Privacy Policy

Last Updated: May 2, 2026
Version: 2.0

1. Introduction & Data Controller

Wide Rivers LLC ("Wide Rivers," "we," "us," or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (widerivers.com), use our customer portal, or otherwise interact with our services.

For purposes of the EU/UK General Data Protection Regulation (GDPR) and similar laws, the data controller is:

Wide Rivers LLC
205 Northeast Ave, Swannanoa, NC 28778
Email: legal@widerivers.com
Phone: (828) 229-2610

By using our website or services, you acknowledge the practices described in this policy.

2. Information You Provide

When you fill out forms, schedule a consultation, sign a contract, use our customer portal, or otherwise communicate with us, we may collect:

Contact Information: Name, email address, phone number
Address Information: Project street address, billing address, city, state, zip code
Project Information: Service interests, project details, property type, scope notes, photos, measurements
Customer Type: Whether you are an individual homeowner, household, or company
Account Credentials: Customer portal username, password (hashed), session tokens
Payment Information: Deposits and project payments processed through Stripe; we do not store full card numbers on our servers
Documents: Quotes, signed contracts, change orders, receipts, and any files you upload to the portal or via our forms
Communications: Email, SMS, voice, and chat correspondence with our team

3. Information Collected Automatically

When you visit our website or use the customer portal, we automatically collect:

Device Information: Browser type, operating system, device type, screen size
Usage Data: Pages visited, time spent on site, referring website, click attribution parameters (UTM, gclid, fbclid)
IP Address: Used for security, fraud prevention, and approximate geographic location
Cookies & Similar Technologies: See Section 9
Error & Performance Logs: Stack traces, request paths, and timing data captured by our error monitoring tools

4. Information from Third Parties

We may receive information about you from third-party sources, including:

Property Data: Realie.ai (parcel, ownership, structure data), HUD (loan-level public data), and the U.S. Census Bureau (demographic enrichment of your project address)
Advertising Platforms: Meta, Google, LinkedIn, and X may share ad-click identifiers and conversion attribution data
Social Platforms: When you message or interact with us on Facebook, Instagram, Threads, Messenger, LinkedIn, or X, those platforms share your public profile and message contents with us
Referrals: Names and contact details that existing customers or partners share with us when referring you

5. Sensitive Personal Information

We do not intentionally collect sensitive personal information such as:

Social Security numbers
Driver's license or government ID numbers
Full financial account or payment card numbers (handled by Stripe)
Precise geolocation data
Racial or ethnic origin
Religious beliefs
Health information
Biometric data

If you submit sensitive information to us in error, contact legal@widerivers.com and we will delete it.

6. How We Use Your Information & Legal Basis (GDPR)

We use the information we collect for the following purposes. For each, the GDPR legal basis is identified in parentheses:

Respond to inquiries, schedule appointments, and provide quotes (performance of a contract / legitimate interest)
Perform contracted home improvement services and manage your project (performance of a contract)
Process payments and deposits via Stripe (performance of a contract)
Send service-related updates, appointment confirmations, and follow-ups via email and SMS (performance of a contract / consent for marketing SMS)
Improve our website, products, and services (legitimate interest)
Detect, prevent, and respond to fraud, abuse, and security incidents (legitimate interest / legal obligation)
Measure ad performance via server-side conversion events (Meta Conversions API, Google Ads) (consent / legitimate interest)
Use AI tools (Anthropic Claude) to summarize leads, draft replies, perform document OCR/tagging, and generate photo embeddings for semantic search (legitimate interest)
Comply with legal, tax, accounting, and warranty obligations (legal obligation)
Defend and prosecute legal claims (legitimate interest)

Where consent is the legal basis, you may withdraw consent at any time without affecting the lawfulness of prior processing.

7. AI Processing Disclosure

We use artificial intelligence (primarily Anthropic's Claude models, accessed via the Anthropic API) to assist with the following internal operations:

Summarizing lead notes and call transcripts for our team
Drafting suggested email and SMS replies (always reviewed by a human before sending)
Performing optical character recognition (OCR) on documents you upload
Auto-tagging and embedding photos for semantic search inside our internal systems

We do not use your personal information to train third-party AI models. Per Anthropic's API terms, customer data sent through the Anthropic API is not used to train Anthropic's models. AI-generated outputs are decision-support tools; humans remain responsible for all customer-facing communications and project decisions.

