Privacy Policy

Last updated: June 20, 2026

About This Policy

Leads Group LLC, operating as Biid ("Company", "we", "our", or "us"), is committed to protecting your privacy. This policy describes how we collect, process, retain, and disclose personal data about you when you use our website (biid.app) and the Biid mobile application (our "Services"), and our practices for using, maintaining, protecting, and disclosing that information.

This policy applies only to information we collect:

  • Through the Services.
  • In communications, including email, text, chat, and other electronic messages, between you and the Services.
  • When you interact with our applications on third-party websites and services, if those applications include links to this policy.

It does not apply to information collected by:

  • Us offline or through any other means, including on any other website operated by the Company or any third party that does not link to this policy; or
  • Any third party, including through any application or content that may link to or be accessible from or through the Services.

We may provide additional or different privacy policies that are specific to certain features, services, or activities.

Please read this policy carefully to understand our policies and practices regarding your information and how we treat it. By using our Services or providing us with your information, you acknowledge that your information will be collected, used, and shared as described in this privacy policy. This policy may change from time to time (see Changes to Our Privacy Policy). We will notify you of material changes as described in that section. Your continued use of the Services after changes are posted constitutes your acceptance of those changes, so please check the policy periodically for updates.

Children's and Minors' Data

Our Services are intended for adults 18 years of age or older. We do not knowingly collect personal data from minors under 18. If we learn we have collected or received personal data from a minor under 18, we will delete that information.

The Personal Data That We Collect or Process

"Personal data" is information that identifies, relates to, or describes, directly or indirectly, you as an individual, such as your name, email address, telephone number, home address, or payment information (for example, payment card details or billing address).

The types and categories of personal data we collect or process include:

  • Account and contact information, including name, address (such as home address, project address, service address, or other address), email address, phone number, username, and other contact information you provide to us.
  • Payment information, including payment card details, billing address, and transaction history, collected in connection with purchases or payments made through the Services.
  • Location information, including general geographic location and, where you have enabled and consented to location information collection, precise geolocation data.
  • Device information, including your IP address, device identifiers, operating system and version, preferred language, hardware identifiers, browser type and settings, and other device information.
  • Content and information you elect to provide as part of your profile or through the Services, including: project titles, descriptions, notes, structured intake answers from the project wizard, scheduling preferences, bid amounts, proposal descriptions, scope and timeline information, bill-of-materials data, ratings, and written review content for both contractors and customers. This also includes any information in emails, chats, or other communications sent to us.
  • Voice call data, if you use the in-app call feature. Calls are routed through a masked Twilio number so that neither party sees the other's real phone number. We store both parties' real phone numbers, the masked number assigned to the session, participating user identifiers, session kind, and call metadata such as start time, end time, and status. We do not record the audio of your calls.
  • Messaging data, including the text content of messages, image, video, and document attachments, message timestamps, delivery status, and read-receipt status, when you use the in-app messaging feature.
  • Images, videos, and related metadata collected or stored in connection with the Services, where you have consented to such collection. For photos, GPS coordinates are extracted from the file's data and stored server-side for fraud and content-integrity checks; they are stripped from any images or video provided to other users. For videos, your device's last-known foreground location at the moment recording begins is stored server-side for the same fraud and integrity purposes and is also never embedded in images or video provided to other users.
  • Content moderation signals. To keep the Services safe, we send uploaded images and sampled frames of uploaded videos to Google Cloud Vision SafeSearch, which returns automated likelihood scores for categories such as adult, racy, violent, spoof, and medical content. We store those scores and any resulting moderation flags.
  • Account activity and login history, including your account creation date, last-active timestamp, login events (including the IP address and device information associated with each sign-in), and account status indicators. We retain this information for the duration of your account for security and abuse-prevention purposes.
  • Inferences drawn from the above to create a profile about you, including for fraud detection and platform integrity purposes.

Some of the information identified above, including precise geolocation information and image metadata, may be considered sensitive data under certain laws. If required under applicable law, we will collect and process sensitive personal data only with your consent. If you choose not to provide or allow us to collect some information, we may not be able to provide you with requested features, services, or information.

