Legal

Privacy Policy

Effective: June 14, 2026
Last updated: June 14, 2026

Top Builder AI is operated by Salisbury Bookkeeping, LLC. This policy explains what we collect, how we use and protect it, who processes it on our behalf, and the choices you have. We do not sell your data — ever.

01 Who we are & scope

Top Builder AI ("Top Builder AI", "we", "us", "our") is a multi-tenant software platform that connects to a contractor's field-service and accounting systems (for example ServiceTitan, Buildertrend, Procore, and QuickBooks) and provides advisory AI agents for booking, dispatch, finance, inventory, workforce, and document handling. The platform is owned and operated by Salisbury Bookkeeping, LLC, a Utah limited liability company.

This policy covers the topbuilderai.com marketing site, the Top Builder AI web application, and the related booking service. It applies to website visitors, prospective customers, and the authorized users of customer accounts. Where we process a customer's business data on their behalf, the customer is the data controller and we act as their processor under a separate services agreement; this policy describes our own practices.

02 Data we collect

You give us

  • Contact & account data — name, business name, email, phone, and role when you book a call, apply for a founding seat, email us, or create an account.
  • Authentication data — login credentials and two-factor authentication factors for the web application (passwords are stored only as salted hashes; we never see them in plaintext).
  • Connected-system credentials — OAuth tokens or API keys you authorize us to use to read your ServiceTitan / Buildertrend / Procore / QuickBooks data. These are stored encrypted (see Security).
  • Business operating data — the records we read from your connected systems to produce recommendations: jobs, appointments, invoices, estimates, inventory, technicians, documents, and similar operational data.
  • Support & communications — messages you send us and feedback you submit on agent recommendations.

We collect automatically

  • Usage & device data — IP address, browser/user-agent, pages viewed, and timestamps, used for security, rate-limiting, and aggregate analytics.
  • Audit logs — a record of agent runs, approvals, and actions taken inside the application, retained for security and accountability.

We do not intentionally collect special-category personal data and ask that you not submit it. The platform is for business use and is not directed at children.

03 How we use data

  • To provide the service — connect to your systems, run the advisory agents, and present recommendations and actions for your approval.
  • To secure the platform — authenticate users, enforce per-tenant isolation, detect abuse, and rate-limit.
  • To support and improve the product — respond to requests, fix defects, and improve agent quality using your feedback within your own tenant.
  • To communicate — service notices, security alerts, and (where you have opted in) product updates. You can opt out of marketing email at any time.
  • To meet legal and accounting obligations.

Deterministic by design. Every figure produced by the platform is computed by tested, deterministic code. The AI layer narrates and advises; it does not compute or alter financial numbers. Your business data is never used to train shared or third-party foundation models.

05 Subprocessors

We use a small set of vetted infrastructure and AI providers to operate the service. Each is bound by a data-processing agreement and processes data only on our instructions.

| Subprocessor | Purpose | Data processed |
|---|---|---|
| Supabase (hosted on Amazon Web Services) | Primary application database & authentication | Account data, business operating data, audit logs |
| Amazon Web Services (AWS) | Underlying cloud infrastructure for the database region | Encrypted data at rest |
| Google Cloud Platform | Application hosting (Cloud Run), the booking calendar service, and secret management | Application traffic, scheduling data, encrypted secrets |
| Anthropic (Claude) | The advisory / narration language model and in-app assistant | The narration context passed to the model for a given run; not used to train Anthropic's models |
| ElevenLabs | Text-to-speech for the booking phone voices | The text spoken by the booking agent |

We also connect, only at your direction, to your own field-service and accounting systems (ServiceTitan, Buildertrend, Procore, QuickBooks, and similar). Those remain your systems and their own privacy terms apply. A current list of subprocessors is available on request, and we will give notice before adding a new one that processes customer data.

06 How we secure data

  • Encryption in transit — all traffic to the site and application is served over HTTPS using TLS 1.2 or higher.
  • Encryption at rest — data stored in our database is encrypted at rest. Connected-system credentials are additionally sealed with AES-256-GCM envelope encryption before storage, so a database copy alone never exposes a usable credential.
  • Tenant isolation — every customer's data is segregated with database row-level security that is enforced for the application role, so one tenant can never read another's data.
  • Least privilege & access control — the application connects as a non-superuser role; administrative actions require elevated, audited authorization and (for sensitive operations) two-factor authentication.
  • Human-approved actions — agents are advisory by default. Any action that writes back to your systems is gated behind explicit approval, is reversible, and is recorded in an audit log.
  • Secrets management — application secrets are held in a managed secret store, never in source code.

No system is perfectly secure, but we design for failure-closed behavior: when a security check cannot be satisfied, the platform refuses the operation rather than proceeding. If we ever learn of a breach affecting your data, we follow a documented incident-response process and will notify affected customers without undue delay, as described on our security page and in the Contact section below.

07 Retention & deletion

We keep personal and business data only as long as needed for the purposes above or as required by law:

  • Account & business operating data — for the life of your account. On account closure we delete or anonymize it within 90 days, except records we must retain for legal, tax, or security reasons.
  • Connected-system credentials — deleted promptly when you disconnect a system or close your account.
  • Marketing-prospect data (e.g. a booking inquiry that does not become a customer) — retained no longer than 24 months unless you ask us to delete it sooner.
  • Security & audit logs — retained for a limited period for fraud prevention and accountability, then purged.

Deletion on request. You may ask us to delete your personal data at any time by emailing support@salisburybookkeeping.com. We will verify the request and complete it within 30 days, subject to the legal-retention exceptions above.

08 Sharing & no sale of data

We do not sell your personal data, and we do not share it for cross-context behavioral advertising. We disclose data only: (a) to the subprocessors listed above, to operate the service; (b) to the connected systems you authorize; (c) when required by law or valid legal process; (d) to protect the rights, safety, and security of users and the public; or (e) as part of a business transfer (merger or acquisition), in which case this policy continues to apply or you are notified of any material change.

09 Your rights

Depending on where you live, you may have the right to access, correct, delete, port, or restrict processing of your personal data, and to object to certain processing or withdraw consent. California residents have the rights to know, delete, correct, and to opt out of "sale"/"sharing" — and because we do not sell or share data for advertising, there is nothing to opt out of, but you may still exercise the other rights. To exercise any right, email support@salisburybookkeeping.com; we will not discriminate against you for doing so. If we serve you as a processor for your employer, we will refer your request to that customer.

10 Cookies & tracking

The marketing site is intentionally lightweight. It does not set advertising cookies or run third-party ad trackers. The web application uses strictly-necessary cookies and local storage for authentication and session management. We may use privacy-respecting, aggregate analytics to understand site usage; these do not identify you individually.

11 AI & automated processing

The platform uses AI language models (Anthropic's Claude) to narrate recommendations and to power an in-app assistant. The AI receives only the context needed for a given task within your tenant. Your business data is not used to train shared foundation models. Automated agents do not make legally or similarly significant decisions about individuals; recommendations are advisory and any consequential action requires a human's approval.

12 Contact

Questions, privacy requests, or security reports:

Data controller

Salisbury Bookkeeping, LLC

7835 N. Escalante Dr, Eagle Mountain, UT 84005, USA

Privacy & security: support@salisburybookkeeping.com

Security disclosures: see our vulnerability-disclosure policy and /.well-known/security.txt

If we make material changes to this policy we will update the "Last updated" date above and, where appropriate, notify you. Your continued use of the service after a change means you accept the updated policy.