Privacy Notice

Visionary Solution LLC · BizDiag · Flowcast · EstimateAI

Effective: April 20, 2026

🔒 Our Promise

We never sell your personal information. We never share your data between tenants. Your business data stays yours. We collect only what is necessary to provide our AI-powered services, and we honor your privacy rights under GDPR, CCPA, and Colorado law.

1. Who We Are

Visionary Solution LLC is a Colorado limited liability company that operates three AI-powered business tools:

  • BizDiag — AI business diagnostics for small businesses
  • Flowcast — AI-powered cash flow forecasting
  • EstimateAI — AI contractor estimation and job-site photo analysis

This Privacy Notice applies to all three products and our website at visionaryconsultant.net.

Controller: Visionary Solution LLC

Jurisdiction: Colorado, United States

Privacy Contact: privacy@visionarysolution.net

2. What Data We Collect

2.1 Data You Provide

| Category | Examples | Products |
|---|---|---|
| Account Information | Name, email address, phone number, company name, password hash | All |
| Business Data | Business type, revenue, employee count, years in operation, locations | BizDiag, Flowcast |
| Financial Documents | P&L statements, bank statements, invoices, accounting exports | BizDiag, Flowcast |
| Uploaded Files & Photos | Job-site photos, blueprints, receipts, financial documents | EstimateAI, BizDiag |
| Client Information | Client names, emails, phone numbers, addresses | EstimateAI |
| Custom Pricing | Material rates, labor rates, markup percentages | EstimateAI |
| AI-Generated Outputs | Diagnostic scores, forecasts, estimates, recommendations | All |

2.2 Data Collected Automatically

| Category | Examples | Purpose |
|---|---|---|
| Usage Data | Pages visited, features used, session duration, click patterns | Service improvement, analytics |
| Device & Technical Data | Browser type, OS, screen resolution, IP address | Security, debugging, compatibility |
| Cookies & Tracking | Session cookies, essential cookies, analytics cookies (opt-in) | Authentication, service functionality |

2.3 CCPA Category Mapping

For California residents, the following maps our data to CCPA personal information categories (§1798.140(v)):

| CCPA Category | What We Collect |
|---|---|
| Identifiers | Name, email, phone, IP address |
| Commercial Information | Business type, revenue, purchase history, estimates |
| Financial Data | Bank statements, P&L statements, cash flow data |
| Internet Activity | Pages visited, features used, session data |
| Inferences | AI-generated diagnostics, forecasts, estimates |

Sources: We collect data directly from you, automatically through your use of the Services, and from our authorized service providers.

3. How We Use Your Data

| Purpose | Description | Data Used |
|---|---|---|
| Service Provision | Provide, maintain, and operate the AI-powered services you signed up for | Account, business, financial, uploaded files |
| AI Processing | Analyze your data to generate diagnostics, forecasts, estimates, and recommendations | Business data, financial documents, photos, custom pricing |
| Service Improvement | Improve features, AI accuracy, and user experience using anonymized, aggregated data | Usage data, anonymized outputs |
| Communication | Service notifications, billing updates, security alerts, support responses | Email, account data |
| Security & Fraud | Detect and prevent fraud, abuse, unauthorized access, and security incidents | Device data, usage data, IP address |
| Legal Compliance | Fulfill legal obligations, respond to lawful requests, enforce our terms | As required by law |

We do NOT: sell your personal information, use your data for advertising third-party products, build consumer profiles for credit/insurance/employment, or share individual data between tenants.

4. Lawful Basis for Processing

4.1 GDPR (EU/EEA Residents)

Under the GDPR, we process your personal data on the following lawful bases:

| Processing Activity | Lawful Basis | Article |
|---|---|---|
| Account creation & authentication | Contract | Art. 6(1)(b) |
| Business/financial data processing (core service) | Contract | Art. 6(1)(b) |
| AI analysis of uploaded files & photos | Contract + Legitimate Interest | Art. 6(1)(b) & (f) |
| Data sharing with sub-processors | Contract | Art. 6(1)(b) |
| Service improvement (anonymized/aggregated) | Legitimate Interest | Art. 6(1)(f) |
| Security & fraud prevention | Legitimate Interest | Art. 6(1)(f) |
| Usage analytics (non-essential) | Consent | Art. 6(1)(a) |
| Marketing communications | Consent | Art. 6(1)(a) |

Where processing is based on consent, you may withdraw consent at any time by contacting privacy@visionarysolution.net. Withdrawal does not affect the lawfulness of processing before withdrawal.