We also collect:

  • Statistics or aggregated information. Statistical or aggregated data does not directly identify a specific person, but we may derive non-personal statistical or aggregated data from personal data. For example, we may aggregate personal data to calculate the percentage of users accessing a specific Services feature.
  • Technical information. Technical information includes information about your internet connection and usage details about your interactions with the Services, such as clickstream information to, through, and from our Services (including date and time), products that you view or search for, page response times, download errors, length of your visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), or methods used to browse away from a page.
  • Push notification tokens. If you enable push notifications, we store your device's push notification token to deliver transactional notifications to your device. This token is shared with Expo solely for notification delivery purposes, as described in the service providers section of this policy.

If we combine or connect non-personal statistical or technical data with personal data so that it directly or indirectly identifies an individual, we treat the combined information as personal data.

How We Collect Your Personal and Other Data

You Provide Information to Us

We collect information about you when you interact with our Services, such as when you create or update an account, post or respond to a project, communicate with other users or with us, make or receive a payment, contact customer support, or create, upload, or post content to the Services (including reviews, photos, videos, or other media).

Automatically Through Our Services

As you navigate through and interact with our Services, we may use automatic data collection technologies to collect information that may include personal data. Information collected automatically includes IP addresses, device identifiers, operating system, and browser type, collected through session cookies, product analytics tools, and error monitoring services, including details of your interactions with our Services, such as traffic data, logs, and other communication data, and which resources and Services features you access and use.

Automatic data collection is limited to your use of the Services and is used solely for product analytics, error monitoring, security, and fraud prevention purposes. We do not use automatic collection technologies to track your activities across third-party sites or services, and we do not use advertising trackers.

Using automatic collection technologies helps us to improve our Services and to deliver a better and more personalized experience.

The technologies we use for this automatic data collection may include:

  • Calendar Integration. When you tap to add a scheduled project date to your device calendar, we write that single event to your calendar using your operating-system permission. We do not read your existing calendar entries.
  • Cookies. A cookie is a small file placed on your device when you interact with the Services. If you access the Services through a web browser, we use HttpOnly secure cookies with SameSite protections solely for authentication session management. We do not use third-party tracking cookies, advertising cookies, or analytics cookies. You may refuse to accept browser cookies by activating the appropriate setting on your browser or device. However, if you select this setting, you may be unable to access certain features of the Services.
  • Mobile App Local Storage. The Biid mobile application uses Expo SecureStore (encrypted device keychain) to store authentication tokens, and AsyncStorage for non-sensitive preferences such as theme settings and notification preferences. These values are stored locally on your device only and are not transmitted to third parties or used for tracking or advertising purposes.

We use PostHog to capture product events and analytics and Sentry for error monitoring in order to understand how the Services are used and to improve them. These tools are not used for advertising or cross-app tracking and may automatically collect information about you or your device in connection with providing services to us. To opt out of product analytics collection, please contact us at leadership@biid.app or use the "Contact Us" feature within the Biid app. Please note that some Services features may be unavailable as a result.

Our third-party service providers and their specific roles include:

(a) Twilio: receives your phone number to deliver SMS verification codes and, when you use the in-app call feature, to route masked voice calls. Call audio passes through Twilio's infrastructure.

(b) Mailgun: receives your email address to deliver authentication emails and service communications. We have explicitly disabled email open and click tracking in Mailgun; we do not use tracking pixels or web beacons in our emails.

(c) Google Cloud Platform: provides the database and file storage backing the Services, including Cloud Storage for photos, videos, and document attachments (accessed via time-limited signed URLs); Cloud Vision SafeSearch for automated content moderation; and the Places API for contractor business-search functionality.

(d) Apple and Google (Sign-In): when you use Apple Sign-In or Google Sign-In, the provider returns your provider-verified identifier and, with your selection, your email address and display name.

(e) Expo: receives your push-notification token and notification payload (including message previews of up to 120 characters) to deliver push notifications to your device.

(f) Sentry: receives stack traces, device and operating-system diagnostics, HTTP request context, your IP address, and your user identifier when an application error occurs. Because Sentry's default PII attachment is enabled, Sentry may also receive variable values captured by an error event; we do not intentionally send message bodies, bid contents, or uploaded media to Sentry.

