Privacy Policy
Last Updated: February 21, 2026
Effective Date: February 21, 2026
1. Scope
This Privacy Policy describes how RBT LABS LLC ("we," "us," or "our") collects, uses, shares, and protects information through the Relentless Local platform available at local.relentless.build and tenant subdomains (*.local.relentless.build), including any custom domains connected to the platform (collectively, the "Service").
Our Service involves three categories of users:
- Subscribers are local service business owners (such as HVAC, plumbing, electrical, and similar trades) who subscribe to the platform to manage their business operations.
- Team Members are employees or contractors of a Subscriber business who are granted access by the Subscriber to use the platform for day-to-day operations.
- End Customers are the clients of a Subscriber business who interact with the Service through published websites, service request forms, customer portals, or invoice payment pages operated by the Subscriber.
RBT LABS LLC acts in a dual capacity with respect to personal information:
- Data Controller for information we collect directly from Subscribers and Team Members (account registration, billing, platform usage).
- Data Processor for End Customer information that Subscribers enter into or collect through the platform. In this capacity, we process End Customer data on behalf of and under the instructions of the Subscriber, who remains the controller of their customers' data.
2. Information We Collect
From Subscribers
- Name, email address, and contact information provided during account registration.
- Business information including company name, trade/industry, business address, phone number, license numbers, and insurance details.
- Billing and payment information processed through Stripe, including payment method details, subscription plan, and transaction history. We do not store full credit card numbers on our servers.
- Usage data including feature interactions, pages visited within the admin dashboard, and general platform analytics.
From Team Members
- Name, email address, and phone number provided by the Subscriber or during invite acceptance.
- Role and permission level assigned by the Subscriber (Owner, Admin, Manager, or Employee).
- Time clock data including clock-in and clock-out times, break durations, and shift records.
- Vehicle and asset checkout records when using the asset management features (destination, mileage, estimated return times).
End Customer Data Entered by Subscribers
- Customer records including name, email, phone number, and mailing address.
- Service addresses associated with the customer.
- Service history including job records, work orders, project details, and equipment information.
- Financial records including invoices, quotes, and payment status.
Directly from End Customers
- Service request submissions through the public service request form, including name, contact information, service address, description of the issue, and urgency level.
- Customer portal interactions including login credentials, invoice viewing activity, and any messages or communications submitted through the portal.
- Payment information when paying invoices through Stripe-powered payment links. Payment details are processed directly by Stripe and are not stored on our servers.
Automatically Collected Information
- IP address, browser type, browser version, and operating system.
- Device information including screen resolution and device type (desktop, mobile, tablet).
- Referring URL and pages visited within the Service.
- Session cookies necessary for authentication and security (see Section 8 for details).
3. How We Use Information
We use the information we collect to:
- Provide and maintain the Service, including tenant provisioning, user authentication, and access control.
- Process subscription payments through Stripe, including billing, invoicing, and managing subscription lifecycle.
- Communicate with Subscribers and Team Members through transactional emails sent via Resend, including account notifications, team invitations, password resets, and service updates.
- Improve the platform by analyzing usage patterns, identifying bugs, and developing new features.
- Monitor security, including detecting unauthorized access, preventing fraud, and enforcing our terms of service.
- Comply with legal obligations, including tax reporting, responding to lawful requests from government authorities, and enforcing our legal rights.
What we do NOT do with your information:
- We do not sell personal information to third parties. Ever. Under any circumstances.
- We do not display advertisements to End Customers or any other users of the platform.
- We do not build behavioral profiles for third-party targeting, remarketing, or any advertising purpose.
- We do not share data between tenants. Each Subscriber's data is completely isolated from every other Subscriber's data through database-level row-level security.
- We do not use End Customer data for any purpose other than providing the Service to the Subscriber who controls that data.
4. How We Share Information
We share personal information only in the following limited circumstances:
- With the Subscriber. End Customer data is accessible to the Subscriber (and their authorized Team Members) who created or collected that data. This is the primary purpose of the Service.
- With sub-processors. We use a limited number of third-party service providers to operate the platform. These sub-processors are listed in Section 5 below and are contractually required to protect your information.
- When required by law. We may disclose information in response to a valid subpoena, court order, or other legal process, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
- In connection with a business transfer. If RBT LABS LLC is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will provide at least 30 days' advance notice via email before any such transfer and will post updated terms on this page.
We do not sell personal information. We do not share personal information between Subscribers. Each Subscriber's data is isolated at the database level and is never accessible to any other Subscriber.
5. Sub-Processors
We use the following third-party service providers to operate the platform. Each sub-processor has been selected for its security practices, data handling standards, and compliance posture.
| Provider | Purpose | Data Processed | Location | Privacy Policy |
|---|---|---|---|---|
| Stripe | Payment processing | Billing and payment data | USA | stripe.com/privacy |
| Neon | Database hosting | All application data | USA | neon.tech/privacy |
| Railway | Application hosting | Application data in transit | USA | railway.com/legal/privacy |
| Vercel | Dashboard hosting | Application data in transit | USA | vercel.com/legal/privacy-policy |
| Cloudflare | Media storage and CDN | Uploaded images and files | USA | cloudflare.com/privacypolicy |
| Resend | Transactional email | Email addresses and message content | USA | resend.com/legal/privacy-policy |
We will provide at least 30 days' advance notice to Subscribers before adding any new sub-processor. Subscribers may object to a new sub-processor by contacting us at privacy@relentless.build.
