1. Introduction and Scope
This Privacy Policy explains how Maddox Ventures LLC, a Texas limited liability company doing business as “doBid” (“doBid,” “we,” “us,” “our”) collects, uses, shares, and protects your personal information through the doBid platform. It complies with the Texas Data Privacy and Security Act (TDPSA, Tex. Bus. & Com. Code Ch. 541), the Texas Identity Theft Enforcement and Protection Act (Ch. 521), and — where applicable — the California Consumer Privacy Act (CCPA/CPRA) and the EU/UK GDPR. By using doBid, you acknowledge you have read this Policy.
2. Information We Collect
2.1 You Provide Directly
Account: name, email, phone, home/service address, password (hashed), optional profile photo, user role.
Service Providers: business name/structure, service categories, experience, service area, bio, license/permit information you supply, Certificate of Insurance, and a Tax Identification Number (SSN or EIN) collected through Stripe for 1099-NEC reporting.
Clients: payment method (handled by Stripe — we do not see full card numbers), job descriptions, before/after photos.
Communications: in-app messages, support tickets, reviews and ratings, dispute documentation.
Consent records: timestamps of Terms/Policy acceptance and notification preferences.
2.2 Payment Information
We do not collect, store, or access full card numbers, CVV, or bank account numbers. Stripe processes all payment data. We receive only transaction amounts/dates, payout status, Stripe identifiers, and verification flags. Pro identity/banking data is provided directly to Stripe and controlled by Stripe.
2.3 Collected Automatically
Usage: pages/features used, searches, job-browsing and bid history, timestamps.
Device/log: device type, OS/browser, approximate location (city/region from IP — not continuous GPS), IP address, referrer, error logs, and session tokens (managed by Supabase Auth).
2.4 From Third Parties
Google OAuth (if used to sign in): name and email only.
Stripe: identity-verification status and payout capability flags.
3. How We Use Your Information
| Purpose | Legal Basis (GDPR) |
|---|---|
| Operate the marketplace; match Clients and Pros | Contract |
| Process payments and payouts (via Stripe) | Contract; legal obligation |
| Send transactional notifications | Contract |
| Resolve disputes and investigate misconduct | Contract; legal obligation |
| Automated content moderation (see 3.1) | Legitimate interest (platform safety) |
| Platform safety, security, and fraud prevention | Legitimate interest |
| Legal/tax compliance (e.g., 1099-NEC) | Legal obligation |
| Product analytics and improvement (aggregated where possible) | Legitimate interest |
| Marketing (only if you opt in) | Consent |
3.1 Automated Content Moderation (Anthropic / Claude API)
We send certain user-submitted text (job descriptions, bid text, and messages) to Anthropic's Claude API to automatically screen for prohibited or harmful content. The content is processed to return a moderation result. By default, Anthropic does not use inputs or outputs from its commercial products (including the Anthropic API) to train its models, and it applies a limited retention period to API data, subject to trust-and-safety exceptions. Anthropic acts as our service provider/processor under its Commercial Terms and data processing addendum. If moderation is unavailable, the request is rejected (fail-closed).
4. How We Share Your Information
We do not sell, rent, or trade your personal data, and we do not use it for cross-context behavioral (third-party) advertising.
4.1 Between Users
Clients see about Pros: business name, ratings/reviews, service area/categories, experience, and whether the Pro has a Certificate of Insurance on file — which doBid collects but does not independently verify — not the Pro's email or full personal contact details.
Pros see about a Client (after the Client accepts the Pro's bid): first name + last initial, the service address (needed to perform the job), job description/photos, and in-app messages — not the Client's payment method or full phone number.
4.2 Service Providers (Data Processors)
We share data only with vendors that process it on our behalf under signed Data Processing Agreements (DPAs):
| Vendor | Data | Purpose | DPA |
|---|---|---|---|
| Stripe | Payment method, transaction history, Pro identity/banking | Payments, payouts, identity verification | ✅ |
| Supabase | Account, messages, job records (database host/auth) | Data storage & authentication | ✅ |
| Vercel | Application traffic and logs | Hosting & deployment | ✅ |
| Resend | Email address, notification content | Transactional email | Confirm signed |
| Anthropic (Claude API) | Message/bid text | Automated content moderation (not training) | ✅ |
| Google Analytics 4 | Pseudonymous device/usage data | Platform analytics | ✅ |
| Google OAuth | Name, email (sign-in) | Authentication | ✅ |
4.3 Legal Requests
We may disclose information when required by valid legal process or to protect rights, safety, or property, and where we have a mandatory reporting obligation — including the duty to report suspected child abuse or neglect under Tex. Fam. Code § 261.101, and the obligation of a U.S. online service provider to report apparent child sexual abuse material to NCMEC via its CyberTipline under 18 U.S.C. § 2258A. We will notify you where legally permitted and will not comply with unlawful requests.
4.4 Business Transfers
If doBid is acquired, merged, or reorganized, your information may transfer as part of that transaction; we will notify you.
