Privacy Policy

This policy explains what personal information Tibly collects, how we use it, who we share it with, and the rights you have over it. We don't sell personal information for money. Read the rest if you want the full picture, or jump to the section that matters to you.

Effective June 12, 2026

1. Who this applies to and what it covers

This policy applies to information Tibly collects through our website at tibly.ai (the marketing site at the root and the signed-in product at /dashboard), our transactional emails, and any other surface where this policy is linked. Tibly does not currently expose a public API; if we ever do, this policy will be updated before it goes live. It covers two distinct categories of people:

  • Users — people who sign up for a Tibly account, visit the marketing site, or request access through one of our forms.
  • Subjects — third-party individuals (general contractors, architects, owners, executives at companies named on construction permits or planning agendas) whose business contact information appears in the product because they are referenced in public records or because our customers have asked us to look them up through a licensed data provider. We do not have a direct relationship with these individuals; we describe their rights and how to exercise them in section 8.

If you contact us by email or phone, we receive whatever you put in the message. This policy treats that the same as anything else you give us through a form.

2. Information we collect

We collect three broad categories of information:

Account information you give us
Your name, email address, an optional password (you can sign in with a magic link or Google instead), your billing details (handled by Stripe — see section 5), the website of the company you sell into, your seller context (free-text notes about who you target, used by our drafting models), and anything you type into a Matrix research column, a Signals template, or a project note.

Usage information we observe
Pages and screens you visit, the features you use, the device and browser you use, your IP address, and the rough geographic region that IP resolves to. We also record a session replay (a video-like reconstruction of how the page rendered for you) — but only for signed-in users, only after you authenticate, and only for a 10% sample of authenticated sessions. Marketing-site visitors are never loaded into Mixpanel and are never session-recorded. Mixpanel masks form inputs marked as sensitive by default (passwords, payment fields). Internal Tibly employee accounts (any email ending in @tibly.ai) are opted out of analytics entirely at identify time.

Public-record and licensed business data
Construction permits, planning agendas, contractor licenses, OSHA enforcement records, federal awards, state corporate registrations, employment-website job postings, and similar government records. When you click "Reveal" on a project or contractor, we also retrieve business contact information about employees of that company from our licensed data providers (Apollo and Lusha). Where any of this information names a real individual it is "personal information" under most US state laws; we treat it as such even when the underlying source is public.

Sensitive information

Tibly does not knowingly collect sensitive personal information as defined by the CPRA (precise geolocation, racial/ethnic origin, religious beliefs, union membership, mail/email/text contents, genetic data, biometric identifiers, health information, sex life, or sexual orientation). If we ever expand into a feature that does, this policy will be updated first.

3. How we use information

We use the information we collect to:

  • Provide the product — show you projects on the map, run AI research columns on the contractors you save, send the Signals digest you've subscribed to, and answer the questions you ask. Free-text inputs (research column queries, agent-chat prompts, seller context) are forwarded to the LLM and search providers listed in section 5 to generate a response.
  • Run the account — create your login, process payments through Stripe, enforce plan limits, and send you transactional email like magic-link sign-in messages and password resets.
  • Improve the product — measure which features are used, find and fix bugs (this is what session replay is for), and shape what we build next.
  • Communicate with you — respond to your messages, send you Signals digests if you have those enabled, and occasionally tell you about changes to the product or these policies.
  • Comply with law and protect the service — enforce our Terms of Service, detect abuse and fraud (including rate-limit decisions on sign-in and magic-link endpoints), and meet legal obligations like tax reporting or responding to lawful requests.

We do not use the third-party business contact information described in section 2 to market Tibly to those individuals.

