Privacy Policy
Last updated: April 24, 2026
McGill & Co. Designs (“we,” “us,” or “our”) respects your privacy. This Privacy Policy describes the information we collect when you visit mcgillcodesigns.com (the “Site”), submit our contact form, book a consultation, engage our services, or use the McGill client portal (the “Portal”), and how we use, share, retain, and protect that information.
1. Information you provide
You provide information directly when you:
- Submit the contact form or booking gate. Name, email, phone number, ZIP code, city, service or project interest, budget range, approximate square footage, and any message you include.
- Book a consultation. When you click a “Book Consultation” button we first collect four contact fields through the pre-booking form, then redirect you to Microsoft Bookings, which collects additional scheduling information under Microsoft’s privacy practices.
- Request a renovation quote or use the cost estimator. Service selections, project scope indicators, ZIP code, and contact details.
- Create a Portal account. Email, display name, password (stored hashed by Supabase Auth), and any profile data you add.
- Work with us on a project. Project photos, inspiration images, floor plans, addresses, budget information, selections, messages, invoices, payment details processed by Stripe, and documents you upload or we generate for your project.
- Communicate with us. Any information you share in email, phone calls, text messages, or in-person meetings.
- Approve selections in the Portal. When you approve a selection item (a finish, fixture, material, or similar choice), the Portal captures the name you type in the signature field, a timestamp, and a one-way hashed fingerprint of the IP address that submitted the approval. The hash is used only to verify that the same approver submitted the record if a later dispute arises; we do not retain the raw IP address.
- Use AI-assisted rendering (TrueSpec Restyle). When you upload a photo for AI rendering, we send that image and your prompt to our AI rendering partners to produce the output. The source photo is stored in our database with your account so you can regenerate or share it. See Section 4 for the processors involved.
2. Information collected automatically
- Analytics. Pages visited, approximate location, device type, browser, and referrer. We use Vercel Analytics (cookie-free) and, when enabled, Plausible (cookie-free). Neither service creates a persistent profile of you.
- Marketing attribution. UTM parameters and referrer information are captured when you arrive from a link that includes them, so we know which campaigns, partners, or referral sources produced an inquiry.
- Google Ads conversion pixel. If you arrive from a Google Ads campaign and submit a conversion event, the Google Ads tag records that fact so we can measure campaign effectiveness.
- Anti-abuse. Google reCAPTCHA v3 runs on the contact form and booking gate to distinguish humans from bots. reCAPTCHA collects device and behavioral signals under Google’s privacy policy.
- Server logs. Our hosting provider (Vercel) records standard HTTP logs including IP address, timestamp, URL, and user-agent for security and reliability purposes.
3. Why we collect and use your information
We use the information we collect to:
- Respond to your inquiry, schedule a call, and prepare a consultation;
- Evaluate project fit and provide a Statement of Work or estimate;
- Deliver design, rendering, consulting, and design-build Services under a signed Service Agreement;
- Operate the Portal: accounts, messages, documents, invoices, payments, selections, and project schedules;
- Send transactional email (inquiries, invoices, portal invites, appointment confirmations, project updates);
- Send periodic marketing emails ONLY to contacts who have opted in or engaged our services; you can unsubscribe any time;
- Measure website and campaign performance using anonymized analytics;
- Protect the Site, Portal, and our users from abuse, fraud, and security threats;
- Comply with legal, tax, and accounting obligations.
4. Service providers we share with
We do not sell, rent, or trade your personal information. We share information with vetted third-party service providers only as necessary to operate our business. Each of the following processes a specific set of data on our behalf under contractual confidentiality and security obligations:
- Supabase — database and authentication hosting for the Portal. Stores client records, project data, messages, uploaded documents, and hashed passwords.
- Vercel — website hosting, serverless compute, and anonymous analytics.
- Resend — transactional email delivery (inquiries, portal invites, invoices, appointment alerts).
- Stripe — payment processing and invoice management. We do not store your full credit-card number on our servers; card data is handled directly by Stripe, which is PCI-DSS Level 1 certified.
- Microsoft Bookings — scheduling the consultation you book.
