Privacy Policy

Last updated: February 18, 2026

1. Introduction

Welcome to Lifto ("we," "us," or "our"). Lifto is an all-in-one SaaS platform built for service professionals — including plumbers, HVAC technicians, electricians, roofers, landscapers, painters, general contractors, cleaners, pool service providers, pest control specialists, and more. Our platform helps you build a professional website, rank on Google, manage social media, generate leads, and grow your business — in minutes, not months.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at liftohq.com (including its staging variant at staging.liftohq.com), use our web application, or interact with any of our services (collectively, the "Services"). Please read this policy carefully. If you do not agree with its terms, please discontinue use of our Services.

2. Information We Collect

2.1 Personal Information You Provide

When you register, subscribe, or use certain features, we may collect:

  • Full name, email address, phone number
  • Business name, business address, industry type
  • Billing and payment information (processed securely through Stripe)
  • Social media account credentials when you connect Facebook, Instagram, Google Business Profile, LinkedIn, or other platforms via our Social Media Command Center
  • Website content you create or upload through our site editor, including text, images, logos, and project galleries
  • Communications you send to us (support requests, feedback, etc.)

2.2 Information Collected Automatically

When you access our Services, we may automatically collect:

  • Device and browser type, operating system, and screen resolution
  • IP address and approximate geolocation
  • Pages visited, time spent on pages, click patterns, and referral URLs
  • Cookies and similar tracking technologies (see Section 7)

2.3 Information from Third Parties

We may receive information from:

  • Facebook / Meta: When you connect your Facebook account, we receive your public profile, email, and Page-level access tokens to enable post publishing
  • Google: Google Business Profile data, Google Maps integration, and Google Analytics
  • Stripe: Payment processing confirmations and subscription status
  • Supabase: We use Supabase for authentication, database, and file storage

3. How We Use Your Information

We use the information we collect to:

  • Create, maintain, and manage your account and generated websites
  • Provide website building, hosting, and publishing services on custom subdomains
  • Enable social media publishing, scheduling, and automation through connected platforms
  • Generate AI-powered content including website copy, social media posts, and project descriptions
  • Process payments and manage subscriptions through Stripe
  • Send transactional emails (account confirmations, password resets, billing receipts)
  • Provide customer support and respond to inquiries
  • Generate QR codes for your business links
  • Analyze usage patterns to improve our platform and user experience
  • Detect, prevent, and address technical issues, fraud, or abuse
  • Comply with legal obligations

4. Social Media Data & Third-Party Integrations

Our Social Media Command Center allows you to connect Facebook, Instagram, Google Business Profile, and other platforms. When you connect an account:

  • We request only the permissions necessary to publish posts on your behalf (e.g., pages_manage_posts, pages_show_list)
  • Access tokens are stored securely in our database and are only used for authorized actions
  • You can disconnect any social account at any time from your Social Media Settings
  • We never post to your accounts without your explicit action (manual publish or scheduled publish you configured)
  • We do not sell or share your social media data with third parties for their marketing purposes

5. Data Sharing & Disclosure

We do not sell your personal information. We may share data with:

  • Service Providers: Trusted third parties that help us operate (e.g., Stripe for payments, Supabase for infrastructure, Vercel for hosting, OpenAI for AI content generation, Resend for email delivery)
  • Social Platforms: When you explicitly choose to publish content to connected accounts (Facebook, Instagram, Google, etc.)
  • Legal Requirements: If required by law, subpoena, court order, or government regulation
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, with appropriate notice
  • With Your Consent: When you explicitly authorize us to share information

6. Data Security

We implement industry-standard security measures to protect your data:

  • All data transmitted between your browser and our servers is encrypted via TLS/SSL
  • Passwords are hashed and never stored in plain text (managed by Supabase Auth)
  • Social media access tokens are stored server-side and never exposed to the browser
  • Row-Level Security (RLS) policies ensure users can only access their own data
  • Payment data is handled entirely by Stripe and never touches our servers
  • We conduct regular security reviews of our infrastructure and codebase

While we strive to protect your information, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

7. Cookies & Tracking Technologies

We use cookies and similar technologies to:

  • Essential Cookies: Required for authentication, session management, and security (e.g., Supabase auth tokens)
  • Functional Cookies: Remember your preferences, active workspace, and selected company
  • Analytics Cookies: Help us understand how you use our platform to improve features and performance
  • OAuth State Cookies: Short-lived cookies used during social media account connection flows

You can control cookies through your browser settings. Disabling essential cookies may prevent you from using certain features of our Services.

8. Data Retention

We retain your information for as long as your account is active or as needed to provide Services. Specifically:

  • Account Data: Retained while your account is active and for up to 30 days after deletion request
  • Website Content: Your generated websites, projects, and uploaded media are retained while your account is active
  • Social Media Tokens: Stored while your social accounts remain connected; deleted immediately upon disconnection
  • Payment Records: Retained as required by financial regulations and tax law
  • Server Logs: Automatically deleted after 90 days

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data ("right to be forgotten")
  • Portability: Request your data in a portable, machine-readable format
  • Objection: Object to certain processing of your data
  • Withdrawal of Consent: Withdraw consent for data processing where applicable
  • Disconnect Social Accounts: Remove connected social media accounts at any time from Settings

To exercise any of these rights, contact us at hello@lifto.com. We will respond within 30 days.

10. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including:

  • The right to know what personal information is collected, used, shared, or sold
  • The right to delete personal information held by us
  • The right to opt out of the sale of personal information (we do not sell your data)
  • The right to non-discrimination for exercising your privacy rights

To submit a CCPA request, email hello@lifto.com with the subject "CCPA Request."

11. Children's Privacy

Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at hello@lifto.com.

12. International Data Transfers

Lifto is based in Austin, Texas, USA. If you access our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located. By using our Services, you consent to the transfer of information to the US and other jurisdictions where our service providers operate.

13. Third-Party Links

Our Services may contain links to third-party websites and services, including but not limited to Facebook, Instagram, Google, Stripe, and others. We are not responsible for the privacy practices of these external sites. We encourage you to review the privacy policies of any third-party services you access through our platform.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, by sending you an email notification. Your continued use of our Services after any changes constitutes acceptance of the updated policy.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: