Legal

Privacy Policy

Effective date: April 10, 2026
Last updated: April 10, 2026

1. Who we are

Tiko ("Tiko", "we", "us", or "our") is a software-as-a-service product operated by Practico Software LLC, a limited liability company organized under the laws of the State of New York, United States.

You can reach us about privacy questions at support@practicoits.com.

Tiko is a back-office management platform for HVAC and other field-service small businesses. It helps business owners and their teams manage customers, estimates, invoices, payments, expenses, and related workflows, and includes an AI assistant (also called "Tiko") that helps users operate their business.

This Privacy Policy describes how we collect, use, share, and protect information when you visit our marketing website (including practicoits.com), create a Tiko account, use the Tiko web application at app.practicoits.com, or interact with us in any other way (collectively, the "Services").

2. Scope of this policy

Tiko is primarily a business-to-business (B2B) service. Most of the personal information we process is provided by our business customers ("Subscribers") about their own employees, contractors, customers, vendors, and leads. Depending on the context, Practico Software LLC acts as:

  • A controller for information about Subscribers (the business account holder, its owners, and authorized users) and visitors to our marketing site.
  • A processor / service provider for information that Subscribers upload into their Tiko workspace about their own end-customers and other third parties. Subscribers are the controllers of that information and are responsible for the lawful basis, notices, and consents required to put it into Tiko.

If you are an end customer of a Subscriber (for example, a homeowner who received an estimate or invoice generated in Tiko, or who used a client portal link), please direct questions about your information to the business that sent it to you. We will support that business in responding to your request.

3. Information we collect

We collect information in the following categories:

3.1 Information you give us directly

  • Account and identity data. When you sign up or are invited to a Tiko workspace, we (through our authentication provider) collect your name, email address, password or SSO identifier, and the organization you belong to. We also store a user record that links your authentication identity to your Tiko user.
  • Organization/business profile data. Business name, logo, mailing address, phone number, default invoice and estimate messages, invoice/estimate numbering preferences, default tax rate, timezone, and branding details.
  • Payment and billing data. To subscribe to Tiko, we use Stripe to collect and process payment information. We do not store full card numbers on our servers; Stripe returns a customer identifier, subscription identifier, last4 digits, and status that we store to manage your subscription, seat counts, trial state, and AI credit balance.
  • Merchant payout data (Stripe Connect Standard). If you enable in-product payment acceptance, you connect a Stripe Standard account to Tiko. With a Standard account you hold a direct relationship with Stripe, accept Stripe's terms directly, and manage your own Stripe Dashboard; Tiko receives a connected-account identifier and a flag indicating whether charges are enabled. Stripe — not Tiko — is the payment processor, handles cardholder data, and stores PCI-scoped information. We do not store full card numbers, CVVs, or bank account numbers on our servers.
  • Content you upload. Files and attachments you add to customer records, estimates, invoices, and expense receipts, and any notes, reminders, messages, or templates you create.
  • Communications. Messages you send to our support team, feedback you submit, and content of emails you exchange with us.
  • Marketing data. If you sign up to our marketing emails or our waitlist, we collect your email address, verification status, and source/referrer.

3.2 Information you provide about third parties

Tiko allows Subscribers to manage information about their customers and business contacts, including:

  • Customer name or business name, type (residential or commercial), lead source, email, phone.
  • One or more service addresses per customer.
  • Notes, reminders, and attachments about a customer or job.
  • Estimates and invoices with line items, amounts, tax, discounts, PDFs, approval signatures, and dates of service.
  • Expense records and receipts, manual income entries, and bookkeeping data.
  • Portal access tokens that allow the customer to view their own documents.

Subscribers determine what information to enter into Tiko. We process it on the Subscriber's behalf as described in Section 8 (Data processing on behalf of Subscribers).

3.3 Information we collect automatically

  • Usage and device data. IP address, browser type and version, device and operating system, pages visited, referring URLs, timestamps, and similar telemetry used to operate and secure the Services.
  • Log data. Application and security logs, including authentication events, function invocations, errors, and request metadata.
  • Product analytics. In production only, we use a product analytics provider to understand how the Tiko web application is used so we can fix bugs and improve the product. It records pageviews, feature interactions, and session replays, and associates them with your Tiko user identifier, email, and name once you sign in. We use this data only to operate and improve Tiko — we do not sell it, share it with advertisers, or use it for cross-context behavioral advertising. If you do not want your activity captured by product analytics, contact us at support@practicoits.com and we will exclude your account from analytics capture.
  • Cookies and similar technologies. We and our providers (for authentication and product analytics) use cookies, local storage, and similar technologies to keep you signed in, remember preferences, and measure how the Services are used. You can control cookies through your browser settings; blocking required cookies may break core functionality such as login.

