Skip to main content
Legal

Privacy Policy

Last updated: May 2026

RKServicesPDX (“we”, “us”) is a local home-services business based in Portland, Oregon. This policy explains what information we collect through this website and our mobile app, how we use it, who we share it with, how long we keep it, and the choices and rights you have. We wrote it in plain English on purpose.

Information we collect

  • Contact details you submit: name, email, phone (optional), and service address when you request a quote.
  • Service photos: before/after photos taken on the job, with your consent.
  • Account info: if you sign in to the customer portal, the email or phone we use to send your magic link.
  • Payment info: handled directly by our payment processor (PayPal, when enabled) — we don't store credit card numbers on our servers.
  • Marketing-campaign attribution: when you arrive from an ad or referral, the URL parameters (UTM source / medium / campaign, ad click IDs) are captured so we know which channels work. Stored only within your current browser tab unless you've accepted the Preferences cookie category.
  • Analytics data (only if you've consented): anonymous usage stats from Google Analytics 4 and session replay from Microsoft Clarity.
  • Marketing identifiers (only if you've consented): Meta Pixel, TikTok Pixel, Google Ads, and Bing UET cookies used for ad attribution and conversion tracking.
  • Device and usage info: basic, aggregated server logs (IP, user-agent, timestamp) used for security and to keep the site running.

How we use it

  • Respond to inquiries and deliver the services you requested.
  • Schedule appointments and send appointment, ETA, and status updates (SMS and push notifications are opt-in).
  • Improve the site's reliability, security, and user experience.
  • Measure marketing-campaign effectiveness — which ads, search keywords, or pages actually bring people who need our help.
  • Meet legal, tax, and accounting obligations (invoices, receipts).
  • We do not sell your personal information for money.

Third parties we share with

We rely on a small number of well-known infrastructure providers and (when you give consent) marketing-analytics tools. Each only sees what it needs to do its job. Links go to each provider's own privacy policy.

  • Vercel — website hosting, static asset delivery, and anonymous first-party performance telemetry (Vercel Analytics + Speed Insights). Privacy policy.
  • Turso — database that stores leads, quotes, and account records. Privacy policy.
  • Telegram — used internally to notify me about new leads and opt-out requests. Privacy policy.
  • PayPal (when enabled) — payment processing for invoices. PayPal handles card and bank data directly; we never see it. Privacy policy.
  • Twilio (when enabled) — SMS for appointment confirmations and status updates. Privacy policy.
  • Google Analytics 4 — anonymous traffic + engagement analytics. Loads only after you accept Analytics cookies. Privacy policy.
  • Microsoft Clarity — heatmaps + session replay. Loads only after you accept Analytics cookies. Privacy policy.
  • Microsoft Ads (Bing UET) — conversion tracking for Microsoft Ads campaigns. Loads only after you accept Marketing cookies. Privacy policy.
  • Meta (Facebook + Instagram) Pixel — ad attribution + retargeting. Loads only after you accept Marketing cookies. Privacy policy.
  • TikTok Pixel — ad attribution + retargeting. Loads only after you accept Marketing cookies. Privacy policy.
  • Google Ads — conversion tracking. Loads only after you accept Marketing cookies. Privacy policy.

Vercel Analytics + Speed Insights collect anonymous, cookieless performance data (no cross-site identifiers, no precise location, no PII). We treat that as essential first-party telemetry and it loads on all visits.

Legal bases (GDPR / UK GDPR)

For visitors in the EU, UK, or EEA, we rely on the following legal bases. The applicable basis depends on what data is being processed and why.

  • Contract: we need your contact details and service address to deliver the service you requested.
  • Consent: marketing + analytics cookies load only after you grant consent through the cookie banner. You can withdraw consent at any time.
  • Legitimate interest: essential first-party performance telemetry, basic security logging, and fraud prevention.
  • Legal obligation: tax and accounting records we're required to keep under U.S. and Oregon law.

Your rights

No matter where you live, you can ask us to:

  • See what data we hold about you (right of access).
  • Correct anything that's wrong (right of rectification).
  • Delete your data, subject to legal-retention limits (right to erasure).
  • Get a copy in a portable format (data portability).
  • Withdraw consent for marketing / analytics cookies at any time via the Cookie Settings button in the footer or on the /cookie-policy page.
  • Tell us not to share your data with marketing or analytics partners (see /do-not-sell).

To make any of these requests, see /data-deletion for the exact process, or email contact@rkservicespdx.com.

