1. Who We Are
ToolBud, Inc. ("ToolBud," "we," "us," or "our") operates the ToolBud mobile application and the website at toolbudapp.com. ToolBud is a community tool-sharing platform that enables neighbors to borrow and lend tools within verified local communities.
Our mailing address is: 27026 Golden Knoll Dr, Magnolia, TX 77354.
For privacy inquiries, contact us at: support@toolbudapp.com
2. Information We Collect
2.1 Account & Profile Information
When you create an account and complete your profile, we collect:
- First name, last name, and display name
- Email address
- Phone number
- Date of birth (used for eligibility purposes)
- Home address (street address, city, state, and ZIP code — used for community verification)
- Profile photo (avatar)
2.2 Tool Inventory
When you add tools to your inventory, we collect:
- Tool name, category, brand, model, condition, and description
- Purchase information (store, date, price, order number, UPC/ASIN) — stored privately, visible only to you
- Tool photos (AI-processed and then deleted; not stored permanently)
- Lending availability settings
2.3 Borrow & Lend Session Data
When you participate in a borrow or lend session, we collect:
- Session details: requested dates, approved dates, tool name, notes to lender/borrower
- Checkout and return evidence photos (immutable once submitted; visible only to session participants)
- Session checklist responses and condition notes
- Borrower ratings and reviews (submitted by lenders after session close)
- Dispute details: category and description (visible to ToolBud administrators only)
2.4 Communications
We collect messages sent through the in-app session messaging system between borrowers and lenders. Messages are visible only to session participants.
2.5 Community Feed Activity
If you post to the community feed (Ask posts, recommendations), we collect your post content, your display name, and your profile photo at time of posting. Feed posts are visible to verified members of your community only.
2.6 Device & Technical Data
We collect:
- Expo push notification token (to deliver push notifications to your device)
- Device platform (iOS or Android)
- App usage analytics events (feature interactions, community ID) — used to improve the app
- ToolShed Market click data (outbound retailer links you tap)
2.7 Contacts (Device Only — Never Uploaded)
If you grant contacts permission, we read your device contacts on-device only to display friend suggestions. Contact names and phone numbers are never transmitted to our servers, never stored, and never shared. Your device contacts are used solely to generate invite suggestions within the app.
3. Device Permissions
ToolBud requests the following device permissions:
Camera
Used to photograph tools for AI-assisted identification. Photos are processed by OpenAI and then deleted. You can decline camera access and use your photo library instead.
Photo Library
Used to select tool photos for AI identification, upload a profile avatar, and capture session evidence (checkout and return condition photos).
Contacts
Used on-device only to suggest neighbors you may want to invite to ToolBud. Contact data is never uploaded or stored. A soft prompt explains this before the system permission dialog appears.
Push Notifications
Used to deliver borrow requests, session updates, messages, and friend activity. You can manage notification preferences per category in the app under Profile > Notifications. Some session-critical notifications cannot be fully disabled.
We do not request location, microphone, or any other device permissions.
4. How We Use Your Information
- Community verification: Your address is matched against our community allowlist to determine your Ring 2 verified community membership.
- Tool sharing: Your tool inventory, availability settings, and session history enable the core borrowing and lending features.
- Communications: We send transactional notifications (push, email, SMS) for session events, friend activity, and account updates.
- Safety and trust: Session evidence photos, dispute records, and borrower ratings are used to maintain community trust and resolve disputes.
- AI tool identification: Tool photos are sent to OpenAI for identification and immediately deleted after processing.
- App improvement: Analytics events help us understand how features are used and where to improve the experience.
- Legal compliance: We retain certain records as required by applicable law.
5. Third-Party Services
Firebase / Google
We use Firebase Authentication, Firestore, Firebase Storage, Cloud Functions, and Firebase Cloud Messaging. All user data is stored and processed on Firebase infrastructure (Google Cloud). See Google's Privacy Policy at policies.google.com/privacy.
OpenAI
Tool scan photos are sent to OpenAI's API for identification. Photos are transmitted as image data only — no personally identifiable information (name, email, address, or phone) is included. Photos are deleted from our systems immediately after processing. See OpenAI's Privacy Policy at openai.com/privacy.
SendGrid (Twilio)
We use SendGrid to deliver transactional emails. Your email address and display name are shared with SendGrid for this purpose. All emails include a compliant unsubscribe link and our mailing address. See SendGrid's Privacy Policy at twilio.com/en-us/legal/privacy.
Twilio
We use Twilio to deliver SMS notifications. Your phone number is shared with Twilio for this purpose. All SMS messages include opt-out instructions ("Reply STOP to opt out"). See Twilio's Privacy Policy at twilio.com/en-us/legal/privacy.
Expo
We use Expo's platform for push notification token management and app builds. See Expo's Privacy Policy at expo.dev/privacy.
7. Data Retention
We retain your data for as long as your account is active. When you delete your account:
- Your personal information (name, email, phone, address, date of birth, photos) is deleted from your user profile.
- Your display name is replaced with "Deleted User."
- Your push tokens, device records, and notification settings are deleted.
- Your Firebase Authentication record is deleted.
Session records and dispute records may be retained in anonymized or limited form as required for dispute resolution and legal compliance. Tool listings you created may be retained in anonymized form.
AI tool scan photos are deleted immediately after processing. Orphaned scan uploads are automatically purged every 6 hours.
8. Security
We implement multiple layers of security to protect your information:
- Firestore security rules enforce that users can only read and write their own data. Server-managed fields (community verification, session status, ratings) cannot be written by clients.
- Session evidence photos are immutable once submitted and accessible only via time-limited signed URLs (10-minute expiry).
- Unsubscribe links use HMAC-SHA256 signed tokens with 30-day expiry and timing-safe verification.
- All data is transmitted over HTTPS/TLS.
- Firebase App Check is used to verify that requests originate from the legitimate ToolBud app.
- Admin access requires a verified Firebase custom claim and is not accessible to regular users.
No system is perfectly secure. If you believe your account has been compromised, contact us immediately at support@toolbudapp.com.
9. Your Rights & Choices
Notification Preferences
You can manage push, email, and SMS notification preferences per category in Profile > Notifications. Some session-critical notifications cannot be fully disabled. You can unsubscribe from emails via the unsubscribe link in any email. You can opt out of SMS by replying STOP.
Access & Correction
You can view and update your profile information at any time within the app.
Account Deletion
You can delete your account from the app. Upon deletion, your personal information is removed as described in Section 7.
California Residents (CCPA)
California residents have the right to know what personal information we collect, to request deletion of their personal information, and to opt out of the sale of personal information (we do not sell personal information). To exercise these rights, contact us at support@toolbudapp.com.
EEA/UK Residents (GDPR)
If you are located in the European Economic Area or United Kingdom, you have rights including access, rectification, erasure, restriction, portability, and objection. Our legal basis for processing is performance of a contract (to provide the service) and legitimate interests (safety and fraud prevention). Contact us to exercise your rights.
10. Children's Privacy
ToolBud is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, contact us immediately and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. For material changes, we will notify you via email or in-app notification. Your continued use of ToolBud after changes are posted constitutes your acceptance of the updated policy.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal information: