Privacy Policy

Last updated: June 1, 2026 · Effective: June 1, 2026

1. Introduction

Bula Pro ("we," "us," "our," or the "Platform"), operating under the consumer brand Bula Live, runs a mobile marketplace for the construction industry available on iOS and Android (the "App") that connects Homeowners, Companies, Subcontractors, and Workers. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our App and related services (collectively, the "Services").

By creating an account or using the Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, do not access or use the Services.

This Privacy Policy is the canonical privacy disclosure referenced in our App Store and Google Play listings.

2. Information We Collect

2.1 Information you provide directly

  • Account information: first and last name (or, for the Company role, your company name), email, password (stored as a cryptographic hash; never in plain text), and user-role selection (Homeowner, Company, Subcontractor, or Worker).
  • Profile information: city and state/region, optional phone number, profile photo (Workers and Companies must upload one during sign-up — for a Company the photo represents the company logo), bio section, and language preference (English, Spanish, or Bilingual).
  • Role-specific information:
    • Companies: company name (stored as your primary identity), contact person, company type (General Contractor, Residential, Commercial, Industrial), years of experience.
    • Subcontractors: company name, primary trade, crew size, years of experience, insurance status.
    • Workers: trade specialties, hourly rate, availability status, language preference.
  • Verification documents (sensitive): EIN documentation, certificates of insurance, business-registration documents, W-4, I-9 employment-eligibility verification, SSN-verification documents, government-issued photo ID, and OSHA 10/30 certifications, as applicable to your role.
  • Financial information: payment-card details (collected and stored exclusively by Stripe — we never store full card numbers), withdrawal-request details, and bank-account information for withdrawals (processed via our payments provider).
  • Communication data: chat messages you send through the Platform, withdrawal-request notes and admin communications, ping (bid) messages, project descriptions, and milestone descriptions.
  • Profile-PIN messages: short messages sent to another user via the PIN-to-Connect feature (see Section 18). PIN bodies are stored as notification entities and made visible to the recipient.
  • User-generated photos: milestone-evidence images uploaded by Subcontractors and Workers, first-daily clock-in selfies, and profile/avatar images.
  • Ratings and reviews: ratings and review text you leave on completed projects.

2.2 Information collected automatically

  • Device information: device type and model, operating system and version, app version, language and locale, and a unique Firebase Cloud Messaging (FCM) registration token used to deliver push notifications.
  • Usage information: app interactions and feature usage, action timestamps, and activity logs (e.g., "user clocked in at time T," "milestone X approved at time T").
  • Location information: see Section 20. We do not run background GPS tracking. The Time Clock (Workers only) captures point-in-time GPS at clock-in and emits low-frequency heartbeat pings while on shift, used to verify presence at the job site.
  • Diagnostics: uncaught crash reports captured by the Flutter framework's standard error handler (see Section 23).

2.3 Information we receive from third parties

  • Stripe: payment-confirmation status, transaction metadata. We receive webhook events from Stripe to verify payment status.
  • Firebase / Google: push-notification delivery status, FCM-token registration.
  • Google Maps / Apple Maps: when a Worker shares a live-location link voluntarily, the underlying location data is hosted and controlled by Google or Apple, not by Bula Live.

3. Mobile Permissions

The App requests the following device permissions only when a feature that depends on them is used. Each permission may be denied at install time and revoked later in your device settings. Denying a permission disables only the specific feature listed below — the rest of the App continues to work.

PermissionWhy we request itBackground?
Camera Take your profile photo, capture first-daily clock-in selfie, upload milestone-evidence photos, and upload verification documents. Foreground only
Photo Library Choose existing photos for your profile, milestone evidence, project galleries, and verification documents. Foreground only
Location (Precise) Verify that a Worker is inside the configured geofence at clock-in and post low-frequency heartbeat pings while the Worker is actively clocked in. Used by the Worker role only. Foreground only
Notifications Deliver pings, milestone updates, chat messages, profile views, profile PINs, withdrawal-status changes, and time-sensitive hourly-check-in prompts. Standard push
Internet / Network State Communicate with our backend (Supabase), Stripe, Firebase, and Google/Apple Maps tile servers. As needed
Vibration Heavy vibration on hourly-check-in and high-priority notifications so an on-site Worker can feel a prompt over loud equipment. Standard

The App does not request: microphone, contacts, calendar, SMS, call log, accessibility services, all-files-access ("Allow always" or "MANAGE_EXTERNAL_STORAGE"), Bluetooth, NFC, body sensors, "Allow always" background location, or any advertising-related identifiers.

