Privacy Policy

Version: 2.0
Effective Date: December 29, 2025
Last Updated: December 29, 2025

PRIVACY POLICY

Carpet Installers Direct ("Platform," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect your personal information.

By using our Platform, you consent to the practices described in this Policy.

1. Information We Collect

1.1 Information You Provide Directly

When you create an account, place an order, or use Platform features, we collect:

Account Information:

• Full legal name
• Email address
• Phone number
• Password (encrypted, not stored in plain text)
• Delivery address (residential or business)

Order Information:

• Room dimensions and layout
• Product selections (carpet style, color, quantity)
• Service tier selection (Materials Only, BYOI Basic, BYOI Certified)
• Installer contact information (for BYOI tiers - installer name, phone, email)

Payment Information:

• Credit/debit card information (processed via Stripe - we do NOT store full card numbers)
• Billing address
• Payment method preferences (save card for future use)

Photos and Content:

• Room photos uploaded to AI visualizer
• Floor plan sketches or CAD files
• Project photos (before/after installation)
• Product reviews and ratings

Communication Records:

• Customer support emails, live chat transcripts, phone call recordings (with your consent)
• SMS messages (delivery notifications, installation reminders)

1.1a Installer Information (Collected from Installers Directly)

For BYOI tiers, we collect information from installers who are nominated by customers:

Installer Account Information:

• Full legal name
• Email address
• Phone number
• Business name (if applicable)

Installer Credential Information:

• State contractor license number
• Insurance certificate (general liability, workers' compensation)
• Business license (if applicable)

Background Check Information (FCRA-Compliant):

• Social Security Number (encrypted, used only for background check)
• Date of birth
• Background check consent (explicit opt-in required)
• Background check results (pass/fail status only - full report retained by background check provider)

Important: Installers submit their own credentials directly via a secure link. This ensures accuracy and FCRA compliance. Customers do NOT submit installer credentials on behalf of installers.

1.2 Information Collected Automatically

When you visit the Platform, we automatically collect:

Device and Browser Information:

• IP address
• Browser type and version (Chrome, Safari, Firefox, Edge)
• Operating system (Windows, macOS, iOS, Android)
• Device type (desktop, tablet, mobile)
• Screen resolution

Usage Data:

• Pages visited and time spent on each page
• Click-through paths (how you navigate the site)
• Search queries (products searched, filters applied)
• Quote tool usage (dimensions entered, products viewed, quotes generated)
• Referral source (how you found the Platform - Google search, social media, direct link)

Cookies and Tracking:

• Session cookies (keep you logged in)
• Preference cookies (remember your settings - language, location, saved quotes)
• Analytics cookies (Google Analytics, Facebook Pixel - see Section 3.3)
• Advertising cookies (retargeting, conversion tracking)

1.3 Information from Third Parties

We may receive information about you from:

Payment Processors (Stripe):

• Transaction status (success, failure, refund)
• Fraud risk assessment
• Chargeback notifications

Shipping Carriers:

• Delivery status and tracking updates
• Delivery confirmation (signature, timestamp)

Social Media:

• If you log in via Facebook or Google, we receive your name, email, and profile photo (with your permission)

Background Check Providers (for installers):

• Criminal history (for installer vetting - Full Service tier)
• License verification (for installers)
• Insurance verification (for installers)

Data Brokers (optional, for marketing):

• Demographic data (age, income, homeownership status)
• Purchase history (to personalize offers)

2. How We Use Your Information

2.1 To Provide Services

We use your information to:

• Process orders: Calculate pricing, generate cutting diagrams, submit orders to mill
• Coordinate installation: Schedule installers, arrange delivery, provide spec packets (BYOI tiers)
• Manage accounts: Authenticate login, save quotes, maintain order history
• Customer support: Respond to inquiries, troubleshoot issues, facilitate NCR (Non-Conformance Report) process
• Quality assurance: Track installer metrics, monitor Certified Installer performance

2.2 To Improve the Platform

We use data to:

• Train AI models: Improve visualizer accuracy (color matching, lighting simulation, pattern rendering)
• Optimize algorithms: Enhance quote calculator, cutting diagram generator, shipping cost estimator
• Analyze usage patterns: Identify popular products, improve site navigation, reduce cart abandonment
• A/B testing: Test design changes, pricing experiments, new features

2.3 For Marketing and Advertising

With your consent, we use information to:

• Send promotional emails: Discounts, new product launches, seasonal sales
• Retargeting ads: Show ads on Facebook, Google, Instagram for products you viewed
• Personalized recommendations: Suggest carpets based on browsing history, room type, budget
• Referral programs: Track referrals, credit rewards for successful referrals

You can opt out of marketing (see Section 8).