4.2 CCPA/CPRA (California Residents)

Under the CCPA, we collect and use your personal information for the following business purposes:

  • Providing our services as requested by you
  • Auditing related to counting ad impressions or security
  • Debugging to identify and repair errors
  • Short-term, transient use (e.g., page customization)
  • Service improvement and feature development
  • Detecting and preventing fraud and security incidents

5. Data Sharing & Vendors

⚠️ We do NOT sell, rent, or trade your personal information. We share data only with service providers who process data on our behalf under contractual obligations, or as required by law.

We share data with the following categories of third parties:

Supabase

Data Processor

Purpose: Database hosting, authentication, file storage

Stores your account data, business data, uploaded files, and AI outputs. Supabase is SOC 2 Type II certified and acts as a data processor under our instructions. Data is hosted in the United States and EU (Ireland).

Cloudflare

Data Processor

Purpose: CDN, DDoS protection, DNS, SSL termination

Processes HTTP requests to deliver the Services and protect against attacks. May temporarily log IP addresses and request metadata. Does not store your business data.

Resend

Data Processor

Purpose: Transactional email delivery

Sends service-related emails (password resets, notifications, billing) on our behalf. Processes only email addresses and email content needed for delivery.

Google Cloud

Data Processor

Purpose: AI API processing (model inference)

When you use AI features, data may be sent to Google Cloud APIs for processing. Per Google's API data usage policy, your data is not used for model training. Results are returned to your account and not stored by Google beyond the processing request.

5.1 Other Disclosures

We may also disclose your information:

  • To protect rights: As necessary to enforce our terms, protect our rights, or defend against legal claims
  • Law enforcement: When required by law, subpoena, court order, or government request
  • Business transfers: In connection with a merger, acquisition, or sale of assets (you will be notified via email)

5.2 Data Processing Agreements

We maintain Data Processing Agreements (DPAs) with all vendors who process personal data on our behalf, in accordance with GDPR Article 28. These agreements ensure that processors handle your data only as instructed, implement appropriate security measures, and assist with data subject rights requests.

6. International Data Transfers

Our services are accessible globally. If you access our services from outside the United States, your data may be transferred to and processed in the United States and the European Union.

For transfers of personal data from the EU/EEA to the United States, we rely on the following safeguards:

  • EU-U.S. Data Privacy Framework: We comply with the EU-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce. This framework provides an adequate level of protection for personal data transferred from the EU to certified U.S. organizations.
  • Standard Contractual Clauses (SCCs): Where the Data Privacy Framework does not apply, we implement the European Commission's Standard Contractual Clauses (2021 version) with our data processors to ensure appropriate safeguards for international transfers.
  • Transfer Impact Assessments: We conduct transfer impact assessments to evaluate the adequacy of protection for personal data transferred to the United States, considering the legal framework and surveillance landscape.

Supabase hosts data in both the US and EU (Ireland). Cloudflare and Resend process data primarily in the US. Google Cloud API processing occurs in US data centers.

7. Your Rights

7.1 GDPR Rights (EU/EEA Residents)

If you are a resident of the EU/EEA, you have the following rights under the GDPR:

Right of Access (Art. 15)

Request a copy of all personal data we hold about you, along with processing details.

Right to Rectification (Art. 16)

Correct inaccurate personal data or complete incomplete data we hold about you.

Right to Erasure (Art. 17)

Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.

Right to Restrict Processing (Art. 18)

Request that we limit how we process your data while a dispute is resolved.

Right to Data Portability (Art. 20)

Receive your data in a structured, commonly used, machine-readable format (JSON/CSV) and have it transmitted to another controller.