4. How We Use Your Information

  • Providing and maintaining the Services: creating and managing your account; facilitating connections between Homeowners, Companies, Subcontractors, and Workers; processing escrow deposits, milestone payouts, and withdrawals; enabling real-time messaging; delivering push notifications; generating and storing contracts; and managing project lifecycles.
  • Verification and compliance: verifying user identity and business credentials, reviewing verification documents, maintaining compliance records, and preventing fraud and unauthorized access.
  • Communication: sending transactional emails (email verification, password reset); delivering push notifications about pings, milestones, messages, profile pins, profile views, and clock-related events; and facilitating admin↔user communication.
  • Safety and security: using AI to monitor chat messages and detect attempts to share personal contact information that could be used to circumvent the Platform's escrow; translating chat messages between English and Spanish via a server-side AI proxy; detecting and preventing fraudulent activity; applying rate limits and anti-spam measures; maintaining audit logs.
  • Improving the Services: reading aggregated usage patterns to identify and fix technical issues and develop new features. We do not build behavioral profiles for advertising or sell usage data.
  • Legal compliance: meeting recordkeeping obligations related to financial transactions, tax reporting, and worker compliance.

5. Third-Party SDKs and Service Providers

The App embeds and communicates with the following third-party SDKs and services. Each entry lists what data is sent, what the provider does with it, and a link to that provider's privacy policy.

ProviderRole in the AppData shared with the providerProvider's policy
Supabase (Supabase, Inc.) Primary backend — PostgreSQL database, Auth, Realtime, Storage, Edge Functions. All Platform data described in Section 2 (account, profile, role-specific, financial-ledger, communications, verification documents). supabase.com/privacy
Stripe (Stripe, Inc.) Card and bank processing for escrow deposits, milestone payouts, and withdrawals. Payment-card details, bank-account details, billing name and address, transaction metadata. stripe.com/privacy
Firebase Cloud Messaging (Google LLC) Push-notification delivery (HTTP v1 → APNs on iOS). FCM registration token, push payload at delivery time. firebase.google.com/support/privacy
Google Maps (Google LLC) Map tiles and place search inside the App; hosts the optional Worker live-location link. Approximate map-view coordinates and search queries you type into map fields. policies.google.com/privacy
Apple Maps (Apple Inc., iOS only) Alternative host for the optional Worker live-location link on iOS devices. Map-view coordinates as needed to render shared links. apple.com/legal/privacy
Hugging Face Inference API (Hugging Face, Inc.) On-demand machine translation of chat messages between English and Spanish, invoked via a Bula-operated Edge Function. The translation token is server-side; the App never holds it. Plain text of the message being translated for the duration of the request. No account identifiers are forwarded. huggingface.co/privacy
geolocator / permission_handler (Flutter plugins) System-level access to the device's GPS and to runtime permission prompts. These plugins are libraries that wrap OS APIs — they do not transmit data off-device themselves. None — data stays on device until the App posts it to Supabase. n/a
image_picker / cached_network_image (Flutter plugins) System-level access to camera and photo library; caching of profile and project images. Libraries; no off-device data transmission of their own. None. n/a

We do not embed any advertising-network SDK, attribution SDK, behavioral-analytics SDK, social-login SDK, A/B-testing SDK, or social-tracking pixel in the App.

6. How We Share Your Information

We do not sell your personal information to third parties, and we do not share it for cross-context behavioral advertising. We share your information only in the following circumstances:

6.1 With other Platform users

  • Your name (or company name, for the Company role), city, state, trade specialties, company details, ratings, and profile photo are visible to other users.
  • Messages you send are visible to the other participants in the conversation. In group workforce conversations, worker-to-worker messages display only initials (e.g., "M.G.") to protect worker privacy.
  • Other users can see whether you are verified, but they cannot see your verification documents.
  • Workers who voluntarily share a Google Maps or Apple Maps location link surface that link to their recruiter only — not to the broader marketplace.
  • Workforce-member rosters and milestone-evidence files are visible only to participants of that contract — not to other marketplace browsers.
  • The anonymized "Offer A / Offer B / Offer C" tiles on a project's live card show the top three bid amounts on an open project. Bidder identities are never displayed; only the project owner can see who submitted which bid.
  • PIN messages (Section 18) are visible to the recipient. Both parties' display names and avatars are visible to each other once a PIN exchange has occurred.

