Legal
Privacy Policy
This policy explains what information StoneEx System collects, how we use and protect it, the integrations your data flows through, how long we keep it, and the rights you have over it.
1. Overview and scope
This Privacy Policy explains how StoneEx System (“StoneEx System,” “we,” “us,” or “our”) collects, uses, discloses, and protects information in connection with our cloud software platform for stone and countertop fabricators, installers, contractors, and suppliers (the “Service”). It applies to our marketing website, the web application, and the companion field applications used by templaters and installers.
StoneEx System is a multi-tenant platform. Each customer is an organization (a “tenant”) with its own isolated workspace. For the business data an organization stores in the Service — its contacts, projects, drawings, documents, financial records, and communications — the organization is the controller of that data, and StoneEx System acts as a processor that handles the data on the organization’s behalf and under its instructions. For account, billing, and operational data that we collect to run and secure the Service, StoneEx System is the controller.
If you use StoneEx System through an organization (for example, as an employee of a stone shop), that organization’s administrators control your access and the settings that govern your data. Questions about how a particular organization uses your information should be directed to that organization.
2. Information we collect
We collect the following categories of information.
Account and identity data
When an account is created we collect your name, email address, and organization membership and role. We authenticate you using a passwordless magic link or Google sign-in, so we do not store a password for your account. We also record which organization you belong to and your role-based permissions within it.
Customer relationship (CRM) data
Organizations use StoneEx System to manage their customers and leads. This includes contact names, companies, phone numbers, email and mailing addresses, tags, notes, and the activity timeline associated with each contact. Organizations decide what customer information to enter and are responsible for having a lawful basis to do so.
Projects, quotes, and drawings
The Service stores project and quote records — materials, dimensions, edge profiles, pricing, line items, and revision history — along with countertop drawings created in the browser-based drawing designer, including their geometry and exported files such as DXF and PDF.
Documents and uploaded files
Organizations upload and generate files through the Service: photos, measured-area records, signatures captured in the field, PDFs, spreadsheets, and other documents attached to contacts, projects, jobs, and quotes. Uploaded media is stored in object storage and counts toward the organization’s storage allowance.
Financial data (Finance Hub)
When an organization uses the Finance Hub, we store contract snapshots, change orders, internally-prepared invoice drafts and line items, recorded payments, and the workflow state of each project. Where an organization connects QuickBooks Online, we also store the identifiers and status needed to keep records in sync — see Third-party integrations. StoneEx System does not collect or store full bank account or credit card numbers; subscription payments are handled by our payment processor.
Communications
The Service includes a shared inbox that consolidates messages per customer. Depending on the integrations an organization enables, this can include email content and metadata, SMS message content, call metadata, voicemail recordings and their transcriptions, and internal notes. This content is processed to deliver the inbox, threading, notifications, and related features.
Usage, device, and log data
To operate and secure the Service, we automatically collect technical information such as IP address, browser and device characteristics, pages and features used, timestamps, and diagnostic and error data. We tag operational logs with request and organization identifiers — never with credentials, secrets, or raw sensitive message bodies.
Information you provide directly
If you contact us, request a demo, or submit a public intake or drawing-request form, we collect the information in that submission, such as your name, email, phone number, and message.
3. How we use information
We use the information described above to:
- Provide, maintain, and improve the Service and its features;
- Authenticate users, enforce role-based permissions, and keep each organization’s workspace isolated;
- Power core workflows — drawing, quoting, CRM, scheduling, inventory, the Finance Hub, and the field apps;
- Deliver communications through connected channels and surface them in the shared inbox;
- Provide optional AI features when an organization enables them;
- Process subscription billing and enforce plan entitlements and quotas;
- Monitor, secure, and troubleshoot the Service, prevent abuse, and investigate incidents;
- Provide customer support and respond to your requests;
- Comply with legal obligations and enforce our agreements.
We do not sell your personal information, and we do not use the business data an organization stores in the Service for advertising or to build advertising profiles.
4. AI features and providers
StoneEx System offers optional AI features, including drawing assistance, slab-layout and vein-matching suggestions, and assistants for quoting, email and text, scheduling, and in-app voice. AI features are available on qualifying plans and are enabled per user; they run only when a user invokes them.
To provide these features, we send the relevant content — such as the text of a request, the drawing or project details it concerns, or a message you are drafting — to trusted third-party AI providers, currently Anthropic (Claude) and OpenAI, which process it through their APIs to return a result. We use these providers under their commercial API terms, which provide that content submitted through the API is processed solely to generate responses and is not used to train their models.
AI output can be imperfect and should be reviewed before it is relied upon. AI features are assistive; they do not make binding decisions on your behalf.