6. Data Security
We take the security of your information seriously and implement multiple layers of protection:
- Encryption in transit. All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security). We enforce HTTPS on all connections.
- Encryption at rest. Our database provider (Neon) encrypts all stored data at rest using AES-256 encryption.
- Tenant isolation. Each Subscriber's data is isolated using PostgreSQL Row-Level Security (RLS) policies. This is a database-level enforcement mechanism that prevents any query from accessing data belonging to another tenant, regardless of application-level bugs or misconfiguration.
- Password security. All user passwords are hashed using bcrypt with appropriate work factors before storage. We never store plaintext passwords.
- Session-based authentication. We use cryptographically signed session tokens for authentication. Sessions expire after 7 days of inactivity.
- Role-based access controls. The platform enforces four distinct permission levels (Owner, Admin, Manager, Employee) with 59 granular permissions across 9 operational domains. Access is validated on every API request.
- CSRF protection. All mutating requests are validated against origin headers to prevent cross-site request forgery attacks.
- Security incident response. In the event of a confirmed data breach, we will notify affected Subscribers within 72 hours, provide a detailed description of the incident, and outline remediation steps taken. See Section 12 for additional detail.
7. Data Retention
We retain your information only as long as necessary to provide the Service and fulfill the purposes described in this policy:
- Active subscription. All Subscriber, Team Member, and End Customer data is retained for the duration of the Subscriber's active subscription.
- Post-cancellation grace period. After a Subscriber cancels their subscription, we retain their data for 6 months in a read-only state. During this period, the Subscriber can request a full data export. After 6 months, all Subscriber data, Team Member data, and End Customer data associated with that account is permanently deleted.
- Payment and billing records. Transaction records, invoices, and billing history are retained for 7 years after the transaction date to comply with tax and accounting obligations.
- Server logs. Application server logs (which may contain IP addresses and request metadata) are retained for 90 days and then automatically purged.
- Audit logs. Internal audit records of administrative actions (account changes, permission modifications, data access events) are retained for 2 years.
Subscribers may request early deletion of their data at any time by contacting us at privacy@relentless.build. Early deletion requests are processed within 30 days, subject to any legal retention requirements.
8. Cookies
We use only strictly necessary cookies to operate the Service. We do not use advertising cookies, tracking cookies, or third-party analytics cookies.
- Session cookie (better-auth.session_token). This cookie identifies your authenticated session. It is essential for logging in and maintaining your session as you navigate the platform. It is a host-only cookie (not shared across subdomains) and expires when your session ends or after 7 days of inactivity.
- CSRF protection. Origin-based validation is used to prevent cross-site request forgery. This does not require a separate cookie but operates alongside the session cookie.
- User preference cookies. We store a small number of functional preferences in browser local storage (such as theme preference). These are not cookies in the technical sense and are never transmitted to our servers.
Because we use only strictly necessary cookies, no cookie consent banner is required. There are no optional cookies to accept or reject.
9. Your Privacy Rights
Universal Rights
Regardless of where you are located, all users of the Service have the following rights:
- Right to access. You may request a copy of the personal information we hold about you.
- Right to correction. You may request that we correct any inaccurate or incomplete personal information.
- Right to deletion. You may request that we delete your personal information, subject to legal retention requirements.
- Right to data portability. You may request a machine-readable export of your personal information.
To exercise any of these rights, contact us at privacy@relentless.build. We will respond within 45 days.
California Residents (CCPA/CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to know. You may request that we disclose what personal information we have collected about you in the preceding 12 months, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we shared it.
- Right to delete. You may request deletion of your personal information, and we will direct our service providers to do the same.
- Right to opt-out of sale. We do not sell personal information. However, you have the right to direct us not to sell your personal information, and we honor this by default.
- Right to non-discrimination. We will not discriminate against you for exercising any of your privacy rights. You will not receive different pricing, service quality, or access levels based on your privacy choices.
- Authorized agents. You may designate an authorized agent to submit requests on your behalf. We will require verification of both the agent's authority and your identity before processing such requests.
- 12-month disclosure metrics. We will publish annual metrics regarding the number of requests received, the median response time, and the number of requests denied, as required by the CCPA.
Multi-State Privacy Rights
Residents of the following states have privacy rights substantially similar to those described above: Virginia (Virginia Consumer Data Protection Act), Colorado (Colorado Privacy Act), Connecticut (Connecticut Data Privacy Act), Texas (Texas Data Privacy and Security Act), and Oregon (Oregon Consumer Privacy Act).