8. How We Share Your Information

We do not sell your personal information. We share information only with the categories of recipients listed below, and only as necessary for the stated purpose.

Service Providers & Sub-Processors

We use the following third-party services to operate our business. Each has its own privacy practices:

Provider	Purpose	Privacy Policy
Cloudflare	Hosting, DNS, WAF, Workers, KV, R2 storage, Cloudflare Images, Turnstile bot protection	Link
Neon	Postgres database hosting (lead, contact, project data)	Link
Stripe	Payment processing for deposits and invoices	Link
QuickBooks Online (Intuit)	Invoicing, accounting, tax reporting	Link
Anthropic	Claude AI for summaries, replies, OCR, embeddings	Link
Voyage AI	Embedding generation for semantic media search	Link
Realie.ai	Property data lookup (parcel, ownership, structure)	Link
U.S. Census Bureau	Demographic enrichment of project address (public data)	Link
HUD	Loan-level public data lookup	Link
Google	Google Analytics 4, Google Ads, Tag Manager, Workspace (Mail/Calendar/Drive/Tasks), Search Console, Business Profile, OAuth	Link
Microsoft	Microsoft 365 (Outlook/Calendar/Tasks/OneDrive), Microsoft Clarity (session analytics), OAuth	Link
Meta (Facebook/Instagram/Threads/Messenger)	Page management, Conversions API server-side events, OAuth	Link
LinkedIn	Page posts, ads, analytics, OAuth	Link
X (Twitter)	Posts, analytics, OAuth	Link
SignalWire / Twilio	SMS and voice communications	Link / Link
ProVia	Dealer ordering portal for windows and doors (per-user encrypted credentials)	Link
Apple iCloud	Per-user app password integration for Wide Rivers staff (encrypted at rest); not used for customer data	Link

Photo and document embeddings are stored using pgvector inside our own Neon Postgres database (no separate vendor).

Other Recipients

Business Partners: Manufacturers, suppliers, and crews engaged to fulfill your project (only the information necessary)
Legal Requirements: When required by law, court order, subpoena, or government request, or to enforce our Terms or protect rights and safety
Business Transfers: In connection with a merger, acquisition, financing, or sale of assets, with appropriate confidentiality obligations
With Your Consent: Any other sharing for which you provide explicit consent

We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

9. Cookies, Tracking & Do Not Track

We use the following categories of cookies and similar technologies on widerivers.com and our customer portal:

Category	Examples	Purpose
Essential	Session, CSRF token, Cloudflare WAF (`__cf_bm`), Cloudflare Turnstile	Required for site to function and to block spam/bots
Analytics	Google Analytics 4 (`_ga`, `_ga_*`), Microsoft Clarity (`_clck`, `_clsk`)	Aggregate traffic and behavior measurement
Advertising / Conversion	Google Ads (`_gcl_*`), Meta Pixel/Conversions API click identifiers (`_fbp`, `fbclid`)	Measure ad performance and attribute conversions

Managing cookies: Most browsers allow you to refuse or delete cookies through their settings. Disabling essential cookies may break parts of the site.

Do Not Track (DNT): Because no consistent industry standard for honoring DNT signals exists, our site does not currently respond to browser DNT signals. We do, however, honor Global Privacy Control (GPC) signals where applicable as a request to opt out of any sharing for cross-context behavioral advertising (which we do not engage in).

10. SMS / Text Messaging

When you submit a form on our website and provide a phone number, you consent to receive text messages (SMS) and calls from Wide Rivers LLC at the number provided, including messages sent via an automated system. These messages may include appointment confirmations, project updates, quotes, follow-ups, and service-related communications. Message frequency varies. Message and data rates may apply. You can opt out at any time by replying STOP to any message, or reply HELP for assistance.

