Privacy Policy
Last updated: May 25, 2026
Lithiq ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our cloud-based stone fabrication platform (the "Service"). Please read this policy carefully. If you do not agree with its terms, do not access or use the Service.
1. Information We Collect
1.1 Information You Provide
We collect information you voluntarily provide when you:
- Create an account — Full name, email address, company name, phone number, and password (stored as a bcrypt hash)
- Set up your company profile — Business name, address, phone, logo, branding colors, default payment/quote terms
- Invite team members — Names and email addresses of colleagues you invite to your company account
- Manage jobs — Client names, contact details, job addresses, project notes, photos, and fabrication specifications
- Create materials and price lists — Material names, categories, supplier information, dimensions, costs, and pricing rates
- Track inventory — Slab records including images, dimensions, supplier data, purchase costs, barcode/QR identifiers, and physical storage locations
- Communicate with support — Any information you share when contacting our support team via email or chat
- Provide payment information — Credit card details are collected and processed by Stripe, Inc. We do not store full credit card numbers on our servers
1.2 Information Collected Automatically
When you access the Service, we automatically collect:
- Usage data — Pages visited, features used, time spent, actions taken within the platform
- Device information — Browser type and version, operating system, screen resolution, device type
- Log data — IP address, access times, referring URLs, request timestamps, error logs
- Session information — Authentication tokens and session identifiers (stored in HTTP-only cookies)
1.3 Information from Third Parties
We may receive information from:
- Authentication providers — If you sign in via Google or Azure SSO, we receive your name, email, and profile picture from the provider
- Payment processors — Stripe provides us with limited payment confirmation data (payment method type, billing address, last four digits of card) but not full card numbers
- File storage providers — Cloudflare R2 stores files you upload; we retain metadata about file size, type, and upload timestamps
2. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Service — To operate, maintain, and deliver the features of the platform, including job management, estimating, layout, production tracking, inventory management, and billing
- Account management — To create and manage your account, authenticate your identity, manage team members and permissions, and process subscription payments
- Customer support — To respond to your inquiries, troubleshoot issues, and provide technical assistance
- Service improvement — To analyze usage patterns, identify bugs or performance issues, and develop new features and improvements
- Communication — To send service-related notices (e.g., payment receipts, subscription renewals, security alerts) and, with your consent, product updates and promotional materials
- Security and fraud prevention — To detect and prevent unauthorized access, abuse, or fraudulent activity, and to enforce our Terms of Service
- Legal compliance — To comply with applicable laws, regulations, and legal processes
3. How We Share Your Information
We do not sell your personal information. We may share your information only in the following circumstances:
3.1 Service Providers
We engage trusted third-party service providers to perform functions on our behalf. These providers are contractually bound to protect your data and use it only for the services they provide:
- Stripe, Inc. — Payment processing and subscription management. Stripe's privacy policy: stripe.com/privacy
- Cloudflare, Inc. — File storage via R2, content delivery, and DDoS protection. Cloudflare's privacy policy: cloudflare.com/privacypolicy
- Neon — PostgreSQL database hosting. Neon's privacy policy: neon.tech/privacy
- Vercel Inc. — Application hosting and deployment. Vercel's privacy policy: vercel.com/privacy
- NextAuth.js — Authentication session management (self-hosted; no external data sharing)
3.2 Team Members and Invited Users
Information you enter into your company's account — including client data, job details, and internal notes — is accessible to other team members within your company based on their assigned roles and permissions. You control who has access to your company account through the team management settings.
3.3 Legal Requirements
We may disclose your information if required to do so by law or in the good faith belief that such disclosure is necessary to:
- Comply with a legal obligation, court order, or governmental request
- Protect and defend our rights, property, or safety, or the rights, property, or safety of our users or others
- Investigate, prevent, or take action regarding suspected illegal activity, fraud, or security incidents
3.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service of any change in ownership or use of your information.
4. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in transit — All communications with the Service are encrypted using TLS 1.2+ (HTTPS). API endpoints are accessible only over HTTPS
- Encryption at rest — Database storage uses encrypted volumes. File storage in Cloudflare R2 is encrypted at rest using AES-256
- Password security — Passwords are hashed using bcrypt with 12 salt rounds. Plain-text passwords are never stored or logged
- Access control — Team-based role permissions (COMPANY_ADMIN, ESTIMATOR, SALES, etc.) limit data access within each company account
- Session management — Authentication tokens are stored in HTTP-only, secure, same-site cookies. Sessions expire after inactivity
- Rate limiting — API endpoints are rate-limited to prevent abuse and brute-force attacks
- Audit logging — All significant actions (user access, data changes, permission updates) are recorded in an immutable audit log
- Regular updates — We apply security patches and dependency updates on a continuous basis
Despite these measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we continuously monitor and improve our security posture.
4.1 Data Breach Notification
In compliance with data breach notification laws in all 50 U.S. states, the District of Columbia, and applicable international jurisdictions, we maintain a breach response plan that includes:
- Detection and investigation — Continuous monitoring systems and a dedicated security incident response team to identify and contain breaches promptly
- Risk assessment — Evaluation of the nature, scope, and likely impact of any breach on affected individuals
- Notification — We will notify affected individuals and relevant regulatory authorities without undue delay and in accordance with applicable legal requirements. Notifications will include: (a) a description of the breach, (b) the types of information involved, (c) steps we have taken and will take to mitigate harm, (d) contact information for further inquiries, and (e) recommendations for affected individuals to protect themselves
- Remediation — Corrective actions to prevent recurrence, including system patches, process improvements, and additional security controls
- Record keeping — Maintenance of records of all data breaches, including their effects and remedial actions taken, as required by applicable law
If we determine that your personal information has been compromised, we will notify you via the email address associated with your account. We will also post a notice on the Service if the situation warrants. Where required by law (e.g., under Washington's breach notification law RCW 19.255.010, California's Civil Code sections 1798.29 and 1798.82, and similar statutes in other states), we will notify the appropriate state attorney general or regulatory authority.
5. Data Retention
We retain your information for as long as your account is active or as needed to provide the Service:
- Account data — Retained for the duration of your subscription plus 90 days after account closure to allow for reactivation or data export
- Job data — Retained indefinitely while your account is active. Upon account closure, job data is deleted or anonymized within 90 days
- Invoice and payment records — Retained for 7 years to comply with tax and accounting regulations
- Audit logs — Retained for a minimum of 12 months
- Analytics and usage data — Retained in aggregated, anonymized form indefinitely for product improvement
- Backup copies — Archived backups are retained for up to 30 days after deletion
6. Your Rights and Choices
Depending on your jurisdiction, you may have the following rights regarding your personal information. We will respond to all legitimate requests within the timeframes required by applicable law (generally 30–45 days).
6.1 Privacy Rights (All Users)
The following rights are available to all users regardless of location, to the extent provided by applicable law:
- Access — Request a copy of the personal data we hold about you, including the categories and specific pieces of information we have collected
- Correction — Request that we correct inaccurate or incomplete personal data
- Deletion — Request deletion of your personal data, subject to legal retention requirements (e.g., tax records, audit logs)
- Data portability — Request a machine-readable copy of your data in a commonly used format (e.g., JSON, CSV)
- Objection / Opt-out — Object to the processing of your data for targeted advertising, profiling in furtherance of decisions that produce legal effects, or other purposes as provided by law. We do not sell your personal information or engage in profiling for significant decisions
- Withdraw consent — Withdraw any consent you previously provided at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal
- Appeal — If we decline to take action on a request, you have the right to appeal that decision. We will provide instructions for appeal in our response
6.2 California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you the following additional rights:
- Right to know — Request disclosure of the categories and specific pieces of personal information we have collected, the sources from which it was collected, the business purpose for collection, and the categories of third parties with whom we share it
- Right to delete — Request deletion of personal information we have collected, subject to certain exceptions (e.g., completing transactions, detecting security incidents, complying with legal obligations)
- Right to correct — Request correction of inaccurate personal information
- Right to non-discrimination — You will not be discriminated against for exercising any of your CCPA rights (whether by denial of service, different pricing, or different quality)
- Right to opt out of sale/sharing — We do not sell your personal information or share it for cross-context behavioral advertising. You may still submit an opt-out request to be notified of any future changes
- Right to limit use of sensitive personal information — We only use sensitive personal information (e.g., account credentials) for purposes reasonably expected by an average consumer (account authentication and service delivery). We do not use sensitive information for inferring characteristics about you
- Shine the Light — California Civil Code Section 1798.83 entitles you to request information about our disclosure of personal information to third parties for their direct marketing purposes. We do not engage in such disclosure
To exercise your CCPA/CPRA rights, contact us at privacy@lithiqstudios.com. We will verify your identity using commercially reasonable methods before processing your request. You may designate an authorized agent to make a request on your behalf.
