Smart Design
Better Living

1. Purpose and Scope of This Privacy Framework

Refined Living Hub,("Refined Living Hub," "the Company," "we," "us," or "our") has developed this Privacy Policy to provide you with complete transparency regarding how we identify, collect, process, store, share, and protect personal information obtained through every interaction you have with our organization — including our website at www.refinedlivinghub.info, our iOS and Android mobile applications, telephone and video consultations, in-home assessments performed at your property, our regional office locations, social media platforms, email and SMS communications, and any other medium through which information flows between you and Refined Living Hub. By accessing our digital properties, engaging our services, subscribing to our communications, or otherwise interacting with us, you confirm that you have read, understood, and unconditionally agree to be governed by this Privacy Policy in its entirety. If any provision of this policy is unacceptable, you must immediately cease all use of our services and platforms.

2. Detailed Personal Data Categories We Collect

We maintain a comprehensive inventory of all personal data categories within our organization. Identity Information includes your legal first and last name, middle initial, preferred name, primary and secondary residential addresses, mailing address (if different), mobile telephone number, home telephone number, work telephone number, personal email address, work email address, date of birth (voluntarily provided), and Social Security Number (collected exclusively when required for credit verification, warranty registration, or employment background checks with explicit disclosure at the point of collection). Financial Data encompasses credit and debit card numbers (processed via Stripe's tokenized payment infrastructure where Refined Living Hub never receives raw card numbers), bank account routing and account numbers for ACH payments, loan application details submitted to financing partners, credit bureau reports obtained with your written authorization, payment transaction histories, deposit records, refund histories, outstanding balance information, and billing dispute documentation. Project and Property Data comprises interior and exterior photographs taken during assessments and construction progress documentation, architectural floor plans and elevation drawings, structural measurements and survey data, soil test results, existing condition assessment reports, material sample selections and approval records, design preference questionnaires and mood boards, 3D renderings and virtual walkthrough files, HVAC system specifications and load calculations, electrical panel configurations and circuit diagrams, plumbing layout drawings, roof geometry measurements and pitch calculations, gutter run calculations, and any environmental testing results (asbestos, lead paint, radon, mold) discovered during project assessment. Digital Interaction Data captured through our technology platforms includes IP address (both IPv4 and IPv6), precise geolocation coordinates (when you grant mobile app permission), device type, model, manufacturer, and unique device identifiers, operating system and version, browser type and version, screen resolution and pixel density, internet connection type and speed, page view sequences, click patterns, scroll depth percentages, session duration, time-on-page metrics, search queries entered, download events, form interaction data including field focus order and abandonment points, and server error logs. Communication Records includes all email correspondence, recorded phone calls (with verbal consent disclosure at the start of each call), live chat transcripts, SMS and iMessage communications, video consultation recordings, social media direct messages, and handwritten notes from in-person consultations digitized by our team.

3. Legal Bases and Purposes for Every Data Processing Activity

Each instance of personal data processing is anchored to at least one legally recognized ground. Contractual Necessity: Processing your identity, financial, and project data to perform the specific services outlined in your signed Service Agreement — from initial consultation through design, procurement, construction, quality assurance, warranty administration, and post-project support. This ground permits processing without separate consent because the data is objectively necessary to fulfill our mutual contractual obligations. Explicit Consent: Processing geolocation data from our mobile application, collecting biometric identifiers for smart lock facial recognition or fingerprint authentication, recording telephone calls, sending marketing emails and SMS messages, and using your project photographs in our portfolio and marketing materials — each requires and receives your opt-in consent, which you may withdraw at any time through clearly designated mechanisms. Legal Compliance: Processing Social Security Numbers for IRS 1099 reporting requirements, maintaining employment records for Department of Labor and EEOC audit compliance, submitting building permit documentation to municipal authorities, reporting workplace injuries to OSHA, cooperating with building inspectors during required inspections, and responding to lawful subpoenas, court orders, regulatory investigations, or information requests from state contractor licensing boards, the Consumer Financial Protection Bureau, the Federal Trade Commission, state attorneys general, or other authorized government entities. Legitimate Interests: Processing website analytics data to improve user experience and service delivery, conducting fraud detection and prevention screening, performing cybersecurity monitoring and threat detection, maintaining business continuity and disaster recovery capabilities, conducting quality assurance audits using anonymized project data, training our project managers and field teams, developing new service offerings based on aggregate demand patterns, managing our insurance programs, and performing internal benchmarking and performance analysis. Public Interest: Sharing information with emergency services during natural disaster response efforts, cooperating with consumer protection agencies investigating fraudulent contractor activity, and assisting law enforcement in situations involving imminent threats to human safety.

