Back

Legal

Privacy Policy

Effective 2026-06-02.

v1.1
Effective 2026-06-02privacy.v1.1 · supersedes v1.0

Privacy Policy

Last Mile Strategies LLC Effective date: June 2nd 2026 Last updated: June 2nd 2026

This Privacy Policy explains what information Last Mile Strategies LLC ("Last Mile," "we," "us," or "our") collects through the customer portal at portal.lastmilestrategies.com (the "Portal"), how we use it, and who we share it with. We wrote it in plain language because our customers are small and mid-sized trades businesses, not enterprise legal teams.

If you have questions about this Policy, email info@lastmilestrategies.com.

Who we are

Last Mile Strategies LLC is a Georgia-based consulting firm. The Portal is one of our offerings. We help home services trades businesses understand and reduce their technology spend by benchmarking against peer companies and recommending vendor changes.

Mailing address: 120 Blue Heron BLVD, Senoia, GA 30276 Privacy contact: info@lastmilestrategies.com General contact: info@lastmilestrategies.com

What this Policy covers

This Policy covers information we collect through the Portal and through emails customers send to the Portal's invoice-forwarding addresses (the <slug>@lstmile.com addresses we issue to each customer).

It does not cover:

  • Information you share with us outside the Portal (for example, during a consulting engagement governed by a separate agreement).
  • Information collected by third-party websites you reach by clicking links from the Portal.
  • Information held by your own vendors that appears on the invoices you upload. Your vendors have their own privacy practices.

Information we collect

We collect six categories of information.

1. Account information

When you create a Portal account, we collect your email address, a password (which we never store in plaintext — only a bcrypt hash, managed by Supabase Auth), and optional contact information like your name. If you turn on two-factor authentication, we store your TOTP secret and hashed recovery codes. We log the date your account was created and the timestamps of your sign-ins.

When you choose or change a password, the Portal checks whether the password has appeared in known data breaches. This check uses the HaveIBeenPwned k-anonymity API, which means we send only the first five characters of a SHA-1 hash of your password — never the password itself.

2. Business profile information

To produce peer benchmarks, the Portal collects information about your business: company name, the trades you serve (HVAC, plumbing, electrical, and so on), your US state or region, an optional revenue band, and your employee count broken down by worker type (field technicians, dispatch/CSR, sales, admin). You may also provide a company logo, a list of allowed email domains, and a primary contact email and address.

If you do not upload a logo, the Portal may fetch one automatically from Brandfetch or Logo.dev using your website domain. Only your domain is sent to those services.

3. Invoice information

When you upload an invoice (by web upload, mobile camera, or by forwarding email to your <slug>@lstmile.com address), we store:

  • The invoice file itself (PDF, JPEG, or PNG) in Cloudflare R2 object storage.
  • Fields extracted from the invoice by our AI processing: vendor name, invoice number, dates, billing period, total amount, and line items with descriptions and amounts.
  • Any manual corrections you make to those fields during the review step.

Invoices typically identify business vendors (AT&T, ServiceTitan, RingCentral, and so on). Those vendors are companies, not consumers. Where an invoice incidentally contains personal data — for example, a sales representative's name in an account contact field — that information lives within the invoice file and is not separately extracted.

4. QuickBooks Online information

If your business connects QuickBooks Online ("QBO") to the Portal, the connector uses the Intuit OAuth scope com.intuit.quickbooks.accounting in read-only mode. It accesses only vendor bills/expenses and vendor records needed to import and review payable spend: vendor names and records, bill or purchase/expense dates, document numbers, due dates, totals, currencies, line-item descriptions or labels, line-item amounts, and metadata-only QBO attachment records associated with Bills or Purchases.

The Portal never accesses banking, payroll, accounts-receivable/invoices, or payments through QBO. It does not request QuickBooks Payments, payroll, banking credentials, customer invoice/accounts-receivable data, card processing, ACH processing, payment initiation, or any write permission to create, update, delete, or submit QuickBooks transactions.

QBO access tokens, refresh tokens, and realm IDs are encrypted at rest with AES-256-GCM before storage. The encryption key is a Cloudflare Worker secret, not a database value or repository value. QBO connection state and imported QBO records are tenant-isolated to your Portal workspace; tenant users receive non-sensitive connection status only, not token material or plaintext realm IDs.

QBO-derived data is retained while the integration remains connected and while your account uses the Portal. Deletion on disconnect means Last Mile attempts to revoke the Intuit token and then tokens + imported QBO data purged locally for that tenant, including encrypted connection state, imported QBO payable records, QBO line items, QBO source-document metadata, and related QBO extraction job records. Disconnect does not delete or modify data inside your QuickBooks company.

