Privacy Policy

Effective: May 7, 2026

This Privacy Policy describes how JadeTrade Marketplace LLC (“JadeTrade,” “we,” “us”), operating under jadetradeapp.com, collects, uses, shares, and protects information when you use our website, preview sites, checkout flows, or AI Services, or otherwise interact with us.

1. Who We Are

JadeTrade Marketplace LLC is a Maine limited liability company located at 1917 Appleton Ridge Rd, Appleton, ME 04862. For privacy questions, contact max@jadetradeapp.com.

2. Categories of Information We Collect

Information you provide directly

Category | Examples | Source
Identifiers | Name, email, phone number, business name, billing address | Checkout, MSA signing, support contacts
Commercial information | Services purchased, transaction history, communication preferences | Stripe, our records
Payment information | Card details handled directly by Stripe; we receive only billing metadata (name, last-four, ZIP) | Stripe
Communications | Email, SMS, Upwork messages, support requests, calls | You
Consent records | Timestamp and version of Terms / Privacy Policy you accepted | Stripe metadata, our logs

Information from public sources

When building website previews and AI service templates, we collect publicly available business information:

  • Business name, address, phone, hours
  • Services, pricing
  • Photographs published publicly
  • Customer reviews on Google, Yelp, and similar
  • Public business directory listings

We do not access password-protected, private, or non-public information. We do not scrape personal social media accounts.

Information collected automatically

Category | What we collect
Cookies | A single persistent cookie (access_granted) on preview sites for authenticated access. Expires after 30 days. No personal data.
Hosting logs | Vercel collects standard server logs (IP, browser, pages visited, timestamps).
Service usage | For AI Services: API call logs, error rates, configuration changes (operational metadata only).

Information related to AI Services (collected on behalf of our customers)

When a JadeTrade customer deploys our AI services, we collect on the customer's behalf the categories below depending on which archetypes are deployed:

Voice and call data (AI Receptionist, Call Triage):

  • Voice call recordings (only when the customer has opted in to Recording) and transcripts
  • Inbound caller phone numbers (from Twilio's Caller ID)
  • Caller-provided information (name, business name, callback number, reason for call, email if shared)
  • Booking metadata (timestamps, calendar event IDs, Cal.com booking confirmations)
  • AI-generated structured analysis (outcome classification, opt-out flag, intent summary)

SMS and messaging data (SMS Sequencer, Inquiry Responder, Inventory Alert, Check-in / Nurture):

  • Outbound message contents and timestamps
  • Recipient phone numbers and message-status results (delivered, failed, opted out)
  • Inbound replies, including STOP/UNSUBSCRIBE confirmations
  • Recipient-list metadata uploaded by the customer (e.g., name, last-visit date, service tier)

Inquiry/intake data (Inquiry Responder, Document Generator, Text Quote Generator):

  • Web form submissions (any fields the inquirer fills out)
  • Inbound emails to monitored addresses (subject, body, attachments)
  • AI-extracted structured data from intake (parties, scope, dates, amounts, requested service)

Photographic and document data (Photo Quote Generator, Claim Supplement Generator, Document Generator):

  • Customer-uploaded photos (job sites, damage, items for valuation, invoices)
  • Customer-uploaded denial letters, insurance policy excerpts, or other supporting documents
  • AI-extracted measurements, conditions, and structured observations from images
  • Generated PDF outputs (quotes, estimates, scopes, contracts, supplement letters)

Plan and structural data (Blueprint Takeoff, Permit Document Generator):

  • Architectural plans, hand sketches, site plans uploaded by customer
  • AI-extracted quantities, dimensions, materials, code references
  • Generated takeoff bids and permit packages

Health-adjacent data (Insurance Verification, when BAA chain in place):

  • Patient appointment schedule (date, time, provider, service)
  • Payer eligibility responses (in-network status, copay, deductible remaining, prior auth status)
  • Prior auth tracking notes
  • Out-of-pocket text confirmations sent to patients

Marketing platform data (Multichannel Reporting):

  • API-pulled metrics from Google Ads, Meta Ads, GA4, HubSpot, Salesforce, and similar platforms
  • AI-generated commentary and insight summaries
  • Generated PDF reports

Vendor integration data (Vendor Integration):

  • Per-deal: API responses from Client's chosen vendor systems (e.g., COI brokers, queue systems, parts catalogs)

This data is owned by the JadeTrade customer (the business that deployed the AI), processed by us as their service provider, and governed by our Master Services Agreement with them. If you are an inbound caller, customer, patient, or recipient of a business using our AI, that business is the data controller of your information; contact them directly for access, correction, or deletion requests. For PHI specifically, the customer business is the Covered Entity; JadeTrade is a Business Associate only when a BAA is in place.