2.4 For Legal and Safety Purposes

We use information to:

• Comply with laws: Respond to subpoenas, court orders, government requests
• Prevent fraud: Detect fraudulent transactions, abuse of promotions, fake accounts
• Enforce Terms: Investigate violations, suspend accounts, pursue legal action
• Protect safety: Report illegal activity to law enforcement, prevent harassment or harm

3. How We Share Your Information

3.1 With Service Providers (to Fulfill Orders)

We share information with third parties who help us operate the Platform:

Carpet Mill (Manufacturing Partner):

• What we share: Name, delivery address, phone, product selections, room dimensions
• Why: To manufacture and ship materials per your order

Shipping Carriers (LTL freight companies):

• What we share: Name, delivery address, phone, shipment weight/dimensions
• Why: To deliver materials to you or your installer

Installers (BYOI tiers):

• What we share: Name, installation address, phone, project details, cutting diagram, spec packet
• Why: To complete installation per your contract

Payment Processor (Stripe):

• What we share: Name, email, payment amount, billing address
• Why: To process payments securely (Stripe handles card information directly - we do NOT see full card numbers)

3.2 With Marketing and Analytics Providers

Google Analytics:

• What we share: IP address, device type, pages visited, session duration
• Why: To analyze traffic, understand user behavior, optimize site performance
• Your control: Opt out via Google Analytics Opt-Out Browser Add-On

Facebook Pixel:

• What we share: Page views, add-to-cart events, purchases (hashed email for matching)
• Why: To measure ad performance, retarget visitors, create lookalike audiences
• Your control: Adjust Facebook ad preferences at facebook.com/ads/preferences

Email Service Provider (e.g., SendGrid, Mailchimp):

• What we share: Email, name, order history, product preferences
• Why: To send transactional emails (order confirmations) and marketing emails (promotions, newsletters)

3.3 With Background Check Providers (Installers Only - FCRA Compliant)

For installers seeking verification (especially for BYOI Certified status), we share:

• Installer's name, SSN (encrypted), address, date of birth with background check providers
• Why: To verify criminal history, license status, insurance coverage

FCRA Compliance:

• Installers receive a standalone FCRA Disclosure document before background check
• Installers must provide explicit written consent before background check is initiated
• Installers have the right to dispute inaccurate information
• Installers receive a copy of the background check report if adverse action is taken

Customer data is NOT shared with background check providers.

3.4 With Legal Authorities

We may disclose information if required by law or to protect rights:

• Subpoenas and court orders: Comply with legal process
• Law enforcement requests: Investigate crimes (fraud, theft, harassment)
• Safety threats: Prevent imminent harm to persons or property

3.5 Business Transfers

If Platform is acquired, merged, or sold:

• Your information may be transferred to the new owner
• We will notify you via email before transfer (you may delete your account before transfer if desired)

3.6 We Do NOT Sell Your Personal Information

Platform does NOT sell your personal information to third parties for their marketing purposes.

Exception (California residents): Under CCPA, "sell" has a broad definition. If you are a CA resident and want to opt out of any data sharing that might qualify as a "sale," see Section 9 (California Privacy Rights).

4. Cookies and Tracking Technologies

4.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. We use cookies to:

• Keep you logged in
• Remember your preferences (saved quotes, language, location)
• Analyze site usage (Google Analytics)
• Serve personalized ads (Facebook Pixel, Google Ads)

4.2 Types of Cookies We Use

Essential Cookies (required):

• Session ID (keeps you logged in)
• CSRF token (prevents security attacks)
• Cannot be disabled (required for Platform to function)

Preference Cookies (optional):

• Language preference
• Location (for shipping estimates)
• Saved quotes and product views
• Can be disabled (site will still work, but won't remember preferences)

Analytics Cookies (optional):

• Google Analytics (tracks page views, session duration, bounce rate)
• Hotjar or similar (heatmaps, session recordings)
• Can be disabled via cookie banner or browser settings

Advertising Cookies (optional):

• Facebook Pixel (tracks conversions, enables retargeting)
• Google Ads conversion tracking
• Can be disabled via cookie banner or browser settings