3.4 Information from third parties

  • Authentication providers. When you sign up with a third-party identity provider through our authentication service, we receive the profile fields you authorize (such as name and email).
  • Payment processors. Stripe provides us with webhook events about your subscription, payouts, refunds, and connected account status.
  • AI model providers. Our AI features route requests through a third-party AI routing service and underlying model providers, which return model output and usage metrics (token counts and cost estimates) that we store against your workspace's credit ledger.

3.5 AI assistant data

When you interact with the Tiko AI assistant, we process:

  • The prompts and messages you send.
  • Context we attach from your workspace (such as customer, estimate, invoice, or expense records) in order to fulfill your request.
  • The assistant's responses.
  • Token counts, model identifiers, and cost information that we record in an AI credit ledger.

AI conversation history and thread titles are stored in your workspace so you can review and continue threads.

Zero Data Retention with AI providers. We route all Tiko AI requests through a third-party AI routing service to underlying large-language-model providers. Our routing is configured to use Zero Data Retention (ZDR) endpoints only and to deny data collection. This means that the underlying model providers we route to:

  • do not persist your prompts or the assistant's outputs beyond the time strictly needed to return a response, and
  • are contractually prohibited from using your inputs or outputs to train, fine-tune, or otherwise improve their models.

We also do not use your prompts, workspace context, or AI output to train Tiko's own models. See Section 5.5 for more detail.

4. How we use information

We use information for the following purposes:

  1. Provide the Services. Create and authenticate accounts, run the application, store your workspace data, generate estimates/invoices/PDFs, process payments, send transactional emails, and deliver AI responses.
  2. Billing and account management. Charge subscription fees, manage seats and trials, track AI credit balances, issue refunds, and prevent fraud or abuse of billing.
  3. Customer support. Respond to questions, troubleshoot issues, and improve documentation and onboarding.
  4. Security and reliability. Detect, investigate, and prevent security incidents, unauthorized access, fraud, and abuse; enforce our Terms of Service; and keep audit logs.
  5. Service improvement. Analyze aggregated usage to understand how the Services are used, fix bugs, and develop new features.
  6. Communications. Send service announcements, security alerts, invoice/estimate notifications you trigger, and — with permission where required — product updates and marketing emails. You can unsubscribe from marketing emails at any time.
  7. Legal and compliance. Comply with applicable laws, respond to lawful requests from authorities, and enforce our agreements.

We do not sell personal information, and we do not use Subscriber workspace content or AI assistant conversations to train foundation models for third parties. See Section 5.5 for details on AI model providers.

4.1 U.S.-only service

Tiko is provided to customers in the United States only. We do not market, sell, or intentionally direct the Services to individuals in the European Economic Area, the United Kingdom, or other non-U.S. jurisdictions. If you are located outside the United States, you may not use the Services.

5. How we share information

We share information only as described below.

5.1 Within your organization

Information entered into a Tiko workspace is visible to other authorized members of that workspace according to their roles. Admins and owners can manage user access, billing, and data export.

5.2 Subprocessors and service providers

We rely on the following categories of subprocessors to run the Services. Each is bound by confidentiality and data protection terms, and each processes information only as needed to provide its service to us:

Provider | Purpose | Data categories
Convex | Application backend, database, file storage, scheduled jobs | All workspace data, files, logs
Clerk | Authentication, user and organization management, invitations | Account identity, session, organization membership
Stripe (subscription billing) | Tiko subscription billing, invoicing, and credit-pack purchases | Billing contact, card tokens, transaction metadata
Stripe Connect (Standard accounts) | Payment processing between Subscribers and their own customers; payouts | Connected-account identifier, charge status; cardholder data goes directly to Stripe
Resend | Transactional and notification emails | Recipient email, message content, delivery events
AI routing service + underlying model providers (ZDR-only) | Routing AI prompts to large language models under ZDR / no-training terms | Prompt content, workspace context, model output (not retained by providers)
PostHog | Product analytics and session replay used solely to improve Tiko | Pageviews, feature events, session replay, Tiko user identifier, email, name
Hosting, CDN, and DNS providers | Serving the marketing site and application | IP address, request metadata

We may add or change subprocessors as the Services evolve. If you are a Subscriber and would like an up-to-date subprocessor list, contact us at support@practicoits.com.

5.3 Payment recipients

If a Subscriber has enabled in-product payment acceptance through Stripe Connect (Standard), any payment card information you enter to pay an invoice flows directly to Stripe as the payment processor. The Subscriber holds its own Stripe Standard account, is the merchant of record for the transaction, and has accepted Stripe's terms directly with Stripe. Tiko does not touch cardholder data.