For residents of these states:
- You have the right to access, correct, delete, and obtain a portable copy of your personal data.
- You have the right to opt out of the sale of personal data, targeted advertising, and profiling. We do not engage in any of these activities.
- We will respond to verified requests within 45 days. If we need additional time, we will notify you of the extension and the reason.
- If we deny your request, you have the right to appeal. Appeals must be submitted within 60 days of receiving the denial, and we will respond to your appeal within 60 days.
10. End Customer Rights
Because End Customer data is managed by Subscribers using our platform, the Subscriber is the primary point of contact for End Customer data requests.
- First, contact the Subscriber. If you are an End Customer and wish to access, correct, or delete your personal information, please contact the business (the Subscriber) that collected your information directly. They control the data and can process your request through the platform.
- If the Subscriber is unavailable or unresponsive. If you are unable to reach the Subscriber, or if they do not respond to your request within a reasonable time, you may contact RBT LABS LLC directly at privacy@relentless.build. We will make reasonable efforts to facilitate your request with the Subscriber.
- If the Subscriber's account is terminated. If the Subscriber's account has been cancelled or terminated, we will process your data request directly. During the 6-month post-cancellation retention period, we can provide data access or deletion. After permanent deletion, we will confirm that the data no longer exists.
We will respond to all End Customer requests within 45 days.
11. Children's Privacy
The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. Subscribers are business operators and are expected to be adults. Team Members must be of legal working age.
If we learn that we have collected personal information from a child under 13, we will promptly delete that information. If you believe that a child under 13 has provided personal information to us, please contact us at privacy@relentless.build and we will take immediate action to investigate and remove the data.
For children between 13 and 16, we comply with applicable state privacy laws that require affirmative authorization before processing their personal information.
12. Data Processing Agreement
The following terms constitute an embedded Data Processing Agreement ("DPA") between RBT LABS LLC (the "Processor") and each Subscriber (the "Controller") with respect to End Customer personal data processed through the Service.
Processor Obligations
- We process End Customer data solely on behalf of and under the documented instructions of the Subscriber. We will not process End Customer data for any purpose other than providing the Service.
- All personnel with access to End Customer data are bound by confidentiality obligations.
- We implement and maintain the technical and organizational security measures described in Section 6 of this policy.
Sub-Processor Notification
- Our current sub-processors are listed in Section 5.
- We will provide Subscribers with at least 30 days' advance written notice before engaging any new sub-processor.
- Subscribers may object to a new sub-processor by contacting us within the 30-day notice period. If we cannot reasonably accommodate the objection, the Subscriber may terminate their subscription.
Data Breach Notification
- In the event of a confirmed personal data breach affecting End Customer data, we will notify the affected Subscriber(s) within 72 hours of becoming aware of the breach.
- The notification will include: the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address the breach.
- We will cooperate with the Subscriber in fulfilling their own breach notification obligations to End Customers and regulatory authorities.
Data Deletion on Termination
- Upon termination of a Subscriber's subscription, we will retain the Subscriber's data (including End Customer data) for 6 months in a read-only state.
- During this period, the Subscriber may request a complete data export.
- After the 6-month retention period, all data associated with the Subscriber's account will be permanently and irreversibly deleted from our systems and backups.
- Subscribers may request early deletion at any time by contacting us at privacy@relentless.build.
Audit Rights
- Subscribers may request an audit of our data processing practices as they relate to the Subscriber's End Customer data.
- Audit requests must be made with at least 30 days' advance written notice to privacy@relentless.build.
- Audits will be conducted during regular business hours (Monday through Friday, 9:00 AM to 5:00 PM Eastern Time) and will be limited in scope to the Subscriber's own data.
- The Subscriber is responsible for all costs associated with the audit, including any third-party auditor fees and reasonable expenses incurred by RBT LABS LLC in facilitating the audit.
- Subscribers may conduct no more than one audit per 12-month period unless a data breach has occurred.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
- Material changes. For any material change to this policy (including changes to data collection practices, data sharing, sub-processors, or user rights), we will provide at least 30 days' advance notice via email to the primary email address on each Subscriber's account.
- Non-material changes. Minor clarifications or formatting changes may be made without advance notice, but will always be reflected in the "Last Updated" date at the top of this page.
- Annual review. We commit to reviewing this Privacy Policy at least once per year to ensure it remains accurate and complete.
- Previous versions. Previous versions of this Privacy Policy are available upon request by contacting us at privacy@relentless.build.
Your continued use of the Service after the effective date of any updated policy constitutes your acceptance of the changes.
14. Contact
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about our data practices, please contact us:
RBT LABS LLC
47 Hunts Brook Rd
Quaker Hill, CT 06375
United States
Email: privacy@relentless.build
We aim to respond to all privacy inquiries within 10 business days. For formal privacy rights requests (access, deletion, correction), we will respond within 45 days as required by applicable law.
This Privacy Policy is governed by and construed in accordance with the laws of the State of Connecticut, United States, without regard to its conflict of law principles.