4. Third-Party Disclosure Controls and Recipient Categories

We maintain strict controls over personal data disclosure, classifying all recipients into defined categories with specific data access limitations. Service Subcontractors: Licensed trade specialists (electricians, plumbers, HVAC technicians, fire suppression installers, solar panel installers) receive only the project-specific information necessary for their assigned scope — typically the property address, project scope documents, relevant photographs, material specifications, and construction schedule. All subcontractors execute our Master Subcontractor Agreement incorporating data protection clauses mandating confidentiality, security standards equivalent to our own, prohibition on secondary data use, and breach notification within 24 hours. Material Suppliers and Fabricators: When custom materials are produced by external fabricators (specialty glass, custom metalwork, natural stone cutting), they receive only dimensional specifications and design files — never personal identity data, financial data, or property photographs. Financing Partners: LightStream, SoFi, and regional credit union partners receive financial application data as required for credit decisioning under their separate privacy policies, which we review annually for adequacy. Insurance Carriers: Our general liability, professional liability, workers' compensation, and inland marine insurers receive incident reports, project documentation, and claim-related information as necessary for claims handling, underwriting, and loss prevention. Government and Regulatory Disclosures: We disclose personal information to building departments (permit applications and inspection records), tax authorities (1099 forms, sales tax documentation), safety regulators (OSHA incident reports, fire marshal inspection documentation), and law enforcement (subpoenas, emergency requests, court orders) when required by applicable law. We have not sold, do not sell, and commit to never selling personal information as "sale" is defined under any applicable state privacy statute — meaning we do not exchange personal information for monetary or other valuable consideration to any third party for the purpose of cross-context behavioral advertising.

5. Cookie and Digital Tracking Technology Architecture

Our digital tracking infrastructure implements a privacy-first, consent-gated architecture. Essential Cookies (10 active cookies) strictly necessary for platform operation include: session identifiers (Refined Living Hub_sid), authentication tokens (lm_auth_jwt), CSRF protection tokens (lm_csrf), load balancer routing cookies (lm_lb_route), content caching preferences (lm_cache_cfg), consent state storage (lm_consent_v4), accessibility configuration settings (lm_a11y), analytics opt-out preference (lm_analytics_opt), font rendering preference (lm_fonts), and theme persistence (lm_theme). Analytics: We use Plausible Analytics, a privacy-focused, cookie-free analytics platform that collects only aggregate page views, referral sources, device categories (desktop/mobile/tablet), browser categories, operating system families, and geographic regions at the city level — without using any cookies, without tracking individual users, without building user profiles, and without sharing data with any advertising networks. Heatmap Tools: PostHog captures anonymized click patterns and scroll behavior for UX optimization with automatic PII redaction for all form input fields. Email Tracking: Marketing emails sent through Mailchimp include open tracking pixels (single-pixel GIF images) and click tracking redirect links — you can disable open tracking in your email client settings and unsubscribe from all marketing communications at any time. We explicitly do NOT use Google Analytics, Facebook/Meta Pixel, Google Ads tracking, LinkedIn Insight Tag, TikTok Pixel, or any third-party advertising tracking pixels on our website or within our emails. Our Cookie Consent Banner, implemented via custom JavaScript (no third-party CMP platform), appears on first visit offering three options: "Essential Only" (default — only essential cookies), "Accept All" (essential + analytics), and "Customize" (granular category controls). We honor the Global Privacy Control (GPC) browser signal as a universal opt-out from all non-essential data processing.

