Privacy Policy

1. Introduction & Scope

Salomone Redi-Mix, LLC (“Company,” “we,” “us,” “our,” or “Salomone”) is committed to protecting the privacy and security of personal information. This Privacy Policy explains our practices regarding the collection, use, disclosure, and safeguarding of personal information when individuals (“you,” “user,” or “data subject”) visit or interact with our website located at salomoneapp.com (the “Website”), access our customer portal, or use our concrete delivery and ordering services (collectively, the “Services”).

This Privacy Policy applies to all personal information we process in connection with our business operations, including information collected directly from you, information inferred from your interactions with us, and information collected through third-party integrations and service providers.

Company Contact Information: Salomone Redi-Mix, LLC, located at 17 Demarest Drive, Wayne, New Jersey 07470, United States. Phone: 800-552-0248. Email inquiries may be directed through our contact page or WhatsApp at https://wa.me/18628813723.

2. Information We Collect

We collect personal information from various sources and in various forms. The categories of information we collect may include:

2.1 Information You Directly Provide

• Contact Information: Full name, email address, phone number(s), and mailing address (including job site and delivery addresses)
• Business Information: Company or business name, job title, and industry classification
• Account Credentials: Username, password, and other authentication information provided when registering for our customer portal
• Order Information: Product selections, quantities, specifications, delivery dates, pricing, special instructions, and payment method information (processed through our payment processors—we do not store full payment card details)
• Communications: Any messages, inquiries, requests, feedback, or correspondence you send to us via email, phone, chat, contact forms, or other channels
• Photographs and Documentation: Images of job sites, projects, or materials you upload to our platform for estimation, documentation, or reference purposes

2.2 Information Collected Automatically

• Usage and Navigation Data: Pages visited, time spent on each page, links clicked, searches performed, referral sources, and overall browsing behavior on our Website
• Device Information: Device type, operating system, browser type and version, device identifiers, and IP address
• Cookie and Tracking Data: Authentication session cookies (required for account access and security) and limited performance analytics
• Location Data: General geographic location information inferred from IP address, and precise location information if you enable location services for mapping or delivery features
• Log Data: Access logs, error logs, and system activity logs generated by our servers and infrastructure

2.3 Information from Third Parties

• Mapping and Geocoding Services: Address validation data from Google Maps and OpenCage Geocoding APIs
• AI and Vision Processing: Image analysis results from Anthropic Vision API when photos are uploaded for estimation
• Verification Services: Bot detection and verification data from Cloudflare Turnstile

3. Legal Basis for Processing Personal Information

We process personal information for various legitimate purposes under different legal bases:

3.1 Contract Performance

We process your contact information, delivery addresses, order details, and payment information as necessary to enter into and perform our concrete delivery and service agreements with you. This processing is essential to fulfill your requests and provide our Services.

3.2 Legitimate Business Interests

We process certain personal information to pursue our legitimate business interests, including:

• Improving our Website, Services, and customer experience
• Conducting business analytics and performance measurement
• Preventing fraud, security incidents, and unauthorized access
• Enforcing our Terms of Service and other agreements
• Protecting the rights, property, and safety of Salomone, our users, and the public
• Marketing and customer relationship management (with appropriate consent where required)
• System maintenance, security testing, and infrastructure optimization

3.3 Legal Obligations

We may process personal information to comply with applicable laws, regulations, court orders, government requests, and legal obligations, including tax and employment law requirements.

3.4 Consent

Where required by law or regulation, we obtain your explicit, informed consent before processing certain personal information. You may withdraw consent at any time by contacting us or updating your account settings, though this may limit our ability to provide certain Services.

4. How We Use Your Information

We use the personal information we collect for the following purposes:

4.1 Service Delivery

• Processing, fulfilling, and managing your concrete orders and deliveries
• Scheduling delivery dates and coordinating logistics
• Calculating pricing, quotes, and estimates
• Providing AI-powered photo analysis for project estimation via Anthropic Vision API
• Routing deliveries using mapping data from Google Maps and OpenStreetMap

4.2 Account Management

• Creating and managing your customer account
• Authenticating your access to the portal
• Processing account updates and profile information
• Resetting passwords and managing account security

4.3 Communication

• Sending order confirmations, delivery notifications, and status updates via email, phone, or SMS
• Responding to customer inquiries and support requests
• Providing invoices, receipts, and transactional communications
• Notifying you of changes to our Services, policies, or terms

4.4 Service Improvement

• Analyzing usage patterns and user behavior to enhance the Website and Services
• Conducting market research and customer satisfaction surveys
• Testing new features and functionality
• Optimizing system performance and reliability

