Privacy Policy
TheGuys App, LLC
Effective Date: [TO BE INSERTED UPON LAUNCH]
Last Updated: [DRAFT — pre-launch placeholder]
Version: Pre-Lawyer Draft
DRAFTING NOTES — REMOVE BEFORE PUBLICATION
This Privacy Policy is drafted on the following baseline decisions, which control the structure of the entire document. If any are wrong, this policy must be revised:
- State coverage: Comprehensive — all U.S. residents are granted the strongest set of rights, regardless of state of residence.
- Minimum age: Strict no-under-18.
- Sale and "sharing": Flat no. We do not sell. We do not share for cross-context behavioral advertising.
- AI training: We disclose explicitly that we may use de-identified, aggregated data to train and improve AI models. We do not train AI models on personal data in identifiable form.
Items in [red italic brackets] throughout the document are FLAGS FOR COUNSEL and should be reviewed before launch. Placeholders in [bracketed text] are pending operational decisions (registered agent address fill-in, etc.).
1. Introduction
This Privacy Policy describes how TheGuys App, LLC, a Florida limited liability company ("TheGuys App," "we," "us," or "our"), collects, uses, and shares personal information when you use TheGuys.app and related mobile and web applications (the "Platform"). This Privacy Policy applies to all individuals and entities that register for, access, or use the Platform.
This Privacy Policy is incorporated by reference into the Terms of Service and forms part of your agreement with us. Capitalized terms used but not defined here have the meanings given in the Terms of Service. To the extent of any conflict between this Privacy Policy and the Terms of Service with respect to the handling of personal information, this Privacy Policy controls.
By using the Platform, you acknowledge that you have read and understood this Privacy Policy.
1.1 A Note on Vocabulary
This Privacy Policy uses the formal terms "Dispatcher" (a User who posts a Job and engages other Users to perform it) and "Performer" (a User who accepts a Job and performs it). Within the Platform's user-facing interface and informal communications, a Dispatcher may informally be called a "Boss" and a Performer may informally be called a "Guy." Those informal terms are gender-neutral and apply equally to Users of any gender, gender identity, or gender expression. The formal terms "Dispatcher" and "Performer" control in this Privacy Policy.
2. Who We Are and How to Contact Us
The data controller for personal information collected through the Platform is:
TheGuys App, LLC
[Registered Agent name — to be inserted]
[Registered Agent street address — to be inserted]
[City, State, ZIP — to be inserted]
Email for privacy questions and rights requests: legal@theguys.app
To exercise any of the privacy rights described in Section 13, please email legal@theguys.app with the subject line "Privacy Rights Request." See Section 14 for the full request process.
3. Scope of This Privacy Policy
3.1 What This Policy Covers
This Privacy Policy covers personal information we collect when you:
- Visit TheGuys.app (the marketing site)
- Register for an Account on the Platform
- Use the Platform in any role (whether as a Dispatcher with respect to a Job, a Performer with respect to a Job, or both)
- Communicate with us
- Receive or respond to text messages, emails, or other communications related to your use of the Platform
3.2 What This Policy Does NOT Cover
This Privacy Policy does not cover:
- Information practices of third-party services we integrate with (Stripe, Twilio, Resend, Anthropic, Supabase, Vercel, Google services). Each of these has its own privacy policy that governs how it handles information when you interact with it. Section 9 lists these third parties.
- Information practices of websites or services linked from the Platform but not operated by us.
- Information you share with other Users directly off the Platform.
- Information about a person who is not a User but whose contact details have been entered into the Platform by a Dispatcher (a prospective Performer invitee). Limited information about such persons is governed by Section 6.
4. Information We Collect
We collect personal information in three ways: (a) directly from you, (b) automatically as you use the Platform, and (c) from limited third-party sources.
