Heads up — for agency clients of foresthukill.com: Your separately-signed Service Agreement is the controlling document for your engagement; this Privacy Policy describes how the platform processes personal information generally and applies to that processing.
This Privacy Notice for Forest Hukill ("we", "us", or "our") describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:
- Visit our website at foresthukill.com or any tenant site hosted on the platform
- Use Forest Hukill — an all-in-one website and business-management platform for service businesses (trades that go to the customer): custom website, online booking, card payments via Stripe, scheduling with Google Calendar sync, customer database, and an admin dashboard
- Engage with us in other related ways, including any sales conversation or support exchange
Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions, contact us at forest@foresthukill.com.
Summary of key points
This summary highlights the key points of our Privacy Notice. The numbered sections below provide the full detail.
- What we process: business profile data from tenant owners, booking and payment data from end customers, and standard server-log data from all visitors. See Section 1.
- Sensitive data: we do not process sensitive personal information (health, biometric, government ID, etc.).
- Third-party data: we do not buy or acquire user data from outside sources.
- Why we process: to deliver the Services, send confirmations and reminders, bill subscriptions, prevent fraud, and meet legal obligations. See Section 2.
- Who we share with: a named list of subprocessors (Stripe, Twilio, Resend, Cloudinary, MongoDB Atlas, Vercel, Render, Sentry, Mapbox, Google). We do not sell personal information and do not share it for cross-context behavioural advertising. See Section 3.
- How we keep it safe: HTTPS, scrypt-hashed passwords, encrypted third-party credentials, signed payment webhooks, tenant-scoped access controls, rate limiting. See Section 6.
- Your rights: depending on jurisdiction, you may have rights to access, correct, delete, or port your data. See Section 8 and Section 10.
Table of contents
- 1. What information do we collect?
- 2. How do we process your information?
- 3. When and with whom do we share your information?
- 4. Cookies and similar technologies
- 5. How long do we keep your information?
- 6. How do we keep your information safe?
- 7. Do we collect information from minors?
- 8. What are your privacy rights?
- 9. Controls for Do-Not-Track features
- 10. Do US residents have specific privacy rights?
- 11. Roles and responsibilities
- 12. International transfers
- 13. Updates to this notice
- 14. How to contact us
1. What information do we collect?
From tenant business owners
- Names, email addresses, phone numbers
- Passwords (stored as scrypt hashes — never in plaintext)
- Contact and notification preferences
- Mailing addresses (your business address as published on your tenant site)
- Authentication data (session tokens, password-reset tokens, encrypted OAuth refresh tokens for connected third-party services such as Google Calendar)
- Encrypted third-party credentials (Twilio API keys you provide for SMS)
- Business profile (business name, industry, service area, hours, FAQs, terms text)
- Uploaded media (logos, gallery photos, before/after images)
- Stripe Connect account identifiers and payout configuration (we never see your raw card or bank data)
- Custom-domain configuration and DNS verification tokens
From tenant staff members
- Name, email, password hash, invite acceptance status
From end customers (your customers, processed for you)
- Name, email, phone, customer-supplied notes
- Service-request details from tenant booking forms (service type, location or address, preferred date and time, customer notes, and trade-specific details such as vehicle type/size, property type, or project scope where applicable)
- Quote-request details (service description, location, scheduling preferences, customer notes)
- Review and survey responses (1–5 rating, optional comments)
- Booking and payment history for repeat-customer recognition
- Payment metadata returned by Stripe (last4, brand, charge id) — never the full card number
From agency leads (foresthukill.com contact form)
- Name, email, phone, preferred call date/time, free-form inquiry notes
- IP address (captured at submission for abuse prevention)
From everyone visiting
- Standard server logs (IP, user agent, paths, response codes, timing)
- Error-monitoring breadcrumbs via Sentry (PII scrubbed where feasible)
Payment data
Payment instrument details (card number, security code, expiry, billing address) are collected and stored exclusively by Stripe. We never see or store raw card data. See Stripe's privacy policy for how Stripe handles that information.
Sensitive personal information
We do not process sensitive personal information (health, biometric, racial or ethnic origin, religious beliefs, sexual orientation, government ID numbers, precise geolocation, or financial-account credentials).
Google API services
Tenants can connect their Google Calendar to sync bookings with their personal or business calendar. Our access uses the OAuth 2.0 scope https://www.googleapis.com/auth/calendar.events, which permits read and write access to calendar events on the connected calendar and nothing else — no access to Gmail, Drive, Contacts, or any other Google service.
What we read. Busy intervals (free/busy times) on the connected calendar, used solely to detect conflicts when customers attempt to self-book through the tenant's public site.
What we write. A calendar event for each scheduled booking, containing the customer's name, the service requested, and the start and end times. Events are updated on reschedule and removed on cancellation.
Storage and security. Your OAuth refresh token is stored encrypted at rest in our managed database (MongoDB Atlas, US region). Short-lived access tokens are issued by Google on demand and not persisted.
Limited Use commitment. Our use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we do not use Google user data to:
- Serve advertising of any kind, including retargeting or personalized ads
- Train or improve generalized or non-personalized AI / machine-learning models
- Transfer Google user data to any third party except as needed to provide the calendar-sync feature you connected
- Allow humans to read Google user data, except: (a) with your affirmative consent for specific data, (b) as necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) for internal operations where the data has been aggregated and anonymized
Disconnecting and deletion. You can disconnect Google Calendar at any time from your dashboard. On disconnect we immediately delete the stored OAuth refresh token. Calendar events we previously created on your Google Calendar remain in your calendar (they belong to you); delete them in Google Calendar directly if you no longer want them. To request deletion of any other data we hold relating to your Google integration, email forest@foresthukill.com.
2. How do we process your information?
- To facilitate account creation, authentication, and account management.
- To deliver the Services: serve tenant sites, route bookings, send confirmations and reminders, process payouts.
- To respond to user inquiries and provide support.
- To send administrative information (account changes, billing notices, security alerts, terms updates).
- To fulfill and manage orders, payments, and refunds processed through the Services.
- To enable tenant-to-customer communications (booking confirmations, SMS reminders, quote responses).
- To request feedback (post-job review-request emails and SMS).
- To post testimonials that tenants choose to publish on their own sites (with assumed customer consent).
- To bill subscriptions and meter usage (SMS / email allowances and overages).
- To detect abuse and protect the Services (rate limiting, anomaly detection, fraud monitoring).
- To improve the Services through aggregate, anonymized analytics — no per-customer profiling.
- To identify product usage trends in aggregate.
- To comply with legal obligations (tax reporting, sanctions screening, law-enforcement requests).
3. When and with whom do we share your information?
We share only what each subprocessor needs to deliver its service. We do not sell personal information. We do not share it for cross-context behavioural advertising.
- Stripe — payment processing, subscription billing, Connect payouts.
- Twilio — outbound SMS for booking confirmations and reminders.
- Resend — transactional email delivery.
- Cloudinary — image hosting for tenant logos and gallery uploads.
- MongoDB Atlas — managed database hosting.
- Vercel — web application hosting and (for the Domain Marketplace) registrar services.
- Render — API server hosting.
- Sentry — error monitoring (PII scrubbed where feasible).
- Mapbox — geocoding and map rendering for tenant booking-flow service-area selection (sees IP and address-search queries from end users).
- Google — Calendar API for tenants who explicitly connect their Google Calendar. We use only the calendar.events scope and only on calendars the tenant authorizes. See "Google API services" above.
We may also share information in connection with legal obligations: response to lawful subpoenas, court orders, or other legal process; compliance with tax recordkeeping; and enforcement of our Terms of Service.
Business transfers. If the platform is acquired or merged, personal information may be transferred to the successor entity, which will be bound by this Privacy Policy or a successor with comparable protections. Affected users will be notified and given a chance to delete their account before transfer.