Right to Object (Art. 21)

Object to processing based on legitimate interests, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.

Right to Withdraw Consent (Art. 7)

Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of prior processing.

Right Regarding Automated Decisions (Art. 22)

Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects, with the right to obtain human intervention.

7.2 CCPA/CPRA Rights (California Residents)

If you are a California resident, you have the following rights under the CCPA/CPRA:

Right to Know / Access (§1798.100)

Request disclosure of the categories and specific pieces of personal information we collect, how we use it, and to whom we disclose it.

Right to Delete (§1798.105)

Request deletion of your personal information from our records, subject to certain exceptions.

Right to Correct (§1798.106)

Request correction of inaccurate personal information we maintain about you.

Right to Opt-Out of Sale/Sharing (§1798.120)

Direct us not to sell or share your personal information. We do not sell or share your personal information for cross-context behavioral advertising.

Right to Non-Discrimination (§1798.125)

We will not discriminate against you for exercising your privacy rights — you will not receive a different quality of service or be charged different prices.

Right to Limit Use of Sensitive Personal Information (§1798.121)

Request that we limit our use of sensitive personal information to what is necessary to provide the Services.

7.3 Exercising Your Rights

To exercise any of the rights above:

Response times: GDPR requests: within 30 days (extendable by 60 days for complex requests). CCPA requests: within 45 days (extendable by 45 days). Colorado CPA requests: within 45 days. We will acknowledge receipt within 5 business days.

Verification: We will verify your identity before processing your request, typically by matching your email address or account credentials. For sensitive requests (deletion, access), we may require additional verification.

Authorized agents: You may designate an authorized agent to submit requests on your behalf. We require proof of authorization and verification of your identity.

8. Colorado Privacy Rights

As a Colorado-domiciled company, we are subject to the Colorado Privacy Act (CPA), C.R.S. § 6-1-1301 et seq. Colorado consumers have the following rights:

Right to Access

Confirm whether we process your personal data and obtain a copy of that data.

Right to Correction

Correct inaccuracies in your personal data.

Right to Deletion

Request deletion of your personal data.

Right to Data Portability

Receive your personal data in a portable, readily usable format.

Right to Opt-Out of Profiling

Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning you. Our AI products (BizDiag, Flowcast, EstimateAI) use automated processing to generate business insights, diagnostics, and estimates. You may opt out of such profiling by contacting privacy@visionarysolution.net or using the in-app settings. If you opt out of profiling, we will offer a human review alternative where feasible.

Right to Opt-Out of Sale & Targeted Advertising

Opt out of the sale of your personal data or processing for targeted advertising. We do not sell your data or engage in targeted advertising.

Right to Limit Sensitive Data Processing

Limit the processing of your sensitive data (which may include financial data) to what is necessary to provide the Services.

8.1 Colorado Appeal Process

If we decline to take action on your privacy rights request, you have the right to appeal our decision within 45 days of receiving our response. To file an appeal:

  • Email privacy@visionarysolution.net with the subject line "Privacy Appeal — [Your Name]"
  • Include the date of your original request and our response
  • Explain why you believe our decision should be reconsidered

We will respond to your appeal within 45 days. If your appeal is denied, you may file a complaint with the Colorado Attorney General's Office (see Section 15).

8.2 Universal Opt-Out & Colorado CPA

Colorado recognizes universal opt-out mechanisms. We honor the Global Privacy Control (GPC) signal as a valid opt-out request for the sale of personal data, targeted advertising, and profiling, as required by the CPA.

9. Do Not Sell or Share My Personal Information

🚫 We Do Not Sell or Share Your Personal Information

We have never sold, and will never sell, your personal information. We also do not share your personal information for cross-context behavioral advertising purposes.

California law requires us to provide a clear and conspicuous link titled "Do Not Sell or Share My Personal Information." Even though we do not sell or share your data, we provide this mechanism so you can formally register your opt-out preference:

Do Not Sell or Share My Personal Information

Clicking this link opens your email client to send an opt-out request. You may also use the Global Privacy Control signal.

