Privacy Policy

Plumb is operated by BKM Ventures LLC (“Plumb,” “we,” “us”). We run an automated drawing-review platform at plumbreview.com.

Account information. When you sign up, we collect your email address, password (hashed), shop name, and primary trade. We use these to identify and contact you.

Drawings. When you submit a drawing for review, we receive the PDF file you upload plus the metadata you provide (project name, sheet count, package type, tier, notes). These are treated as confidential per our Terms of Service.

Payment information. Card details are collected and stored by Stripe, not by Plumb. We receive only a customer ID, subscription state, and billing-event metadata from Stripe. We never see or store your card number, CVC, or expiration.

Usage data. We log the reviews you submit, sheet counts, tier selections, and anonymized timing/cost data to operate the platform, bill correctly, and improve quality.

Operational logs. Standard web logs (IP address, user agent, timestamps) are retained for 30 days for security and debugging purposes.

• Deliver the reviews you request.
• Bill you correctly under your selected plan.
• Send you transactional emails (review delivery, payment receipts, trial reminders).
• Improve the Plumb prompt, library, and pipeline based on aggregated review patterns — never on your raw drawings as training data.
• Detect and prevent abuse.
• Respond to your support requests.

We will not use your drawings to train any AI model, including the Anthropic models that process your reviews. Anthropic’s API terms explicitly prohibit using API-submitted data for model training.

We rely on the following third-party services to deliver Plumb. Each is bound by its own data-processing terms:

• Supabase(PostgreSQL database, authentication, file storage) — account data, subscription state, drawing files, deliverables.
• Stripe(payments + billing) — payment processing, subscription management.
• Anthropic(AI reviewer engine) — receives drawing PDFs and structured prompt context to produce findings. Anthropic does not retain data from API submissions for model training.
• Modal(asynchronous worker compute) — runs the review pipeline that orchestrates Anthropic + our build scripts.
• Resend(transactional email) — sends review-completion, trial-ending, payment-failure, and similar emails to you.
• Vercel(web hosting + CDN) — hosts the plumbreview.com web application.
• GitHub(source-control + deploy) — stores Plumb’s application code, not customer data.

We do not sell your data to advertisers, brokers, or third parties for marketing purposes.

Source drawings— deleted from Plumb-controlled storage 30 days after upload.

Deliverables (marked PDF + Excel)— retained on Plumb-controlled storage for 90 days from delivery, after which the dashboard download links expire. Archive what you need long-term.

Findings JSON + order metadata— retained for the life of your account plus 1 year for audit and accounting purposes.

Account data— retained until you delete your account. After deletion, we retain billing records as required by tax law (typically 7 years) but anonymize them where possible.

You may at any time:

• Access the data we hold about you by emailing hello@plumbreview.com.
• Request correction of inaccurate data.
• Request deletion of your account and associated data. Note: we retain billing records as required by law.
• Export your historical findings JSON via the dashboard.
• Withdraw consent for processing (which will require terminating your account, since processing is necessary to deliver the Service).

If you are in the EU/EEA or UK, you have additional rights under GDPR. If you are in California, you have additional rights under CCPA. Contact us to exercise them.

We use only what we need to make the Service work:

• An authentication session cookie (set by Supabase) so you stay logged in.
• Stripe’s checkout session cookies during the checkout flow.

We do not use Google Analytics, Facebook Pixel, or other behavioral-tracking services as of the date above. If we add analytics in the future, we will update this page and notify active users.

We use industry-standard security practices including TLS for all data in transit, encryption at rest for stored drawings, role-based access control via Supabase Row Level Security, and secret rotation. No system is 100% secure; if we detect a breach affecting your data, we will notify you within 72 hours of discovery as required by applicable law.

Plumb is a B2B fabrication-review service. We do not knowingly collect data from anyone under 16. If you believe we have collected data from a minor, contact us and we will delete it.

Plumb’s servers and subprocessors are primarily located in the United States. If you submit data from outside the US, you consent to the transfer of that data to the US for processing. Where required by law, we use standard contractual clauses with subprocessors.

We may update this policy from time to time. We will notify active subscribers of material changes by email at least 14 days before the change takes effect.

Privacy questions? Email hello@plumbreview.com. For data-subject access requests (GDPR/CCPA), please use that same email with the subject line “Privacy Request”.