5. Your Privacy Rights
5.1 Texas (TDPSA)
Texas residents may request access, correction, deletion, portability, and opt-out of sale/targeted advertising (note: we do neither). To exercise rights, email dpo@dobid.app with the relevant subject line and the email associated with your account. We verify identity before responding and respond within 45 days (extendable once by 45 days with notice). If we deny a request, you may appeal (email dpo@dobid.app), and if the appeal is denied you may complain to the Texas Attorney General (texasattorneygeneral.gov; 512-463-2100).
5.2 California (CCPA/CPRA)
California residents have rights to know, delete, correct, opt out of “sale”/sharing (we do neither), and limit use of sensitive personal information. Note: we collect a TIN (SSN/EIN) for Pros, which is sensitive personal information used solely for tax compliance and identity verification. Submit requests to dpo@dobid.app (“CCPA Request”).
5.3 EU/UK (GDPR)
If you are in the EU/UK, you have access, rectification, erasure, restriction, portability, and objection rights, and the right to lodge a complaint with your supervisory authority. Our EU representative/DPO contact is dpo@dobid.app. International transfers to the US rely on Standard Contractual Clauses incorporated in our vendor DPAs.
5.4 Non-Discrimination
We will not discriminate against you for exercising these rights.
6. Data Retention
| Data | Retention | Reason |
|---|---|---|
| Active account data | While active; personal identifiers removed within 90 days of a verified deletion request | Operations; TDPSA |
| Payment/transaction records & 1099 data | 7 years | IRS recordkeeping (26 U.S.C. § 6001) |
| Job records & photos | 3 years | Dispute resolution |
| Messages | 3 years | Support & evidence |
| Consent records | 5 years | Regulatory compliance |
| IP/login logs | ≤ 1 year | Security |
| De-identified/aggregated data | Indefinite | Analytics |
On deletion, profiles are removed, messages anonymized, ratings retained for marketplace integrity, and records required by law (tax, legal holds) retained. Accounts terminated for fraud may be retained longer to prevent re-registration.
7. Notifications and Marketing
We send transactional notifications (job updates, payment, disputes, security) by email as part of providing the service. Marketing emails are opt-in and you can unsubscribe anytime (footer link or Account Settings); we honor opt-outs within 10 business days.
8. Data Security
We use commercially reasonable safeguards: HTTPS/TLS 1.2+ in transit; AES-256 at rest (Supabase); hashed passwords; Row-Level Security policies; least-privilege admin access with MFA; weekly dependency scanning; and an incident response plan. No method is 100% secure.
Data Breach Notification: If a breach affecting your personal data occurs, we will investigate promptly and notify affected users no later than 30 days (consistent with Tex. Bus. & Com. Code § 521.053). For users covered by the GDPR, we will notify the relevant supervisory authority within 72 hours where required. For breaches involving payment data or SSN/TIN, we offer 12 months of free credit monitoring.
9. Cookies and Tracking
| Category | Examples | Purpose | Can decline? |
|---|---|---|---|
| Essential | Supabase session token, CSRF token | Log-in, security, core platform function | No — required to use the platform |
| Preference | Theme, language, notification settings | Remember your settings | Yes |
| Analytics | Google Analytics 4 (_ga, _ga_*) | Understand how users navigate the platform | Yes |
| Marketing | Ad-targeting pixels (future — not currently active) | Show doBid ads | Yes — opt-in only |
On your first visit, doBid shows a cookie banner with options: Accept all, Reject non-essential, or Customize. Your choice is saved until you change it. You can update preferences anytime in Account Settings → Privacy → Cookies.
Google Analytics 4
We use Google Analytics 4 (GA4) to understand how the platform is used in aggregate. We have enabled IP anonymization, disabled Google Signals and cross-site advertising personalization, set data retention to 14 months, and signed Google's Data Processing Terms. GA4 does not receive your name, email, payment information, or any other directly identifying data.
California users (CCPA): analytics data may constitute a “sale” or “share” under the CPRA if used for cross-context behavioral advertising. We do not use GA4 data for that purpose; if you nonetheless wish to opt out, use the cookie banner or the GA opt-out add-on.
EU/UK users (GDPR): analytics cookies require your consent (GDPR Art. 6(1)(a) and Art. 7). The cookie banner collects and records that consent with a timestamp. You may withdraw consent at any time.
Do Not Track: doBid does not currently respond to browser-level “Do Not Track” signals because there is no uniform standard for interpreting them.
Future Marketing Cookies: doBid does not currently use ad-targeting or remarketing pixels. If we add them in future, we will update this Policy and the cookie banner before activating them, and will require your separate opt-in consent.
10. Children
doBid is for users 18 and older. We do not knowingly collect data from anyone under 18 (and never from anyone under 13 under COPPA). If we learn a minor has registered, we will delete the account and associated data except records the law requires us to keep.
11. Changes to This Policy
We may update this Policy; material changes will be emailed and posted with at least 30 days' notice. Continued use after the effective date constitutes acceptance.
12. Contact
5900 Balcones Drive, Suite 100, Austin, Texas 78731
Email: dpo@dobid.app · Legal: legal@dobid.app · Phone: 713-493-4533
Texas Attorney General (complaints): texasattorneygeneral.gov· 512-463-2100
© 2026 Maddox Ventures LLC d/b/a doBid. All rights reserved.