6.3 Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Tennessee (TIPA), Delaware (DDPA), New Jersey (NJDPA), Indiana (INCDPA), New Hampshire (NHDPA), Nebraska (NDPA), Maryland (MDODPA), Minnesota (MNDPA), and Rhode Island (RIDPA)
If you are a resident of any of the above states, your state's comprehensive privacy law grants you rights substantially similar to those listed in Section 6.1, including:
- Confirmation of processing — Whether we process your personal data and access to that data
- Correction — Correct inaccuracies in your personal data
- Deletion — Delete personal data provided by or obtained about you
- Portability — Obtain a copy of your data in a portable format
- Opt-out — Opt out of the processing of your data for (i) targeted advertising, (ii) sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects. We do not engage in any of these activities
- Appeal — If we decline to take action on your request, you may appeal our decision within a reasonable period. You may contact your state attorney general if your appeal is denied
To exercise your rights under any of these laws, contact us at privacy@lithiqstudios.com. We will authenticate your request and respond within the timeframe required by your state's law.
6.4 Washington State Residents
We are based in Washington State. In addition to the general rights described above, Washington residents have specific protections under the following laws:
- Washington My Health My Data Act (MHMDA) — This law provides additional protections for consumer health data. Lithiq is a platform for stone fabrication shops and does not intentionally collect health data, medical information, or health-related identifiers. To the extent any health data is inadvertently processed through user-uploaded content (e.g., job notes, photos), we will: (a) obtain your consent before collecting such data, (b) not share it without your authorization, (c) maintain a data retention schedule, and (d) provide a mechanism for you to withdraw consent and request deletion. We do not use health data for targeted advertising or marketing
- Washington Biometric Privacy Law (RCW 19.375) — Lithiq does not collect, capture, or store biometric identifiers (fingerprints, retina scans, face geometry, voice prints). We do not maintain a biometric database
- Data Breach Notification (RCW 19.255.010) — In the event of a security breach involving your personal information, we will notify you in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the integrity of the system
Washington residents may exercise all rights described in Section 6.1 by contacting us at privacy@lithiqstudios.com.
6.5 Nevada Residents
Nevada Revised Statutes Chapter 603A permits Nevada residents to opt out of the "sale" of their "covered information" as defined by Nevada law. We do not sell your covered information as defined under Nevada law. If you are a Nevada resident and wish to submit a request regarding the sale of your covered information, please contact us at privacy@lithiqstudios.com.
6.6 Sensitive Personal Information
Under various state laws (CCPA/CPRA, VCDPA, CPA, CTDPA, and others), certain categories of data are classified as "sensitive" and receive additional protections. The sensitive personal information we may collect, and our use of it, is limited to the following:
- Account login credentials (password) — Collected solely for authentication. Stored as a bcrypt hash; we never have access to the plain-text password. Used only for account access and security
- Payment card information — Collected and processed entirely by Stripe, Inc. We receive only limited confirmation data (last four digits, card brand, expiration month/year). We do not store full card numbers, CVV codes, or magnetic stripe data
- Precise geolocation — We do not collect precise geolocation data from your device. IP addresses are used in aggregate for security monitoring and fraud prevention
We do not process sensitive personal information for the purpose of inferring characteristics about a consumer, nor do we sell or share sensitive personal information. Our processing is limited to what is reasonably necessary and proportionate to provide the Service.