Because we do not sell or share your personal information, exercising this right will not change how we treat your data — we already maintain the highest standard of not selling or sharing your information.

10. Global Privacy Control (GPC)

We honor the Global Privacy Control (GPC) signal.

The GPC is a browser-level signal that communicates your privacy preferences to websites. When your browser sends the GPC signal (the Sec-GPC: 1 header or navigator.globalPrivacyControl JavaScript property), we will treat it as:

  • CCPA: A request to opt out of the sale or sharing of your personal information
  • Colorado CPA: A universal opt-out request for sale, targeted advertising, and profiling
  • Other jurisdictions: A privacy opt-out preference that we will honor to the extent applicable

Since we do not sell or share your personal information, the GPC signal does not change our data practices — but we recognize and respect it as a matter of principle and compliance.

To enable GPC in your browser, install the Global Privacy Control extension or use a browser that supports it natively.

11. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this notice, comply with legal obligations, or resolve disputes.

| Data Category | Retention Period | Notes |
|---|---|---|
| Account Information | Duration of account + 2 years post-closure | Retained for legal/contractual obligations |
| Business & Financial Data | Duration of account + 2 years post-closure | Retained for continuity and legal compliance |
| AI-Generated Outputs | Duration of account + 2 years post-closure | Stored with your account data |
| Uploaded Files & Photos | Until deletion request or 90 days post-account closure | Auto-deleted earlier for some products (14-day for BizDiag diagnostics) |
| Usage & Analytics Data | 24 months, then anonymized | Anonymized data may be retained indefinitely |
| Audit Logs | 12 months (append-only) | Security and compliance |
| Backups | 30 days | Backup rotation period; deleted data purged from backups within 30 days |

Upon account deletion, we will delete your primary data within 14 days and purge it from backup systems within 30 days, except where retention is required by law. You may request an earlier deletion by contacting privacy@visionarysolution.net.

12. Data Security

We implement industry-standard technical and organizational measures to protect your personal data:

  • Encryption in transit: TLS 1.2+ for all data in transit; TLS 1.3 where supported
  • Encryption at rest: AES-256 encryption for stored data via Supabase/AWS infrastructure
  • Row-Level Security (RLS): Every database table has RLS policies ensuring complete tenant isolation — your data is never visible to other users
  • Authentication: Supabase Auth with secure password hashing; we never see your password
  • Access controls: Least-privilege access; only authorized personnel and systems can access production data
  • Audit logging: All data modifications are logged in an append-only audit log
  • Incident response: Documented breach response plan with 72-hour supervisory authority notification (GDPR)
  • Multi-tenant isolation: API endpoints validate tenant ownership before returning any records; cross-tenant data leakage is treated as a critical security incident

13. Children's Privacy

Our Services are business tools not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If we discover that we have collected personal information from a child under 18, we will delete it promptly. If you believe we have inadvertently collected data from a minor, please contact us at privacy@visionarysolution.net.

14. Changes to This Notice

We may update this Privacy Notice from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

  • Material changes: We will notify you via email at least 30 days before they take effect
  • Non-material changes: Updated notice will be posted on this page with a revised effective date
  • Version history: Prior versions are available upon request

We encourage you to review this page periodically to stay informed about how we protect your data.

15. Contact & Complaint Channels

Contact Us

Company: Visionary Solution LLC

Privacy Email: privacy@visionarysolution.net

Jurisdiction: Colorado, United States

If you are unsatisfied with our response to a privacy request, you have the right to lodge a complaint with the following authorities:

CCPA / California

California Privacy Protection Agency (CPPA)

cppa.ca.gov

California Attorney General

oag.ca.gov/privacy

Colorado

Colorado Attorney General — Consumer Protection Section

coag.gov

Phone: (720) 508-6006

EU/EEA (GDPR)

Your Local Data Protection Authority (Supervisory Authority)

You may lodge a complaint with the supervisory authority in the EU member state where you reside, work, or where the alleged infringement occurred.

Filing a complaint with a supervisory authority does not preclude you from seeking other remedies available under applicable law.