6. Information Security Architecture and Technical Safeguards

Our security program implements defense-in-depth principles aligned with the NIST Cybersecurity Framework. Network Security includes next-generation firewall protection (Cloudflare WAF), TLS 1.3 encryption for all data in transit, DDoS mitigation, DNSSEC validation, and network segmentation isolating production environments from corporate networks. Application Security encompasses secure software development lifecycle practices, static and dynamic application security testing (SAST/DAST) in our CI/CD pipeline, dependency vulnerability scanning, quarterly penetration testing by independent third-party firms, and runtime application self-protection. Data Protection employs AES-256 encryption for data at rest within AWS S3 buckets with server-side encryption, AWS Key Management Service for cryptographic key management with automatic 90-day rotation, field-level encryption for highly sensitive data elements (SSN, financial account numbers) using envelope encryption, and database activity monitoring with real-time anomaly alerting. Access Controls implement zero-trust architecture principles with mandatory multi-factor authentication for all user accounts, role-based access control with least-privilege assignments, privileged access management for administrative functions, and automated deprovisioning upon role changes or employment termination. Physical Security at our headquarters and regional offices includes 24/7 video surveillance, electronic access control with badge and PIN verification, visitor management systems, secure document storage with fire-rated cabinets for physical records, and clean-desk policy enforcement. Despite these comprehensive measures, no method of internet transmission or electronic storage is completely secure, and we cannot guarantee absolute security of your information.

7. Your Rights — Complete Inventory and Exercise Procedures

Depending on your state of residence, you possess specific rights regarding your personal information under applicable state and federal privacy laws. Right to Know: Request a detailed disclosure of all personal information we have collected about you, including specific data points, sources, business purposes, and third-party recipients. Right to Delete: Request complete erasure from our systems and our service providers' systems, subject to exceptions for information necessary to complete contracted projects, comply with legal obligations, detect security errors, enable solely internal uses aligned with your expectations, or comply with federal law. Right to Correct: Request correction of inaccurate personal information, with reasonable verification of proposed corrections. Right to Portability: Request your personal information in a structured, machine-readable format (JSON or CSV) suitable for transmission to another service provider. Right to Opt-Out: Direct us to stop using your personal information for targeted advertising (though we do not engage in cross-context behavioral advertising), selling your information (which we do not do), or profiling that produces legal or similarly significant effects. Right to Limit Sensitive Data: Instruct us to use your sensitive personal information (precise geolocation, racial/ethnic origin, religious beliefs, private communications, genetic data, biometric information, health information, sexual orientation) only for specified permitted purposes. Right to Non-Discrimination: Assurance that we will not deny services, charge different prices, provide different quality levels, or suggest differential treatment for exercising any privacy right. Submit verified requests through our Privacy Rights Portal at privacy.refinedlivinghub.info, by email to privacy@refinedlivinghub.info, or by calling +1 860-325-7632. We respond within 45 days (with one 45-day extension for complex requests) and never require account creation to submit a request.

8. California Consumer Privacy Act Specific Disclosures

For California residents, this section provides disclosures required under the CCPA as amended by the CPRA. In the preceding twelve months, we have collected the following categories of personal information: Identifiers (name, email, phone, address, IP address, account IDs), Customer Records (home address, payment information, phone, email), Protected Classifications (age/date of birth when provided), Commercial Information (purchasing history, service preferences, project specifications), Internet Activity (browsing patterns via Plausible Analytics — aggregate only), Geolocation Data (city-level from IP; precise GPS with app permission), Sensory Data (photographs of your home taken during service delivery), Professional Information (employment history for job applicants), and Inferences (preferences and characteristics). We have used this information for the purposes described in Section 3. We have disclosed information for business purposes to the recipient categories described in Section 4. We have NOT sold personal information. We have NOT shared personal information for cross-context behavioral advertising. California residents have the right to know, delete, correct, port, opt out, limit use of sensitive personal information, and non-discrimination. Our Chief Privacy Officer is the designated agent: Refined Living Hub, Attn: Privacy Officer, 2652 Carriage Lane Brooklyn, PA 18813; privacy@refinedlivinghub.info; +1 860-325-7632.