6.7 European Economic Area (GDPR) and United Kingdom
If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR:
- Right to be informed — This Privacy Policy provides you with information about how we collect and process your data
- Right of access — Request access to the personal data we hold about you (subject access request)
- Right to rectification — Request correction of inaccurate or incomplete data
- Right to erasure (right to be forgotten) — Request deletion of your personal data where there is no compelling reason for continued processing
- Right to restrict processing — Request restriction of processing under certain circumstances (e.g., while a correction request is pending)
- Right to data portability — Receive your data in a structured, commonly used, machine-readable format and transfer it to another controller
- Right to object — Object to processing based on legitimate interests or for direct marketing. We will comply unless we have compelling legitimate grounds
- Automated decision-making — We do not engage in solely automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you
- Complaint to supervisory authority — You have the right to lodge a complaint with your local data protection authority (e.g., the ICO in the UK, or the relevant authority in your EU member state)
Our legal bases for processing your data under GDPR are:
- Performance of a contract (Article 6(1)(b)) — Account creation, authentication, service delivery, subscription management, and billing
- Legitimate interests (Article 6(1)(f)) — Service improvement, security monitoring, fraud prevention, bug detection, and audit logging. Our legitimate interests do not override your fundamental rights and freedoms
- Consent (Article 6(1)(a)) — Marketing communications and optional features (e.g., onboarding wizard completions). You may withdraw consent at any time
- Legal obligation (Article 6(1)(c)) — Tax and accounting record retention, compliance with court orders and regulatory requests
7. Cookies and Tracking Technologies
We use cookies and similar technologies for essential and analytical purposes:
7.1 Essential cookies
Required for the Service to function properly:
- next-auth.session-token — Authentication session token (HTTP-only, secure)
- lithiq_validated_code — Temporary cookie storing a validated activation code during signup (15-minute expiry, HTTP-only)
- lithiq_active_company — Stores the user's currently active company for multi-company accounts
7.2 Analytics cookies
We may use analytics tools to understand how the Service is used. These tools may set cookies that collect aggregated, anonymized usage data. We do not use third-party advertising cookies or tracking for marketing retargeting.
7.3 Do Not Track (DNT)
Some browsers support a "Do Not Track" signal that requests websites not to track your online activity. The Service does not respond to DNT signals at this time because there is no uniform industry standard for how DNT signals should be interpreted. We do not engage in the types of cross-site tracking that DNT is designed to prevent (targeted advertising, cross-context behavioral tracking, or sale of personal information for tracking purposes). As industry standards evolve, we will reevaluate our DNT response practices.
7.4 Managing cookies
Most browsers allow you to control cookies through their settings. However, disabling essential cookies may prevent the Service from functioning correctly. Analytics cookies can be blocked without affecting core functionality.
8. Third-Party Services and Links
The Service may contain links to third-party websites or services that are not owned or controlled by us. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing them with your personal information.
Third-party services integrated with the Service include:
- Stripe (payment processing)
- Cloudflare R2 (file storage)
- Neon (database hosting)
- Vercel (application hosting)
- Google / Azure SSO (optional authentication)
9. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will take steps to delete such information promptly. If you believe we have collected information from a child, please contact us at privacy@lithiqstudios.com.
10. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. Our hosting infrastructure is provided by Vercel (global edge network) and Neon (US-based database hosting). Cloudflare R2 storage may be distributed across global data centers.
When we transfer data across national borders, we rely on appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements (DPAs) with our service providers
- Compliance with applicable data protection frameworks
By using the Service, you consent to the transfer of your information to countries that may have different data protection laws than your jurisdiction.
11. Your Data Responsibilities
As a Lithiq user, you are responsible for:
- Client data — Ensuring you have the legal basis to store and process your clients' personal information in Lithiq (e.g., obtaining consent where required by applicable law)
- Team access — Managing your team members' access permissions and promptly removing access for former employees
- Security of your account — Maintaining the confidentiality of your login credentials and enforcing strong password policies within your company
- Compliance — Complying with all applicable data protection laws in your jurisdiction when using the Service to process personal data
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Emailing the primary email address associated with your account
- Posting a notice within the Service
- Updating the "Last updated" date at the top of this policy
We encourage you to review this Privacy Policy periodically. Continued use of the Service after changes take effect constitutes your acceptance of the updated policy.
13. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: privacy@lithiqstudios.com
- Support: support@lithiqstudios.com
We will acknowledge receipt of your request within 5 business days and respond substantively within 30 days. If we require additional time, we will inform you of the extension and the reason.
Lithiq is a product of Lithiq Studios. This Privacy Policy is provided for informational purposes and does not create a contractual agreement. For the binding terms governing your use of the Service, please refer to the Terms of Service.