4. Cookies and similar technologies
We use a small number of strictly-necessary first-party cookies to keep authenticated users signed in. We do not set advertising cookies, do not use cross-site tracking pixels, and do not load third-party analytics on our pages. Because every cookie we set is essential to the service you requested, we do not display a consent banner.
All session cookies are HttpOnly, SameSite=Lax, and Secure in production. They are scoped to the platform domain and never shared with third parties.
- platform_owner_session — keeps a tenant business owner signed into their dashboard. Default lifetime: 7 days.
- platform_staff_session — keeps a tenant staff member signed into their dashboard. Default lifetime: 7 days.
- platform_admin_session — keeps the platform operator signed into the agency console. Default lifetime: 12 hours.
Local storage on tenant booking forms
Tenant booking forms use your browser's localStorage to save draft answers so a refresh doesn't lose your progress. This is not a cookie, is not transmitted to our servers, and you can clear it from your browser at any time.
Subprocessor cookies
When you complete a payment, Stripe's embedded checkout may set its own cookies for fraud prevention; those are governed by Stripe's privacy policy. Mapbox sets functional cookies needed to render the booking-flow map; see Mapbox's privacy policy. Our hosting providers (Vercel and Render) do not set tracking cookies on our pages.
Tenant-added tracking
Tenants who add their own analytics, advertising, or tracking technologies to their public site are responsible for disclosing those cookies and obtaining any consent required in their jurisdiction. The platform itself does not add such trackers.
5. How long do we keep your information?
We keep your personal information only as long as necessary to fulfill the purposes outlined in this notice, unless a longer retention period is required or permitted by law.
- Account data: kept while your subscription is active and for 90 days after cancellation, then deleted.
- Customer / booking / payment records: kept while your subscription is active. Available for export from your dashboard at any time. After cancellation, retained for 90 days for export, then deleted.
- Operational logs: kept for up to 90 days, then aggregated.
- Tax and accounting records (subscription invoices): retained for 7 years to meet US tax recordkeeping requirements.
- Google Calendar OAuth tokens: deleted immediately when you disconnect from your dashboard. Calendar events we created on your Google Calendar belong to you; we do not delete them on disconnect.
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if not possible (for example because it has been stored in backup archives), we will securely store and isolate it from further processing until deletion is possible.
6. How do we keep your information safe?
We use HTTPS in transit, scrypt-hashed passwords, hashed session tokens, encrypted third-party API credentials (such as Twilio auth tokens), signed Stripe webhooks, tenant-scoped access controls, and rate-limited public endpoints. Cross-host authentication uses signed handoff tokens with a 5-minute time-to-live.
Despite these safeguards, no system is perfectly secure and no electronic transmission can be guaranteed 100% secure. If we discover a breach affecting your data, we will notify you without undue delay and per applicable law.
7. Do we collect information from minors?
We do not knowingly collect, solicit data from, or market to children under 18 years of age, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 18 or are the parent or guardian of such a minor and consent to such minor dependent's use of the Services. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at forest@foresthukill.com.
8. What are your privacy rights?
Depending on your country, province, or state of residence, you may have certain rights regarding your personal information. In general, these include the right to access, correct, delete, or port your data, and to object to or restrict certain processing. Tenant owners can exercise these directly from the dashboard or by emailing the operator. End customers should contact the tenant whose site they used; we will support the tenant's response.
Withdrawing your consent
Where we rely on your consent to process your information, you may withdraw that consent at any time by contacting us using the details in Section 14. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal nor processing carried out under another legal basis.
Account information
If you would like to review, change, or terminate your account, you can do so from the dashboard or by contacting us. On termination we will deactivate or delete your account data per the schedule in Section 5; some information may be retained where required for fraud prevention, legal compliance, or tax recordkeeping.
Cookies
Most browsers accept cookies by default. You can configure your browser to remove or reject cookies — note that doing so for the strictly-necessary session cookies described in Section 4 will prevent you from staying signed in.