4.5 Security and Fraud Prevention

• Detecting, preventing, and investigating fraud, abuse, and security incidents
• Protecting against unauthorized access, modification, or destruction of data
• Verifying user identity and preventing bot activity via Cloudflare Turnstile
• Enforcing our Terms of Service and detecting violations

4.6 Legal and Regulatory Compliance

• Complying with applicable federal, state, and local laws and regulations
• Responding to lawful requests from government agencies and law enforcement
• Maintaining records for tax, accounting, and audit purposes
• Enforcing contracts and protecting legal rights

4.7 Business Operations

• Conducting internal business analysis, planning, and reporting
• Training staff and improving customer service delivery
• Managing customer relationships and developing business strategies

5. Data Sharing and Third-Party Disclosure

We do not sell or rent your personal information to third parties for their marketing purposes. However, we may disclose or share personal information with select third parties as follows:

5.1 Service Providers and Processors

We work with trusted third-party service providers who process personal information on our behalf under binding data processing agreements. These service providers are contractually obligated to use your information only as necessary to provide services to us and to maintain appropriate security measures:

• Supabase (Database and Authentication): Stores our user database, customer orders, account information, and authentication credentials. Data is encrypted in transit and at rest. Supabase infrastructure is hosted on cloud providers and maintains SOC 2 compliance certifications. Personal data may be processed in multiple geographic locations.
• Google Maps APIs (Mapping and Geocoding): Provides mapping, routing, address validation, and delivery routing services. When you access mapping features or request delivery routing, your delivery address and limited location data may be shared with Google to calculate distances and generate routes. Google processes this data according to its Privacy Policy available at https://policies.google.com/privacy.
• Google Places API: Used for address autocomplete and business location suggestions. Queries may be transmitted to Google's servers.
• Google Directions API and Distance Matrix API: Used for route optimization and delivery time estimation. Delivery address and job site location data are transmitted to Google's servers.
• OpenCage Geocoding API: Provides additional geocoding and reverse geocoding services for address validation. Address data may be transmitted to OpenCage for processing.
• OpenStreetMap and Leaflet: Provides map rendering services. Limited location data may be transmitted to OpenStreetMap infrastructure.
• Anthropic Vision API: Processes photographs you upload for AI-powered project estimation and photo analysis. Images are transmitted to Anthropic's servers for visual analysis. We limit usage to 25 requests per month. Anthropic processes images according to its Privacy Policy and does not use submitted content for model training without explicit consent. Images are not stored indefinitely and are typically processed on-demand.
• Cloudflare Turnstile: Provides bot detection and human verification services to protect our Website from automated abuse. Limited interaction data may be shared with Cloudflare to verify that you are human. Cloudflare processes this data according to its Privacy Policy at https://www.cloudflare.com/privacypolicy/.
• Resend (Email Service Provider): Sends transactional emails including order confirmations, delivery notifications, account alerts, and password resets. Your email address and relevant order information are transmitted to Resend's servers to deliver these communications. Resend does not use your information for marketing or other purposes.
• Vercel (Hosting and Deployment): Hosts our Website and services on Vercel's cloud infrastructure. Server logs and access logs may contain limited personal information and are retained for security and performance monitoring purposes. Vercel maintains SOC 2 compliance.

5.2 Legal and Regulatory Disclosure

We may disclose personal information when required by law, legal process, or government request, including in response to:

• Subpoenas, court orders, warrants, or other legal processes
• Requests from law enforcement, government agencies, or regulatory authorities
• Requirements to enforce our Terms of Service and other agreements
• Situations involving threats to public safety or national security

Where legally permitted, we will attempt to provide notice to affected users before disclosing information in response to government requests.

5.3 Business Transactions

If Salomone is involved in a merger, acquisition, bankruptcy, dissolution, reorganization, or similar business transaction, your personal information may be transferred as part of that transaction. In such cases, we will provide notice to affected users about any change in ownership and any choices they may have regarding their personal information.

5.4 Aggregated and De-identified Information

We may aggregate, anonymize, or de-identify personal information in a manner that no longer reasonably identifies you. We may use and disclose such aggregated, anonymized, or de-identified information for research, marketing, analytics, and other business purposes without restriction and without notice or consent.

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience, maintain security, and collect usage information.

6.1 Types of Cookies

• Essential Cookies: These cookies are strictly necessary for the operation of our Website and Services. They enable core functionality such as account authentication, session management, security verification, and form processing. Essential cookies cannot be disabled without compromising the functionality of the Website.
• Performance Cookies: These cookies collect information about how users interact with our Website, including pages visited, time spent, and performance metrics. This data helps us optimize the Website's functionality and user experience.
• Analytics Cookies: We currently do not use third-party analytics trackers (such as Google Analytics) on our Website. We rely on server-side logs and limited performance monitoring to understand usage patterns.

