Privacy Policy
Effective February 15, 2026 · Diftar LLC · New York
Overview
Bunyan is operated by Diftar LLC. This policy explains what data we collect, how we use it, and your rights. We keep it straightforward because we believe you should understand exactly what happens with your information.
What We Collect
Account information. When you sign up, we collect your name, email address, and authentication credentials. If you sign in with Google, we receive your name and email from Google — we do not access your Google contacts, calendar, or other data unless you explicitly connect those features.
Business data you enter. Contacts, estimates, proposals, projects, invoices, material catalogs, crew schedules, and any other data you create in Bunyan. This is your data — we store it to provide the service.
Files you upload. Company logos, project photos, and attachments. These are stored using Vercel Blob, which uses unique URLs. While files are not publicly listed or indexed, anyone with the direct URL can access them. Do not upload sensitive documents (e.g., social security numbers, bank statements) as file attachments.
Usage data. We collect anonymous analytics about how you use Bunyan — pages visited, features used, and performance metrics. This helps us improve the product. We use Vercel Web Analytics, which is privacy-friendly and does not use cookies for tracking.
Payment information. If you or your customers make payments through Bunyan, payment processing is handled entirely by Stripe. We never see or store full credit card numbers.
How We Use Your Data
We use your data to:
- Provide the Bunyan service — CRM, estimating, proposals, scheduling, and invoicing
- Send transactional emails (proposals, invoices, purchase orders, team invitations) via Resend
- Display maps and satellite imagery for GeoDraw via Mapbox
- Process payments via Stripe
- Improve Bunyan based on aggregated, anonymous usage patterns
- Communicate product updates and important account information
We do not sell your data. We do not use your business data to train AI models. We do not share your data with advertisers.
Third-Party Services
Bunyan relies on the following services to operate:
- Supabase — authentication and identity management
- Vercel — hosting, serverless functions, and file storage (Vercel Blob)
- Stripe — payment processing for customer portal payments
- Resend — transactional email delivery (proposals, invoices, purchase orders, invitations)
- Mapbox — maps and satellite imagery for GeoDraw
- Vercel Web Analytics — anonymous, cookie-free usage analytics
Each of these services has its own privacy policy. We only share the minimum data required for each service to function.
Data Storage and Security
Your data is stored on servers in the United States. We use encrypted connections (HTTPS) for all data in transit, and our database provider encrypts data at rest.
We implement security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy), server-side authentication checks on all protected routes, and role-based access control within your organization.
Shared Links
Certain Bunyan features generate unique links that can be accessed without logging in — including proposal links sent to your customers and customer portal links for viewing project status and making payments. These links contain unique tokens and are not publicly listed, but anyone with the link can view the associated data.
You are responsible for sharing these links only with intended recipients. If you believe a link has been compromised, you can regenerate it from within the application.
Data Ownership and Export
Your data belongs to you. Period. You can export your contacts, estimates, projects, and invoices as CSV files at any time from within the application. If you decide to leave Bunyan, your data is yours to take.
Your Rights
You have the right to:
- Access your data — export it anytime via CSV
- Correct your data — edit any record in the application
- Delete your data — request account deletion by emailing us
- Export your data — CSV export is built into the application
To exercise any of these rights, email privacy@bunyanbuild.com. We will respond within 30 days.
Data Retention
We retain your data for as long as your account is active. If you delete your account or your account is terminated, we will retain your data for 30 days to allow you to export it, after which it will be deleted — except where we are required by law to retain it (e.g., financial records).
When We May Disclose Data
We may disclose your data if required by law, legal process, or government request; to protect the rights, property, or safety of Diftar LLC, our users, or the public; to enforce our Terms of Service; or in connection with a merger, acquisition, or sale of assets (in which case your data would remain subject to this policy).
Cookies
Bunyan uses only essential cookies required for authentication and session management. We do not use advertising cookies or third-party tracking cookies. Vercel Web Analytics operates without cookies.
Children
Bunyan is a business tool designed for adults. You must be at least 18 years old to use Bunyan. We do not knowingly collect data from anyone under 18.
Changes to This Policy
We may update this policy from time to time. If we make significant changes, we will notify you by email or through a notice in the application. The effective date at the top of this page will always reflect the latest version.
Contact
Questions about this policy? Email us at privacy@bunyanbuild.com.