PULLFIRST[THE RECORD]
PRIVACY / 01.0PULLFIRST / v1

WHAT WE KEEP.
WHAT WE DON’T.

PullFirst is a B2B contractor intelligence API. We collect as little as the service will allow. No ad pixels, no cross-site trackers, no dark-pattern consent screens. Here is the whole surface, stated plainly.

LAST UPDATED / APRIL 2026

02.0COLLECTION

What we collect. And don't.

WE COLLECT
  • Email address (from your Google profile)
  • Name (from your Google profile)
  • Hashed API keys you create
  • Stripe customer ID, once you upgrade past Sandbox
  • API request metadata (endpoint, timestamp, response code)
WE DO NOT COLLECT
  • Card numbers, CVC, or billing address (handled by Stripe)
  • API request payloads or response bodies
  • Ad identifiers, cross-site trackers, or fingerprints
  • Personal data about the end users of your applications
  • Anything the Vercel Analytics beacon does not already see
03.0ACCOUNTS

How accounts work.

Account creation runs through Google sign-in. We pull your email and name from your Google profile and we do not ask for a password. PullFirst does not run a password database of its own.

The account record is your email, your name from Google, the hashed API keys you create, and a Stripe customer ID if you upgrade past Sandbox. That is the whole record.

API keys are SHA-256 hashed at rest. The plaintext is shown exactly once at creation and never re-rendered. To delete the account and everything tied to it, email support@pullfirst.com from the address on the account. Handled individually, not on a schedule.

04.0COOKIES + LOCAL STORAGE

One cookie. One local-storage key.

SESSION COOKIE

We set a session cookie for authenticated dashboard users to keep you signed in. It is essential for authentication and cannot be disabled while signed in. If you never sign in, we never set it.

THEME PREFERENCE

Your light/dark theme preference is stored in your browser's local storage. It never touches our servers.

05.0ANALYTICS

Vercel Analytics. Nothing else.

We use Vercel Analytics for basic page-view metrics. It tells us which pages get visited and what browser families visit them. It does not track you across sites and does not set cookies.

Details are in Vercel's privacy policy. There is no Google Analytics, no Segment, no Amplitude, no marketing pixel of any kind on PullFirst.

06.0API USAGE

We log metadata, not payloads.

We log the endpoint path, the timestamp, and the response code of each request. That metadata is used for rate limiting, billing, and abuse prevention. We do not log query parameters, request bodies, or response bodies.

The set of contractors you look up is not retained against your account. The system knows you called /v1/contractors 200 times this hour. It does not know which contractors.

07.0DATA SOURCES

The contractor data is public record.

The contractor records PullFirst serves are sourced from public government databases. Those sources include state licensing registries, enforcement bulletins, OSHA inspections, and municipal permit feeds. We aggregate, normalize, and index those records. We do not collect personal data about the end users of our customers' applications.

If you find an inaccurate record, email us. We explain how corrections flow through public records in our Terms of Service.

PRIVACY / 08.0

Questions about how we handle your data?

Send a specific question and you get a specific answer from the same people who ship the platform. Security posture details live on a dedicated page.

Email Us →Security Posture →Terms →