6.2 Cookie Management

Most web browsers allow you to refuse cookies or alert you when cookies are being sent. However, disabling essential cookies will prevent proper functioning of our Website and Services. You can manage cookie preferences through your browser settings, but please be aware that:

• Disabling essential authentication cookies will log you out of your account
• Some features may not work properly without cookies enabled
• Your preferences may need to be reset when you clear your browser data

6.3 Similar Tracking Technologies

In addition to cookies, we may use similar technologies such as web beacons, pixels, local storage, and session storage to track user behavior, maintain security, and improve our Services. These technologies function similarly to cookies and collect comparable information about your interactions with our Website.

7. Data Retention Periods

We retain personal information for as long as necessary to fulfill the purposes for which it was collected, to comply with legal and regulatory obligations, and to resolve disputes. Specific retention periods vary by category:

• Account Information: Retained while your account is active and for a reasonable period after account deletion to satisfy legal obligations (e.g., tax records, dispute resolution). We typically delete inactive accounts after 2 years of inactivity, provided there are no outstanding orders or disputes.
• Order and Transaction Data: Retained for a minimum of 7 years to comply with tax and business record requirements, accounting standards, and to address potential disputes or warranty claims.
• Payment Information: We do not store full payment card details. Payment processing information is handled by our payment processor and is subject to their retention policies and Payment Card Industry (PCI) compliance standards.
• Communications: Customer service emails, inquiries, and support tickets are retained for 2 years unless required longer for legal or business purposes.
• Usage Logs and Analytics: Server logs and analytics data are typically retained for 90 days for performance monitoring and security investigation purposes. Long-term aggregated analytics may be retained indefinitely in de-identified form.
• Cookies and Session Data: Session cookies are deleted when you log out or close your browser. Persistent cookies are retained for the duration necessary for authentication and functionality, typically up to 1 year.
• Location and Mapping Data: Location information used for delivery routing is retained only as long as necessary to complete the delivery. Historical location data associated with orders is retained with order records (7 years).
• Photographs and Job Site Images: Images uploaded for AI estimation are processed immediately and not stored permanently. Associated metadata and analysis results are retained with the related order (7 years) unless you request deletion.

In some cases, we may retain personal information for longer periods if required by law, to resolve disputes, enforce agreements, or protect our legal interests. When information is no longer needed, we delete or securely destroy it using industry-standard methods.

8. Data Security Measures

We implement comprehensive technical, administrative, and physical security measures designed to protect personal information from unauthorized access, disclosure, alteration, and destruction. These measures include:

8.1 Technical Safeguards

• Encryption: All data in transit is encrypted using TLS 1.2 or higher. Sensitive data at rest is encrypted using industry-standard encryption algorithms.
• Password Security: User passwords are hashed and salted using bcrypt or equivalent cryptographic functions managed by Supabase Auth. We do not store or have access to plain-text passwords.
• Firewalls and Network Security: Our infrastructure is protected by firewalls, intrusion detection systems, and network segmentation to prevent unauthorized access.
• Authentication: We implement secure authentication mechanisms including password requirements, session management, and multi-factor authentication options.
• API Security: Third-party API integrations (Google Maps, Anthropic, Cloudflare) use API keys and OAuth tokens with appropriate scope restrictions and rotation policies.
• Database Security: Supabase databases are configured with row-level security (RLS) policies to ensure users can only access their own data.

8.2 Administrative Safeguards

• Limiting access to personal information to employees, contractors, and service providers who have a legitimate need to know and who are bound by confidentiality agreements
• Conducting regular security training for personnel who handle personal information
• Implementing role-based access controls with principle of least privilege
• Regular security audits and vulnerability assessments
• Maintaining a security incident response plan

8.3 Physical Safeguards

• Data centers with controlled access, surveillance, and environmental monitoring
• Secure disposal of equipment and media containing personal information
• Restricted physical access to servers and infrastructure

8.4 Limitations of Security

While we implement strong security measures, no system is completely secure. We cannot guarantee absolute security of your personal information. You are responsible for maintaining the confidentiality of your account credentials. If you believe your account has been compromised, please contact us immediately.

9. Your Privacy Rights

Depending on your location and applicable laws, you may have certain rights regarding your personal information. We honor these rights and provide mechanisms to exercise them.