4.1 Information You Provide Directly
When you register an Account or use the Platform, we collect:
Identity and contact information
- Your legal name
- Your business name (if any)
- Your email address
- Your mobile phone number
- Your mailing address or service area
- Government-issued identification, if we request identity verification under Section 2.6 of the Terms of Service
Account credentials and security
- Your password (stored in hashed and salted form; we never see your plaintext password)
- Two-factor authentication settings, if you enable them
Payment-related information
- Stripe Connected Account identifiers and routing information necessary to credit you with payments
- Limited transaction history (amount, date, counterparty, status) — full payment-card details are stored by Stripe, not by us
Job-related information
- Job descriptions, task checklists, schedules, locations, rates, and any custom Job-specific terms you create when you post a Job
- Job acceptances, completion data, expense entries, receipts, photos, and notes you submit when you perform a Job
- Communications between you and other Users on the Platform
Private notes and ratings
- Notes you maintain about other Users you have engaged (the private-notes feature available to a User acting as a Dispatcher), as described in Section 12 of the Terms of Service
- Ratings, reviews, or feedback you submit about other Users
Communications with us
- Support requests, complaints, and any other communications you send to us by email or other means
4.2 Information We Collect Automatically
When you use the Platform, we automatically collect:
Device and connection data
- IP address
- Device type, operating system, browser type, browser language
- Mobile carrier (for SMS routing)
- Time zone and approximate location derived from IP
Usage data
- Pages or screens visited, features used, links clicked, time spent
- Account creation, login, and logout events
- Job postings, acceptances, completions, and payments
- Errors and diagnostic information
Location data (precise GPS)
- When you check in to or out of a Job using the Platform's GPS check-in feature, we collect your precise GPS coordinates and a timestamp. This data is collected in real time at the moment you check in or check out, not continuously, and is associated with the specific Job and your User Account.
- We do not track your location continuously, in the background, or when you are not actively using the Platform's check-in feature.
Photographs and media
- Photos you upload as part of Job submissions (completion photos, receipt photos)
- Photo metadata (such as EXIF data, which may include date, time, device, and sometimes GPS coordinates embedded by your camera)
Reliability metrics
- We compute internal metrics about your activity on the Platform, including acceptance rate, response time, check-in timing, task completion, photo quality, and expense accuracy. These metrics inform AI engagement recommendations as described in Section 7 of the Terms of Service.
Cookies and similar technologies
- See Section 10 for details on cookies and tracking.
4.3 Information from Third Parties
We may receive limited information about you from:
- Stripe — confirmation that your Connected Account onboarding was completed; Stripe-issued account identifiers; payout status and dispute notifications. We do not receive or store your full bank account number or full payment card number from Stripe.
- Identity verification services (if used) — confirmation of identity verification results. The full verification dossier is held by the verification provider, not by us.
- Other Users — information that another User submits about you (for example, when a Dispatcher enters your name and contact information to invite you to the Platform, or when a User submits a report about you under the Acceptable Use Policy).
We do not purchase personal information from data brokers or marketing-list providers.
[FLAG FOR COUNSEL: Confirm that the categories of information collected listed above accurately describe TheGuys App's actual data collection at launch. If launch product collects additional categories (e.g., voice recordings from voice-input job posting feature, biometric data for facial verification), this Section 4 must be updated to reflect them.]
5. Sensitive Personal Information
Several state privacy laws define a category of "sensitive personal information" that requires heightened protections. Under those laws, we may collect the following categories of sensitive personal information:
- Precise geolocation — collected only at the moment of GPS check-in or check-out for a Job, as described in Section 4.2
- Account credentials — your password (stored in hashed form only)
- Government-issued identifiers — only if we request identity verification
We do not collect:
- Race, ethnicity, religion, philosophical beliefs, union membership
- Genetic or biometric data for the purpose of uniquely identifying a person
- Health data, medical records, or sex-life information
- Citizenship or immigration status (other than your representation of work eligibility under Section 10.1 of the Standard Job Terms)
We use sensitive personal information only for the limited purposes described in Section 6 (e.g., GPS coordinates for verifying Job check-in; password for authenticating you). We do not use sensitive personal information for advertising, marketing, profiling unrelated to the service, or any purpose that you would not reasonably expect.
If you are a resident of a state that grants the right to limit the use of sensitive personal information, see Section 13.
6. How We Use Personal Information
We use personal information to operate the Platform, fulfill our contracts with Users, comply with law, and protect our and Users' rights. Specifically, we use personal information to:
6.1 Provide the Platform
- Create and maintain your Account
- Authenticate you and protect your Account
- Process Job postings, acceptances, completions, and payments
- Generate Client invoices on behalf of Users acting as Dispatchers (without disclosing to the Client what the Dispatcher paid the Performer)
- Deliver text messages and email notifications you have consented to receive
- Display Platform information to you and other Users in the manner contemplated by the Platform's design
6.2 Operate the AI Tools
- Use Job descriptions, task data, photos, expense data, GPS check-ins, reliability metrics, and Dispatcher private notes as inputs to the AI Tools described in Section 10 of the Terms of Service. The AI Tools generate Job-post drafts, engagement recommendations, photo-review outputs, invoice drafts, and answers to in-Platform Q&A.