4.3 Managing Cookies

Cookie Consent Banner:

• When you first visit, we show a cookie banner
• You can accept all cookies or customize preferences
• Preferences are saved for 1 year

Browser Settings:

• Most browsers let you block or delete cookies
• Instructions: Chrome, Safari, Firefox, Edge

Do Not Track (DNT):

• Some browsers send a "Do Not Track" signal
• Currently, there is no industry standard for honoring DNT
• We do NOT respond to DNT signals (use cookie banner to manage preferences)

5. Data Security

5.1 How We Protect Your Data

We implement industry-standard security measures:

Encryption:

• TLS/SSL encryption for all data in transit (HTTPS)
• AES-256 encryption for sensitive data at rest (passwords, payment info)

Access Controls:

• Role-based access: Only authorized employees can access customer data
• Multi-factor authentication (MFA): Required for employee access to production systems
• Audit logs: All data access is logged and monitored

Payment Security:

• PCI-DSS compliant: Stripe handles payment processing (we do NOT store full card numbers)
• Tokenization: Card numbers are replaced with tokens (useless if stolen)

Regular Security Audits:

• Penetration testing: Annual third-party security audits
• Vulnerability scans: Automated scanning for software vulnerabilities
• Patch management: Timely updates to software and libraries

5.2 Your Responsibilities

Protect your account:

• Use a strong, unique password (12+ characters, mix of letters/numbers/symbols)
• Do NOT share your password with anyone
• Log out when using shared devices
• Enable two-factor authentication (if available)

Report suspicious activity:

• If you suspect unauthorized access, email security@carpetinstallersdirect.com immediately
• Change your password if compromised

5.3 No System is 100% Secure

Despite our security measures, no system is completely secure. We cannot guarantee that:

• Hackers won't breach our systems (though we have defenses in place)
• Your data won't be intercepted in transit (though we use TLS encryption)
• Malicious insiders won't access data (though we have access controls and audit logs)

If a data breach occurs, we will notify you per Section 5.4.

5.4 Data Breach Notification

If a security breach exposes your personal information, we will:

1. Investigate the breach: Determine what data was accessed and who was affected
2. Notify affected users within 72 hours: Email notification with details of breach
3. Report to authorities: Notify state/federal regulators as required by law (GDPR, CCPA, state data breach laws)
4. Offer remediation: Free credit monitoring (if financial data was compromised)

6. Data Retention

6.1 How Long We Keep Your Data

Account data: As long as your account is active + 7 years after deletion (for legal compliance - tax records, dispute resolution)

Order data: 7 years after purchase (for warranty claims, legal disputes, accounting)

Payment data: Tokenized card information retained until you delete it or account is closed

Customer support records: 3 years (for quality assurance, legal defense)

Analytics data: Aggregated data retained indefinitely (de-identified - not linked to specific users)

Marketing data: Until you unsubscribe or delete account

6.2 Deleting Your Data

You may request deletion of your data by:

• Emailing privacy@carpetinstallersdirect.com
• Following account deletion process in account settings

We will delete your data within 30 days, except:

• Legal hold: Data subject to ongoing litigation or investigation (deleted after legal hold is lifted)
• Aggregated data: De-identified analytics data (cannot be linked back to you)
• Backup systems: Data in backups may persist for up to 90 days before automatic deletion

Note: Deleting your account does NOT cancel pending orders or void existing contracts.

7. Your Privacy Rights

7.1 Access Your Data

You have the right to request a copy of your personal information. To request:

1. Email privacy@carpetinstallersdirect.com with subject "Data Access Request"
2. Verify your identity (we may ask for account credentials or order number)
3. Receive data within 30 days (in machine-readable format - JSON or CSV)

We provide this for free (first request per year). Subsequent requests may incur a $25 processing fee.

7.2 Correct Your Data

If your personal information is inaccurate or outdated, you can:

• Update it yourself in account settings
• Email privacy@carpetinstallersdirect.com to request correction

We will update within 10 business days.

7.3 Delete Your Data

You can request deletion per Section 6.2.

Exceptions: We may retain data if:

• Required by law (tax records, legal holds)
• Necessary to complete pending orders or resolve disputes
• Aggregated/de-identified (no longer personal information)

7.4 Object to Processing

You can object to certain uses of your data:

• Marketing: Unsubscribe from emails, opt out of retargeting ads
• Profiling: Request we do NOT use your data for personalized recommendations or pricing experiments

Email privacy@carpetinstallersdirect.com to object.

