Privacy Policy
Last updated: May 2026
RKServicesPDX (“we”, “us”) is a local home-services business based in Portland, Oregon. This policy explains what information we collect through this website and our mobile app, how we use it, who we share it with, how long we keep it, and the choices and rights you have. We wrote it in plain English on purpose.
Information we collect
- Contact details you submit: name, email, phone (optional), and service address when you request a quote.
- Service photos: before/after photos taken on the job, with your consent.
- Account info: if you sign in to the customer portal, the email or phone we use to send your magic link.
- Payment info: handled directly by our payment processor (PayPal, when enabled) - we don't store credit card numbers on our servers.
- Marketing-campaign attribution: when you arrive from an ad or referral, the URL parameters (UTM source / medium / campaign, ad click IDs) are captured so we know which channels work. Stored only within your current browser tab unless you've accepted the Preferences cookie category.
- Analytics data (only if you've consented): anonymous usage stats from Google Analytics 4 and session replay from Microsoft Clarity.
- Marketing identifiers (only if you've consented): Meta Pixel, TikTok Pixel, Google Ads, and Bing UET cookies used for ad attribution and conversion tracking.
- Device and usage info: basic, aggregated server logs (IP, user-agent, timestamp) used for security and to keep the site running.
How we use it
- Respond to inquiries and deliver the services you requested.
- Schedule appointments and send appointment, ETA, and status updates (SMS and push notifications are opt-in).
- Improve the site's reliability, security, and user experience.
- Measure marketing-campaign effectiveness - which ads, search keywords, or pages actually bring people who need our help.
- Meet legal, tax, and accounting obligations (invoices, receipts).
- We do not sell your personal information for money.
Third parties we share with
We rely on a small number of well-known infrastructure providers and (when you give consent) marketing-analytics tools. Each only sees what it needs to do its job. Links go to each provider's own privacy policy.
- Vercel - website hosting, static asset delivery, and anonymous first-party performance telemetry (Vercel Analytics + Speed Insights). Privacy policy.
- Turso - database that stores leads, quotes, and account records. Privacy policy.
- Google (Gmail) - used internally to email us about new leads and opt-out requests. Privacy policy.
- PayPal (when enabled) - payment processing for invoices. PayPal handles card and bank data directly; we never see it. Privacy policy.
- Twilio (when enabled) - SMS for appointment confirmations and status updates. Privacy policy.
- Sentry - application error monitoring and crash diagnostics. Receives error events and stack traces, which can include your IP address and the page you were on when something broke. Privacy policy.
- Upstash (Redis) - rate-limiting counters that protect our forms and API from abuse. Stores short-lived request counts keyed to a hashed identifier; no personal information. Privacy policy.
- Sign in with Google - when you choose this option, Google authenticates you and shares your email and basic profile with us so we can create and access your account. Privacy policy.
- Sign in with Apple - when you choose this option, Apple authenticates you and shares your email (or a private relay address) so we can create and access your account. Privacy policy.
- Google (Gmail) - the mail service we use to send transactional email (quotes, confirmations, magic links). Receives the recipient email address and the message content. Privacy policy.
- Vercel Blob - file storage for images you or our team upload, such as before/after job photos. Holds the image files and their metadata. Privacy policy.
- Web Push services - deliver the browser push notifications you opt into (appointment and status updates). Receive a device push token, not your identity. Privacy policy.
- OpenStreetMap Nominatim - admin-only address geocoding used to verify service-area coverage. Receives the address being checked. Privacy policy.
- Google Analytics 4 - anonymous traffic + engagement analytics. Loads only after you accept Analytics cookies. Privacy policy.
- Microsoft Clarity - heatmaps + session replay. Loads only after you accept Analytics cookies. Privacy policy.
- Microsoft Ads (Bing UET) - conversion tracking for Microsoft Ads campaigns. Loads only after you accept Marketing cookies. Privacy policy.
- Meta (Facebook + Instagram) Pixel - ad attribution + retargeting. Loads only after you accept Marketing cookies. Privacy policy.
- TikTok Pixel - ad attribution + retargeting. Loads only after you accept Marketing cookies. Privacy policy.
- Google Ads - conversion tracking. Loads only after you accept Marketing cookies. Privacy policy.
Vercel Analytics + Speed Insights collect anonymous, cookieless performance data (no cross-site identifiers, no precise location, no PII). We treat that as essential first-party telemetry and it loads on all visits.
Legal bases (GDPR / UK GDPR)
For visitors in the EU, UK, or EEA, we rely on the following legal bases. The applicable basis depends on what data is being processed and why.
- Contract: we need your contact details and service address to deliver the service you requested.
- Consent: marketing + analytics cookies load only after you grant consent through the cookie banner. You can withdraw consent at any time.
- Legitimate interest: essential first-party performance telemetry, basic security logging, and fraud prevention.
- Legal obligation: tax and accounting records we're required to keep under U.S. and Oregon law.
Your rights
No matter where you live, you can ask us to:
- See what data we hold about you (right of access).
- Correct anything that's wrong (right of rectification).
- Delete your data, subject to legal-retention limits (right to erasure).
- Get a copy in a portable format (data portability).
- Withdraw consent for marketing / analytics cookies at any time via the Cookie Settings button in the footer or on the /cookie-policy page.
- Tell us not to share your data with marketing or analytics partners (see /do-not-sell).
To make any of these requests, see /data-deletion for the exact process, or email rkservicespdx@gmail.com.