9. Controls for Do-Not-Track features
Most web browsers and some mobile operating systems include a Do-Not-Track ("DNT") feature you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. No uniform technology standard for recognizing and implementing DNT signals has been finalized; as such, we do not currently respond to DNT browser signals. If a standard is adopted that we must follow, we will update this notice.
10. Do US residents have specific privacy rights?
If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have the right to request access to and receive details about the personal information we maintain about you, correct inaccuracies, get a copy of, or delete your personal information.
Categories of personal information we collect
The following categories reflect what we have collected in the past 12 months:
- A. Identifiers — name, postal address, phone, email, IP address, account ID. Collected: yes.
- B. Personal information under the California Customer Records statute — name, contact info, financial information (Stripe-held). Collected: yes.
- C. Protected classification characteristics (race, ethnicity, religion, etc.). Collected: no.
- D. Commercial information — booking history, purchase records, payment metadata. Collected: yes.
- E. Biometric information. Collected: no.
- F. Internet or other similar network activity (browsing history, cross-site behavior). Collected: no.
- G. Geolocation data. Collected: no.
- H. Audio, electronic, sensory, or similar information. Collected: no.
- I. Professional or employment-related information. Collected: no.
- J. Education information. Collected: no.
- K. Inferences drawn from collected personal information. Collected: no.
- L. Sensitive personal information. Collected: no.
We retain personal information in categories A, B, and D for the duration described in Section 5. We have not sold or shared personal information for cross-context behavioural advertising in the preceding 12 months. We have disclosed categories A, B, and D to the subprocessors named in Section 3 for the operational purposes described in Section 2.
Your rights
Depending on the state, you may have the right to:
- Know whether we are processing your personal data
- Access your personal data
- Correct inaccuracies in your personal data
- Request deletion of your personal data
- Obtain a copy of the personal data you previously shared with us
- Non-discrimination for exercising your rights
- Opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling that produces legal or similarly significant effects (we do not do any of these — there is nothing to opt out of)
- Limit the use and disclosure of sensitive personal data (we do not collect any)
How to exercise your rights
To exercise these rights, email us at forest@foresthukill.com or use the contact details in Section 14. You may designate an authorized agent to make a request on your behalf; we may require proof of authorization.
Verification
To process your request, we may need to verify your identity using information already in our records (for example, the email tied to your account). We will use that information solely to verify your identity or authority to make the request.
Appeals
If we decline to act on your request, you may appeal by emailing us at forest@foresthukill.com. We will respond in writing with the action taken or the reason for declining. If the appeal is denied, you may file a complaint with your state attorney general.
California "Shine the Light" law
California Civil Code §1798.83 permits California residents to request, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes. We do not disclose personal information to third parties for direct marketing purposes; if you would like to confirm this in writing, contact us using the details in Section 14.
11. Roles and responsibilities
For tenant business owners (signed-up customers of the platform), we act as a data controller for your account data and a data processor for the customer records, bookings, and content you create on the platform. For end customers (people booking services with one of our tenants), the tenant is the data controller and we are the processor acting on their instructions.
For agency clients of foresthukill.com, your separately-signed Service Agreement is the controlling document for your engagement; this Privacy Policy describes how the platform processes personal information generally and applies to that processing.
12. International transfers
Our infrastructure and subprocessors operate primarily in the United States. If you access the platform from outside the US, your data will be transferred to and processed in the US.
13. Updates to this notice
We may update this Privacy Policy from time to time. The updated version will be indicated by a new "Effective" date at the top of this page. For material changes affecting tenant owners, we will email the address on file at least 30 days before the change takes effect.
14. How to contact us
Privacy questions: email forest@foresthukill.com, or write to us at:
Forest Hukill
9609 NE 87th Ave
Vancouver, WA 98662-3200
United States
To request to review, update, or delete your personal information, visit foresthukill.com/privacy or use the contact details above.