5. Who we share information with

We do not sell personal information for money. We do share information with the service providers that make Tibly work, and we describe each of them below. Each provider is bound by their published terms of service; we have written agreements with the providers that handle the most sensitive data.

| Provider | Purpose | Data shared |
| --- | --- | --- |
| Stripe | Subscription billing and payment processing | Email, name, billing address, plan tier, payment method (handled by Stripe, never sent to us) |
| Resend | Transactional email (magic-link sign-in, password reset, Signals digests, trial notifications) | Email address, name, message body |
| Mixpanel | Product analytics and session replay for authenticated users only (signed-in dashboard sessions). Marketing-site visitors are not loaded into Mixpanel at all. Session replay is captured for a 10% sample of authenticated sessions. | User id and account email after sign-in, event metadata, session-replay capture for the sampled 10% |
| Google Analytics | Aggregate site traffic reporting on the marketing site, when configured | IP address, device/browser, page-view metadata |
| Apollo and Lusha | Business contact enrichment when you click Reveal on a project or contractor | Company name and domain on the project; we receive contact records in return |
| BuiltWith | Optional tech-stack research on a contractor's website during AI research workflows | The contractor's domain |
| Google Gemini, xAI (Grok), Perplexity, Tavily | LLM completions and web-grounded search for AI research, agent chat, drafting, and Matrix columns | The prompt text you submit (which may include workspace notes), the company/project context you've added |
| Google (Maps Static API, Street View) | Project thumbnails inside the dashboard and Signals digest emails | Latitude/longitude of the project |
| Cloudflare (Turnstile) | Anti-abuse on the signup and hero email-capture forms | IP address, browser fingerprint via the Turnstile widget |
| Pipedrive | Two-way CRM sync, only when you connect Pipedrive to your workspace | OAuth tokens scoped to the permissions you grant, plus the project/contact records you choose to push |
| Google OAuth, Slack OAuth | Sign-in with Google and Slack notifications, only when you connect those integrations | OAuth tokens scoped to the permissions you grant; we ask Google for openid, email, and profile only |
| Railway | Application hosting, managed Postgres, and S3-compatible object storage for encrypted database backups | All data needed to operate the service; backups are encrypted at the storage layer |

We may also share information when required by law (subpoena, warrant, or other lawful process), to protect rights or safety, or in connection with a corporate transaction such as a merger or acquisition (in which case the acquirer steps into our shoes under this policy). We do not share the user data described in section 2 with third parties for their own marketing.

"Sale" and "sharing" under California law

California's CCPA/CPRA defines "sale" and "sharing" more broadly than the everyday meaning. Under that definition, our use of Mixpanel and Google Analytics may be considered "sharing" for cross-context behavioural advertising even though no money changes hands, and a court could read our subscription product — which exposes third-party business contacts to paying customers — as a "sale" of the underlying contact records. You can opt out via our public data-subject-rights form at /privacy/data-subject-rights (the same surface backs the "Do Not Sell or Share My Info" footer link); we will turn off Mixpanel/Google-Analytics sharing for your visit and (for contact subjects) suppress your record from future Reveal results.

Data-broker classification under Cal. Civil Code § 1798.99.80

Because we cache business-contact PII about individuals who have not signed up for Tibly — sourced from public construction records plus licensed enrichment providers (Apollo, Lusha) — we meet California's statutory definition of a "data broker" under the California Data Broker Registration Act (Cal. Civil Code §§ 1798.99.80–1798.99.89, expanded by the DELETE Act / SB 362). We are in the process of registering with the California Attorney General's broker registry and will mirror the registration in Vermont, Texas, and Oregon. The DELETE Act's central-bulk-delete API requirement (effective August 2026) is on our roadmap; until it ships, the per-request flow at /privacy/data-subject-rights is the supported way to exercise your rights.

6. Cookies and similar technologies

We use a small set of cookies, local-storage entries, and similar technologies to operate the product. The complete list, including each one's purpose and lifespan, lives on our cookie notice at /cookies. The short version: a session cookie keeps you logged in, an attribution cookie remembers how a paid campaign brought you to the marketing site, and Mixpanel and Google Analytics set local-storage and cookie identifiers used to keep their session and visitor ids consistent across visits.

7. How long we keep information

We keep information for as long as your account is active or as needed to provide the product. Specifically:

  • Account records — kept for the life of your account, plus a short tail (typically 30 days) after deletion so we can recover from accidental cancellations and meet our financial-records obligations.
  • Billing records — retained for the period required by tax law in the jurisdictions we operate in (in the United States, typically seven years).
  • Third-party contact records returned through Reveal — cached so we don't pay our enrichment providers twice for the same person; refreshed against the underlying provider on a rolling basis. We do not have a fixed deletion window for these records; we will remove a record on request from the named individual (see section 8).
  • Email logs — retention is governed by Resend's policy as our email-delivery provider (see section 5).
  • Backups — encrypted database backups are retained on a rolling window managed by our hosting provider and our construction-graph backup job. A deletion may persist in those backups until they age out in the ordinary rotation; we will not restore a deleted record from backup except to recover from an outage.