- Google reCAPTCHA — bot mitigation on the contact form and booking gate.
- Google Ads — conversion measurement for paid-search campaigns, when you arrive from one.
- Plausible Analytics — cookie-free traffic analytics, when enabled.
- Anthropic — large-language-model processing for AI-assisted features (proposal drafting, Code Guide assistant, daily-log project recaps that summarize site-visit notes into a homeowner-friendly update posted to your Portal). We send only the minimum context required to produce the output; we do not train Anthropic models on your data.
- fal.ai and Google Gemini (via fal.ai) — AI image rendering backends used by TrueSpec Restyle. We send the photo you upload and a text prompt describing the requested style. These providers do not retain your images after the render completes.
- api.zippopotam.us — US ZIP-code lookup that auto-fills city and state when you type a ZIP. Your IP and the ZIP you typed are sent to this third party; no other contact data is shared with it.
- Partner builders and subcontractors. When your project includes construction, we share project-specific information (plans, schedules, contact information) with the build partner identified in your Service Agreement and with vetted subcontractors on a need-to-know basis.
We may also disclose information if required by law, court order, or regulatory request, or to protect the rights, property, or safety of McGill & Co. Designs, our clients, or the public.
5. Cookies and tracking
We use the minimum number of cookies required for the Site and Portal to function. Specifically:
- Session cookies set by Supabase Auth to keep you signed in to the Portal.
- Theme preference stored in your browser’s local storage (not a cookie) so the Site remembers your light/dark mode choice.
- Google Ads conversion cookies, set when you arrive from a Google Ads campaign, for conversion measurement only.
- reCAPTCHA cookies, set by Google on the contact form and booking gate for bot detection.
Our core analytics (Vercel, Plausible) are configured to be cookie-free.
6. Data retention
- Active client records — retained for the life of the engagement and afterward as long as needed for tax, accounting, legal, or warranty obligations (typically 7 years).
- Inquiries that do not convert — up to 24 months, then deleted or anonymized.
- Project media, documents, and messages — retained with the client record; former clients may request deletion after the retention period above.
- Server logs and analytics — retained for the default period of the processor (typically 30-90 days).
7. Your rights
Regardless of where you live, you can email Dylan@McGillCoDesigns.com to:
- Access the personal information we hold about you;
- Correct inaccurate or outdated information;
- Request deletion of information that we are not legally required to retain;
- Opt out of marketing email (use the unsubscribe link);
- Request a copy of your Portal data in a portable format.
We will respond within 30 days. If you are a California, EU/UK, Canadian, or other jurisdiction resident with additional statutory rights (such as under CCPA/CPRA, GDPR, UK GDPR, or PIPEDA), we will honor those rights to the extent they apply to us.
8. Security
We use industry-standard controls to protect your information, including HTTPS in transit, encrypted storage at rest on our database host, hashed passwords via Supabase Auth, Row-Level Security policies scoping Portal data to each client’s own account, signed-webhook verification on payment events, and reCAPTCHA and rate-limiting on public forms. No system is 100% secure, but we work to protect your data to a commercially reasonable standard consistent with its sensitivity.
If we become aware of a data incident affecting your personal information, we will notify you as required by applicable law.
9. Children’s privacy
The Site, Portal, and our Services are directed to adults. We do not knowingly collect personal information from children under 13. If you believe a child has provided us personal information, contact us and we will delete it.
10. International users
McGill & Co. Designs is based in North Carolina, United States. If you access the Site from outside the US, you understand that your information will be transferred to and processed in the United States and stored by service providers located in the United States and the European Union, where privacy protections may differ from those in your home country. Your continued use of the Site constitutes consent to that transfer.
11. Do Not Track
Some browsers send a “Do Not Track” signal. There is currently no industry standard for how websites should respond to DNT signals. The Site does not change its behavior in response to DNT signals, but we do honor explicit opt-out requests you email to us.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top shows when the current version took effect. Material changes will be flagged on this page or by email to active clients.
13. Contact
Questions about this Privacy Policy? Email Dylan@McGillCoDesigns.com or call (919) 588-1304. Mailing address available on request.