- AI Tool outputs are recommendations only; humans (Users) make all decisions with legal or economic effect.
6.3 Improve the Platform
- Analyze usage patterns to identify problems and improve features
- Develop new Platform features
- Train and improve our internal AI models, using only de-identified, aggregated data (see Section 8)
6.4 Communicate with You
- Respond to your support requests, questions, complaints, and rights requests
- Send Account notifications, security alerts, and Platform-operational messages
- Send transactional text messages, subject to your consent under the SMS Consent & Messaging Policy
6.5 Enforce Our Agreements and Protect Rights
- Detect, investigate, and prevent fraud, abuse, prohibited conduct, or violations of the Terms of Service or Acceptable Use Policy
- Enforce our agreements, including by recovering Platform Fees evaded under Section 14 of the Terms of Service
- Assert, defend, or settle legal claims
- Protect the security and integrity of the Platform and our Users
6.6 Comply with Law
- Comply with applicable laws, regulations, court orders, subpoenas, and other legal process
- Cooperate with law enforcement when required or where we have a good-faith belief that disclosure is necessary
6.7 Information About Prospective Invitees
When a User acting as a Dispatcher enters another person's contact information to invite that person to the Platform, we use the invitee's contact information solely to send the invitation email described in Section 10 of the SMS Consent & Messaging Policy. We do not send SMS to a non-User. If the invitee does not register an Account within a reasonable time, we delete the invitee's contact information unless the inviting Dispatcher has reused or refreshed it.
[FLAG FOR COUNSEL: Confirm the prospective-invitee data-handling description aligns with Florida's contact-information rules and CAN-SPAM requirements for invitation emails. Confirm retention period for unaccepted invitations.]
7. Legal Bases for Processing
We process personal information on the following bases:
- Performance of a contract. We process your information as needed to operate the Platform under our contract with you (the Terms of Service and the policies it incorporates).
- Consent. Where we rely on your consent (for example, SMS consent, optional marketing communications), you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legitimate interests. We process information for our legitimate interests in operating, securing, and improving the Platform, preventing fraud and abuse, enforcing our agreements, and protecting our and Users' rights — provided these interests are not overridden by your privacy rights.
- Legal obligation. We process information as required to comply with applicable law.
8. AI and Automated Processing
8.1 What AI Tools Do
The Platform uses AI Tools (defined in Section 10 of the Terms of Service) to:
- Draft Job postings and task checklists
- Generate engagement recommendations to Users acting as Dispatchers
- Review photographs submitted by Users acting as Performers for clarity and completeness
- Generate Client invoices
- Answer Job-related and Platform-related questions in-product
8.2 AI Tools Generate Recommendations Only
All decisions on the Platform with legal or economic effect are made by Users, not by the AI Tools. A User retains full authority to ignore, override, or revise any AI output. We do not use AI to make decisions about you that produce legal or similarly significant effects without human involvement.
8.3 Data Used by AI Tools
The AI Tools may process Job content, photographs, expense data, GPS check-ins, your reliability metrics, Dispatcher private notes (as inputs to recommendations made to that Dispatcher), and similar Platform data. AI Tool processing is done by our service provider Anthropic under a commercial agreement that prohibits Anthropic from using Platform inputs to train Anthropic's general AI models.
8.4 AI Training on De-Identified Data
We may use de-identified, aggregated data derived from User activity on the Platform to train and improve our internal AI models, refine our engagement and review algorithms, and produce analytics. We do not train AI models on personal data in identifiable form. "De-identified" means data from which all direct and reasonably re-identifiable indirect identifiers have been removed in accordance with industry standards.
8.5 Your Right to Opt Out of Profiling
Where applicable state law grants you the right to opt out of profiling that produces legal or similarly significant effects, you may exercise that right under Section 13. Because the AI Tools produce recommendations only and Users make decisions, we believe our AI processing does not constitute profiling in the legally regulated sense; nevertheless, we honor opt-out requests received under applicable law.
[FLAG FOR COUNSEL: confirm that the "recommendations only" framing is sufficient to keep the platform out of profiling-with-legal-effect classifications under CO Privacy Act, CT Data Privacy Act, VA CDPA, and FL FDBR. Confirm the de-identification standard meets each state's threshold.]
9. How We Share Personal Information
We share personal information only as described in this Section.