7.5 Data Portability

You can request your data in a portable format (to transfer to another service):

1. Email privacy@carpetinstallersdirect.com with subject "Data Portability Request"
2. Receive data in JSON or CSV format (machine-readable)

Included data: Account info, order history, saved quotes, product reviews

Excluded data: Proprietary algorithms (cutting diagrams, price calculations), third-party data (payment tokens)

8. Marketing and Communication Preferences

8.1 Opt Out of Marketing Emails

To stop receiving promotional emails:

• Click "Unsubscribe" at the bottom of any marketing email
• Update email preferences in account settings
• Email privacy@carpetinstallersdirect.com with subject "Unsubscribe"

You will still receive transactional emails (order confirmations, shipping updates, installation reminders).

8.2 Opt Out of SMS

To stop receiving text messages:

• Reply "STOP" to any SMS from Platform
• Email privacy@carpetinstallersdirect.com with subject "SMS Opt-Out"

You will still receive critical SMS (e.g., installer arrival notification on installation day - unless you specifically request full SMS opt-out).

8.3 Opt Out of Retargeting Ads

To stop seeing Platform ads on Facebook, Google, etc.:

Facebook:

• Visit facebook.com/ads/preferences
• Remove Carpet Installers Direct from "Advertisers you've interacted with"

Google:

• Visit adssettings.google.com
• Turn off "Ad Personalization"

Industry-Wide Opt-Out:

• Visit optout.aboutads.info (Digital Advertising Alliance)
• Visit optout.networkadvertising.org (NAI Opt-Out Tool)

9. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

9.1 Right to Know

You can request:

• Categories of personal information collected (see Section 1)
• Sources of personal information (directly from you, automatically collected, third parties)
• Business purposes for collecting information (see Section 2)
• Third parties with whom we share information (see Section 3)

9.2 Right to Delete

You can request deletion of your personal information (see Section 6.2).

Exceptions: We may retain data if necessary to:

• Complete transaction or provide service
• Detect security incidents or fraud
• Comply with legal obligations
• Enable internal uses (research, product development)

9.3 Right to Opt-Out of "Sales"

CCPA defines "sale" broadly. While we do NOT sell your data for money, we do share data with analytics and advertising partners (Google Analytics, Facebook Pixel), which may qualify as a "sale."

To opt out:

• Click "Do Not Sell My Personal Information" link in footer
• Adjust cookie preferences (disable advertising cookies)

9.4 Right to Non-Discrimination

We will NOT discriminate against you for exercising CCPA rights. You will receive the same service quality, pricing, and features regardless of whether you opt out.

9.5 Submitting CCPA Requests

To exercise CCPA rights:

1. Email privacy@carpetinstallersdirect.com with subject "CCPA Request: [Right You're Exercising]"
2. Verify your identity (provide email, phone, or order number)
3. Receive response within 45 days (may extend to 90 days for complex requests)

Authorized agents: You may designate an authorized agent to submit requests on your behalf (provide written authorization).

10. International Users and GDPR

10.1 Platform is Based in the United States

Carpet Installers Direct is a Georgia-based business. Your data is processed and stored in the United States.

If you are located outside the U.S.:

• Your data is transferred to the U.S. (which may have different privacy laws than your country)
• By using the Platform, you consent to this transfer

10.2 GDPR Rights (European Users)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):

Legal Basis for Processing:

• Contract: Processing necessary to fulfill your order
• Consent: Marketing emails, cookies, profiling
• Legitimate interests: Fraud prevention, platform improvements

GDPR Rights:

• Right to access: Request copy of your data
• Right to rectification: Correct inaccurate data
• Right to erasure ("right to be forgotten"): Delete your data
• Right to restrict processing: Limit how we use your data
• Right to data portability: Receive data in portable format
• Right to object: Object to marketing, profiling, automated decisions
• Right to withdraw consent: Revoke consent for marketing or cookies

To exercise GDPR rights:

• Email privacy@carpetinstallersdirect.com
• Receive response within 30 days

File a complaint:

• If you believe we are not complying with GDPR, you can file a complaint with your local Data Protection Authority (e.g., ICO in the UK, CNIL in France)

10.3 Data Transfer Mechanisms

For EEA users, we rely on:

• Standard Contractual Clauses (SCCs): EU-approved contracts for international data transfers
• Adequacy decisions: Where applicable (though the U.S. does not have an adequacy decision post-Schrems II)

11. Children's Privacy

11.1 Platform is NOT for Children

The Platform is intended for users 18 years and older. We do NOT knowingly collect personal information from children under 13 (or 16 in the EEA).