9.1 Universal Rights (All Users)

• Right to Access: You have the right to request a copy of the personal information we hold about you. You can access your personal information through your account dashboard at /portal/account or request a formal data export.
• Right to Correction/Rectification: You have the right to request correction of inaccurate, incomplete, or outdated personal information. You can update most information directly in your account settings, or contact us to request corrections.
• Right to Data Portability: You have the right to receive a copy of your personal information in a structured, commonly-used, machine-readable format (such as JSON or CSV) for transfer to another service provider. Request this via the /api/privacy/export endpoint or by contacting us.
• Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions. You can delete your account through /portal/account, which will initiate deletion of your personal data. Some information may be retained for legal, tax, or dispute resolution purposes.
• Right to Object: You have the right to object to certain processing activities, including marketing communications and processing based on legitimate interests. You can opt out of non-essential communications through your account settings.

9.2 European Union / EEA Residents (GDPR)

If you are located in the European Union, European Economic Area, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

• Right to Restrict Processing: You may request that we limit our processing of your personal information in certain circumstances while we address your concerns or pending a resolution of a dispute.
• Right to Object to Processing: You may object to processing of your personal information for direct marketing, profiling, or other purposes based on legitimate interests. We will cease such processing unless we have compelling legitimate reasons.
• Right to Withdraw Consent: Where we rely on your consent for processing, you may withdraw that consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
• Right to Lodge a Complaint: You have the right to lodge a complaint with your national data protection authority if you believe we have violated your rights. Contact information for EU/EEA DPAs is available at https://edpb.ec.europa.eu/about-edpb/board/members_en.

9.3 California Residents (CCPA / CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: You may request what personal information we have collected about you, the sources of that information, our business purposes for collection, and the categories of third parties with whom we share it.
• Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions (e.g., information needed to complete transactions or comply with law).
• Right to Correct: You may request that we correct inaccurate personal information we maintain about you.
• Right to Opt-Out of Sale/Sharing: You may opt out of the "sale" or "sharing" of your personal information for cross-context behavioral advertising. Note: We do not currently sell personal information, but we do share limited information with service providers for functional purposes.
• Right to Limit Use of Sensitive Personal Information: You may limit our use of sensitive personal information to purposes necessary to provide the Services you requested.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights through denial of goods or services, charging different prices, or offering different quality of service.

California Consumer Response Timelines: We will acknowledge receipt of requests within 10 business days and respond substantively within 45 calendar days. We may extend this deadline by an additional 45 days if necessary, in which case we will notify you of the extension.

Verification of Identity: To exercise your California rights, you must submit a verifiable consumer request. We will verify your identity by confirming your email address and requesting additional information as necessary to ensure we are responding to the correct person.

9.4 New Jersey Residents (NJ Data Privacy Act)

New Jersey's Data Privacy Act (effective January 15, 2024) provides New Jersey residents with certain privacy rights regarding personal information. These include:

• Right to access personal information we hold
• Right to delete personal information we have collected (subject to limited exceptions)
• Right to request correction of inaccurate personal information
• Right to data portability in a portable and readily useable format
• Right to opt out of automated decision-making (if applicable)

9.5 Exercising Your Rights

To exercise any of the above rights, you may:

• Log into your account at /portal/account and use the available privacy tools
• Use our automated endpoints: GET /api/privacy/export (for data export) or DELETE /api/privacy/delete (for account deletion)
• Contact us at the address, phone number, or email provided in Section 16 below
• Submit a request through our contact form on the Website

We will not require you to create an account with us to submit a request, and will respond to your request free of charge. We may charge a reasonable fee if requests are manifestly unfounded, excessive, or repetitive.

10. Children's Privacy

Our Website and Services are not directed to individuals under the age of 13, and we do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13 without parental consent, we will take steps to delete such information promptly.

For users between 13 and 18 years of age, we provide additional protections as required by law. If you are a parent or guardian and believe your child has provided personal information to us without consent, please contact us immediately.

The Services are intended for use by individuals age 18 and older or individuals with legal authority to enter into contracts (such as business representatives). Business users who are under 18 should have parental or guardian consent before using the Services.

11. International Data Transfers

Our Services are operated from the United States. If you are located outside the United States, please be aware that your personal information will be transferred to, and processed and stored in, the United States. The United States does not have data protection laws equivalent to the GDPR or other regions' privacy laws.

11.1 Data Transfer Mechanisms

For users in the European Union, EEA, or other jurisdictions with data protection laws, we rely on the following mechanisms to ensure appropriate safeguards for international transfers:

• Standard Contractual Clauses (SCCs): We use EU Commission-approved SCCs in our agreements with Supabase and other data processors to ensure appropriate protections for data transfers.
• Adequacy Decisions: Where applicable, we rely on adequacy decisions or mutual adequacy recognitions between jurisdictions.
• Supplementary Measures: We implement supplementary technical and organizational measures, such as encryption and pseudonymization, to mitigate risks associated with international transfers.