9.1 With Other Users on the Platform
The Platform is, by design, a system in which Users share information with each other. Specifically:
- A User acting as a Dispatcher sees information about Performers engaged on the Dispatcher's Jobs — including the Performer's name, contact information you have provided, Job-completion submissions, expense entries, photos, GPS check-ins, reliability data relevant to that Dispatcher, and any private notes that Dispatcher has authored about that Performer.
- A User acting as a Performer sees information about Dispatchers whose Jobs the Performer has accepted — including the Dispatcher's name, the Job posting, communications related to the Job, and the rate the Dispatcher has agreed to pay.
- Multi-Tier Hierarchy — when a User who has been a Performer on one Job posts a Job to another User, that User has visibility into the User they have engaged identical to the visibility a Dispatcher has in any other Dispatcher-Performer relationship.
- Clients — Clients receive only the Dispatcher's invoice and any communications the Dispatcher directs to them. Clients do not have Accounts and do not see Performer compensation, Performer contact information, the Dispatcher's costs, or any other Platform-internal data.
9.2 With Service Providers
We share limited personal information with third-party service providers that help us operate the Platform. These service providers process information on our behalf and are contractually restricted from using it for any other purpose. The service providers we use as of the effective date of this Privacy Policy include:
| Service Provider | Purpose | What They Receive |
|---|---|---|
| Stripe, Inc. | Payment processing (Stripe Connect Express) | Payment, payout, and identity-verification data sufficient to process transactions and comply with financial-services law |
| Twilio, Inc. | SMS dispatch and messaging | Mobile phone numbers, message content, delivery status |
| Resend | Transactional email | Email addresses, message content, delivery status |
| Anthropic, PBC | AI Tools (Claude API) | Job content, photos, expense data, and other Platform inputs the AI Tools require to generate outputs, subject to Anthropic's commercial-use restrictions |
| Supabase, Inc. | Database and authentication infrastructure | All Platform data stored in our database |
| Vercel, Inc. | Hosting and web-application delivery | Platform requests and responses; access logs |
| Google LLC (Maps Platform, reCAPTCHA) | Address auto-complete, mapping, anti-bot protection on signup | Addresses; signup events; reCAPTCHA tokens |
We may add or change service providers from time to time; the current list is always available on request to legal@theguys.app. Each service provider has its own privacy policy and security practices. We perform reasonable diligence on service-provider privacy and security before engaging them, and we maintain written agreements with them that include data-protection obligations.
9.3 For Legal and Safety Reasons
We may disclose personal information when we have a good-faith belief that doing so is necessary to:
- Comply with a court order, subpoena, search warrant, or other legal process
- Comply with applicable law, regulation, or government investigation
- Enforce our Terms of Service, Acceptable Use Policy, DMCA Policy, or other agreements
- Detect, investigate, prevent, or respond to fraud, abuse, security incidents, or unauthorized access
- Protect the rights, property, or safety of TheGuys App, our Users, or any other person
9.4 In Connection with a Business Transaction
If TheGuys App is involved in a merger, acquisition, financing, reorganization, or sale of all or substantially all of its assets, personal information may be transferred as part of that transaction. We will require the recipient to honor commitments materially equivalent to those in this Privacy Policy or, if not, will give you advance notice and an opportunity to delete your Account before the transfer takes effect.
9.5 With Your Consent or at Your Direction
We share personal information with other parties when you specifically consent or direct us to (for example, when you direct us to email an invoice on your behalf to a Client).
9.6 No Sale, No Sharing for Cross-Context Behavioral Advertising
We do not sell your personal information to anyone. "Sale" includes any disclosure of personal information to a third party in exchange for monetary or other valuable consideration, as defined under the California Consumer Privacy Act (CCPA), the Florida Digital Bill of Rights (FDBR), and analogous state laws.
We do not "share" your personal information for cross-context behavioral advertising. "Share" includes disclosure to a third party for the purpose of targeted advertising across non-affiliated websites or services.
We do not engage in advertising of any kind on the Platform. We do not allow advertisers to target our Users.
We do not disclose personal information of minors. Because our minimum age is 18, this is automatic, but we state it expressly: even if a User is under 18 in violation of our age requirement and we discover that fact, we do not sell or share that User's information.
10. Cookies and Similar Technologies
We use cookies and similar technologies (such as local storage, session storage, and pixels) to operate the Platform.