6.2 With service providers

See Section 5 for the itemized list of third-party SDKs and processors.

6.3 For legal reasons

We may disclose your information if required by law or in good faith to comply with a legal obligation, protect our rights, prevent wrongdoing, protect personal safety, or protect against legal liability.

6.4 Business transfers

If we are involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. Successor entities are bound by the commitments in this Privacy Policy or will provide you a notice of any material change with an opportunity to delete your account.

7. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with similar requirements, we rely on the following legal bases:

  • Performance of a contract — to provide the Services you signed up for (account, marketplace, escrow, messaging, contracts).
  • Legitimate interests — to maintain platform integrity (fraud prevention, contact-sharing detection, anti-spam), secure our systems, and improve the Services in non-intrusive ways. We have balanced these interests against your privacy rights.
  • Legal obligation — to retain financial and verification records as required by law.
  • Consent — for optional features such as voluntary location-link sharing and certain notification categories. You can withdraw consent at any time.

8. Data Storage and Security

Storage

Your data is stored on Supabase infrastructure (PostgreSQL database). Verification documents are stored in a private Supabase Storage bucket with no public URLs — access is granted only to administrators via signed URLs that expire shortly after issuance. Payment data is stored and processed by Stripe.

Security measures

  • Row-Level Security (RLS): database-level policies that ensure users can only access their own data. Every user-facing table in our PostgreSQL database is RLS-enabled.
  • Private document storage with no public access.
  • Encrypted connections (HTTPS / TLS 1.2+) for all client-server traffic.
  • Passwords hashed with industry-standard algorithms.
  • PKCE authentication flow.
  • Stripe webhooks verified with cryptographic signatures.
  • Server-side processing for all financial calculations (escrow deposits, milestone payouts, withdrawal debits) — clients cannot manipulate balances directly.
  • FCM service-account credentials and translation tokens are stored as server-side Edge Function secrets — they are not embedded in the mobile binary.
  • Self-healing FCM-token cleanup: when a push delivery returns an UNREGISTERED or INVALID_ARGUMENT error, the recipient's stored token is cleared so a fresh one is registered on next sign-in.

No security system is impenetrable. While we use commercially reasonable measures, we cannot guarantee absolute security. You are responsible for keeping your account password confidential.

9. International Data Transfers

Bula Live is operated from the United States. Our infrastructure providers (Supabase, Google/Firebase, Stripe, Apple, Hugging Face) may process data in the United States, the European Union, or other jurisdictions where they operate. When personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to the United States or another country without an equivalent level of data protection, we rely on appropriate safeguards such as the Standard Contractual Clauses approved by the European Commission and the UK International Data Transfer Agreement. By using the Services, you acknowledge that your personal data may be transferred to and processed in these jurisdictions.

10. Data Retention

  • Account data is retained while your account is active. After account deletion (Section 11), we delete identifying account data within 30 days, subject to legal-retention exceptions.
  • Verification documents are retained for the duration of the account plus the period required by applicable financial, tax, immigration, and labor-law recordkeeping rules.
  • Chat messages in active conversations are retained for the duration of the project or contract and are automatically purged when the contract closes.
  • Activity and audit logs are retained for security and compliance.
  • Transaction and withdrawal records are retained as required by financial regulations (generally 7 years in the U.S.).
  • Clock entries, hourly-check-in records, and heartbeat-ping logs are retained for the duration of the contract plus any statutory wage-and-hour retention window.
  • Anonymized aggregate statistics may be retained indefinitely as they no longer identify you.

11. Account Deletion

You can delete your account at any time using either of the following paths:

11.1 In-App deletion

  1. Open the App and sign in.
  2. Go to the Profile tab.
  3. Tap SettingsAccountDelete Account.
  4. Confirm the deletion when prompted.