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Information collected for SMS communication, including phone numbers and opt-in consent, is used solely to communicate with you about Wide Rivers services and is not sold, rented, or shared with third parties or affiliates for their marketing purposes. Service providers (such as our SMS delivery platform) may process this information only to facilitate the messaging service on our behalf, subject to confidentiality obligations.

11. Customer Portal

Our customer portal lets you log in to view quotes and contracts, upload documents and photos, pay deposits via Stripe, message your project team, and view scheduled appointments. We protect portal access with hashed passwords, signed session tokens, and encrypted transport (HTTPS/TLS). Files you upload are stored in Cloudflare R2 and Cloudflare Images and are accessible only via signed URLs.

12. Meta Conversions API & Server-Side Ad Measurement

When you submit a lead, schedule an appointment, or complete a purchase, we may send a hashed, server-side event to Meta's Conversions API (and similar APIs operated by Google Ads, LinkedIn, and other ad platforms) to measure ad performance and attribute conversions. We hash personally identifiable fields (email, phone, name) before transmission. We do not use this for cross-context behavioral advertising on our own properties.

13. Social Platform Interactions

Wide Rivers maintains business profiles on Facebook, Instagram, Threads, Messenger, LinkedIn, X, and YouTube and uses each platform's API to manage these profiles. When you interact with us on those platforms (messages, comments, mentions, reactions, ad engagement), we may collect:

Direct message content along with your public profile name and photo
Comments, replies, mentions, and tags on our content
Aggregated reaction and engagement metrics
Ad engagement and conversion events

We use this information to respond to inquiries, follow up on potential leads, and measure marketing effectiveness. The platforms' own use of your data is governed by their respective privacy policies (linked in Section 8).

14. Data Retention

We retain personal information only as long as necessary for the purposes for which it was collected, consistent with the following defaults:

Category	Default Retention
Lead inquiries that do not result in a contract	3 years from last contact, then redacted
Customer project records (contracts, change orders, photos)	7 years after project completion (warranty + tax)
Financial & tax records (invoices, payments)	7 years (IRS / NC Dept. of Revenue requirements)
Communications log (email, SMS, call notes)	3 years from last interaction
Web analytics (GA4, Clarity)	14 months
Error/observability logs (self-hosted, Cloudflare Workers)	90 days
DNC list entries	Indefinite (required to honor opt-out)

When we no longer need information, we redact, anonymize, or delete it. Redaction is our default for records that have foreign-key dependencies (contracts, invoices, audit logs), so referential integrity is preserved while personal identifiers are removed.

15. Data Security & Breach Notification

We implement reasonable administrative, technical, and physical safeguards including:

HTTPS/TLS encryption in transit
Encryption at rest for sensitive credentials (ProVia, iCloud) using AES-256
Role-based access controls and least-privilege defaults
Hashed passwords (bcrypt/scrypt) — we never store or transmit plaintext passwords
Cloudflare WAF, rate limiting, and Turnstile bot protection
Continuous error and intrusion monitoring (self-hosted observability, Cloudflare Worker logs)
Regular review of third-party integrations and access tokens

No method of transmission or storage is 100% secure. In the event of a data breach affecting your personal information, we will notify affected individuals and the appropriate authorities within 72 hours of confirming the breach, as required under GDPR Article 33 and consistent with applicable U.S. state breach-notification laws.

16. International Data Transfers

Wide Rivers operates from North Carolina, USA. If you contact us from outside the United States, your information will be transferred to and processed in the United States. Where required, we rely on the European Commission's Standard Contractual Clauses or equivalent transfer mechanisms for transfers from the EU/UK.

17. Your Rights — General

Subject to your jurisdiction, you may have the right to:

Access: Request a copy of the personal information we hold about you
Portability: Receive your data in a structured, machine-readable format
Correction: Correct inaccurate or incomplete information
Deletion: Request deletion of your personal information ("right to be forgotten")
Restriction: Restrict or object to certain processing
Withdraw Consent: Withdraw any consent you previously gave
Opt-Out: Unsubscribe from marketing email and SMS
Lodge a Complaint: File a complaint with your local data protection authority (EU/UK) or the U.S. FTC

To exercise any of these rights, email legal@widerivers.com. We respond to verified requests within 30 days (extendable by an additional 60 days for complex requests, with notice).