10.1 Categories of Cookies We Use
| Category | Purpose | Examples |
|---|---|---|
| Strictly necessary | Required for core Platform functions (authentication, session management, security). The Platform cannot function without these. | Session cookies, CSRF-token cookies, authentication cookies |
| Functional | Remember your preferences and improve usability. | Time-zone preferences, UI-state preferences |
| Analytics | Help us understand how Users interact with the Platform so we can improve it. | Aggregated usage analytics |
| Security | Detect and prevent fraud, bots, and abuse. | reCAPTCHA tokens at signup |
10.2 Cookies We Do Not Use
We do not use cookies for advertising, retargeting, or cross-context behavioral tracking. We do not allow third-party advertisers to set cookies on the Platform.
10.3 How to Control Cookies
You can control cookies through your browser settings. Disabling strictly-necessary cookies will impair or prevent your use of the Platform. If we add a cookie consent banner to comply with applicable law, you can adjust your preferences there.
[FLAG FOR COUNSEL: Confirm cookie banner posture. Some states (notably California under CPRA and Connecticut under CTDPA) effectively require an opt-out mechanism for "sale" or "share." Because we do not sell or share, we believe a simple cookie notice without an opt-out toggle is sufficient. Confirm.]
11. Data Retention
We retain personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law. The following retention periods apply unless a specific legal hold or law requires longer:
| Data category | Retention period |
|---|---|
| Account data (name, email, phone, login history) | For the life of your Account, plus seven (7) years after Account closure |
| Payment and transaction data | Seven (7) years after the transaction (to satisfy IRS and Stripe requirements) |
| Job records (postings, completions, photos, expenses, GPS check-ins) | Seven (7) years after Job completion |
| SMS consent audit trail | Seven (7) years after Account closure (per the SMS Consent & Messaging Policy) |
| Reliability metrics | Active for the life of your Account; archived for seven (7) years after Account closure |
| Private notes (notes one User maintains about another) | For the life of the authoring User's Account, plus archive for seven (7) years after closure |
| Support communications | Three (3) years from the resolution of the matter |
| Marketing email lists (if applicable) | Until you opt out, then deleted within thirty (30) days |
| Server logs | Up to twelve (12) months |
| Backups | Up to thirty-five (35) days after deletion of the underlying record |
| Prospective-invitee contact information (non-User) | Up to ninety (90) days from the date the inviting User entered the contact, unless refreshed |
When data is no longer needed, we delete it or de-identify it so it can no longer be associated with you. De-identified data may be retained indefinitely for the purposes described in Section 8.4.
[FLAG FOR COUNSEL: Confirm seven-year retention is appropriate across categories. Some categories (e.g., reliability metrics) could be argued to merit shorter retention. Some (e.g., tax-related transaction data) may legally require longer. Reconcile with state-law minimums where applicable.]
12. Data Security
We use reasonable administrative, technical, and physical safeguards to protect personal information against unauthorized access, use, disclosure, alteration, and destruction. These safeguards include:
- Encryption in transit — all communications between your device and the Platform use TLS encryption
- Encryption at rest — sensitive data stored in our database is encrypted at rest using industry-standard encryption
- Authentication and access control — passwords are stored in hashed and salted form; access to production systems is limited to authorized personnel and protected by strong authentication
- Network security — Platform infrastructure is hosted on Vercel and Supabase, both of which maintain SOC 2-grade security programs
- Audit logging — security-relevant events are logged for review
- Vendor diligence — service providers are reviewed for appropriate security practices before engagement
No system is perfectly secure. While we use reasonable measures, we cannot guarantee that personal information will never be improperly accessed or disclosed. You are responsible for protecting your Account credentials and notifying us at legal@theguys.app if you believe your Account has been compromised.
12.1 Breach Notification
If a security incident affects your personal information and applicable law requires notification, we will notify you and applicable regulators within the time required by law and by the applicable Stripe and other service-provider agreements. We strive to provide notification as soon as reasonably practicable after we determine the scope of the incident.
[FLAG FOR COUNSEL: Florida § 501.171 imposes notification requirements within 30 days of determination of a breach. Several other states impose shorter timelines for residents. Confirm our breach-notification framework is compliant with the multi-state landscape.]
13. Your Privacy Rights
We grant the following rights to all U.S. residents who use the Platform, regardless of state of residence. Some of these rights are required by specific state laws; we extend them all to all Users for consistency.
