cleanScheduler is built for cleaning businesses that trust us with schedules, customer records, invoices, and payment activity. This page summarizes our security practices. For legal terms, see our Privacy Policy and Terms of Service.
Infrastructure
- Encrypted in transit: All web traffic uses HTTPS (TLS).
- Hosted infrastructure: Application hosting on Vercel; database and authentication on Supabase (Postgres).
- Environment separation: Production, development, and local environments use separate configuration and credentials.
- Payments: Card and bank payment data for your customers is handled by Stripe Connect. cleanScheduler does not store full card numbers.
Access controls
- Workspace isolation: Each cleaning business operates in its own tenant workspace with row-level security in Postgres.
- Role-based access: Owner, admin, employee, and viewer roles control what team members can see and change inside a workspace.
- Customer portal scope: End customers only see data their service provider exposes through the branded portal.
- Platform staff: Founder support access to a workspace ("masquerade") requires an active masquerade session record and is limited to authorized platform administrators; every masquerade session is logged (see Audit logging below).
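The workspace isolation and role checks described above map naturally onto Postgres row-level security. The following is an added example written for this page; it is not cleanScheduler's own schema or policies, and the table names (`tenants`, `memberships`, `customers`), column names and the `has_tenant_role` helper are assumptions chosen for illustration. `auth.uid()` is Supabase's helper that returns the calling user's id from the request JWT.

```sql
-- Added example: tenant isolation plus role-based access with Postgres RLS.
-- Schema is illustrative; cleanScheduler's real tables are not published here.
-- auth.uid() is Supabase's helper (reads the user id from the request JWT).

create table tenants (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table memberships (
  tenant_id uuid not null references tenants(id) on delete cascade,
  user_id   uuid not null,   -- Supabase auth.users.id
  role      text not null check (role in ('owner', 'admin', 'employee', 'viewer')),
  primary key (tenant_id, user_id)
);

create table customers (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null references tenants(id) on delete cascade,
  name      text not null,
  email     text
);

-- Enable RLS and apply it to the table owner as well; only roles with
-- BYPASSRLS (Supabase's service_role) are exempt from the policies below.
alter table memberships enable row level security;
alter table memberships force row level security;
alter table customers   enable row level security;
alter table customers   force row level security;

-- A member may read only their own membership rows.
create policy memberships_self on memberships for select
  to authenticated using (user_id = auth.uid());

-- SECURITY DEFINER so the check can read memberships regardless of the
-- caller's own RLS view; search_path is pinned to prevent function hijacking.
create or replace function has_tenant_role(t uuid, allowed text[])
returns boolean
language sql stable security definer
set search_path = public
as $$
  select exists (
    select 1 from memberships m
    where m.tenant_id = t
      and m.user_id   = auth.uid()
      and m.role      = any(allowed)
  );
$$;

-- Read: any role in the workspace. Rows belonging to other tenants are
-- simply invisible; there is no per-query WHERE clause to forget.
create policy customers_select on customers for select to authenticated
  using (has_tenant_role(tenant_id, array['owner', 'admin', 'employee', 'viewer']));

-- Write: owners and admins only. WITH CHECK also rejects inserting a row
-- into, or moving a row to, a tenant the caller does not administer.
create policy customers_insert on customers for insert to authenticated
  with check (has_tenant_role(tenant_id, array['owner', 'admin']));

create policy customers_update on customers for update to authenticated
  using      (has_tenant_role(tenant_id, array['owner', 'admin']))
  with check (has_tenant_role(tenant_id, array['owner', 'admin']));

create policy customers_delete on customers for delete to authenticated
  using (has_tenant_role(tenant_id, array['owner', 'admin']));
```

Two caveats a practitioner would check. First, any server-side code that uses the Supabase service_role key (scheduled maintenance routes, support masquerade) bypasses every policy above, so those code paths must scope their own queries by `tenant_id`. Second, policies are only as good as their tests: in a psql session you can impersonate a user with `set local role authenticated;` followed by `set local request.jwt.claims = '{"sub":"<user uuid>"}';` and confirm that a `select * from customers` returns only that user's workspaces.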
Operational security
- Authentication: Email/password and optional Google OAuth via Supabase Auth.
- Rate limiting: Sensitive endpoints such as trial signup and report exports are rate-limited to reduce abuse.
- Audit logging: Platform administrative actions and masquerade sessions are logged.
- Backups: Database backups are managed by our infrastructure providers with retention periods described below.
Subprocessors
We use vetted third-party services to operate cleanScheduler. Each provider receives only the data needed for its function:
| Provider | Role | Data involved | Their policy |
|---|---|---|---|
| Supabase | Database, authentication (email/password and OAuth), file storage (logos, avatars, report exports), and scheduled database jobs. | Account credentials and profile data; workspace and business records; customer, schedule, quote, invoice, and billing data; uploaded files; session tokens. | Supabase privacy policy |
| Stripe | Platform subscriptions (Starter, Business, Pro), Stripe Connect Express onboarding and payouts for tenants, customer invoice and subscription checkout, refunds, disputes, and payout reconciliation. | Names, emails, business identifiers; payment method and transaction metadata; subscription and invoice amounts; Connect account status; webhook event payloads. | Stripe privacy policy |
| Resend | Transactional email (quotes, invoices, trial reminders, employee invites, dispute alerts) and tenant email campaigns with delivery analytics webhooks. | Recipient email addresses and display names; message subject and body; tenant branding; campaign tags; open/click/bounce events. | Resend privacy policy |
| Google | Optional “Sign in with Google” through Supabase Auth (OAuth). Google does not receive your cleanScheduler workspace data directly. | OAuth profile information (such as name and email) handled by Supabase Auth during sign-in. | Google privacy policy |
| Vercel | Application hosting, preview deployments, and scheduled cron jobs that invoke internal maintenance routes. | HTTP request metadata (IP address, user agent, URLs); application logs; environment configuration secrets (not exposed to end users). | Vercel privacy policy |
| Twilio | Pro plan transactional SMS (quote notifications, visit reminders, and team alerts) when the SMS feature is enabled for a workspace; see the retention table below for current rollout status. | Phone numbers and message content for outbound SMS. | Twilio privacy policy |
We may enable additional providers as features ship. The following are configured in our environment but not yet called from production application code; we will update this page before they process your data:
| Provider | Intended role | Data involved | Their policy |
|---|---|---|---|
| Sentry | Error and performance monitoring when enabled. | Error stack traces, request context, and performance spans (configured to minimize personal data). | Sentry privacy policy |
| Plaid | Bank account linking and transaction import for reconciliation features. | Bank connection tokens, account and transaction metadata (when a tenant or user connects a bank). | Plaid privacy policy |
Tenant payment processing. When a cleaning business connects Stripe Connect, card and bank payments for that business's customers are processed by Stripe under that business's Stripe account. cleanScheduler receives payment status, amounts, and dispute notifications to operate invoicing and reporting; Stripe's handling of cardholder data is governed by Stripe's policies and the tenant's agreement with Stripe.
Authentication email. Depending on workspace settings, account confirmation or password-reset messages may be sent by Supabase Auth rather than Resend. Those messages are limited to account verification flows.
Data retention summary
We retain workspace data while your subscription is active. When a workspace closes, data is deleted or archived according to our retention schedule. Billing records may be retained longer where required for tax and legal compliance.
| Category | Examples | Retention period | Disposition | Notes |
|---|---|---|---|---|
| Workspace and tenant configuration | Company profile, slug, branding, operational settings, compensation rules, service plans | While the workspace is active; 30 days after free trial ends if never subscribed; up to 90 days after voluntary owner closure on activated workspaces | Secure deletion | Never-activated trial workspaces are hard-deleted automatically 30 days after trial_ends_at (see lib/billing/tenantPurge.ts). Voluntary owner deletion allows time to export data and complete billing wind-down. Hard delete cascades to tenant-scoped tables where database constraints are configured with ON DELETE CASCADE. |
| Tenant user accounts (staff and owners) | Profiles, memberships, roles, employee avatars | While the user remains a member of a workspace; auth records until account deletion is confirmed | Secure deletion | Removing a user from a workspace does not always delete the underlying Supabase Auth user if they belong to other workspaces. Full auth deletion requires an explicit account deletion request. |
| Customer and operations records | Customers, properties, schedules, visits, quotes, line items, invoices, payments, support threads | While the tenant workspace is active | Secure deletion | Deleted when the tenant workspace is deleted, subject to legal hold or billing record exceptions below. |
| Platform billing and Stripe mirrors | tenant_billing_accounts, subscription status, Connect account metadata, mirrored charges, refunds, disputes, payouts | 7 years after the transaction or tax-relevant period ends | Archived (restricted access) | Supports tax, accounting, and chargeback obligations. Stripe also retains payment data under its own policies. |
| Generated reports (cache) | report_runs rows and PDF objects in report_exports storage | 1 hour from generation (cache TTL) | Secure deletion | Rows expire automatically via expires_at; the PDF objects in storage may persist until they are overwritten or removed by a manual cleanup. |
| Webhook idempotency logs | stripe_webhook_events, resend_webhook_events | Up to 90 days after successful processing | Secure deletion | Used only to prevent duplicate processing. Failed events may be deleted sooner on retry; operational purge may run periodically. |
| Email campaigns and suppressions | Campaigns, recipients, delivery metrics, tenant_email_suppressions, Resend message metadata we store | While the workspace is active; suppressions until removed by a tenant admin | Secure deletion | Resend retains message logs under its policy independently. Bounced addresses may remain suppressed to honor opt-out. |
| Transactional email content | Quote, invoice, trial-ending, dispute, and invite emails sent via Resend | Not stored in full in our database after send | Provider retention | We retain recipient metadata and status in app tables where applicable; message bodies live with Resend for a limited provider retention window. |
| Portal and employee invites | customer_portal_invites, employee_invites | Until accepted, revoked, or 30 days after expires_at (whichever is first) | Secure deletion | — |
| Marketing and sales inquiries | marketing_inquiries from the public contact form | 3 years from submission | Secure deletion | — |
| Founder admin audit and masquerade | audit_log_entries, masquerade_sessions | 3 years from event timestamp | Archived (restricted access) | Supports security investigations and access reviews. |
| Application and hosting logs | Vercel request logs, runtime errors, cron execution output | 30–90 days (per hosting provider configuration) | Provider retention | — |
| Database backups | Supabase point-in-time recovery and daily backups | Per Supabase project backup policy (typically up to 7–30 days rolling) | Provider retention | Backups may contain deleted data until backup rotation completes; we do not restore deleted tenant data except for disaster recovery. |
| Planned: bank reconciliation (Plaid) | bank_links, imported transactions (when feature is enabled) | While connection is active, plus 90 days after disconnect | Secure deletion | Not yet active in production application code; schedule applies when enabled. |
| Planned: SMS (Twilio) | Outbound SMS logs and delivery metadata (when feature is enabled) | While workspace is active; message bodies per Twilio retention (typically up to 400 days) | Provider retention | Not yet active in production application code. |
Full policy: Data Retention & Disposal.
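The "Webhook idempotency logs" row above says those tables exist only to prevent duplicate processing and are purged after 90 days. The following added example shows one way such a table is used and purged; it is written for this page and is not cleanScheduler's code. The table name `stripe_webhook_events` appears on this page, but its columns, the sample event id and payload (constructed), and the purge interval as a SQL statement are assumptions.

```sql
-- Added example: webhook idempotency plus retention purge in Postgres.
-- Column names are assumed; the event below is constructed sample data.

create table stripe_webhook_events (
  event_id     text primary key,               -- Stripe's evt_... identifier
  event_type   text not null,
  received_at  timestamptz not null default now(),
  processed_at timestamptz,                     -- null until the handler succeeds
  payload      jsonb not null
);

-- 1. Claim the event in the SAME transaction as the handler's side effects.
--    A redelivery of an already-claimed id inserts nothing and returns no row,
--    so the caller knows to acknowledge it and skip the business logic.
begin;

insert into stripe_webhook_events (event_id, event_type, payload)
values (
  'evt_constructed_0001',
  'invoice.paid',
  '{"id": "evt_constructed_0001", "type": "invoice.paid"}'::jsonb
)
on conflict (event_id) do nothing
returning event_id;
-- returns one row on first delivery, zero rows on a duplicate

-- 2. ... handler work goes here (mark invoice paid, mirror the charge, ...)

-- 3. Record success. If the handler raised instead, the rollback also removes
--    the claim row, so Stripe's automatic retry is processed rather than
--    being mistaken for a duplicate.
update stripe_webhook_events
   set processed_at = now()
 where event_id = 'evt_constructed_0001';

commit;

-- Retention purge (scheduled job): keep successfully processed rows for
-- 90 days, matching the retention table; unprocessed rows are left for retry.
delete from stripe_webhook_events
 where processed_at is not null
   and processed_at < now() - interval '90 days';
```

Two things to note. A duplicate delivery that arrives while the first copy is still in flight blocks on the primary-key insert until the first transaction commits or rolls back, then resolves to "no row" or "claimed" accordingly, so no handler runs twice. And the idempotency check is not a substitute for verifying the webhook's Stripe signature before the event id is trusted at all; that verification belongs in the HTTP handler, ahead of this insert.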
Your responsibilities as a tenant
- Use strong passwords and limit admin access to trusted staff.
- Obtain appropriate consent before emailing customers through campaigns, and comply with applicable anti-spam law (for example, CAN-SPAM).
- Configure Stripe Connect and bank connections only on accounts you control.
- Report suspected unauthorized access to legal@712int.com promptly.
Contact
Security or privacy questions: legal@712int.com or our contact form.