9. State-by-State Privacy Law Compliance Matrix

Beyond California, we maintain compliance with all enacted state comprehensive privacy laws. Virginia (VCDPA): Rights to know, correct, delete, obtain a copy, and opt out, with the Virginia Attorney General as sole enforcement authority. Colorado (CPA): Core rights plus universal opt-out via GPC signal support and data protection assessments for high-risk processing. Connecticut (CTDPA): Rights to know, correct, delete, port, and opt out with enhanced minor data protections. Texas (TDPSA): Opt-out rights for targeted advertising, sale, and profiling. Utah (UCPA): Opt-out rights for targeted advertising and sale. Oregon, Montana, Delaware, New Jersey, Tennessee, Iowa, Minnesota, and additional states with enacted legislation are tracked by our legal team with compliance updates deployed proactively before each effective date. For residents of states without comprehensive privacy legislation, all protections available under common law privacy torts and applicable federal laws (FTC Act Section 5, FCRA, ECPA, COPPA) remain fully available.

10. Children's Privacy Protections

Our services and digital platforms are exclusively directed at adults who own or are authorized to make decisions about residential properties. We do not knowingly collect personal information from children under 13 (COPPA) or under 16 (as required by certain state laws). Our platforms do not employ child-directed design elements, content, or incentive structures. If a child under 13 has provided personal information, a parent or guardian may contact privacy@refinedlivinghub.info for immediate deletion within 10 business days per 16 CFR § 312.8. If we inadvertently collect information from minors between 13 and applicable state age thresholds without parental consent, we delete it promptly upon notification.

11. Biometric, Genetic, and Health Data Handling

Biometric data collection occurs only for smart lock installations (facial geometry for recognition, fingerprint templates for biometric handles) and requires your explicit written consent through a separate Biometric Data Consent Form disclosing the specific identifiers collected, purpose, duration, sharing (if any), retention period, and withdrawal rights. Facial geometry data is processed on-device using secure enclave technology — raw images are never transmitted to Refined Living Hub servers. Fingerprint templates are stored using one-way cryptographic hashing within the lock's local memory only. We do not collect genetic data. Health information disclosed voluntarily for accessibility modifications (grab bars, wheelchair ramps, accessible fixture heights) is stored in a restricted-access, field-level-encrypted file accessible only to the project lead and accessibility specialist, deleted upon project completion unless needed for warranty purposes.

12. AI and Automated Decision-Making Transparency

We employ AI in carefully scoped applications: design assistance tools (generating initial layout suggestions from our project database), cost estimation models (providing preliminary ranges from historical data), smart home device learning (confined to local edge devices — no data transmitted to Refined Living Hub), and computer vision quality control (analyzing progress photographs to flag potential issues for human inspector review). AI-generated design suggestions are clearly labeled and serve as starting points for human designers. We do not use AI to make final decisions producing legal or similarly significant effects without providing human review upon request. Annual bias audits are conducted on models influencing client-facing recommendations.

13. Mobile Application Privacy Specifics

Our iOS and Android applications implement privacy-by-design. Location Services: Precise GPS collected only with "Allow While Using" permission — we never request "Always" access. Background location collection is never performed. Camera Access: Requested only for uploading project photographs. Revocable through device settings without affecting other features. Photo Library: Requested only when selecting existing photos for upload. Notifications: Local (on-device, no server transmission) for milestones; push (via Firebase Cloud Messaging, transmitting only device token for routing) for reminders and alerts — customizable by category. Background Processing: None — the only background activity is the persistent Firebase connection for push notification delivery, transmitting only the device registration token with no personal data. We maintain accurate App Store and Play Store privacy nutrition labels.

14. Vendor and Supply Chain Data Governance

Every third party with personal data access undergoes: our 80-question Vendor Privacy & Security Questionnaire; review of SOC 2 Type II reports, ISO 27001 certifications, and PCI-DSS Attestations; legal review and execution of our Data Processing Agreement mandating purpose limitation, confidentiality, equivalent security standards, 24-hour breach notification, prohibition on secondary use and unauthorized sub-processing, audit rights, and data return/destruction upon termination; annual re-assessment for high-risk vendors; continuous monitoring via SecurityScorecard; and immediate review upon any vendor security incident. Sub-processor engagements by our vendors require our prior written consent. We have terminated vendor relationships for privacy and security deficiencies and will continue to do so.