For data portability specifically, signed-in customers can self-serve a full machine-readable export from /portal/settings — the “Download my data” button hits the export endpoint and returns a JSON file containing your account record, leads, customers, quotes, jobs, reviews, newsletter status, and the audit-log entries you yourself triggered.

California residents (CCPA / CPRA)

If you live in California, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to know what categories of personal information we collect, the sources, and the purposes.
  • Right to delete personal information we collect from you.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of personal information with third parties for cross-context behavioral advertising.
  • Right to limit use of sensitive personal information.
  • Right to non-discrimination for exercising any of these rights.

We do not sell your personal information for money. We may “share” it (in the CPRA sense) with marketing and analytics partners — but only after you grant consent through the cookie banner. To opt out at any time, use the cookie banner, the Cookie Settings button in the footer, or visit /do-not-sell.

We do not knowingly collect “sensitive personal information” as defined by California law (Social Security numbers, financial-account credentials, precise geolocation, health data, biometric identifiers, contents of private mail/messages/email, etc.).

Oregon residents (OCPA)

The Oregon Consumer Privacy Act, effective July 1, 2024, gives Oregon residents rights similar to California's: the right to know, to correct, to delete, to obtain a portable copy, and to opt out of targeted advertising, profiling for decisions with legal effect, and the sale of personal data. We extend those rights to all Oregon residents as a good-faith posture, regardless of whether we meet the statute's commercial thresholds. To exercise any of these rights, email contact@rkservicespdx.com or use /data-deletion.

Cookies & tracking

Essential cookies (sign-in, security, your saved cookie choices) are always on. Analytics, marketing, and preferences cookies load only after you grant consent through the cookie banner. See the cookie policy for the full list of cookies, who sets them, and how long they last.

Global Privacy Control (GPC) and Do Not Track signals

We honor the Global Privacy Control signal sent by your browser or a privacy extension. If your browser sends GPC=1 when you arrive, we automatically record a “reject non-essential” cookie choice — no analytics or marketing scripts load. You can still revisit Cookie Settings and opt into specific categories if you want. We also do not load tracking pixels for any visitor in response to a legacy Do Not Track header until they explicitly grant consent through the cookie banner.

Data security & safeguards

We protect the data we hold using commercially reasonable technical and organizational measures:

  • All traffic between your browser and our site is encrypted with HTTPS / TLS.
  • Customer portal sessions use signed, short-lived tokens; passwords are not stored — we use magic-link sign-in.
  • Database access is restricted to a small number of authorized accounts with audit logging.
  • Payment card data is never seen by our servers — it's handled directly by PayPal during checkout.
  • Service photos and lead records are stored behind authenticated backends; access is limited to RKServicesPDX staff who need it to do the work.
  • We patch and update our hosting, dependencies, and tooling on a regular cadence.

No system is perfectly secure. If you have a security concern, email contact@rkservicespdx.com and we'll respond within one business day.

Authorized agents

California and Oregon residents may designate an authorized agent to make privacy requests on their behalf. We require: (1) a signed written authorization from you to the agent, and (2) verification of your identity (typically a reply confirming the email and phone on file). To submit an authorized-agent request, email contact@rkservicespdx.com with the subject AUTHORIZED AGENT REQUEST and attach the authorization. We aim to respond within 15 business days.

International transfers

We host the site on Vercel (United States). Most of the analytics and marketing tools we use are also U.S.-based. If you access the site from outside the United States, your data is transferred to and processed in the United States. For EU/UK visitors we rely on the providers' published transfer mechanisms (Standard Contractual Clauses or equivalent — see each provider's privacy policy linked above).

How long we keep it

  • Leads with no conversion: retained for 2 years, then deleted.
  • Customer records: retained for 7 years to satisfy IRS and Oregon Department of Revenue requirements. Identifying details are redacted upon a verified deletion request, but anonymized financial records are kept.
  • Service photos: deleted within 30 days of a deletion request.
  • Server logs: retained 90 days.
  • Newsletter subscribers: until you unsubscribe.
  • Third-party telemetry (analytics + ad pixels): subject to each vendor's retention. GA4 defaults to 14 months for event-level data; Microsoft Clarity defaults to 12 months; Bing UET (Microsoft Ads) retains for up to 13 months.

Children

Our services aren't directed at children under 13 and we don't knowingly collect information from them. If we learn we've received data from a child under 13, we will delete it.

Changes to this policy

We may update this policy occasionally. The “last updated” date at the top reflects the most recent change. Material changes will be communicated through the site or by direct email to active customers.

Contact

Questions about this policy or a data request? Email contact@rkservicespdx.com or call (971) 757-0248.