13.1 Right to Know / Access
You have the right to request:
- Confirmation of whether we are processing your personal information
- The categories of personal information we have collected about you
- The categories of sources from which we collected your information
- The business or commercial purposes for which we process your information
- The categories of third parties with whom we share your information
- The specific pieces of personal information we hold about you
13.2 Right to Correct
You have the right to request that we correct inaccurate personal information about you. For information you can edit yourself in Account settings, please use that mechanism. For information you cannot edit yourself, contact us as described in Section 14.
13.3 Right to Delete
You have the right to request that we delete your personal information, subject to limited exceptions for information we are legally required to retain (such as transaction records for tax purposes, audit trails, and information needed to resolve disputes).
13.4 Right to Data Portability
You have the right to receive a copy of your personal information in a structured, commonly used, and machine-readable format, where technically feasible.
13.5 Right to Opt Out of Sale or Sharing
We do not sell or share personal information for cross-context behavioral advertising. There is therefore no opt-out mechanism for sale or sharing — but you have the right to be informed of this fact, which we confirm in Section 9.6.
13.6 Right to Limit Use of Sensitive Personal Information
We use sensitive personal information only as described in Section 5 (i.e., for the limited Platform-operational purposes for which it is collected). You have the right to direct us not to use or disclose your sensitive personal information beyond those limited purposes; because our use is already limited, no opt-out mechanism is required, but you have the right to be informed of this fact.
13.7 Right to Opt Out of Profiling
To the extent we engage in profiling that produces legal or similarly significant effects, you have the right to opt out. As described in Section 8.5, we do not believe our AI Tools produce legal or similarly significant effects within the meaning of state laws (because human Users make all decisions), but we will honor opt-out requests received under applicable law. If you opt out of AI-Tool processing, your visibility on the Platform may be reduced, since engagement recommendations are a primary mechanism for connecting Users who post Jobs with Users who perform them.
13.8 Right to Non-Discrimination
We will not discriminate against you for exercising any of these rights. We will not deny you the Platform, charge you different prices, or provide you with a different level of service based on your exercise of these rights, except where such differences are reasonably related to the value of personal information you have not provided (for example, you cannot complete a Job through the Platform without providing payment-routing data).
13.9 Right to Appeal
If we decline a rights request, you have the right to appeal that decision. To appeal, reply to our denial email within thirty (30) days, or send a separate email to legal@theguys.app with the subject line "Privacy Rights Appeal." We will respond to appeals within sixty (60) days.
14. How to Exercise Your Privacy Rights
14.1 How to Submit a Request
Send an email to legal@theguys.app with:
- Subject line: Privacy Rights Request
- Your full name and the email address associated with your Account
- A clear description of which right you are exercising and the personal information involved
- Any additional information needed for us to verify your identity (see Section 14.2)
You may also submit a request through any in-Platform "Privacy Rights" feature we make available.
14.2 Identity Verification
To protect against fraudulent rights requests, we will verify your identity before fulfilling a request. For most requests, verification involves confirming you control the email address and Account associated with the personal information. For sensitive requests (such as deletion or full-data export), we may require additional verification.
If we cannot verify your identity using information already in our possession, we will inform you and suggest reasonable alternative verification methods. We will not require you to create an Account solely to make a privacy request.
14.3 Authorized Agents
You may designate an authorized agent to make requests on your behalf. The agent must provide written authorization signed by you and submit verification of their own identity. We may also independently verify your authorization with you.
14.4 Timing of Response
We will acknowledge your request within ten (10) business days and respond substantively within forty-five (45) days. We may extend this period by an additional forty-five (45) days when reasonably necessary, in which case we will notify you of the extension and the reasons for it within the original response window.
14.5 No Fees
We do not charge a fee to respond to privacy rights requests, except where requests are excessive, repetitive, or manifestly unfounded, in which case we may charge a reasonable fee or decline the request and inform you why.
15. State-Specific Disclosures
The following supplemental disclosures apply to residents of specific states. The substantive rights described in Section 13 apply to all U.S. residents; this Section 15 satisfies state-specific notice requirements.
15.1 California Residents (CCPA / CPRA)
In the twelve months preceding the effective date of this Privacy Policy, we have collected the following categories of personal information about California consumers (using the categories defined by the CCPA): identifiers; customer-records information; internet/network activity; geolocation; commercial information; professional/employment-related information; inferences drawn from any of the foregoing; and sensitive personal information as defined in Section 5.