5. Third-party integrations and OAuth
Organizations can connect StoneEx System to third-party services. These integrations are optional and are enabled by an organization’s administrators. When you authorize an integration, you grant access through a secure OAuth flow; we store the resulting access and refresh tokens encrypted and scoped to your organization, and we use them only to provide the connected feature. You can disconnect an integration at any time, which revokes StoneEx System’s stored access.
QuickBooks Online (Intuit)
When an organization connects QuickBooks Online, we access accounting data needed to prepare and synchronize invoices and payments — customers, items, invoices, and payment records for the connected company. StoneEx System remains the operational source of truth for projects and contracts, while QuickBooks remains the accounting source of truth for invoices, payments, and taxes. We store the QuickBooks company (realm) identifier, invoice and payment identifiers, sync tokens, and synchronization status and logs so that records stay consistent. We do not create records in your QuickBooks company until you explicitly confirm an action.
Google services (Gmail, Calendar, Drive)
Organizations may connect Google accounts to send and receive email in the shared inbox, synchronize scheduling with Google Calendar, and work with files in Google Drive. StoneEx System’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. We use Google user data only to provide and improve the features you connect it to; we do not transfer it to others except as needed to provide those features, to comply with law, or as part of a merger or acquisition; we do not use it for advertising; and no humans read it except with your consent, for security or to comply with law, or in aggregated and anonymized form for operations.
Twilio (SMS and voice)
Organizations may connect Twilio to send and receive text messages and to capture inbound calls and voicemails. Through this integration we process phone numbers, message content, call metadata, and voicemail recordings and transcriptions in order to deliver messaging and surface it in the shared inbox.
Payment processing
Subscription payments are processed by our third-party payment provider, Stripe. Your card details are provided to and handled by Stripe under its own terms and privacy policy; StoneEx System does not receive or store full payment card numbers.
8. Your data belongs to you
The business data an organization puts into StoneEx System — its contacts, projects, drawings, documents, financial records, and communications — belongs to that organization, not to StoneEx System. We claim no ownership over it and use it only to provide the Service and as described in this Policy.
Organizations can export their data in common formats, including exporting contacts, projects, files, and records, and downloading drawings as DXF or PDF. We design for data portability so you can move your information in and out of the Service and avoid vendor lock-in. Learn more on our Security & Data page.
9. Data retention
We retain organization data for as long as the organization’s account is active and as needed to provide the Service. When an organization deletes specific records, those records are removed from active systems, though residual copies may persist briefly in encrypted backups until they age out on our normal backup rotation.
When a subscription ends, we retain the organization’s data for a limited wind-down period so it can be exported or the account reactivated, after which the data is deleted or anonymized, except where longer retention is required for legal, accounting, security, or dispute-resolution purposes. Certain financial records synchronized to QuickBooks remain in the organization’s QuickBooks company and are governed by Intuit’s and the organization’s own retention practices. An organization may request deletion of its data as described below.
10. How we protect your information
We apply administrative, technical, and organizational safeguards designed to protect your information. These include encryption of data in transit over HTTPS and encryption of stored integration credentials, strict per-tenant isolation enforced in the application layer and backed by database row-level security, role-based access controls, encrypted secrets, signed upload URLs for media, verified webhooks, and continuous monitoring. No method of transmission or storage is perfectly secure, but we work continuously to protect your data. Our practices are described in more detail on the Security page.
11. Your rights and choices
Depending on where you live, you may have rights over your personal information, including the right to access, correct, export, or delete it, and to object to or restrict certain processing. Because most data in the Service is controlled by an organization, we will generally direct individual requests to the relevant organization, and we will assist that organization in responding.
If you have an account, you can view and update much of your information directly in the Service, and your organization’s administrators can manage members and access. To make a privacy request or ask a question, contact us at privacy@stoneexsystem.com. We will respond consistent with applicable law. We will not discriminate against you for exercising your rights.
12. International data processing
StoneEx System is operated from the United States, and the information we process is stored and processed on infrastructure located in the United States. If you access the Service from outside the United States, you understand that your information will be transferred to, stored in, and processed in the United States and other locations where we or our service providers operate, which may have data-protection laws different from those in your jurisdiction. Where required, we rely on appropriate safeguards for such transfers.
13. Children’s privacy
StoneEx System is a business tool intended for use by organizations and their personnel. It is not directed to children, and we do not knowingly collect personal information from anyone under the age of 16. If you believe a child has provided us personal information, please contact us so we can remove it.
14. Changes to this Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page and, where appropriate, provide additional notice. Your continued use of the Service after an update takes effect means you accept the revised Policy.
15. Contact us
If you have questions or requests about this Privacy Policy or your information, contact us at:
StoneEx System — Privacyprivacy@stoneexsystem.com
General legal inquiries: legal@stoneexsystem.com