Information we do not collect

  • We do not use advertising trackers, social media pixels, or behavioral analytics on jadetradeapp.com or preview sites.
  • We do not sell, rent, or trade personal information.
  • We do not knowingly collect information directly from individuals under 16 through our website or checkout flow. See Section 13 for child information that may be voluntarily provided by adults to AI Services we operate on behalf of customer businesses.

3. How We Use Information

We use information solely to:

  • Build website previews and configure AI Services using your publicly available business information
  • Process payments through Stripe
  • Deliver purchased websites and operate AI Services
  • Send transactional communications (payment confirmations, DNS instructions, service notifications)
  • Send initial commercial outreach to business addresses (you may opt out at any time)
  • Improve our Services through aggregated, de-identified analytics
  • Comply with legal obligations and enforce our Terms

We will not use your email for marketing newsletters unless you explicitly opt in. All commercial outreach complies with CAN-SPAM and includes an opt-out mechanism.

4. Cold Outreach

As part of our business model, we contact business owners about our Services. These communications go to business email addresses obtained from public sources. All outreach complies with the CAN-SPAM Act of 2003 and includes:

  • Our physical mailing address
  • Accurate sender identification
  • Clear identification as commercial communication
  • A working opt-out mechanism (reply “stop” or use the unsubscribe link)
  • Honest subject lines

Opt-outs are honored within ten (10) business days and the business is added to our permanent exclusion list. We will not contact you again across any channel.

For SMS sent to a JadeTrade-controlled number (e.g., +1 (646) 846-8838), we treat any inbound message containing “STOP,” “UNSUBSCRIBE,” “REMOVE,” or similar as a binding opt-out and add the sender to our exclusion list.

For inbound voice calls to our AI receptionist, any verbal opt-out request (“remove me,” “stop calling,” “do not contact me”) is binding and triggers exclusion.

5. Third-Party Service Providers

We share information only with the following service providers, solely to deliver our Services:

Provider | Purpose
Stripe, Inc. | Payment processing (PCI-DSS Level 1)
Vercel, Inc. | Website hosting and serverless functions
Resend, Inc. | Transactional email delivery
Google LLC | Google Workspace email; Google Calendar integration
Microsoft Corporation | Outlook/Microsoft Graph email API for inbox monitoring
LiveKit, Inc. | Voice agent infrastructure (WebRTC SFU, hosted agent runtime, SIP trunking, call observability — transcripts, traces, optional audio recording)
Twilio, Inc. | Telephony (inbound call routing via Elastic SIP Trunk, SMS)
OpenAI, L.L.C. | Realtime voice model (gpt-realtime-2 — speech-to-speech, function calling) and language model inference (gpt-4o-transcribe for proper-noun transcription, gpt-4o-mini for post-call analysis, where used)
Anthropic PBC | AI language model inference (where used)
Cal.com, Inc. | Scheduling and calendar booking
Discord Inc. | Internal operational notifications (no customer data sent)
Dropbox Sign / Adobe Sign | E-signature for documents generated by Document Generator and similar archetypes (only when Client elects e-signature integration)
Amazon Web Services (S3) | Object storage for customer-uploaded photos, plans, and generated PDFs
Availity, Office Ally, eClinicalWorks (or equivalent) | Healthcare insurance verification — used only for Insurance Verification archetype customers and only when BAA chain is in place
Google LLC (Google Ads API, Google Analytics) | Marketing data ingestion for Multichannel Reporting customers — only when Client connects their account
Meta Platforms, Inc. (Meta Ads API) | Marketing data ingestion for Multichannel Reporting customers — only when Client connects their account
HubSpot, Inc. / Salesforce, Inc. | CRM data ingestion for Multichannel Reporting customers — only when Client connects their account
Vendor systems specified per deal | Custom integrations under the Vendor Integration archetype (e.g., COI brokers, queue management systems, parts catalogs) — only the vendors named in your Vendor Integration Addendum

We do not sell your information to data brokers, advertisers, or any other third parties. We do not share your information for cross-context behavioral advertising.

