Privacy Policy

1. Scope and who we are

This Privacy Policy describes how RoofProof ("RoofProof", "we", "us", "our") collects, uses, and protects personal information when you visit roofproof.io, contact us, or subscribe to our services. We act as a data controller for information you provide to us directly. We act as a data processor for personal information of leads and customers that we process on behalf of our clients (roofing contractors) under our service agreement. Information about the legal entity behind RoofProof, our principal place of business, and applicable cross-border data transfer safeguards is provided in Section 9 below.

2. Information we collect

2.1 Information you provide directly

• Contact information: name, email address, phone number, business name, business website, business location.
• Billing information: billing address and tax ID. Payment card details are collected and stored by our payment processors (Paddle, Stripe), not by us.
• Account credentials: when you grant us administrator access to your Google Ads, Meta Business, or Google Business Profile accounts, you do so through those platforms' own authorization flows. We do not see or store your passwords.
• Communication content: emails, chat messages, support requests, and any documents you send us.

2.2 Information collected automatically

• Usage data: pages visited on roofproof.io, time spent, referring URL, approximate location (city level), device type, browser type, language. We use Cloudflare Web Analytics, which is cookieless and does not fingerprint visitors.
• Server logs: IP address (truncated), HTTP request data, error logs, retained for up to 30 days for security and abuse prevention.

2.3 Information about leads (data we process for clients)

When we run advertising campaigns for our clients, the campaigns generate leads — typically homeowners interested in roofing services. These leads submit forms or initiate phone calls. The information we collect about leads (typically: name, phone, email, address, type of inquiry, source campaign) is processed on behalf of our clients. Clients are the data controller for this information; RoofProof is the data processor.

3. How we use your information

We use the information we collect to:

• Provide our services to you (set up campaigns, build landing pages, run reports);
• Process payments and prevent fraud;
• Communicate with you about your account, service updates, and support requests;
• Respond to your inquiries from contact forms or emails;
• Improve our website, marketing materials, and service quality;
• Comply with applicable legal obligations, including tax, accounting, and anti-money-laundering requirements;
• Enforce our Terms of Service and protect against abuse.

We do not sell your personal information. We do not share it for cross-context behavioral advertising as defined by the California Consumer Privacy Act.

4. Legal basis for processing (GDPR)

If you are in the European Economic Area, the United Kingdom, or another jurisdiction with similar laws, our legal basis for processing your personal information depends on the purpose:

• Contract: processing necessary to provide services you requested (e.g., setup, billing).
• Legitimate interest: processing necessary for our reasonable business purposes (e.g., security, fraud prevention, improving services), where these interests are not overridden by your rights.
• Consent: when you explicitly opt in (e.g., for marketing communications). You may withdraw consent at any time.
• Legal obligation: processing required by applicable law (e.g., tax, accounting, anti-money-laundering).

5. Who we share information with

We share personal information only with the following categories of recipients, and only as necessary:

Service	Purpose	Data shared
Paddle	Subscription billing and tax compliance (Merchant of Record)	Name, email, billing address, payment details
Stripe	Payment processing	Name, email, billing address, payment details
Wise	Bank transfers and currency conversion	Name, business name, banking details
Google Workspace	Email and document storage	Email content and attachments
Cloudflare	Website hosting, DNS, security	IP address (truncated), HTTP request data
Loom	Video communications (audits and tutorials)	Email if you watch a video link
Calendly	Meeting scheduling	Name, email, scheduling preferences
DocuSign / PandaDoc	Contract signing	Name, email, signature, business details

We may also disclose personal information when required by law, in response to valid legal requests, to protect our rights or the rights of others, or in connection with a business transfer (merger, acquisition, sale of assets) — in which case the recipient will be required to provide equivalent privacy protections.

6. Cookies and tracking

We use the minimum tracking technology necessary to operate our website. Currently, our website uses:

• Cloudflare Web Analytics — a cookieless analytics service that does not identify individual visitors and does not require a consent banner under GDPR.
• Functional cookies set by our payment processors on their checkout pages (managed by Paddle and Stripe under their own privacy policies).

We may add additional analytics or advertising tools in the future. If we do, we will update this policy and present a cookie consent notice to visitors from regions where one is required.

7. Data retention

We retain personal information only as long as necessary to fulfill the purposes for which it was collected:

• Account and billing data: for the duration of your subscription, plus seven (7) years thereafter to comply with tax and accounting obligations.
• Communication records: up to three (3) years from last contact.
• Server logs: 30 days.
• Lead data (processed for clients): retained while we provide services to that client; deleted or returned within 30 days after termination, unless a longer retention is required by law.

You may request earlier deletion at any time, subject to overriding legal obligations.

8. Your rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: request a copy of the personal information we hold about you.
• Correction: request that we correct inaccurate or incomplete information.
• Deletion: request that we delete your personal information ("right to be forgotten" under GDPR).
• Restriction: request that we limit how we use your information.
• Objection: object to processing based on legitimate interest.
• Portability: receive your information in a portable format.
• Withdraw consent: for processing based on consent.
• Lodge a complaint: with a supervisory authority in your country (e.g., your national data protection authority in the EU/UK).

To exercise any of these rights, email margo@roofproof.io with your request. We will respond within 30 days. We may need to verify your identity before fulfilling certain requests.

8.1 California residents (CCPA / CPRA)

California residents have additional rights under the California Consumer Privacy Act, including the right to know what personal information we collect and disclose, the right to delete personal information, the right to correct inaccurate information, and the right to opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising. RoofProof does not sell or share personal information for these purposes.

9. International transfers

RoofProof is operated by Pushaev Artem, a sole proprietor based in Europe. Most of our service providers (Paddle, Stripe, Cloudflare, Google, etc.) are based in the United States, the European Union, or other jurisdictions. When personal information is transferred internationally, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses where applicable. Our specific country of establishment is disclosed on request to data subjects exercising their rights and to regulators.

10. Security

We use reasonable technical and organizational measures to protect personal information from unauthorized access, alteration, disclosure, or destruction. This includes:

• Encryption in transit (HTTPS/TLS for all web traffic);
• Encryption at rest for data stored with our service providers (Google Workspace, Stripe, Paddle, etc.);
• Access controls limited to authorized personnel and tooling;
• Two-factor authentication on all critical accounts;
• Regular security reviews and prompt patching of known vulnerabilities.

No method of transmission or storage is 100% secure. If we become aware of a security breach affecting your personal information, we will notify you and the relevant authorities in accordance with applicable law.

11. Children's privacy

Our services are intended for businesses and individuals aged 18 and over. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected information from a minor, please contact us and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top will reflect the date of the most recent change. For material changes, we will provide at least thirty (30) days' advance notice by email or by posting a prominent notice on our website. We encourage you to review this policy periodically.

13. Contact

For privacy questions, requests to exercise your rights, or concerns about how we handle your information, contact us:

• Email: margo@roofproof.io (subject line: "Privacy")
• Web: https://roofproof.io
• Mailing address available on request.

If you are in the European Union, you also have the right to lodge a complaint with your local data protection authority. A list of national authorities is available at edpb.europa.eu/members.

© 2026 RoofProof. All rights reserved.