15. Data Retention Schedules and Destruction Methods

Active Client Records: Retained for business relationship duration plus 7 years (IRS audit requirements, state contractor license retention, statute of limitations). Project Documentation: Minimum 15 years post-completion (reflecting longest potential defect claim periods). Employment Records: 7 years post-separation (EEOC, IRS, DOL requirements). Marketing Consent Records: 5 years from consent or last interaction. Security Logs: 90 days hot, 1 year cold storage. Upon retention period expiration: cryptographic erasure (deleting encryption keys in AWS KMS, rendering encrypted S3 data permanently unrecoverable) for digital data; physical shredding to DIN 66399 P-4 for paper; degaussing plus physical destruction for magnetic media. Destruction events are logged with date, method, categories, and responsible party.

16. Data Breach Notification and Remediation

Upon confirmed unauthorized access, acquisition, or disclosure of personal information, we initiate our Incident Response Plan within one hour: forensic investigation by pre-contracted firm (CrowdStrike), scope determination, affected individual identification, root cause analysis, and containment. Notification to affected individuals occurs without unreasonable delay, within the most restrictive applicable state timeframe: 72 hours for 500+ California residents (CCPA), 60 days for SSN breaches (many state laws), or "most expedient time possible" (other statutes). Notifications include: incident description and discovery date, specific data categories involved, our contact information, steps taken, specific protective recommendations, and offered credit monitoring/identity protection services. We also notify state attorneys general, the FTC, and other regulators as required by each state's breach notification law.

17. International Data Transfer Safeguards

Our primary infrastructure resides in AWS US-East-1 (N. Virginia). Limited transfers occur to: Cloudflare edge nodes (caching non-personal static content only — personal data is never cached at edge), GitHub (source code — no personal data in repositories, access restricted to authenticated engineering team), Zendesk (US-hosted customer support tickets with DPA), and Mailchimp (US-hosted email delivery with DPA). No personal data is transferred outside US jurisdiction except for Cloudflare edge caching of non-personal static assets in international locations. For any transfer involving personal data, we implement Standard Contractual Clauses under Executive Order 14114, supplemented by encryption and contractual commitments for equivalent protection.

18. Marketing Communications and Preference Management

Multiple opt-out mechanisms are available: Email Marketing — "Unsubscribe" link in every promotional email footer (processed immediately), reply "UNSUBSCRIBE," email unsubscribe@Refined Living Hubhomes.com, or manage preferences via your account. SMS Marketing — reply STOP to any message, text HELP for assistance. Phone Marketing — request placement on internal Do-Not-Call list at +1 860-325-7632 or dnc@refinedlivinghub.info; we comply with the National Do-Not-Call Registry. Direct Mail — email unsubscribe@refinedlivinghub.info with your address. Opting out of marketing does NOT affect transactional messages (active projects, account security, warranty claims, emergency notifications) necessary for service delivery and safety.

19. Do Not Track, GPC, and Signal Recognition

We recognize and honor: Global Privacy Control (GPC) — the Sec-GPC header is treated as a binding opt-out from non-essential tracking and targeted advertising; given our privacy-first architecture, GPC primarily disables Plausible Analytics individual-level features (though Plausible collects only aggregate data by design). Do Not Track (DNT:1) — honored as a user preference signal despite W3C deprecation. NAI and DAA opt-out cookies — respected for any third-party services on our platforms. These signals do not affect essential functionality (session management, authentication, security) or transactional communications.

20. Privacy Governance, Accountability, and Continuous Improvement

Our privacy program structure: Chief Privacy Officer (direct CEO reporting, overall accountability for policy, training, incident response, regulatory liaison, annual board reporting); Privacy Steering Committee (quarterly meetings: CPO, General Counsel, CTO, VP Operations, VP Client Experience — reviews risks, approves policy changes, evaluates new processing); Annual Privacy Impact Assessments (mandatory for new services, significant changes, new vendor relationships, new technology); Employee Training (mandatory within 30 days of hire + annually; advanced modules for teams handling sensitive data); External Audit (annual independent SOC 2 + Privacy Trust Service Criteria assessment, summary available upon request); Quarterly Policy Reviews (with 30-day advance notice of material changes via email and website banner). We view privacy as a design principle, not just a compliance obligation — and we invest accordingly.