6. Call Recording (AI Services)

Recording is enabled only when the JadeTrade customer (the business operating the AI receptionist) has affirmatively elected Recording ON in their Statement of Work. When recording is OFF, no audio is captured or stored — only intake fields the caller provides verbally are converted to text by the speech-to-text layer for the operational purpose of routing the call.

When recording is ON:

  • The opening message includes the disclosure: “Calls are recorded for quality. If you'd prefer not to be recorded, please hang up now and call back during our staffed hours.”
  • Continuing the call after this disclosure (staying on the line) constitutes consent to recording in jurisdictions where consent may be inferred from continued participation. JadeTrade maintains a per-call audit log of the disclosure timestamp, the timestamp the caller continued the conversation, and the call ID, available on request as evidence of consent.
  • Transcripts and (when Recording ON) audio clips are stored in LiveKit's agent-observability infrastructure for the duration of the JadeTrade customer's service plus thirty (30) days post-termination, then deleted. LiveKit's default observability retention window is 30 days; recordings retained beyond that are migrated to JadeTrade-managed storage (AWS S3 US-region, encrypted at rest) for the customer service term plus 30 days, then deleted.
  • Recordings are available to the JadeTrade customer via dashboards or on request, and may be reviewed by JadeTrade only for quality assurance, debugging, model improvement using de-identified data, or upon customer request.

State-specific notice for callers. Several U.S. states (including CA, CT, DE, FL, IL, MD, MA, MI, MT, NV, NH, PA, WA, and others) require all-party consent for recording. If you do not consent to being recorded, you may hang up after the disclosure and call back during the business's staffed hours, or contact the business through a non-recorded channel. A per-call mid-call opt-out is not currently supported; this Privacy Policy will be updated when that capability becomes available. To request deletion of a specific recording, contact the business that operates the AI receptionist or email max@jadetradeapp.com with the date and approximate time of your call.

7. Categories, Purposes, and Retention

The table below maps each category of personal information we collect to the purpose for which it is used and the retention period applied to it.

Category | Purpose(s) | Retention
Identifiers | Service delivery, billing, support, outreach, exclusion list | Active customer + 3 years; outreach exclusion list is permanent
Commercial information | Billing, service delivery | 7 years (tax / accounting)
Payment information | Payment processing | Per Stripe's retention; we retain transaction metadata 7 years
Communications | Support, recordkeeping | 3 years from last interaction
Audio recordings (AI Services) | Service operation, quality, audit | Customer service term + 30 days, then deleted
Caller intake data (AI Services) | Service operation (routing, booking) | Customer service term + 30 days, then deleted
Internet activity | Security, debugging | Per Vercel's retention (typically 30-90 days)
Cookies | Session authentication on previews | 30 days
Consent records | Recordkeeping, compliance | 7 years
Operational logs (de-identified) | Service improvement, debugging | 12 months rolling
Inferences (call analysis) | Service operation, exclusion list | Customer service term + 30 days
SMS message data | Service operation, opt-out tracking, audit | Customer service term + 30 days
Inquiry / intake content | Service operation, document generation, hot-lead routing | Customer service term + 30 days
Photographic and document data | Service operation, draft document generation | Customer service term + 30 days
Plan and structural data | Service operation, draft takeoff generation | Customer service term + 30 days
Generated outputs (PDFs) | Service delivery, audit | Customer service term + 30 days
Health-adjacent data (BAA-gated) | Insurance Verification archetype only, under BAA | Per BAA — typically Customer service term + 30 days, encrypted
Marketing platform data | Multichannel Reporting archetype only | Customer service term + 30 days
Vendor integration data | Vendor Integration archetype only — per Vendor Integration Addendum | Per addendum
Recipient-list metadata | Service operation | Customer service term + 30 days

Sensitive personal information

Depending on what callers voluntarily disclose, the AI Services may receive sensitive personal information including: precise geolocation (if a caller states their address), health information (if a caller mentions a medical condition or appointment context), financial information (if a caller mentions account or balance details), insurance information, account credentials (if mistakenly shared), and information of household members or minors (e.g., a parent calling on behalf of a child for childcare or pediatric services).