Your account is queued for deletion immediately. Identifying personal data is removed within 30 days. Data we are required to retain by law (financial-transaction records, verification documents within the statutory retention window, audit logs) is moved to a restricted-access archive and is no longer associated with active profile lookups.

11.2 Email request

If you cannot access the App, email contact@bulaapp.us from the email address registered with your account with the subject line "Account Deletion Request." Include your registered email so we can verify your identity. We will process the request within 30 days and confirm completion by email.

11.3 What is deleted, restricted, or retained

CategoryAction on deletion
Profile (name, photo, bio, role-specific fields)Deleted within 30 days
Chat messages you sentRemoved from active conversations; copies retained by other participants remain visible to them.
Ratings/reviews you wroteReviewer name replaced with "Deleted user."
Pings and bidsAnonymized or removed from feeds.
Active contractsCannot be deleted while a contract is in progress — you must complete or cancel it first.
Financial transaction ledgerRetained per financial regulations; identifiers replaced with internal IDs.
Verification documentsRetained per statutory recordkeeping; archived with restricted access.
FCM push tokenCleared immediately
Optional Maps location linkDeleted immediately

Account deletion is irreversible. If you re-register later with the same email, a new account is created with no link to your previous data.

12. Your Rights and Choices

Account information

You can update your profile information at any time through the Edit Profile screen. You can change your password from the Security section.

Notifications

You can enable or disable push notifications from your profile settings and at the device level. Hourly-check-in pushes (Section 21) cannot be globally muted on an active shift, but you can end your shift at any time to stop them.

Location

Workers may choose whether to share an optional Google Maps / Apple Maps location link — it is entirely voluntary. You can update or remove your location link at any time. We do not track your location in the background outside of the Time Clock flow described in Section 20.

Data access, portability, and correction

You have the right to request access to the personal data we hold about you, a portable copy, correction of inaccurate data, and deletion (subject to legal-retention exceptions). To exercise any of these rights, email contact@bulaapp.us with the subject line "Privacy Request" and include your registered email so we can verify your identity. We respond within 30 days (or such shorter period as required by law).

Right to lodge a complaint

If you believe we have not handled your personal data appropriately, you have the right to complain to your local data-protection authority.

13. U.S. State Privacy Rights

Residents of certain U.S. states have specific privacy rights under state law. The rights below apply where state law confers them; we apply substantially similar treatment to all U.S. users where practical.

California (CCPA / CPRA)

  • Right to know what personal information we collect, the categories, sources, purposes, and recipients.
  • Right to delete your personal information.
  • Right to correct inaccurate personal information.
  • Right to opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioral advertising.
  • Right to limit use of sensitive personal information (verification documents, precise location during a shift).
  • Right to non-discrimination for exercising your rights.

Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Tennessee (TIPA), and other states with comprehensive consumer-privacy laws

  • Right to confirm processing and access your data.
  • Right to correct inaccuracies.
  • Right to deletion.
  • Right to obtain a portable copy.
  • Right to opt out of (a) targeted advertising, (b) sale of personal data, and (c) profiling that produces legal or similarly significant effects. We do not engage in targeted advertising, sale, or significant-effect profiling.
  • Right to appeal a denied rights request — contact contact@bulaapp.us with the subject "Privacy Appeal."

Submitting a request

Email contact@bulaapp.us with the subject "Privacy Request" and include your registered email. We verify identity through email-based confirmation; for higher-risk requests we may ask for additional verification consistent with the relevant state law.

Authorized agents

You may designate an authorized agent to submit a request on your behalf. We require written authorization signed by you (or proof of power of attorney) and may verify your identity directly before fulfilling the request.

14. European, UK, and International Rights

If you are in the European Economic Area, the United Kingdom, Switzerland, Brazil (LGPD), Canada (PIPEDA), or another jurisdiction with similar privacy laws, you have the following rights:

  • Right of access to your personal data.
  • Right to rectification.
  • Right to erasure ("right to be forgotten") subject to legal exceptions.
  • Right to restriction of processing.
  • Right to data portability.
  • Right to object to certain processing (including legitimate-interests processing).
  • Right to withdraw consent at any time where processing relies on consent.
  • Right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects (we do not make such decisions).
  • Right to lodge a complaint with a supervisory authority.