QBO-derived data may be processed by these functional sub-processors: Supabase for encrypted token storage, tenant isolation, and imported payable records; Cloudflare for hosting, Workers, runtime secrets, edge routing, and scheduled sync traffic; and Anthropic only when a tenant explicitly invokes covered categorization or document-processing workflows. QBO data is not used to train models, not sold, and not shared with third-party advertisers. We do not automatically send structured QBO imports to Anthropic for model training or any non-functional use.

5. Derived and aggregate information

From the data above, we compute information about your business: spend totals by category and period, spend per employee, and category-level metrics. We use these to populate your dashboard.

We also contribute your computed metrics, in de-identified form, to peer benchmark aggregates that other Portal customers see (described below in "How we use information"). Contributing to these aggregates is part of the Portal service; you cannot opt out.

We also track which "request intro" buttons you click on Recommended Tools cards. We use these clicks to (a) connect you with the recommended vendor and (b) understand which recommendations customers find useful.

6. Communications

If you email our support address, the email-forwarding inbox, or any other Last Mile address, we receive and store those messages, including any attachments. Forwarded emails to your <slug>@lstmile.com address are parsed for invoice attachments; the email body content is retained briefly to support routing and troubleshooting, then deleted on the schedule described under "How long we keep information."

How we use information

We use the information above to:

  • Operate the Portal: authenticate your sign-ins, store your invoices, extract fields from them, compute your dashboard, and serve you peer benchmarks.
  • Improve the Portal: train our auto-categorization rules using the manual corrections customers make. We use the corrections themselves, not the underlying invoice files, to refine our categorization logic.
  • Produce anonymized peer benchmarks. Your computed spend metrics are aggregated with metrics from other customers in similar trades, regions, and employee tiers. We then publish quartile statistics (P25, P50, P75, P90) within each segment. We do not show individual customer data to other customers. We suppress benchmarks for any segment with fewer than five contributing customers, so individual customers cannot be re-identified from the aggregate. Aggregate contributions are irreversibly mixed into the dataset and are retained as part of the benchmark.
  • Make vendor recommendations. The Portal flags categories where your spend exceeds peer medians and recommends specific vendors that may be a better fit. Some recommended vendors are partners with whom we have referral relationships, meaning we may receive compensation if you engage them. We disclose this on each recommendation that involves a paid relationship and again in our Terms of Service. Recommendations are informational; they are not financial, legal, or operational advice, and you should independently verify any vendor before contracting with them.
  • Send transactional emails: confirmations, password resets, account invitations, and notifications when you request an intro to a recommended vendor.
  • Respond to your support requests and inquiries.
  • Comply with legal obligations, defend our rights, and prevent abuse of the Portal.

We do not sell personal information. We do not share personal information with third-party advertisers. We do not use the Portal data to train models for sale to anyone outside Last Mile.

Who we share information with

We share information with the following third-party service providers, who process it on our behalf to operate the Portal. Each is bound by contractual confidentiality and security obligations.

ProviderLocationWhat they doWhat they receive
SupabaseUS (AWS infrastructure)Primary database, authentication, and file metadata storageAccount information, business profile, invoice metadata, derived metrics, encrypted QBO token/realm records, and imported QBO payable records
CloudflareUS (global edge network)Compute, edge hosting, object storage (R2), email routing, DNS, CDNInvoice files, request routing data, inbound emails to <slug>@lstmile.com, QBO OAuth callbacks, and scheduled QBO sync traffic
AnthropicUSClaude Vision API for invoice OCR and field extraction, plus covered categorization workflows when explicitly invokedInvoice file contents during processing. Anthropic's enterprise data policy provides that API submissions are not used to train Anthropic's models and are retained only briefly for abuse monitoring. QBO structured imports are not automatically sent to Anthropic and QBO data is not used to train models.
BrandfetchSwitzerlandCompany logo CDNYour website domain only
Logo.devUSFallback logo CDNYour website domain only
MapboxUSAddress autocomplete during onboardingAddress fragments you type
SMTP2GOUSTransactional email deliveryEmail addresses and message content for notifications
HaveIBeenPwnedUnited KingdomLeaked-password check during password setupThe first five characters of a SHA-1 hash of the password being checked. Never the password itself.

We also share information with recommended vendors when you click "request intro" on a Recommended Tools card. The information shared is what you authorize on that screen: typically your company name, your contact information, and a note about your interest.

We may disclose information when required by law, in response to a valid subpoena or court order, to defend our rights, to investigate suspected abuse of the Portal, or to a successor entity in the event of a merger, acquisition, or sale of substantially all of our assets.