We use sensitive personal information only for the purpose for which it was provided (operating the Services on behalf of our customer). We do not use it for inferences about you, for advertising, or to identify your characteristics. You may request that we limit use of sensitive personal information to what is reasonably necessary to perform the Services.

You may request deletion at any time per Section 9.

8. Data Security and Storage Locations

We implement reasonable technical and organizational security measures:

  • All transmission encrypted via TLS/SSL
  • Payment processing handled by Stripe (PCI-DSS Level 1)
  • Access controls limit who can view customer data (access is restricted to JadeTrade personnel and authorized contractors on a need-to-know basis)
  • Third-party providers selected for security posture (SOC 2, ISO 27001 where applicable)
  • Authentication on admin systems with multi-factor authentication where supported

Storage locations. Customer data is stored in the following locations depending on category:

  • Voice recordings, transcripts, and call analysis: LiveKit infrastructure (US-region, encrypted at rest with AES-256 / TLS 256-bit in transit) for active observability window; OpenAI infrastructure (US-region) transiently during the realtime model session itself; AWS S3 US-region for any audio retained beyond LiveKit's observability window
  • SMS message content and delivery logs: Twilio infrastructure (US-based cloud provider, encrypted at rest)
  • Generated PDFs, photos, plans, and other uploaded documents: Amazon Web Services S3 (US-region buckets, encrypted at rest with AWS-managed keys), Vercel-hosted storage where applicable, and/or local processing infrastructure operated by JadeTrade in the United States, encrypted at rest, with access restricted to authorized personnel
  • Operational logs and per-deal configuration: Local processing infrastructure operated by JadeTrade in the United States, with daily backups, encrypted at rest
  • Payment records: Stripe infrastructure
  • Email communications: Microsoft 365 (Outlook) infrastructure
  • Calendar and booking data: Cal.com infrastructure

Backups. Operational data is backed up daily to a separate location. Backups are encrypted, retained for 30 days, then rotated.

Customer requests for data location specifics for a particular engagement should be directed to max@jadetradeapp.com.

However, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

In the event of a confirmed breach affecting personal information, we will notify affected parties and applicable authorities without unreasonable delay and in accordance with the timeframes required by applicable law.

9. Your Privacy Rights

Depending on your jurisdiction, you may have the right to:

Right | What it means | How to exercise
Access / Know | Request a copy of personal information we hold about you | Email max@jadetradeapp.com
Correction | Request correction of inaccurate information | Same
Deletion | Request deletion of your personal information | Same
Portability | Receive your data in a portable format (JSON or CSV) | Same
Opt-out (sale/share) | We do not sell or share for cross-context advertising. N/A by design. | N/A
Limit use of sensitive personal info | Restrict how we use sensitive info (e.g., health, location) | Email
Opt-out of communications | Stop receiving outreach | Reply STOP, unsubscribe link, or email
Non-discrimination | We will not discriminate against you for exercising these rights | Automatic
Appeal | Appeal a denial of your request | Reply to our denial within 30 days

We will respond to requests within forty-five (45) days (extendable by another 45 days for complex requests, with notice). We may verify your identity by email confirmation or, for sensitive requests, additional confirmation. Requests are free where required by law; in particular, Virginia residents may submit at least two (2) free requests per twelve-month period under the VCDPA, and California residents may submit at least one (1) free request per twelve-month period under the CCPA/CPRA. We may charge a reasonable fee or refuse manifestly unfounded or excessive repeat requests, where permitted by law.

If you authorize an agent to act for you, we may require the agent to provide proof of authorization.

10. California Residents (CCPA/CPRA)

If you are a California resident, you have the rights listed in Section 9 under the California Consumer Privacy Act and California Privacy Rights Act.