18. California Residents (CCPA / CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act and the California Privacy Rights Act, including the right to know, the right to delete, the right to correct, the right to opt out of sale or sharing for cross-context behavioral advertising, the right to limit the use of sensitive personal information, and the right to non-discrimination for exercising these rights.

Categories of personal information collected in the last 12 months:

Category	Source	Purpose
Identifiers (name, email, phone, IP)	You, automatic, third parties	Service, fraud prevention, marketing
Customer records (address, project info)	You	Service delivery
Commercial information (services purchased)	You	Billing, accounting
Internet/network activity (cookies, logs)	Automatic	Analytics, security, ad measurement
Geolocation (approximate, from IP)	Automatic	Service area routing, fraud prevention
Audio/visual (uploaded photos, call recordings with consent)	You	Project assessment, training, dispute resolution
Inferences (project preferences, lead scoring)	Derived	Sales follow-up, marketing
Professional info (for B2B contacts)	You	Business relationship management

We do not sell personal information, and we do not share it for cross-context behavioral advertising. We have not knowingly sold or shared the personal information of consumers under 16.

California Shine the Light: California Civil Code § 1798.83 entitles California residents to request information about disclosures of personal information to third parties for direct marketing purposes. We do not disclose personal information for third-party direct marketing.

To submit a CCPA/CPRA request, email legal@widerivers.com with subject line "California Privacy Request", or call (828) 229-2610. You may designate an authorized agent to act on your behalf with appropriate proof.

19. Other U.S. State Privacy Laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon, Montana, Iowa, Tennessee, Indiana, New Jersey, Delaware, New Hampshire, Minnesota, Maryland, Rhode Island, and South Carolina (SCDPA) have rights to confirm, access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, sale, or profiling that produces legal or similarly significant effects. We honor these rights through the same process described in Section 17. Where state law requires it, you may appeal a denial of a request by replying to our denial email.

20. European Union, United Kingdom & EEA Residents (GDPR / UK GDPR)

If you are in the EU, UK, or EEA, the legal bases on which we process your personal data are listed in Section 6. You have the rights listed in Section 17, including the right to lodge a complaint with your local supervisory authority. You may contact us at legal@widerivers.com for any GDPR-related request.

21. Data Deletion Requests

You may request deletion of any personal data Wide Rivers has collected about you, including data we received through Meta Platforms (Facebook, Instagram, Threads, Messenger), LinkedIn, X, our website forms, the customer portal, SMS, or other channels.

How to request deletion:

Email legal@widerivers.com with the subject line "Data Deletion Request"
Include your name and the contact information (email, phone, social handle) associated with the data
Optionally describe the specific data you want deleted (otherwise we will delete or redact all data we hold about you)

What happens next:

We confirm receipt within 7 business days
We verify your identity (see Section 22)
We complete deletion or redaction within 30 days of verified receipt
We send written confirmation when deletion is complete

Limitations: Some data must be retained as required by law (e.g., financial records related to completed transactions, warranty documentation). When data must be retained, access is restricted and the data is deleted once the retention obligation expires.

22. Verifying Your Request

To protect your privacy, we verify your identity before fulfilling access, correction, or deletion requests. Verification may include:

Confirming your email address or phone number
Matching information you provide against our records
Requesting additional documentation in unusual cases

You may submit free data access requests up to twice within any 12-month period.

23. Children's Privacy (COPPA)

Our website and services are intended for adults and are not directed to children under the age of 13. We do not knowingly collect, use, or disclose personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, contact legal@widerivers.com and we will delete it promptly. We also do not knowingly sell or share personal information of consumers under 16 without affirmative authorization, in compliance with the CPRA.

24. Links to Other Websites

Our website may contain links to third-party websites. We are not responsible for the privacy practices of external sites; please review their privacy policies before submitting any information.

25. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced on this page with an updated "Last Updated" date and an incremented version number. Continued use of our website or services after changes are posted constitutes acceptance of the updated policy.