We will publish our current sub-processor list at lastmilestrategies.com/subprocessors and update it before adding any material new sub-processor.

How long we keep information

We keep your information for as long as your Portal account is active, and afterward as described below.

InformationRetention
Account information (email, hashed password, contact info)While the account is active; deleted within 90 days of account closure or your verified deletion request
Business profile (company name, trades, region, headcount)Same as account
Invoice files in Cloudflare R2While the account is active; deleted within 90 days of closure or deletion request
Extracted invoice fieldsSame as invoice files
Inbound emails to <slug>@lstmile.comEmail body retained for 30 days for troubleshooting; attachments retained as invoices per the schedule above
De-identified contributions to peer benchmarksRetained as part of the anonymized benchmark dataset. Already aggregated; cannot be reconstructed to identify you.
Audit logs of sign-ins and security events12 months
BackupsRotated on a normal cadence; identifiable data is removed from backups within 12 months of deletion

When you ask us to delete your data, we delete identifiable data on the schedule above. Aggregated contributions to peer benchmarks remain in the dataset because they are already de-identified and irreversibly mixed with other contributions. If you have questions about what deletion will and will not remove, email privacy@lastmilestrategies.com before submitting your request.

Your rights

You can do the following at any time:

  • Access: Request a copy of the information we hold about you and your business.
  • Correction: Correct inaccurate information through the Portal, or ask us to correct it.
  • Deletion: Ask us to delete your account and the identifiable data tied to it, subject to the limits described above.
  • Export: Ask for a structured export of your invoices and extracted data.
  • Withdraw consent: If we ever rely on your consent for a specific use, you can withdraw it.

Send any of these requests to privacy@lastmilestrategies.com. We will acknowledge within 10 business days and respond substantively within 45 calendar days. We may need to verify your identity using your Portal credentials before we act on the request.

California residents

California's privacy laws (the CCPA, as amended by the CPRA) give California residents specific rights. The rights above already cover most of them. Additionally:

  • Right to know: You can request the categories and specific pieces of personal information we have collected about you, the sources, the business purposes for collecting it, and the categories of recipients we share it with.
  • Right to opt out of sharing: We do not sell personal information and do not share it for cross-context behavioral advertising. There is nothing to opt out of, but if that changes we will provide an opt-out mechanism.
  • Right to limit use of sensitive personal information: We do not collect sensitive personal information as that term is defined under California law.
  • Non-discrimination: We will not discriminate against you for exercising any of these rights.

To exercise California rights, use the same privacy@lastmilestrategies.com address. Authorized agents may submit requests on a Californian's behalf with verifiable authority.

How we protect information

We use industry-standard security measures, including:

  • TLS encryption for all data in transit.
  • Encryption at rest for databases and object storage.
  • Passwords stored only as bcrypt hashes.
  • Optional two-factor authentication using TOTP.
  • New and changed passwords checked against the HaveIBeenPwned breach database.
  • Audit logging of authentication events and administrative actions.
  • Role-based access controls for Last Mile staff who need access to operate the service.
  • Vendor security reviews before adding new sub-processors.

No service is perfectly secure. You are responsible for keeping your Portal credentials confidential, enabling two-factor authentication where appropriate, and notifying us promptly at security@lastmilestrategies.com if you suspect your account has been compromised.

Cookies and tracking

The Portal uses one cookie: a secure, HttpOnly authentication session cookie set by Supabase Auth to keep you signed in. We do not use advertising cookies, behavioral analytics cookies, or third-party tracking pixels.

We may add Cloudflare Web Analytics in the future. Cloudflare Web Analytics is designed to be privacy-preserving: it does not use cookies, does not collect IP addresses, and does not fingerprint visitors.

International data transfers

Most of our sub-processors are based in the United States. Brandfetch (Switzerland) and HaveIBeenPwned (United Kingdom) operate outside the US. The data sent to those services is limited to a domain name and a partial password hash respectively — neither receives personally identifying customer information. If we add a sub-processor that handles personally identifying data outside the US, we will update this Policy and put appropriate transfer protections in place.

The Portal is hosted in the United States and operated by a US company. If you access it from outside the US, you are transferring your information to the US for processing.

Children's privacy

The Portal is a B2B service. To use it you must be at least 18 years old and authorized to bind a business. We do not knowingly collect information from children under 16.

Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will notify you through the Portal or by email before the change takes effect. The "Last updated" date at the top of this Policy reflects the most recent revision.

Contact

For privacy questions, requests, or complaints, email privacy@lastmilestrategies.com. For security incidents or suspected account compromise, email security@lastmilestrategies.com. For everything else, email info@lastmilestrategies.com.