1. Introduction and Scope
This Privacy Policy explains how Maddox Ventures LLC, a Texas limited liability company doing business as “doBid” (“doBid,” “we,” “us,” “our”) collects, uses, shares, and protects your personal information through the doBid platform. It complies with the Texas Data Privacy and Security Act (TDPSA, Tex. Bus. & Com. Code Ch. 541), the Texas Identity Theft Enforcement and Protection Act (Ch. 521), and — where applicable — the California Consumer Privacy Act (CCPA/CPRA) and the EU/UK GDPR. By using doBid, you acknowledge you have read this Policy.
2. Information We Collect
2.1 You Provide Directly
Account: name, email, phone, home/service address, password (hashed), optional profile photo, user role.
Service Providers: business name/structure, service categories, experience, service area, bio, license/permit information you supply, Certificate of Insurance, and a Tax Identification Number (SSN or EIN) collected through Stripe for 1099-NEC reporting.
Clients: payment method (handled by Stripe — we do not see full card numbers), job descriptions, before/after photos.
Communications: in-app messages, support tickets, reviews and ratings, dispute documentation.
Consent records: timestamps of Terms/Policy acceptance and notification preferences.
2.2 Payment Information
We do not collect, store, or access full card numbers, CVV, or bank account numbers. Stripe processes all payment data. We receive only transaction amounts/dates, payout status, Stripe identifiers, and verification flags. Pro identity/banking data is provided directly to Stripe and controlled by Stripe.
2.3 Collected Automatically
Usage: pages/features used, searches, job-browsing and bid history, timestamps.
Device/log: device type, OS/browser, approximate location (city/region from IP — not continuous GPS), IP address, referrer, error logs, and session tokens (managed by Supabase Auth).
2.4 From Third Parties
Google OAuth (if used to sign in): name and email only.
Stripe: identity-verification status and payout capability flags.
3. How We Use Your Information
| Purpose | Legal Basis (GDPR) |
|---|---|
| Operate the marketplace; match Clients and Pros | Contract |
| Process payments and payouts (via Stripe) | Contract; legal obligation |
| Send transactional notifications | Contract |
| Resolve disputes and investigate misconduct | Contract; legal obligation |
| Automated content moderation (see 3.1) | Legitimate interest (platform safety) |
| Platform safety, security, and fraud prevention | Legitimate interest |
| Legal/tax compliance (e.g., 1099-NEC) | Legal obligation |
| Product analytics and improvement (aggregated where possible) | Legitimate interest |
| Marketing & advertising (only if you opt in) | Consent |
3.1 Automated Content Moderation (Anthropic / Claude API)
We send certain user-submitted text (job descriptions, bid text, and messages) to Anthropic's Claude API to automatically screen for prohibited or harmful content. The content is processed to return a moderation result. By default, Anthropic does not use inputs or outputs from its commercial products (including the Anthropic API) to train its models, and it applies a limited retention period to API data, subject to trust-and-safety exceptions. Anthropic acts as our service provider/processor under its Commercial Terms and data processing addendum. If moderation is unavailable, the request is rejected (fail-closed).
4. How We Share Your Information
We do not sell, rent, or trade your personal data. We share data for cross-context behavioral advertising only through the Meta advertising pixel described in §9 (Facebook/Instagram), and only if you opt in to Marketing cookies — which are off by default and which you can withdraw at any time.
4.1 Between Users
Clients see about Pros: business name, ratings/reviews, service area/categories, experience, and whether the Pro has a Certificate of Insurance on file — which doBid collects but does not independently verify — not the Pro's email or full personal contact details.
Pros see about a Client (after the Client accepts the Pro's bid): first name + last initial, the service address (needed to perform the job), job description/photos, and in-app messages — not the Client's payment method or full phone number.