(g) PostHog: receives the product-analytics events described above, associated with your user identifier.

(h) Stripe: processes payment card transactions made through the Services on our behalf. We do not store full payment card numbers on our servers; payment card data is handled directly by our payment processor in accordance with applicable PCI DSS standards.

These service providers use automated collection technologies solely to support the delivery, monitoring, and improvement of the Services. They do not use your information for interest-based advertising, and they do not track you across unrelated websites or applications.

We do not control these third parties' data practices. For questions about how any of our third-party service providers handle your information, please refer to their respective privacy policies.

From Third-Party Sign-In Providers

We may receive limited personal data about you from third-party authentication providers. If you choose to sign in with Apple or Google, we receive from the provider a verified identifier for your account (the OAuth "sub" claim) and, depending on the provider and your selections, your email address and display name. We do not obtain personal data about you from data brokers, advertising networks, or other third-party marketing or enrichment sources.

Third-Party Websites and Services

The Services may contain links to third-party websites, applications, or services that are not owned or controlled by us. This policy applies only to information collected by us through the Services. We have no control over and assume no responsibility for the privacy practices, content, or data handling of any third-party websites or services. We encourage you to review the privacy policies of any third-party websites or services you visit.

How We Use Your Information

We use information that we collect about you or that you provide to us, including any personal data, to:

  • Provide you with the Services and any contents, features, information, products, or services that we make available through the Services.
  • Fulfill and manage subscriptions, purchases, orders, and payments.
  • Fulfill any other purpose for which you provide it.
  • Provide you with notices about your account, including security alerts, account activity notices, and changes to our Services.
  • Improve our Services, including by analyzing your information and creating aggregated data derived from your information to develop, maintain, analyze, improve, optimize, measure, and report on our Services and their features and how users interact with them.
  • Carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection.
  • Notify you when Services updates are available and about changes to any products or services we offer or provide through them.
  • Detect and prevent fraud, abuse, and security threats, including through the use of image metadata and location data as fraud detection signals to ensure users are creating legitimate projects and following platform rules.
  • Send you service-related communications, including SMS verification messages, email authentication messages, and push notifications relating to your account activity and the Services.
  • For any other purpose with your consent.

The usage information we collect, whether connected to your personal data or not, helps us improve our Services and deliver a better and more personalized experience by enabling us to:

  • Estimate our audience sizes and usage patterns.
  • Store information about your preferences, allowing us to customize the Services according to your individual needs and interests.
  • Speed up your searches.
  • Recognize you when you return to our Services.

We may also use your information to contact you directly about our own goods and services that may be of interest to you. We do not share your personal data with third parties for their advertising or marketing purposes. If you do not want us to use your information in this way, you may opt out by clicking the unsubscribe link included in the footer of any marketing email we send you. For more information, see Your Rights and Choices About Your Information.

We do not perform continuous, background, or passive location tracking, and we never request the "always" or "background" location permission from your device. Your geographic coordinates are used only to display project and contractor locations, calculate distances, and guard against location-spoofing abuse.

Who We Disclose Your Information To

We may disclose information to vendors, service providers, and other third parties we use to support our organization, who are bound by contractual obligations to keep personal data confidential and use it only for the purposes for which we disclose it to them.

We may also disclose personal data that we collect or you provide as described in this privacy policy:

  • To contractors, service providers, and other third parties we use to support our organization, who are bound by contractual obligations to keep personal data confidential and use it only for the purposes for which we disclose it to them. For a detailed description of our named third-party service providers and the specific categories of data each receives, please see the service provider list in the "Automatically Through Our Services" section of this policy.
  • To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Leads Group LLC's assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal data held by Leads Group LLC is among the assets transferred.
  • To fulfill the purpose for which you provide it. For example, when you post a project on the Services, we will share relevant information about that project with contractors who may be able to perform the requested work.
  • For any other purpose disclosed by us when you provide the information.
  • With your consent.

We may also disclose your personal data:

  • To comply with any court order, law, or legal process, including to respond to any government or regulatory request.
  • To enforce or apply our Terms of Use and other agreements, including for billing and collection purposes.
  • If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of our organization, our users, or others.

