Provn

Privacy Policy

Last updated: 14 April 2026

1. Who We Are

Provn is operated by Jacaranda Labs Inc, registered in the United States. We provide a location-verified review platform for service professionals.

Contact: privacy@getprovn.io

2. Data We Collect

Agent Data (account holders)

  • Name, email address, phone number
  • Agency name and business details
  • Branding assets (logos, colours)
  • Payment information (processed by Stripe — we do not store card details)

Consumer Data (reviewers)

  • Name and email address (provided by the agent when creating an interaction)
  • GPS coordinates at time of check-in (captured once, with explicit consent)
  • Review content (rating, title, body text)
  • Device fingerprint hash (for anti-spoofing — not personally identifiable)

3. How We Use GPS Data

Privacy by design: Raw GPS coordinates are used solely to calculate the distance between the consumer and the property address. After verification, the raw coordinates are discarded. Only the following are stored:

  • Distance in metres from the expected location
  • Verification status (VERIFIED, PROXIMITY, OUT_OF_RANGE, LOW_ACCURACY)
  • GPS accuracy in metres

We never store, sell, or share raw GPS coordinates.

4. Legal Basis for Processing (GDPR)

Jacaranda Labs Inc is a US-based company that operates in the European Union and complies with the General Data Protection Regulation (GDPR), the ePrivacy Directive, and all applicable EU data protection laws for EU-based users.

  • Contract performance: Processing agent data to provide the service
  • Legitimate interest: Processing consumer check-in data to verify review authenticity
  • Consent: GPS location capture requires explicit opt-in from the consumer

5. Data Storage & Security

  • Your personal data is stored in Supabase EU West (Ireland). We rely on Stripe, Resend, Vercel, Sentry, Anthropic, Google (Analytics/Ads), and Meta (Pixel) for specific processing functions (§8). Any transfer outside the EEA is covered by the EU Standard Contractual Clauses (SCCs) and — where applicable — the EU–US Data Privacy Framework.
  • All connections use TLS 1.3 encryption
  • Database access is protected by row-level policies and app-layer tenancy checks
  • Passwords are hashed (bcrypt) — we never see them in plaintext
  • Admin access to production data is limited to named operators and fully audit-logged

6. Data Retention

  • Account data: retained while your account is active + 30 days after deletion
  • Reviews: retained indefinitely as they are the agent's professional record. A deleted reviewer's first-name initial + last name anonymisation is applied automatically.
  • Check-in records: retained 12 months; IP address, user-agent, device fingerprint and coarse IP geolocation are then nullified. Distance-to-location and verification status are kept for longer as a durable proof of verification.
  • Admin audit logs: 1 year (legal + fraud-investigation basis), then deleted
  • Help questions (help_asks): 90 days
  • Webhook delivery bodies: 30 days. Delivery metadata (status, hash): 90 days.
  • Rate-limit counters: 2 minutes (self-cleaning)
  • Stripe records: retained by Stripe per their retention policy; our copy references the Stripe customer ID only.

7. Your Rights

Under GDPR (for EU users) and applicable US state privacy laws, you have the right to:

  • Access your personal data (Art 15)
  • Rectify inaccurate data (Art 16)
  • Erase your data ("right to be forgotten", Art 17)
  • Port your data to another service (Art 20)
  • Object to processing or request restriction (Art 21 + 18)
  • Withdraw consent at any time for processing based on consent
  • Lodge a complaint with the Portuguese Data Protection Authority (CNPD — www.cnpd.pt) or your local EU supervisory authority

To exercise any of these rights, email privacy@getprovn.io.

8. Third-Party Processors

  • Supabase (EU) — database, authentication, storage, realtime. Acts as data processor under a signed DPA.
  • Vercel (EU + US edge) — application hosting, static asset delivery. Data processor under signed DPA.
  • Stripe (EU + US) — payment processing, customer records, invoices. Joint controller/processor per Stripe's DPA.
  • Resend (EU + US) — transactional email delivery (suppression + bounce/complaint events). Data processor.
  • Sentry (US) — error telemetry with PII scrubbing. Data processor; transfers covered by SCCs.
  • Anthropic (US) — Claude Haiku powers the in-app help assistant. Questions typed into "Ask AI" are sent to Anthropic for response generation and not retained for training. Data processor; transfers covered by SCCs + Data Privacy Framework.
  • Google LLC (US) — Google Analytics 4 (usage analytics) and Google Ads (attribution). Loaded only after you opt in via the cookie banner. Transfers covered by SCCs + EU–US Data Privacy Framework.
  • Meta Platforms Ireland Limited (EU) — Meta Pixel (attribution). Loaded only after you opt in via the cookie banner.
  • CRM processors (only if you connect one): HubSpot, Salesforce, or Pipedrive receive your verified reviews' consumer data. Your agency is the controller for that onward transfer.
  • Signed DPAs exist with all processors above; contact privacy@getprovn.io to request copies.

9. Cookies & Similar Technologies

Provn uses a small number of strictly necessary cookies for authentication, session management, CSRF protection, locale, and consent storage. These are always on. Analytics cookies (Google Analytics 4) and marketing cookies (Meta Pixel, Google Ads) only load after you explicitly opt in via the cookie banner on your first visit; you can change your selection at any time via the "Cookie settings" control in the site footer. No consent-gated tag fires before your choice is recorded.

10. Changes to This Policy

We will notify registered users by email of any material changes to this policy at least 30 days before they take effect.