4.2 Service Providers (Data Processors)
We share data only with vendors that process it on our behalf under signed Data Processing Agreements (DPAs):
| Vendor | Data | Purpose | DPA |
|---|---|---|---|
| Stripe | Payment method, transaction history, Pro identity/banking | Payments, payouts, identity verification | |
| Supabase | Account, messages, job records (database host/auth) | Data storage & authentication | |
| Vercel | Application traffic and logs | Hosting & deployment | |
| Resend | Email address, notification content | Transactional email | Confirm signed |
| Anthropic (Claude API) | Message/bid text | Automated content moderation (not training) | |
| Google Analytics 4 | Pseudonymous device/usage data | Platform analytics | |
| Twilio | Mobile phone number, SMS message content | Transactional SMS delivery | |
| Google OAuth | Name, email (sign-in) | Authentication | |
Advertising partner (with your consent only): If you opt in to Marketing cookies, we also share a limited set of activity events and a securely hashed (one-way encrypted) version of your email with Meta Platforms, Inc. (Facebook/Instagram) to measure our ads and reach similar audiences (see §9). For this advertising activity Meta acts as an independent controller under its Business Tools terms, not as our processor. It is off by default, and you can withdraw consent at any time via the cookie banner.
4.3 Legal Requests
We may disclose information when required by valid legal process or to protect rights, safety, or property, and where we have a mandatory reporting obligation — including the duty to report suspected child abuse or neglect under Tex. Fam. Code § 261.101, and the obligation of a U.S. online service provider to report apparent child sexual abuse material to NCMEC via its CyberTipline under 18 U.S.C. § 2258A. We will notify you where legally permitted and will not comply with unlawful requests.
4.4 Business Transfers
If doBid is acquired, merged, or reorganized, your information may transfer as part of that transaction; we will notify you.
5. Your Privacy Rights
5.1 Texas (TDPSA)
Texas residents may request access, correction, deletion, and portability, and may opt out of the sale of personal data and of targeted advertising. We do not sell personal data; we engage in targeted advertising only through the Meta pixel (§9) and only if you opt in to Marketing cookies (off by default; opt out anytime via the cookie banner). To exercise rights, email dpo@dobid.app with the relevant subject line and the email associated with your account. We verify identity before responding and respond within 45 days (extendable once by 45 days with notice). If we deny a request, you may appeal (email dpo@dobid.app), and if the appeal is denied you may complain to the Texas Attorney General (texasattorneygeneral.gov; 512-463-2100).
5.2 California (CCPA/CPRA)
California residents have rights to know, delete, correct, opt out of the “sale” or “sharing” of personal information, and limit use of sensitive personal information. We do not sell personal information; we “share” personal information for cross-context behavioral advertising only through the Meta pixel (§9) and only if you opt in to Marketing cookies (off by default; opt out anytime via the cookie banner). Note: we collect a TIN (SSN/EIN) for Pros, which is sensitive personal information used solely for tax compliance and identity verification. Submit requests to dpo@dobid.app (“CCPA Request”).
5.3 EU/UK (GDPR)
If you are in the EU/UK, you have access, rectification, erasure, restriction, portability, and objection rights, and the right to lodge a complaint with your supervisory authority. Our EU representative/DPO contact is dpo@dobid.app. International transfers to the US rely on Standard Contractual Clauses incorporated in our vendor DPAs.
5.4 Non-Discrimination
We will not discriminate against you for exercising these rights.
6. Data Retention
| Data | Retention | Reason |
|---|---|---|
| Active account data | While active; personal identifiers removed within 90 days of a verified deletion request | Operations; TDPSA |
| Payment/transaction records & 1099 data | 7 years | IRS recordkeeping (26 U.S.C. § 6001) |
| Job records & photos | 3 years | Dispute resolution |
| Messages | 3 years | Support & evidence |
| Consent records | 5 years | Regulatory compliance |
| IP/login logs | ≤ 1 year | Security |
| De-identified/aggregated data | Indefinite | Analytics |
On deletion, profiles are removed, messages anonymized, ratings retained for marketplace integrity, and records required by law (tax, legal holds) retained. Accounts terminated for fraud may be retained longer to prevent re-registration.
7. Notifications and Marketing
We send transactional notifications (job updates, payment, disputes, security) by email and SMS as part of providing the service. Marketing emails are opt-in and you can unsubscribe anytime (footer link or Account Settings); we honor opt-outs within 10 business days.
SMS Messages
By providing your mobile phone number and checking the SMS consent box during registration, you agree to receive transactional SMS messages from doBid about your jobs, bids, and payments. doBid sends only transactional SMS — we do not send marketing or promotional SMS. Consent to receive SMS is not a condition of using doBid; you may use the platform without enabling SMS notifications.
Message frequency varies. Message and data rates may apply. We will not sell, rent, or share your mobile phone number with any third party for their marketing or promotional purposes.