11.2 Third-Party Service Providers in Other Countries

Some of our service providers are located in other countries. By using our Services, you consent to the transfer and processing of your personal information in countries outside your country of residence, which may have different data protection laws. Where applicable, we ensure adequate safeguards are in place through binding contracts, encryption, and other protective measures.

12. Data Breach Notification and Incident Response

In the event of a personal data breach (unauthorized access, disclosure, or destruction of personal information), we will take the following actions:

12.1 Immediate Response

• Activate our incident response plan and assess the scope and impact of the breach
• Contain the breach to prevent further unauthorized access
• Preserve evidence for forensic investigation
• Notify relevant law enforcement and regulatory authorities as required

12.2 Notification to Affected Individuals

We will notify affected individuals of a personal data breach without unreasonable delay, and in accordance with applicable law. Notifications will include:

• A description of what personal information was involved
• The likely consequences of the breach
• The measures we are taking to address the breach and mitigate harm
• Contact information for questions and for credit monitoring services (if applicable)

12.3 Regulatory Notification

For breaches affecting EU residents, we will notify the relevant data protection authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in risk to rights and freedoms.

For breaches affecting California residents, we will notify the California Attorney General if the breach affects more than 500 California residents. We will also notify consumer reporting agencies if notification is required.

13. Changes and Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last Updated" and "Effective Date" at the top of this policy
• Notify you by email or through our Website if the changes materially affect how we use or disclose your personal information
• Obtain your consent if required by law (e.g., for material changes that expand our use of previously collected information)

Your continued use of our Website and Services after changes become effective constitutes your acceptance of the updated Privacy Policy. We encourage you to review this policy periodically to stay informed about how we protect your information.

14. Contact Information and Data Protection Officer

If you have questions about this Privacy Policy, our privacy practices, or to exercise your privacy rights, please contact us using the following information:

14.1 Privacy Contact

For data protection and privacy inquiries, please contact us at:

Salomone Redi-Mix, L.L.C.
17 Demarest Drive, Wayne, NJ 07470
[email protected]

14.2 Response Timeline

We will acknowledge receipt of privacy inquiries and requests within 10 business days and provide a substantive response as quickly as possible, typically within 45 days. For complex requests, we may extend this timeline with notice.

15. Governing Law and Jurisdiction

This Privacy Policy and all matters related to your privacy and our data protection practices are governed by the laws of the State of New Jersey, United States, without regard to its conflict of laws provisions. This choice of law applies regardless of your location.

By using our Website and Services, you consent to the exclusive jurisdiction of the state and federal courts located in New Jersey for resolution of any disputes arising from this Privacy Policy or our privacy practices.

Nothing in this Privacy Policy is intended to limit your rights under applicable data protection laws, including the GDPR, CCPA, CPRA, or New Jersey Data Privacy Act. If there is a conflict between this policy and applicable law, the applicable law will prevail.

16. Additional Information

16.1 Third-Party Links and Integrations

Our Website may contain links to third-party websites, applications, and services that are not operated by Salomone. This Privacy Policy does not apply to third-party sites, and we are not responsible for their privacy practices. Please review the privacy policies of third-party sites before providing personal information or using their services. This includes:

• Google (Google Maps, Google Places, Google Directions APIs) — https://policies.google.com/privacy
• Cloudflare (Turnstile) — https://www.cloudflare.com/privacypolicy/
• Anthropic (Vision API) — https://www.anthropic.com/privacy
• OpenCage — https://opencagedata.com/privacy
• OpenStreetMap — https://wiki.openstreetmap.org/wiki/Privacy_Policy

16.2 Do Not Track

Some browsers include a Do Not Track (DNT) feature. Because standards for recognizing DNT signals have not yet been established, our Website does not currently respond to or honor DNT browser signals. However, you can take other steps to protect your privacy, such as managing cookie preferences in your browser settings.

16.3 California Shine the Light Law

Under California Civil Code Section 1798.83, California residents may request information about the categories of personal information we have shared with third parties for those third parties' direct marketing purposes. We do not sell personal information to third parties for their marketing purposes, so we have nothing to disclose under this law.

16.4 Nevada Residents

Nevada residents may opt out of the sale of certain information under Nevada law. While we do not currently sell personal information, you may submit an opt-out request at any time. We will honor such requests and refrain from selling your information in the future.