11.2 If We Discover Child Data

If we discover we have collected data from a child:

1. Delete the data immediately
2. Terminate the account
3. Notify parents (if contact information is available)

11.3 Parental Notification

If you are a parent and believe your child has created an account or provided personal information:

• Email privacy@carpetinstallersdirect.com with subject "Child Privacy Concern"
• Provide child's name, email, or account details
• We will delete the account and data within 24 hours

12. Third-Party Links

12.1 Platform May Link to Third-Party Sites

The Platform may contain links to:

• Carpet manufacturer websites (for product specs, warranty info)
• Installer websites (if installer has their own site)
• Social media platforms (Facebook, Instagram, Pinterest)
• Payment processor (Stripe)

We are NOT responsible for the privacy practices of third-party sites. Review their privacy policies before providing personal information.

12.2 Social Media Integration

If you interact with our social media (like, share, comment):

• Social platforms collect data about your interaction (per their privacy policies)
• We may receive aggregate data (likes count, demographics) but NOT personal information (unless you message us directly)

13. Changes to This Privacy Policy

13.1 We May Update This Policy

Platform may update this Privacy Policy by:

• Posting updated version at [website URL]
• Incrementing version number
• Updating "Last Updated" date

We will notify you of material changes via:

• Email (if you have an account)
• Banner notice on website

13.2 Continued Use = Acceptance

By continuing to use the Platform after updates, you agree to the new Privacy Policy. If you do not agree, you must stop using the Platform and delete your account.

13.3 Material Changes Requiring Consent

If changes materially expand how we use your data (e.g., we start selling data to third parties), we will:

• Request your explicit consent before applying new terms
• Allow you to opt out without penalty

14. Contact Us

For privacy questions, data requests, or concerns:

Carpet Installers Direct - Privacy Team
Email: privacy@carpetinstallersdirect.com
Phone: [Phone Number]
Address: [Physical Address, Georgia]
Business Hours: Monday-Friday, 9 AM - 5 PM EST

For GDPR-specific inquiries:
Email: gdpr@carpetinstallersdirect.com

For CCPA-specific inquiries:
Email: ccpa@carpetinstallersdirect.com

15. Summary of Key Points

What we collect:

• Account info, order details, payment info, photos, device/usage data, cookies

How we use it:

• Process orders, improve Platform, marketing (with consent), legal compliance

Who we share with:

• Installers, mill, shipping carrier, payment processor, analytics providers (Google, Facebook)

We do NOT sell your data (except possibly under CCPA's broad definition - opt out available)

Your rights:

• Access, correct, delete, opt-out of marketing, data portability

Installer data (FCRA compliant):

• Installers submit their own credentials via secure link
• Background checks require explicit consent per FCRA
• Installers can dispute inaccurate background check information

How to contact us:

• privacy@carpetinstallersdirect.com

Effective Date: December 29, 2025
Version: 2.0
Document ID: PRIVACY-2025-v2.0

Attorney Review Notes

⚠️ IMPORTANT: This document should be reviewed by a privacy attorney before use. Key areas requiring review:

1. CCPA compliance - Verify "Do Not Sell" disclosures, opt-out mechanisms, non-discrimination policy
2. GDPR compliance - Confirm legal basis for processing, data transfer mechanisms (SCCs), DPA appointment (if needed)
3. State data breach laws - Ensure breach notification procedures meet requirements (72-hour rule varies by state)
4. Cookie consent - Verify cookie banner meets requirements (ePrivacy Directive, GDPR, CCPA)
5. Children's privacy - Confirm COPPA compliance (no data collection from under-13s)
6. Third-party data sharing - Ensure all data processors are listed and have DPAs in place
7. Data retention - Verify retention periods align with legal requirements and business needs
8. FCRA compliance - Verify installer background check process meets FCRA requirements (standalone disclosure, consent, adverse action notice)
9. Installer credential data - Ensure proper handling and retention of installer license, insurance, and background check data

Recommended attorney budget: $400-600 for Privacy Policy review (high complexity due to GDPR/CCPA/FCRA)