (soft-deleted) rather than permanently removed, in order to preserve the integrity of historical project and bid records. Deactivated profiles are not visible to other users.

Draft Projects. Draft projects that have not been updated for fourteen (14) days are removed automatically, along with any associated draft uploads.

Authentication Tokens. Magic-link requests expire fifteen (15) minutes after they are created and are single-use. Refresh tokens have a thirty (30) day expiry and are rotated on every use; revoked and expired tokens are cleaned up daily.

Masked Call Sessions. Sessions created by the in-app call feature expire twenty-four (24) hours after creation. Call metadata may be retained for a longer period for abuse and dispute resolution purposes.

IP Address and Login History. Retained for security and abuse-prevention purposes for the duration of your account.

Mailing-List Subscriptions. Retained until you unsubscribe or request removal.

Messages. Retained while the conversation exists. When all participants leave a conversation, the conversation and all associated messages and attachments are permanently deleted.

Content-Moderation Flags. Image and video moderation flags are retained for as long as the associated upload exists, for safety and abuse-review purposes.

You have the following rights and choices regarding your information:

Push Notifications. You can enable or disable push notifications at any time through the app settings or through your operating system's notification controls.

Account Deletion. You can delete your account at any time from within the app. As described in Section 7, a seven-day restore window applies before permanent deletion.

Profile Management. You can view, edit, or update your Customer or Contractor profile information at any time from within the app.

Communication Preferences. You can control notification preferences within the app and unsubscribe from any of our mailing lists via the unsubscribe link included in each email.

Your Rights Under U.S. State Privacy Laws. If you are a resident of a U.S. state with a consumer-privacy statute — including California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon, Montana, Delaware, New Hampshire, New Jersey, Minnesota, Tennessee, or any similar law — you may have the right to: - Know and access the categories and specific pieces of personal information we have collected about you; - Correct inaccurate personal information we hold about you; - Delete personal information we have collected about you, subject to certain legal exceptions; - Receive a portable copy of the personal information you have provided to us; - Opt out of the "sale" of your personal information or of "sharing"/"targeted advertising" (we do not sell or share your personal information for these purposes); and - Not be discriminated against for exercising any of these rights.

To exercise any of these rights, please contact us at leadership@biid.app. For your protection, we may need to verify your identity before responding to your request by confirming information associated with your account. If we deny your request in whole or in part, you have the right to appeal that decision by replying to our response; we will review appeals and respond within the time period required by applicable law.

Authorized Agents. In some jurisdictions, you may designate an authorized agent to submit requests on your behalf. We may require the agent to provide proof of authorization and may require you to verify your identity directly.

We collect location information only when you voluntarily provide it or take an action that requires it: - When you create a project, you provide the project location (address or area label, and optionally geographic coordinates). - When you set up a Contractor profile, you provide your service-area location and radius. - When you choose to auto-fill your location, we request your device's foreground location with your explicit permission. - When you upload a photo or video, any GPS coordinates embedded in the file's EXIF metadata are stored server-side for fraud and integrity checks, but are stripped from the image variants we serve to other users.

We do not perform continuous, background, or passive location tracking. We never request the "always" or "background" location permission. Your geographic coordinates are used only to display project and contractor locations, to calculate distances between them, and to guard against location-spoofing abuse.

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information. If you believe we have inadvertently collected information from a child under 18, please contact us at leadership@biid.app.

Browser Access. If you access the Service through a web browser, we use HttpOnly secure cookies solely for authentication session management. We do not use third-party tracking cookies, advertising cookies, or analytics cookies.

Mobile App. The mobile app uses Expo SecureStore (encrypted device keychain) to store authentication tokens, and AsyncStorage for non-sensitive preferences such as theme settings and notification preferences. These values are stored locally on your device only.

We do not currently use artificial intelligence or automated decision-making to process your personal data, evaluate bids, or produce decisions that produce legal or similarly significant effects on you. If we introduce AI-powered features in the future, we will update this Privacy Policy before those features take effect and, where required by law, obtain your consent.

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this policy and notify you through the Service or by other reasonable means.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should stop using the Service and contact us to delete your account.

Biid respects the intellectual-property rights of others and expects users of the Service to do the same. We respond to notices of alleged copyright infringement that comply with the Digital Millennium Copyright Act ("DMCA"), 17 U.S.C. § 512.

Filing a DMCA Notice If you believe that material made available through the Service infringes your copyright, you may send a written notice to our designated agent that includes each of the following: (a) a physical or electronic signature of a person authorized to act on behalf of the owner of the exclusive right that is allegedly infringed; (b) identification of the copyrighted work claimed to have been infringed (or, if multiple copyrighted works at a single online site are covered by a single notification, a representative list of such works); (c) identification of the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit us to locate the material (for example, a screenshot, a direct link within the app, or a project identifier); (d) information reasonably sufficient to permit us to contact you, such as an address, telephone number, and email address; (e) a statement that you have a good-faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law; and (f) a statement, made under penalty of perjury, that the information in the notification is accurate and that you are authorized to act on behalf of the owner of the exclusive right that is allegedly infringed.

Send your notice to our designated agent at leadership@biid.app with the subject line "DMCA Notice." We may register our designated agent with the U.S. Copyright Office, and any updated registration information will be reflected on this page.

Counter-Notification If you believe that your material was removed or disabled in error or as a result of misidentification, you may send us a written counter-notification that includes: (a) your physical or electronic signature; (b) identification of the material that has been removed or to which access has been disabled and the location at which the material appeared before it was removed or disabled; (c) a statement under penalty of perjury that you have a good-faith belief that the material was removed or disabled as a result of mistake or misidentification; and (d) your name, address, and telephone number, together with a statement that you consent to the jurisdiction of the United States District Court for the judicial district in which your address is located (or, if your address is outside the United States, for any judicial district in which Biid may be found) and that you will accept service of process from the person who provided the original notification or an agent of that person.

Repeat-Infringer Policy We will, in appropriate circumstances, terminate the accounts of users who are determined to be repeat infringers of copyright or other intellectual-property rights.

Knowing Material Misrepresentations Under 17 U.S.C. § 512(f), any person who knowingly materially misrepresents that material is infringing, or that material was removed or disabled by mistake or misidentification, may be liable for damages.

If you have any questions about this Privacy Policy, your personal data, or wish to exercise any of your rights, please contact us at:

Leads Group LLC Email: leadership@biid.app