To exercise these rights, email contact@bulaapp.us.

15. Children's Privacy

The Services are not intended for use by persons under 18 years of age. We do not knowingly collect personal information from children under 18. The App is not directed to children, contains no child-directed content, and is rated 17+ on the App Store and "Mature" / for-ages-18+ as applicable on Google Play. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child under 18 has provided us with personal information, please contact contact@bulaapp.us.

16. Third-Party Links and Services

The App may contain links to third-party websites or services, including but not limited to Google Maps and Apple Maps (for optional location sharing), Stripe (for payment processing), Firebase / Google (push notifications), and the App Store and Google Play Store. We are not responsible for the privacy practices of these third-party services. We encourage you to review their respective privacy policies (linked in Section 5).

17. AI-Powered Features

Chat translation

We use AI to translate chat messages between English and Spanish on demand. Translation requests are proxied through a Bula-operated Edge Function so that translation-provider credentials remain server-side. The AI provider processes messages solely to return the translation and does not retain message content beyond the processing request. You can disable per-conversation translation from the chat screen.

Contact-sharing detection

We use a combination of client-side regular expressions and server-side moderation to detect attempts to share personal contact information (phone numbers, email addresses, social-media handles, off-platform meeting requests) in chat. This protects the integrity of the Platform's escrow and payment systems; ensures work agreements and payments are processed through the Platform for both parties' protection; and prevents fraud and unauthorized off-platform deals. Messages flagged by the detection system are blocked at send time, and the sender is notified. Flagged attempts are logged for administrative review. The detection is applied equally to all parties and does not produce decisions with legal or similarly significant effects.

18. Profile Visibility, PINs, and Connections

Bula Live uses a "PIN to Connect" model that controls who can initiate direct messages with whom. Workers and Subcontractors do not automatically have a messageable inbox open to every Company that finds their profile. Instead:

  • Any user may visit another user's profile.
  • To initiate a chat, the visitor sends a short PIN message — a one-line introduction stored as a notification entity on the recipient's account.
  • The recipient sees the PIN and can choose to accept (which opens a normal chat thread) or ignore.
  • Until a PIN is accepted, no chat thread exists between the two users.
  • A 24-hour cooldown limits how often the same sender can re-send a PIN to the same recipient, to prevent abuse.

PIN bodies are visible to the recipient. By sending a PIN you acknowledge that the message text will be delivered to and stored for the recipient.

19. Profile-View Notifications

When another user views your profile, we may record the visit and send you a notification of the form "X viewed your profile." To limit noise, the same viewer-viewee pair triggers at most one notification per 24-hour window — repeat views inside that window do not produce additional notifications.

Profile-view records contain only the viewer's user ID and the timestamp of the view. They do not contain page-scroll, dwell-time, or behavioral analytics. If you delete your account, view records referencing you are removed.

20. Location and the Time Clock

Bula Live does not request "Allow always" location permission. We do not perform background GPS tracking outside of an active Time Clock shift.

Clock-in (Workers)

When a Worker clocks in to a shift on a contract that has a geofenced job site, the App captures a single foreground GPS position to verify the Worker is inside the geofence radius. A selfie is captured on the first daily clock-in (used only to verify identity at the start of the day).

Heartbeat pings during a shift

While a Worker is actively clocked in, the App posts a low-frequency GPS heartbeat (approximately every 5 minutes) so the recruiter or contractor can verify continued presence at the job site. Heartbeats stop the moment the Worker clocks out, ends the shift, or revokes location permission. We do not collect heartbeat pings when the Worker is not on shift.

Voluntary location link

Workers may optionally paste a Google Maps or Apple Maps live-location link on their profile. This link is hosted by Google or Apple. We store only the URL string; we do not store the underlying coordinates.

Worker control

Workers may end a shift at any time, which immediately stops heartbeat collection. The voluntary location link can be removed at any time from the profile screen.

21. Push Notifications and Vibration

We use Firebase Cloud Messaging (FCM HTTP v1 → APNs for iOS) to deliver push notifications. Notification categories include: pings received, milestone updates, chat messages, profile views, profile PINs, withdrawal-status changes, and hourly check-in prompts.

