Privacy Policy

Effective date: June 10, 2026

This Privacy Policy explains how However We Got Here, LLC ("HWGH," "we," "us") collects, uses, and shares information when you use StashGrade — our website, web application, and related services (the "Service"). StashGrade is a business tool for contractors; it is designed to process your company's business data, not consumer data.

If you have questions, email [email protected].

1. Information We Collect

Account information. Name, email address, password (stored as a hash), company name, and role, collected when you sign up.

Company profile. Information you provide about your business, such as trade/industry, fiscal year, revenue context, and profit goals.

Financial and operational data from Connected Services. When you connect a third-party account such as QuickBooks Online or Jobber, we retrieve data you authorize through that connection — for example invoices, expenses, profit and loss reports, accounts, customers, vendors, jobs, and quotes. We receive this data through the provider's official API after you complete their authorization (OAuth) flow. We store the access tokens needed to maintain the connection.

Payment information. Payments are processed by Stripe. We receive subscription status and limited billing metadata (such as the last four digits of your card). We do not store full card numbers.

Usage and device data. Log data such as IP address, browser type, pages viewed, and actions taken in the Service, used for security, debugging, and product improvement.

2. How We Use Information

We use the information above to operate the Service: to analyze your business data and generate insights, scores, and reports; to maintain your Connected Service integrations; to process payments and manage subscriptions; to send transactional emails (such as alerts, digests, and account notices); to provide support; to monitor for fraud, abuse, and security issues; and to improve the Service.

AI processing. To generate insights, we send relevant portions of your financial data to our AI provider, Anthropic, through its API. This processing happens on our behalf to provide the Service to you. Under our arrangement with Anthropic, API inputs and outputs are not used to train their models. We send only the data needed for the specific analysis.

Aggregated benchmarks. We may aggregate and de-identify data across many companies to produce industry benchmarks (for example, typical material-cost percentages for fencing contractors). Aggregated data does not identify you or your company.

We do not sell your personal information, and we do not use your financial data for advertising.

3. How We Share Information

Service providers. We share information with vendors that process it on our behalf to run the Service: Supabase (database and authentication), Vercel (hosting), Stripe (payments), Anthropic (AI processing), Intuit (QuickBooks Online connection), Jobber and other integration providers you connect, and Resend (transactional email). Each is bound by its own contractual and legal obligations regarding data handling.

Partners — only with your consent. The Service may recommend third-party products or service providers. We do not share your financial data with any partner unless you explicitly consent to that specific sharing.

Legal. We may disclose information if required by law, subpoena, or legal process, or to protect the rights, safety, or property of HWGH, our users, or others.

Business transfers. If HWGH is involved in a merger, acquisition, or sale of assets, information may transfer as part of that transaction. We will notify you of any change in ownership or use of your information.

4. Connected Services and Revoking Access

You control your Connected Service integrations. You can disconnect any integration in the Service settings, or revoke access from the third party's side (for example, in your Intuit account settings). When you disconnect, we stop retrieving new data and delete the stored access tokens. Data already retrieved remains in your account until you delete it or your account, as described below.

5. Security

We take security seriously because the Service holds financial data. Measures include encryption of data in transit and at rest, tenant isolation enforced at the database level (row-level security) so one company cannot access another's data, restricted server-side handling of credentials and tokens, and least-privilege access controls. No system is perfectly secure; if we learn of a breach affecting your data, we will notify you as required by law.

6. Data Retention and Deletion

We keep your information while your account is active. If you delete your account, or ask us to at [email protected], we will delete your account information and Customer Data within 30 days, except where we must retain records for legal, tax, or accounting compliance, and except for residual copies in encrypted backups, which expire on a rolling basis. Aggregated, de-identified data may be retained.

7. Your Choices and Rights

You can access and update your account and company profile in the Service settings, disconnect integrations at any time, export your data by contacting us, opt out of non-essential emails using the unsubscribe link, and delete your account.

To exercise any right, email [email protected]. We will respond within the time required by applicable law and may need to verify your identity first. We will not discriminate against you for exercising privacy rights.

8. State Privacy Rights (California and Others)

If you are a resident of California or another state with a comprehensive privacy law (such as Colorado, Virginia, Connecticut, or Texas), you may have the right to know what personal information we collect, use, and disclose; access a copy of it; correct inaccurate information; delete personal information; and opt out of the sale or sharing of personal information and of targeted advertising.

For clarity: we do not sell personal information, we do not share personal information for cross-context behavioral advertising, and we do not use sensitive personal information for purposes requiring an opt-out under the CCPA/CPRA.

The categories of personal information we collect are described in Section 1: identifiers (name, email, IP address), commercial information (subscription and billing metadata), professional information (company, role), financial data you connect, and internet activity (usage logs). We collect it from you and from the Connected Services you authorize, for the business purposes in Section 2, and disclose it to the service providers in Section 3.

California residents may also designate an authorized agent to make requests on their behalf. Contact [email protected] to exercise any of these rights or to appeal a decision we make about your request.

9. Children

The Service is for business use by adults. It is not directed to anyone under 18, and we do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.

10. Data Location

The Service is operated from the United States, and information is stored and processed in the United States. If you use the Service from outside the U.S., you understand your information will be transferred to and processed in the U.S.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make a material change, we will notify you by email or in the Service before the change takes effect. The effective date at the top shows when it was last revised.

12. Contact

However We Got Here, LLC
Email: [email protected]