5.4 Portal recipients

When a Subscriber sends you an estimate, invoice, or portal link, we transmit that document and the portal token to the email address the Subscriber provided. Portal tokens expire after a set period.

5.5 AI model providers

When you use the Tiko AI assistant, your prompts and any workspace context we attach are sent through a third-party AI routing service to an underlying model provider that fulfills the request. Our routing is configured so that:

  • Requests are routed only to Zero Data Retention (ZDR) endpoints, meaning the provider does not persist prompt or response data beyond the time needed to return a response.
  • Data collection is set to deny, meaning the provider is contractually prohibited from using your inputs or outputs to train, fine-tune, or otherwise improve any model.

We do not use your prompts, workspace context, or AI output to train Tiko's own models, and we do not sell or share AI conversation content with third parties for advertising or model-training purposes.

5.6 Legal disclosures

We may disclose information if we believe in good faith that disclosure is necessary to: (i) comply with a law, regulation, legal process, or governmental request; (ii) enforce our Terms of Service; (iii) detect, prevent, or address fraud, security, or technical issues; or (iv) protect the rights, property, or safety of Practico Software LLC, our users, or the public.

5.7 Business transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our business or assets, information may be transferred as part of that transaction, subject to standard confidentiality protections. We will notify affected Subscribers of material changes.

6. How long we keep information

We retain information for as long as needed to provide the Services and for the purposes described in this policy, unless a longer retention period is required or permitted by law.

  • Workspace content. Retained while your Subscriber's account is active. If the account is cancelled, workspace data is retained for a reasonable period (typically 30–90 days) to allow reactivation and export, then deleted or anonymized on a rolling basis.
  • Billing records. Retained for as long as required by tax, accounting, and audit obligations (commonly 7 years in the United States).
  • AI ledger and usage logs. Retained for billing reconciliation, abuse investigation, and analytics.
  • Security logs. Retained for a reasonable period appropriate to the risk and our obligations.
  • Marketing data. Retained until you unsubscribe or ask us to delete your entry. Existing waitlist entries are retained under this same policy.

7. Your rights and choices

Subject to applicable U.S. law, you may have the following rights:

  • Access — request a copy of the personal information we hold about you.
  • Correction — ask us to correct inaccurate or incomplete information.
  • Deletion — ask us to delete personal information, subject to legal and contractual retention obligations.
  • Portability — request your information in a machine-readable format.
  • Withdraw consent — where we rely on consent, withdraw it at any time.
  • Non-discrimination — exercise your rights without being denied service (CCPA/CPRA).

If you are a user of a Tiko workspace, you can often exercise these rights directly inside the app (for example, updating your profile or leaving the workspace). Otherwise, contact support@practicoits.com and we will respond within the timeframe required by applicable law.

If your information is in Tiko because a Subscriber uploaded it (for example, you are a customer of an HVAC business that uses Tiko), please direct your request to that business. We will assist them in responding.

7.1 Notice for California residents

Under the California Consumer Privacy Act (CCPA/CPRA), California residents have the rights described above and the right to limit the use of sensitive personal information. We do not sell personal information and do not share personal information for cross-context behavioral advertising as those terms are defined under the CCPA.

8. Data processing on behalf of Subscribers

For information that a Subscriber uploads to its Tiko workspace, Practico Software LLC acts as a processor / service provider. We process that information only on the Subscriber's documented instructions (through its configuration and use of the Services) and for the purposes described in this policy and our Terms of Service. Subscribers are responsible for:

  • Obtaining any consents and providing any notices required to enter their customers' and employees' information into Tiko.
  • Configuring user access appropriately within their workspace.
  • Responding to their end users' data subject requests, with our support.

Where required by law, we will enter into a separate data processing addendum with Subscribers.

9. Where your information is processed

Tiko is operated from the United States. Your information is processed by us and our subprocessors in the United States. Tiko is not offered to users outside the United States.

10. Security

We take reasonable administrative, technical, and physical measures to protect information against unauthorized access, loss, misuse, and alteration. These include encryption in transit and at rest, restricted internal access, audit logging, and use of reputable cloud providers. No method of transmission or storage is perfectly secure, however, and we cannot guarantee absolute security.

If you believe your account has been compromised, contact us immediately at support@practicoits.com.

11. Children's privacy

Tiko is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

12. Third-party websites and services

The Services may contain links to third-party websites and services, including payment pages hosted by Stripe. We are not responsible for the privacy practices of those third parties. Please review their privacy policies separately.

13. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Services and update the "Last updated" date above. Your continued use of the Services after the changes take effect means you accept the updated policy.

14. Contact us

If you have questions or requests regarding this Privacy Policy or our data practices, contact Practico Software LLC at support@practicoits.com.