The categories of personal data we may disclose include:

  • Account and contact information.
  • Payment information.
  • Account history, including information about your account, transactions, projects, and payments.
  • Location information, including general geographic location and precise geolocation.
  • Device information.
  • Content and information you elect to provide to us.
  • Images and related metadata collected or stored in connection with the Services, where you have consented to such collection.
  • Voice call data, messaging data, and content moderation signals, as described in "The Personal Data That We Collect or Process" section of this policy.

Your Rights and Choices About Your Information

This section describes mechanisms you can use to control certain uses and disclosures of your information and rights you may have under state law, depending on where you live.

Cookies, Tracking, and Marketing Choices

  • Cookies and Other Tracking Technologies. You can set your browser to refuse all or some browser cookies or other tracking technology files, or to alert you when these files are being sent. If you disable or refuse cookies or similar tracking files, some Services features may be inaccessible or not function properly. Some browsers include a "Do Not Track" (DNT) setting that can send a signal to the online services you visit indicating you do not wish to be tracked. Because there is not a common understanding of how to interpret the DNT signal, our Services may not respond to all browser DNT signals. Instead, you can use a range of other tools to control data collection and use, including the cookie controls and advertising controls described in this policy.
  • Promotions by the Company. If you do not wish us to use your information to promote our own products or services, you can opt out by clicking the unsubscribe link in the footer of any marketing email we send you or by emailing us at leadership@biid.app.
  • Targeted Advertising. We do not use your data to deliver targeted or behavioral advertising on third-party platforms and we do not share your personal data with advertising networks for such purposes. We do not sell, rent, or trade your personal data with unaffiliated or non-agent third parties for their marketing purposes. We do not "share" your personal data for cross-context behavioral advertising as defined under California law (CCPA/CPRA). Because we do not engage in these activities, there is no data sale or sharing to opt out of. If you have questions about how your data is used, you may contact us at leadership@biid.app or use the "Contact Us" feature within the Biid app.

Location Data Choices

  • Location Data. You can choose whether or not to allow the Services to collect and use real-time information about your device's location through the device's privacy settings. If you block the use of location information, some Services features may become inaccessible or not function properly.

Your State Privacy Rights

Depending on your state of residency, you may have certain rights related to your personal data, including:

  • Access and Data Portability. You may confirm whether we process your personal data and access a copy of the personal data we process. To the extent feasible and required by state law, depending on your state, data will be provided in a portable format. Depending on your state, you may have the right to receive additional information and it will be included in the response to your access request.
  • Correction. You may request that we correct inaccuracies in your personal data that we maintain, taking into account the information's nature and processing purpose.
  • Deletion. You may request that we delete personal data about you that we maintain, subject to certain exceptions under applicable law.
  • Non-Discrimination. We will not discriminate against you for exercising any of your privacy rights. This means we will not deny you goods or services, charge you different prices, or provide a different level or quality of Services as a result of you exercising your rights under applicable privacy law.

Important: The exact scope of these rights varies by state. There are also several exceptions where we may not have an obligation to fulfill your request.

To exercise any of these rights, please email us at leadership@biid.app or use the "Contact Us" feature within the Biid app. We will respond to your request within thirty (30) days. To appeal a decision regarding a consumer rights request, please contact us at the same address with the subject line "Rights Request Appeal."

Authorized Agents. In some jurisdictions, you may designate an authorized agent to submit a consumer rights request on your behalf. To use an authorized agent, please contact us at leadership@biid.app. We may require the agent to provide written proof of authorization and may require you to verify your identity directly with us before we process the request.

Some browsers and browser extensions support the Global Privacy Control ("GPC"), which can send a signal indicating your preference to opt out of certain types of data processing, including data "sales" as defined under certain laws. When we detect such a signal, we will make reasonable efforts to respect your choices indicated by a GPC setting as required by applicable law.

