Privacy Policy

NORDIX LLC · Effective July 10, 2026

1. Who We Are and What This Policy Covers

NORDIX LLC (“Nordix,” “we,” “us”) provides an estimating and project management platform for commercial and industrial trade contractors (the “Service”), along with free public tools at nordixhq.com/tools. This policy explains what information we collect, how we use it, and the choices available to you. It covers visitors to our website, users of the Service, and people who interact with communications sent from the Service.

A note on business data: Nordix is business software. Most data in the Service — estimates, jobs, costs, contacts, documents — is entered by our business customers and belongs to them. We process that data on the customer’s behalf and under their instructions. If you are an employee of a Nordix customer and have questions about data in your company’s workspace, your company’s administrator is the primary point of contact.

2. Information We Collect

Account information. Name, work email address, password (stored in hashed form by our authentication provider), role, and optional profile details such as an avatar and notification preferences. If multi-factor authentication is enabled, we store the enrollment metadata needed to verify it.

Customer business data. Content that customers and their users enter or upload: estimates and bids, job and cost records, contacts and vendors, subcontractor and compliance records, schedules, and uploaded documents (drawings, quotes, PDFs, photos).

Activity and audit records. The Service keeps an activity log of business actions (who created, changed, or deleted what, and when) as a core product feature for our customers. These records are designed to be tamper-resistant.

Usage, log, and device data. IP address, browser type, pages visited, timestamps, and error diagnostics. Error reports may include the account identifier and email of the signed-in user so our team can investigate problems that user experienced.

Information about external recipients. When a customer sends an RFI, quote request, or submittal review from the Service, we process the recipient’s name, email address, organization, the message thread (including email replies), attachments, and — for secure review links — technical verification data such as IP address, browser identifier, open timestamps, and the name typed when submitting a response. This information forms part of the customer’s project record and supports the integrity of the review process. See Section 8.

Free-tools analytics. On our public /tools pages we count page views using a one-way, salted hash of the visitor’s IP address. The hash cannot reasonably be reversed to identify you, and we do not use it to build visitor profiles.

3. How We Use Information

  • To provide, operate, secure, and support the Service, including authentication, permissions, and customer support;
  • To send Service communications on customers’ instructions (invitations, RFIs, submittal reviews, alerts) and essential account notices;
  • To monitor for errors, abuse, and security incidents, and to enforce rate limits and access controls;
  • To maintain the activity and audit records described above;
  • To create aggregated, de-identified statistics (for example, anonymized industry benchmarks) that do not identify any customer or person;
  • To comply with law and to establish, exercise, or defend legal claims.

We do not sell personal information, and we do not use customer data to train third-party advertising or profiling systems.

4. How We Share Information

We share information only with service providers that help us run the platform, under contracts that limit their use of it to providing services to us:

  • Supabase — database hosting and authentication (United States).
  • Vercel — application hosting, content delivery, and request logs.
  • Cloudflare — file storage for uploaded documents (R2).
  • Resend — sending and receiving Service email (invitations, RFIs, submittals, alerts).
  • Sentry (Functional Software, Inc.) — error monitoring and diagnostics.
  • Google Fonts — font delivery on public pages (your browser requests fonts from Google, which receives your IP address).

We may also disclose information if required by law or legal process, to protect the rights, safety, or property of Nordix, our customers, or others, or in connection with a merger, acquisition, or sale of assets (in which case this policy will continue to apply to previously collected data until updated). Within the Service, data is shared according to the customer’s own workspace configuration — company membership, roles, and permission groups controlled by the customer’s administrators.

5. Cookies and Local Storage

We use only essential cookies and local storage: authentication session cookies, a timezone cookie so dates render in your local time, and a theme preference stored in your browser. We do not use advertising or cross-site tracking cookies, and we do not respond differently to “Do Not Track” signals because we do not track visitors across other sites.

6. Security

We maintain administrative, technical, and physical safeguards designed to protect information consistent with its sensitivity and with New York’s SHIELD Act, including encryption in transit, tenant isolation enforced at the database layer (row-level security), role-based access controls, optional multi-factor authentication, audit logging, and error monitoring. No system is perfectly secure; if we learn of a breach affecting your information, we will notify affected customers and regulators as required by law.

7. Retention and Deletion

We retain information for as long as the customer’s account is active and as needed for the purposes above. When a subscription ends, customer data is available for export for a limited period and then deleted from active systems, as described in our Terms of Service. Customers may request full erasure of their company’s data; when we complete an erasure we retain only a minimal receipt documenting that the erasure occurred (without the erased content). Residual copies in encrypted backups are deleted on the backup rotation schedule. Some records may be retained longer where required by law.

8. If You Received an Email or Review Link from Nordix

If a Nordix customer sent you an RFI, quote request, or submittal review, that communication was initiated by the customer, and your reply or review response becomes part of their project record. For secure review links, we record verification details (IP address, browser identifier, open times, and the name you sign with) so both sides have a trustworthy record of the review. You do not need a Nordix account, and we use your contact information only to deliver these communications — not for marketing. If you believe you received a communication in error, contact us at info@nordixhq.com.

9. Your Rights and Choices

You may access and update your profile information in the Service’s settings. Depending on where you live, you may have rights to request access to, correction of, or deletion of your personal information. Because most data in the Service is controlled by our business customers, we may refer requests concerning workspace data to the relevant customer and assist them in responding. To make a request, email info@nordixhq.com; we will verify your request and respond within the time required by applicable law. We will not discriminate against you for exercising your rights.

10. Children

The Service and website are intended for business use by adults. They are not directed to children, and we do not knowingly collect personal information from anyone under 18.

11. Changes to This Policy

We may update this policy from time to time. For material changes we will provide notice (for example, by email or in-app notice) before the change takes effect, and we will update the effective date above. The current version will always be available at nordixhq.com/privacy.

12. Contact Us

NORDIX LLC
Email: info@nordixhq.com