For data portability specifically, signed-in customers can self-serve a full machine-readable export from /portal/settings - the “Download my data” button hits the export endpoint and returns a JSON file containing your account record, leads, customers, quotes, jobs, reviews, and the audit-log entries you yourself triggered.
For deletion specifically, signed-in customers can delete their own account immediately from /portal/settings - the “Delete my account now” option erases your account and personal data right away. We keep de-identified records of completed work (such as quote and job totals with no name, email, phone, or address attached) where we're required to for tax or legal reasons. You can also email us to request deletion if you prefer.
How quickly we respond: we act on rights requests within 45 days. If your request is complex or you've made several, we may extend by another 45 days, and we'll tell you why within the first 45.
Correcting your information (rectification): if something we hold about you is wrong, email rkservicespdx@gmail.com and tell us what to fix, or - if you have a portal account - update your details directly at /portal/settings. We'll correct it and, where required, ask the partners we shared it with to do the same.
Appealing a decision: if we deny your request, you may appeal by emailing privacy@rkservicespdx.com with the subject APPEAL. We'll respond to your appeal within 60 days. If we deny it, Oregon residents may also raise the matter with the Oregon Department of Justice.
California residents (CCPA / CPRA)
If you live in California, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to know what categories of personal information we collect, the sources, and the purposes.
- Right to delete personal information we collect from you.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information with third parties for cross-context behavioral advertising.
- Right to limit use of sensitive personal information.
- Right to non-discrimination for exercising any of these rights.
We do not sell your personal information for money. We may “share” it (in the CPRA sense) with marketing and analytics partners - but only after you grant consent through the cookie banner. To opt out at any time, use the cookie banner, the Cookie Settings button in the footer, or visit /do-not-sell.
We do not knowingly collect “sensitive personal information” as defined by California law (Social Security numbers, financial-account credentials, precise geolocation, health data, biometric identifiers, contents of private mail/messages/email, etc.).
Oregon residents (OCPA)
The Oregon Consumer Privacy Act, effective July 1, 2024, gives Oregon residents rights similar to California's: the right to know, to correct, to delete, to obtain a portable copy, and to opt out of targeted advertising, profiling for decisions with legal effect, and the sale of personal data. We extend those rights to all Oregon residents as a good-faith posture, regardless of whether we meet the statute's commercial thresholds. To exercise any of these rights, email rkservicespdx@gmail.com or use /data-deletion.
Cookies & tracking
Essential cookies (sign-in, security, your saved cookie choices) are always on. Analytics, marketing, and preferences cookies load only after you grant consent through the cookie banner. See the cookie policy for the full list of cookies, who sets them, and how long they last.
Global Privacy Control (GPC) and Do Not Track signals
We honor the Global Privacy Control signal sent by your browser or a privacy extension. If your browser sends GPC=1 when you arrive, we automatically record a “reject non-essential” cookie choice - no analytics or marketing scripts load. You can still revisit Cookie Settings and opt into specific categories if you want. We also do not load tracking pixels for any visitor in response to a legacy Do Not Track header until they explicitly grant consent through the cookie banner.
Data security & safeguards
We protect the data we hold using commercially reasonable technical and organizational measures:
- All traffic between your browser and our site is encrypted with HTTPS / TLS.
- Customer portal sessions use signed, short-lived tokens; passwords are not stored - we use magic-link sign-in.
- Database access is restricted to a small number of authorized accounts with audit logging.
- Payment card data is never seen by our servers - it's handled directly by PayPal during checkout.
- Service photos and lead records are stored behind authenticated backends; access is limited to RKServicesPDX staff who need it to do the work.
- We patch and update our hosting, dependencies, and tooling on a regular cadence.
No system is perfectly secure. If you have a security concern, email rkservicespdx@gmail.com and we'll respond within one business day.
Authorized agents
California and Oregon residents may designate an authorized agent to make privacy requests on their behalf. We require: (1) a signed written authorization from you to the agent, and (2) verification of your identity (typically a reply confirming the email and phone on file). To submit an authorized-agent request, email rkservicespdx@gmail.com with the subject AUTHORIZED AGENT REQUEST and attach the authorization. We aim to respond within 15 business days.
International transfers
We host the site on Vercel (United States). Most of the analytics and marketing tools we use are also U.S.-based. If you access the site from outside the United States, your data is transferred to and processed in the United States. For EU/UK visitors we rely on the providers' published transfer mechanisms (Standard Contractual Clauses or equivalent - see each provider's privacy policy linked above).
How long we keep it
- Leads with no conversion: retained for 2 years, then deleted.
- Customer records: retained for 7 years to satisfy IRS and Oregon Department of Revenue requirements. Identifying details are redacted upon a verified deletion request, but anonymized financial records are kept.
- Service photos: deleted within 30 days of a deletion request.
- Server logs: retained 90 days.
- Third-party telemetry (analytics + ad pixels): subject to each vendor's retention. GA4 defaults to 14 months for event-level data; Microsoft Clarity defaults to 12 months; Bing UET (Microsoft Ads) retains for up to 13 months.
Children
Our services aren't directed at children under 13 and we don't knowingly collect information from them. When you create an account we ask for your date of birth and block account creation for anyone under 13 on the server, before any account is made - this is enforced in our systems, not just by a checkbox. If we learn we've received personal information from a child under 13 through any other channel, we will delete it.
Changes to this policy
We may update this policy occasionally. The “last updated” date at the top reflects the most recent change. Material changes will be communicated through the site or by direct email to active customers.
Contact
Questions about this policy or a data request? Email rkservicespdx@gmail.com or call (971) 757-0248.