We have not sold or shared (as those terms are defined under the CCPA/CPRA) any personal information about California consumers in that period. We have not disclosed sensitive personal information for purposes other than those identified in Section 5. We do not have actual knowledge that we sell or share the personal information of any consumer under sixteen (16) years of age.
California residents have the rights described in Section 13 and may exercise them through Section 14. California residents have the right to designate an authorized agent (Section 14.3).
15.2 Florida Residents (Florida Digital Bill of Rights)
Florida residents have the rights described in Section 13. Florida law applies its rights to consumers of "controllers" that meet the FDBR's thresholds; we extend the rights to all Florida residents who use the Platform regardless of whether the FDBR's thresholds technically apply to us.
[FLAG FOR COUNSEL: confirm FDBR applicability. The FDBR's threshold ($1B in global revenue with limited exceptions) likely does not apply to TheGuys App at launch. Confirm whether to retain or remove the explicit FDBR section.]
15.3 Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Jersey, New Hampshire, Nebraska, Minnesota, Maryland, Rhode Island, Kentucky Residents
If you are a resident of any of these states with a comprehensive privacy law, you have the rights described in Section 13 and may exercise them through Section 14. Where state law grants additional rights specific to your state, those rights are included in Section 13's enumeration.
15.4 Other States
If you are a resident of a state not specifically listed and you believe state law grants you privacy rights with respect to information we hold, please contact us at legal@theguys.app and we will work in good faith to honor those rights.
[FLAG FOR COUNSEL: state privacy law landscape continues to evolve. As of drafting, this list reflects comprehensive consumer privacy laws enacted or in effect. Update at launch and on an annual basis thereafter. Consider whether to add specific compliance language for state laws with unique requirements (e.g., Colorado universal opt-out).]
16. Children's Privacy
The Platform is not intended for, and we do not knowingly collect personal information from, anyone under the age of 18. If we become aware that we have collected personal information from a person under 18, we will delete it as promptly as reasonably possible.
If you are a parent or guardian and believe a person under 18 has provided personal information to us, please contact us at legal@theguys.app and we will take appropriate action.
This minimum age is stricter than the federal Children's Online Privacy Protection Act (COPPA), which applies to persons under 13. Because the Platform is for adult contractor work and the Terms of Service require Users to be at least 18, our minimum age and our COPPA compliance are aligned: we collect no information from anyone under 13, and we do not collect information from minors aged 13–17 either.
17. International Users
The Platform is intended for use by residents of the United States. We host data in the United States. We do not solicit or knowingly accept registrations from individuals located outside the United States. If you are accessing the Platform from outside the United States, please be aware that your information will be transferred to, stored in, and processed in the United States, and that the U.S. data-protection framework may differ from the framework in your country.
We do not currently offer GDPR rights, UK GDPR rights, or other non-U.S. data-protection rights, and the Platform is not designed for use by individuals subject to those regimes. If you are subject to those regimes and you nevertheless register, the rights granted in Section 13 apply but may not satisfy the specific requirements of your home jurisdiction's law.
[FLAG FOR COUNSEL: confirm "U.S. only" framing is operationally accurate at launch. If TheGuys App ever expands to Canada or other jurisdictions, this section requires significant rewriting.]
18. Third-Party Links and Services
The Platform may contain links to third-party websites or integrate with third-party services. Those websites and services have their own privacy policies, which we do not control and which are not described here. Read those privacy policies before providing personal information to a third party.
We are not responsible for the practices of third parties, including without limitation:
- Stripe (payment processing) — see https://stripe.com/privacy
- Twilio (SMS) — see https://www.twilio.com/legal/privacy
- Resend (email) — see Resend's privacy policy at the time of use
- Anthropic (AI) — see https://www.anthropic.com/privacy
- Supabase (database) — see Supabase's privacy policy at the time of use
- Vercel (hosting) — see Vercel's privacy policy at the time of use
- Google (Maps, reCAPTCHA) — see https://policies.google.com/privacy
19. Privacy Practices for Other Users' Personal Information
When you act as a Dispatcher and submit information about another person (a Performer you engage, a Client you invoice, or a prospective User you invite), you act as a separate controller with respect to that information. Specifically:
- You represent that you have a lawful basis under applicable law to collect that person's information and submit it to the Platform
- You represent that you have provided that person any notices required by applicable law
- You agree to honor any rights requests or other communications from that person regarding the information you submitted
We will cooperate reasonably with requests from individuals whose information has been submitted by a Dispatcher, and we may forward such requests to the Dispatcher for response.