Hourly check-in pushes

Workers on an active shift receive a server-driven check-in prompt approximately once per hour. The push uses a high-priority delivery channel with heavy vibration (and, on iOS, the time-sensitive interruption level — Bula Live does not use Apple's Critical Alerts entitlement). If a Worker does not re-confirm within a 5-minute grace window, the server clips the shift clock-out to the time of the missed check-in and the entry is recorded as "missed."

You can stop hourly check-in pushes at any time by ending your shift. Disabling system-level notifications for the App will also suppress them, but doing so will result in missed-check-in clips because the server cannot tell the difference between a silenced device and an unanswered prompt.

22. App Tracking Transparency & Advertising IDs

Bula Live does not "track" you across apps or websites owned by other companies, as that term is defined under Apple's App Tracking Transparency framework. We do not request the Apple IDFA (Identifier for Advertisers), the Google AAID (Advertising ID), or any equivalent identifier. We do not display advertising, embed advertising SDKs, or share data with advertising networks or attribution providers.

Because we do not track you for advertising purposes, the App does not show the App Tracking Transparency prompt on iOS, and our Google Play "Data safety" form declares no advertising data collection.

23. Analytics, Crash Reporting, and Diagnostics

We do not embed third-party product-analytics SDKs (Google Analytics, Firebase Analytics, Mixpanel, Amplitude, Segment, etc.). Server-side request logs at our infrastructure providers (Supabase, Firebase Cloud Messaging) record standard operational metadata such as timestamps, endpoint paths, response status codes, and IP addresses for security and abuse prevention. These logs are retained only as long as necessary for operational and security purposes.

Uncaught application errors caught by the Flutter framework's standard error handler may be written to the device's console for debugging. We do not currently transmit crash reports to a third-party crash-reporting service. If we add a crash-reporting SDK in the future, we will update this Privacy Policy and Section 5 before the SDK is integrated.

24. Data We Do Not Collect

For clarity, the App does not collect, request, or transmit any of the following:

  • Microphone audio, voice recordings, or call content.
  • Contacts, address book, or social graph data.
  • Calendar events.
  • SMS, MMS, or call-log content or metadata.
  • Health, fitness, biometric, or medical data.
  • Web-browsing history outside the App.
  • List of installed apps on your device.
  • Background GPS location outside of an active Time Clock shift.
  • Apple IDFA, Google AAID, or any advertising or cross-app tracking identifier.
  • Race, ethnicity, religious or political beliefs, sexual orientation, or trade-union membership.

25. Email and Marketing Communications

The App sends transactional emails (email verification, password reset, withdrawal-status updates, and similar account-critical notices) using a transactional-email provider on our behalf. These emails are necessary to operate the Services and are not marketing.

We do not currently send marketing or promotional emails. If we begin doing so in the future, we will provide a clear opt-out (unsubscribe link) in every marketing email, and you can also email contact@bulaapp.us with the subject line "Unsubscribe" at any time.

26. Cookies and Similar Technologies

The mobile App does not use HTTP cookies. The App uses standard mobile platform mechanisms — keychain (iOS), encrypted shared preferences (Android), and secure local databases — to persist your authentication session, language preference, and similar local settings. These mechanisms are essential to the operation of the App. There is no advertising or cross-site tracking technology in the App.

27. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated Privacy Policy within the App, updating the "Last Updated" date at the top of this document, and sending a push notification for significant changes (if notifications are enabled). For material changes that adversely affect your rights, we will provide at least 30 days' advance notice where required by law. Your continued use of the Services after any changes constitutes acceptance of the updated Privacy Policy.

28. Contact Us

If you have questions, concerns, or requests about this Privacy Policy or our data practices, contact us at:

Bula Pro (operator of Bula Live)
Email: contact@bulaapp.us

For data access, deletion, or portability requests, please email us with the subject line "Privacy Request" and include your registered email address so we can verify your identity.

For account deletion specifically, see Section 11 — you can also delete your account from within the App.

29. Governing Law

This Privacy Policy is governed by and interpreted in accordance with the laws of the United States. Any disputes arising from this Privacy Policy will be resolved in accordance with the dispute-resolution section of our Terms of Service.