Categories of personal information collected in the past 12 months:

  • Identifiers (name, email, phone, business name, billing address, callback numbers from inbound callers, recipient phone numbers from Client-provided SMS lists)
  • Commercial information (transactions, services purchased, communication preferences)
  • Financial information (card last-four and billing ZIP, processed by Stripe; bank or transaction metadata where Client provides for accounting reports)
  • Audio recordings (AI service callers — see Section 6) and call transcripts
  • Inquiry and intake content (web form submissions, inbound emails, AI-extracted structured fields)
  • Photographic and document data (uploaded photos, denial letters, invoices, plans, sketches, generated PDF outputs)
  • Health-adjacent data (BAA-gated, Insurance Verification archetype only — appointment schedules, payer eligibility responses, prior auth status)
  • Internet activity (Vercel hosting logs — IP, browser, pages visited)
  • Geolocation (only if voluntarily disclosed by an inbound caller; not collected via device sensors)
  • Professional information (business name and role)
  • Inferences (AI-generated structured analysis of calls and inquiries — outcome classification, opt-out flag, intent summary)
  • Marketing platform data (API-pulled metrics from Google Ads, Meta Ads, GA4, HubSpot, Salesforce — Multichannel Reporting customers only, with Client's connected account credentials)
  • Vendor integration data (API request/response data from Client's chosen vendor systems for Vendor Integration archetype customers — only when Client has signed a Vendor Integration Addendum naming the specific vendors)

Sources: directly from you, from public business directories, from our service providers, and from JadeTrade-customer Clients on whose behalf we operate AI Services (e.g., recipient lists Client uploads for SMS sequences).

Purposes: as listed in Section 3.

Disclosure to third parties: only to the service providers in Section 5, under contracts limiting their use.

No sale or sharing. We do not sell personal information for monetary or other valuable consideration. We do not share personal information for cross-context behavioral advertising.

Sensitive personal information. As described in detail in Section 7, the AI Services may receive sensitive personal information from inbound callers and customer-business uploads. We use sensitive information only for the purpose for which it was provided and never for advertising, profiling, or characterizing you. California residents may request that we limit our use of sensitive information per CPRA § 1798.121.

11. Other State Privacy Laws (VA, CO, CT, UT, TX, OR, MT, IA, TN, IN, DE, NJ, NH, and others)

Residents of states with comprehensive consumer privacy laws — including but not limited to Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Tennessee (TIPA), Indiana (DPDPA), Delaware (DPDPA), New Jersey (NJDPA), New Hampshire (NHDPA), and any equivalent comprehensive privacy law enacted after the Effective Date — have substantially the same rights listed in Section 9. We will respond to verifiable requests within the timeframes required by your state law (typically 45 days). Appeals are addressed within the timeframes required by your state law (typically 45-60 days).

12. International Users (GDPR / UK GDPR)

If you are in the European Economic Area, United Kingdom, or Switzerland, our lawful bases for processing are: contract (to provide services you requested), legitimate interests (to operate and improve our Services, send commercial outreach to businesses), and consent (where required for cookies or marketing).

You have the rights of access, rectification, erasure, restriction, portability, and objection. You may lodge a complaint with your local supervisory authority. For data transfers outside the EEA, we rely on Standard Contractual Clauses with our processors where applicable.

13. Children's Information

Our website (jadetradeapp.com) and direct services are not directed to individuals under 16, and we do not knowingly collect personal information from children through our website or checkout flow.

The AI Services we configure for customer businesses may, however, be deployed on phone lines belonging to businesses that serve families or children — for example, childcare centers, tutoring services, pediatric or family practices, music schools, and similar. In those contexts, callers may voluntarily provide a child's name, age, or scheduling preferences to facilitate booking or intake.

When this occurs:

  • We process the information solely to provide the Services to the customer business that operates the AI receptionist (the data controller of the child's information)
  • We do not use child information for advertising, profiling, or any purpose beyond the immediate operational task requested by the caller
  • The customer business is responsible for compliance with COPPA (for under-13 information), state-level child-privacy laws, and any parental-consent requirements applicable to its industry
  • A parent or guardian may contact max@jadetradeapp.com to request deletion of a child's information; we will coordinate with the operating customer business to comply within thirty (30) days

If a customer business intends to operate the AI Services in a way that knowingly collects information from children under 13, we require additional contractual protections including the customer's representation that COPPA-compliant parental consent has been obtained. Otherwise, the AI is configured to capture only the minimum information needed to route the call and is instructed not to solicit further information from minors.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Active customers will be notified of material changes by email at least thirty (30) days in advance. Non-material changes are effective immediately upon posting. The “Effective” date at the top reflects the most recent revision.

15. Contact

For privacy questions, requests, or complaints:

JadeTrade Marketplace LLC
1917 Appleton Ridge Rd
Appleton, ME 04862
max@jadetradeapp.com