[FLAG FOR COUNSEL: this Section 19 is the controller/joint-controller language for Dispatcher-submitted Performer data. Confirm framing is sufficient under multi-state law and that the indemnification language in ToS Section 18.1(i) flows correctly to capture violations.]
20. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The current version is always available at https://theguys.app/privacy. When we make material changes, we will:
- Update the "Last Updated" date at the top of this document
- Provide notice of the change by email to registered Users and/or by in-Platform notification
- Where required by applicable law, obtain your consent before applying the change to information we have already collected
For non-material changes, we may rely on the updated date alone. Your continued use of the Platform after the effective date of an updated Privacy Policy constitutes your acceptance of the revised Privacy Policy.
21. Contact Us
For questions, concerns, or rights requests under this Privacy Policy, contact us at:
TheGuys App, LLC [Registered Agent name — to be inserted] [Registered Agent street address — to be inserted] [City, State, ZIP — to be inserted]
Email: legal@theguys.app
For the fastest response, please email rather than mail.
Last Updated: [DRAFT — pre-launch placeholder] © 2026 TheGuys App, LLC. All rights reserved.
Appendix A — Counsel Review Checklist
The following items are flagged for counsel review before publication:
- Section 1.1 (Vocabulary Note): Confirm the brief informal-vocabulary disclosure is sufficient to (a) preserve TheGuys App's defense against any Title VII or analogous gender-based claim premised on UI use of "Guy," and (b) align with the more-detailed disclosure in Section 1.10 of the Terms of Service.
- Section 4 (Information We Collect): Confirm the categories of information collected accurately describe TheGuys App's actual data collection at launch. Update if any new categories (voice input, biometric verification) are added before launch.
- Section 6.7 (Prospective Invitee Data): Confirm the prospective-invitee retention and CAN-SPAM treatment.
- Section 8 (AI Disclosure): Confirm "recommendations only" framing is sufficient to avoid profiling-with-legal-effect classifications under multi-state laws. Confirm the de-identification standard meets each state's threshold for de-identified data.
- Section 10 (Cookies): Confirm whether a cookie consent banner is required given that we do not sell or share. Confirm posture in California, Connecticut, Colorado, and any state with universal opt-out requirements.
- Section 11 (Retention): Confirm seven-year baseline retention. Adjust per category if any are inappropriate (too long for low-value data, too short for tax-required data).
- Section 12.1 (Breach Notification): Confirm framework satisfies Florida § 501.171 plus the multi-state landscape, especially shorter notice deadlines in some states (e.g., 30 days in many; 14 days in some specific contexts).
- Section 15.2 (FDBR): Confirm whether to retain explicit FDBR section given that the threshold likely does not apply to TheGuys App at launch.
- Section 15.3 (Multi-state list): Update the list at launch and annually thereafter to reflect newly-effective state privacy laws.
- Section 17 (International Users): Confirm "U.S. only" framing is operationally accurate.
- Section 19 (Dispatcher as Joint Controller): Confirm the controller / joint-controller framing for Dispatcher-submitted Performer data is sufficient and aligns with the indemnification language in ToS Section 18.1(i).
- General — Cross-Reference Audit: Confirm all cross-references to Terms of Service section numbers, Acceptable Use Policy, SMS Consent & Messaging Policy, DMCA Policy, and Standard Job Terms are current after final edits to those documents.
- General — Effective Date: Set on launch.
- General — Address Placeholders: Insert exact registered agent name and address throughout.
Appendix B — Pre-Launch Operational Items
These items must be completed before this Privacy Policy goes live and the Platform launches:
- Set up the legal@theguys.app mailbox to receive privacy rights requests, complaints, and legal notices. Forward to operator's primary email at minimum.
- Confirm exact registered agent name, address, and ZIP for insertion throughout the document.
- Publish this Privacy Policy at https://theguys.app/privacy and link from site footer.
- Confirm cross-references in Terms of Service V3 point to live URLs for this Privacy Policy.
- Confirm Stripe Connect onboarding submission references this published Privacy Policy URL.
- Confirm A2P 10DLC carrier-registration submission references this published Privacy Policy URL.
- Establish internal process for receiving, verifying, and responding to privacy rights requests within the timelines described in Section 14.4.
- Establish breach-detection and breach-notification process consistent with Section 12.1.
- Establish vendor-diligence file documenting privacy and security review of each service provider listed in Section 9.2.