How We Protect Your Personal Data

We use commercially reasonable administrative, physical, and technical measures designed to protect your personal data from accidental loss or destruction and from unauthorized access, use, alteration, and disclosure. These measures include:

(a) authentication tokens (including magic-link and refresh tokens) are stored as SHA-256 cryptographic hashes on our servers - we never store raw tokens;

(b) on mobile devices, authentication tokens are stored in Expo SecureStore, which uses the iOS Keychain and the Android Keystore for encrypted storage;

(c) for browser-based access, we use HttpOnly secure cookies with SameSite protections;

(d) refresh tokens use a rotation mechanism - each time a token is used, it is revoked and replaced with a new one;

(e) rate limits are applied to authentication, refresh, and other sensitive endpoints to prevent brute-force attacks; and

(f) data in transit is encrypted using TLS, and data at rest in Google Cloud Platform is encrypted using Google-managed encryption keys.

However, no website, mobile application, system, electronic storage, or online service is completely secure, and we cannot guarantee the security of your personal data transmitted to, through, using, or in connection with the Services. In particular, email, texts, and chats sent to or from the Services may not be secure, and you should carefully decide what information you send to us via such communications channels. Any transmission of personal data is at your own risk.

The safety and security of your information also depends on you. You are responsible for taking steps to protect your personal data against unauthorized use, disclosure, and access.

How We Retain Your Personal Data

We keep the categories of personal data described in this policy for as long as reasonably necessary to fulfill the purposes described or as otherwise legally permitted or required, such as maintaining the Services, operating our organization, complying with our legal obligations, resolving disputes, and for safety, security, and fraud prevention. This means that we consider our legal and business obligations, potential risks of harm, and nature of the information when deciding how long to retain personal data.

As a general matter, we retain account and profile information for the duration of your account. If you request deletion of your personal data or delete your account, your account is placed into a soft-deleted state for seven (7) days, during which you can restore your account by signing back in. After the seven-day window, your account is permanently purged: authored content such as messages, bids, and reviews is reassigned to an anonymous tombstone identity so that other users' histories remain intact, and the remainder of your data - owned projects, profiles, tokens, and uploaded files - is deleted.

Specific retention periods for other data categories include:

(a) draft projects not updated for fourteen (14) days are removed automatically along with associated draft uploads;

(b) magic-link requests expire fifteen (15) minutes after creation and are single-use;

(c) refresh tokens have a thirty (30) day expiry and are rotated on every use;

(d) masked call sessions expire twenty-four (24) hours after creation, though call metadata may be retained longer for abuse and dispute resolution purposes;

(e) messages are retained while the conversation exists - when all participants leave a conversation, the conversation and all associated messages and attachments are permanently deleted;

(f) if we disable or ban an account for a Terms of Service violation, the account is retained in a soft-deleted state to preserve abuse records, and the phone number and email address associated with the account are cleared so that they can be reused;

(g) if a Contractor profile is deleted, it is deactivated rather than permanently removed in order to preserve the integrity of historical project and bid records, and deactivated profiles are not visible to other users; and

(h) mailing-list subscription preferences, if you subscribe to marketing communications from us, are retained until you unsubscribe or request removal.

We may retain certain limited information for longer periods where reasonably necessary to comply with our legal obligations (for example, tax, accounting, or regulatory recordkeeping), to resolve disputes, to enforce our agreements, or to detect and prevent fraud, abuse, or security incidents. At the end of the applicable retention period, personal data will be deleted, destroyed, or deidentified.

Artificial Intelligence and Automated Processing

We do not currently use artificial intelligence or automated decision-making to process your personal data, evaluate bids, or produce decisions that have legal or similarly significant effects on you. If we introduce AI-powered features in the future, we will update this Privacy Policy before those features take effect and, where required by law, obtain your consent.

Changes to Our Privacy Policy

We may update this policy from time to time, and we will provide notice of any such changes to the policy as required by law. The date the privacy policy was last updated is identified at the top of the page. We will notify you of changes to this policy by updating the "last updated" date and posting the updated policy on the Services. We may email or otherwise communicate reminders about this policy, but you should check our Services periodically to see the current policy and any changes we have made to it.

Contact Information

To exercise your rights or ask questions or comment about this privacy policy or our privacy practices, contact us at:

Leads Group LLC
6462 Hyde Grove Ave., Jacksonville, Florida 32210
Email: leadership@biid.app

To register a complaint or concern, please email us at leadership@biid.app with the subject line "Privacy Complaint" and we will respond within thirty (30) days.