8. Your rights and how to exercise them

Depending on where you live, you may have some or all of the rights described below. The rights apply to users and to third-party subjects equally; the only difference is the path to exercise them.

Right to know / access
Ask us what personal information we hold about you, where we got it, who we shared it with, and the business purpose for processing it.

Right to correct
Ask us to correct personal information that is inaccurate. Users can change most of their account details directly in product Settings.

Right to delete
Ask us to delete personal information about you. We will honour requests within the timeframe required by your jurisdiction (45 days under CCPA, one month under the GDPR). Some narrow exceptions apply where retention is legally required (tax records, fraud prevention).

Right to opt out of sale or sharing
Tell us not to share your personal information for cross-context behavioural advertising or to surface your contact record to paying customers. Use the footer link or email us.

Right to limit use of sensitive personal information
We do not knowingly process sensitive personal information; this right is here for completeness.

Right to non-discrimination
We will not deny you service, charge you a different price, or provide a different level of service because you exercised any right under this policy.

Right to lodge a complaint
If you believe we have mishandled your information, you can complain to the regulator in your jurisdiction. In California that's the California Privacy Protection Agency; in the EU/UK it's your local data-protection authority. You can also email us first at privacy@tibly.ai — we usually respond within two business days.

To exercise any of these rights, use the public form at /privacy/data-subject-rights. The form sends a verification link to the email you provided, and clicking that link runs the requested action against our caches (delete, opt-out) or queues it for human compilation (access, correction). For non-email-based requests — phone-only, LinkedIn-only, or authorised-agent submissions — email privacy@tibly.ai and a human will follow up. We respond within the deadline set by your jurisdiction (45 days under CCPA / CPRA / VA-CDPA / CO-CPA / CT-CDPA, one month under GDPR), with the one-time extension allowed by each statute available for complex requests.

Authorised agents are accepted. Email privacy@tibly.ai with the written authorisation signed by the data subject (or a power of attorney) and proof of the agent's own identity. We will not act on agent submissions through the self-service form because the verification step there is bound to the data subject's own inbox.

9. International transfers

Tibly is based in the United States and our hosting provider, Railway, operates primarily in US data centres. If you access the product from outside the United States, your information will be transferred to and processed in the United States. The laws of the United States may differ from the laws of your home country. For transfers from the European Economic Area, United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (or the UK Addendum) as the lawful transfer mechanism. Tibly is not currently targeting EU or UK customers and does not knowingly process personal data of individuals located in the EU or UK in the ordinary course; if you reach the product from those regions and want us to take additional precautions, contact privacy@tibly.ai.

10. Security

We protect information using a combination of technical and organisational measures, including TLS in transit, encryption at rest at the database and backup storage layer, bcrypt password hashing, scoped least-privilege access, structured application logging, and rate limits on the authentication endpoints. The full list is on our security page at /security. No system is perfectly secure, and we do not promise that ours is. If you discover a vulnerability, please email privacy@tibly.ai — we read every report.

11. Children's privacy

Tibly is a business product. It is not directed to children under 13, we do not knowingly collect personal information from children under 13, and we will delete any such information if it is brought to our attention. Parents and guardians can reach us at privacy@tibly.ai.

12. Changes to this policy

We may update this policy from time to time. Material changes will be announced at least 30 days before they take effect, by posting an updated version on this page with a new effective date and, for users with active accounts, by email. Continuing to use the product after the change takes effect means you accept the updated policy. Historical versions are available on request.

13. How to contact us

Privacy questions, requests, and complaints can be sent to the privacy team:

  • Self-service privacy form — /privacy/data-subject-rights (for delete, opt-out, access, and correction requests with email-based identity verification)
  • Email — privacy@tibly.ai
  • Postal — Tibly, 2810 N Church St · STE 88949 · Wilmington, DE 19802 · USA

For requests that require us to verify your identity, please send the request from the email address we have on file (or, for third-party subjects, the address you want us to look up). We will respond within the time limit set by your jurisdiction.