Skip to main content

Privacy Policy

Last updated: February 20, 2026

1. Overview

Candel Quote LLC (“we,” “us,” “our”) operates the Candel Quote platform, a SaaS tool for roofing contractors. This Privacy Policy explains what data we collect, how we use it, and your rights with respect to that data. By using our Service, whether as a roofing contractor or as a homeowner submitting an estimate form, you agree to this policy.

2. Data We Collect

Contractor Account Information

  • Name and email address
  • Password (managed securely via Supabase Auth)
  • Business name and public-facing slug
  • Billing information processed by Stripe (we never store raw card numbers)
  • Calendar OAuth tokens (Google or Microsoft) for scheduling features
  • Pricing configurations, service areas, workflow settings, and email templates you create

Homeowner Lead Information

When a homeowner submits an estimate form on a contractor's funnel page, we collect:

  • Full name
  • Email address
  • Phone number
  • Street address
  • Roof details, including type, approximate square footage, and zip code
  • Insurance claim status (yes/no)
  • Inspection booking date and time (if scheduled)

This data is stored on behalf of the roofing contractor who owns the funnel. The contractor is the data controller for homeowner lead data. Candel Quote acts as a data processor on the contractor's behalf.

Usage and Technical Information

  • Log data and error reports (via Sentry)
  • Usage metrics such as lead counts and workflow executions
  • IP addresses used for rate limiting and fraud prevention
  • Device, browser, and session data necessary to operate, secure, and improve the Service

3. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and secure the Service. These may include:

  • Essential cookies for authentication and session management
  • Security-related cookies and logs for fraud prevention and rate limiting
  • Infrastructure logs via Vercel

We do not use advertising trackers, behavioral profiling tools, or sell browsing data. Users may manage cookies through their browser settings. If additional analytics or tracking tools are implemented in the future, this Privacy Policy will be updated accordingly.

4. How We Use Your Data

We use collected data to:

  • Provide the Service, including estimate generation, lead capture, calendar booking, and workflow automation
  • Send automated communications on behalf of contractors, including SMS confirmations, follow-ups, and reminders
  • Process subscription payments via Stripe
  • Monitor reliability and diagnose issues through error tracking
  • Prevent fraud, enforce our Terms of Service, and protect platform integrity

We do not sell personal information. We do not use homeowner lead data for our own marketing purposes.

5. Legal Basis for Processing (For EEA and UK Users)

If you are located in the European Economic Area or United Kingdom, we process personal data under the following legal bases:

  • Performance of a contract (providing the Service)
  • Consent (for SMS or email communications initiated through contractor funnels)
  • Legitimate interests (security, fraud prevention, and product improvement)
  • Compliance with legal obligations

Data may be processed in the United States or other jurisdictions where our service providers operate.

6. SMS and Email Communications

When a homeowner submits an estimate form, they consent to being contacted by the roofing contractor via SMS and email regarding their inspection.

SMS messages are sent via Twilio. Every SMS includes opt-out instructions (Reply STOP to opt out).

Contractors are responsible for ensuring that their use of automated messaging complies with the Telephone Consumer Protection Act (TCPA) and other applicable laws.

7. Third-Party Service Providers

We use trusted service providers to operate the platform:

  • Supabase — Authentication and database infrastructure
  • Stripe — Payment processing
  • Twilio — SMS delivery
  • Resend — Transactional email delivery
  • Google and Microsoft — Calendar integration (OAuth)
  • Sentry — Error monitoring
  • Vercel — Hosting and edge network infrastructure

Each provider maintains its own privacy policy. We may update or replace subprocessors as our Service evolves. Any material changes will be reflected in this Privacy Policy.

8. Data Retention

Contractor account data is retained for the duration of the subscription and for 30 days after account termination, after which it is permanently deleted.

Homeowner lead data stored on behalf of a contractor follows the same retention timeline. When a contractor account is deleted, associated lead data is also deleted.

Homeowners may request deletion of their data by contacting the contractor directly or emailing privacy@candelquote.com.

9. Security

We use industry-standard safeguards, including:

  • Encryption in transit (TLS)
  • Encryption at rest
  • Row-level security policies
  • Access controls ensuring contractors can only access their own data

We use Sentry to detect and respond to system errors. No system is perfectly secure. Users should maintain strong, unique passwords and enable two-factor authentication where available.

10. Data Breach Notification

In the event of a confirmed data breach that materially affects personal data, we will notify affected contractors and, where required by law, impacted individuals without undue delay. Notifications will be delivered via email and will include information about the nature of the incident and recommended protective steps.

11. U.S. State Privacy Rights

Residents of certain U.S. states may have specific privacy rights under applicable state privacy laws. Depending on your state of residence, you may have the right to:

  • Request access to the personal information we collect about you
  • Request correction of inaccurate personal information
  • Request deletion of personal information
  • Request a copy of your personal information in a portable format
  • Opt out of the sale or sharing of personal information (we do not sell personal information)
  • Opt out of targeted advertising (we do not use personal data for targeted advertising)
  • Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects

We will not discriminate against you for exercising your privacy rights.

To exercise any applicable rights, contact privacy@candelquote.com. We may need to verify your identity before processing your request. We will respond within the timeframe required by applicable law.

12. Do Not Track Signals

Our Service does not currently respond to browser Do Not Track signals.

13. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from minors. If we learn that we have collected personal data from a minor, we will delete it promptly.

14. Business Transfers

In the event of a merger, acquisition, restructuring, financing, or sale of assets, user data may be transferred as part of that transaction. Any acquiring entity will be required to honor the commitments in this Privacy Policy.

15. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, delete, or restrict processing of your personal data. To exercise these rights, contact privacy@candelquote.com. We will respond within 30 days or as required by applicable law.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify active users by email before material changes take effect. The Last updated date at the top of this page reflects the most recent revision.

17. Contact

Questions about this Privacy Policy? Contact privacy@candelquote.com.