To opt out at any time, reply STOP to any message we send. You will receive one confirmation message and then no further SMS from doBid. Reply START to re-enable SMS. Reply HELP for assistance, email us at support@dobid.app, or update your notification preferences in your account settings.
SMS messages are delivered via Twilio (see §4.2). doBid is not responsible for messages delayed or undelivered by your mobile carrier. Supported by all major U.S. carriers.
8. Data Security
We use commercially reasonable safeguards: HTTPS/TLS 1.2+ in transit; AES-256 at rest (Supabase); hashed passwords; Row-Level Security policies; least-privilege admin access with MFA; weekly dependency scanning; and an incident response plan. No method is 100% secure.
Data Breach Notification: If a breach affecting your personal data occurs, we will investigate promptly and notify affected users no later than 30 days (consistent with Tex. Bus. & Com. Code § 521.053). For users covered by the GDPR, we will notify the relevant supervisory authority within 72 hours where required. For breaches involving payment data or SSN/TIN, we offer 12 months of free credit monitoring.
9. Cookies and Tracking
| Category | Examples | Purpose | Can decline? |
|---|---|---|---|
| Essential | Supabase session token, CSRF token | Log-in, security, core platform function | No — required to use the platform |
| Preference | Theme, language, notification settings | Remember your settings | Yes |
| Analytics | Google Analytics 4 (_ga, _ga_*) | Understand how users navigate the platform | Yes |
| Marketing | Meta (Facebook/Instagram) pixel (_fbp) | Measure ad performance and show doBid ads on Meta | Yes — opt-in only |
On your first visit, doBid shows a cookie banner with options: Accept all, Decline (non-essential cookies), or Customize. Your choice is saved until you change it. You can update preferences anytime in Account Settings → Privacy → Cookies.
Google Analytics 4
We use Google Analytics 4 (GA4) to understand how the platform is used in aggregate. We have enabled IP anonymization, disabled Google Signals and cross-site advertising personalization, set data retention to 14 months, and signed Google's Data Processing Terms. GA4 does not receive your name, email, payment information, or any other directly identifying data. If you decline analytics cookies, no analytics cookies are set; Google may still receive cookieless, non-identifying signals (Google Consent Mode) used only for aggregate measurement.
California users (CCPA): analytics data may constitute a “sale” or “share” under the CPRA if used for cross-context behavioral advertising. We do not use GA4 data for that purpose; if you nonetheless wish to opt out, use the cookie banner or the GA opt-out add-on.
EU/UK users (GDPR): analytics cookies require your consent (GDPR Art. 6(1)(a) and Art. 7). The cookie banner collects and records that consent with a timestamp. You may withdraw consent at any time.
Do Not Track: doBid does not currently respond to browser-level “Do Not Track” signals because there is no uniform standard for interpreting them.
Marketing & Advertising Cookies (Meta Pixel)
With your opt-in consent, doBid uses the Meta Pixel and Conversions API from Meta Platforms, Inc. (Facebook/Instagram) to measure how our ads perform and to show doBid ads to people likely to be interested. These tools load only after you opt in to Marketing cookies (via “Accept all” or the Marketing toggle) and are off by default. When enabled, they send Meta a limited set of events (such as page views, sign-ups, and job posts) and a securely hashed (one-way encrypted) version of your email address, which Meta uses to match the activity to a Meta account for ad measurement and targeting. For this advertising activity Meta acts as an independent controller under its Business Tools terms. You can withdraw consent at any time using the cookie banner (footer → “Manage cookie preferences”) and can control ad personalization in your Facebook and Instagram ad settings. doBid does not send Meta your name, phone number, payment information, or the contents of your messages.
10. Children
doBid is for users 18 and older. We do not knowingly collect data from anyone under 18 (and never from anyone under 13 under COPPA). If we learn a minor has registered, we will delete the account and associated data except records the law requires us to keep.
11. Changes to This Policy
We may update this Policy; material changes will be emailed and posted with at least 30 days' notice. Continued use after the effective date constitutes acceptance.
12. Contact
5900 Balcones Drive, Suite 100, Austin, Texas 78731
Email: dpo@dobid.app · Legal: legal@dobid.app · Phone: 832-422-7055
Texas Attorney General (complaints): texasattorneygeneral.gov · 512-463-2100
© 2026 Maddox Ventures LLC d/b/a doBid. All rights reserved.