Privacy Policy
Effective date: April 20, 2026
KenHome™ Corporation (“KenHome,” “we,” or “us”) operates the KenHome™ Subcontractor Pre-Qualification Portal at subs.kenhome.group (the “Portal”). This Privacy Policy explains how we collect, use, disclose, retain, and protect the information you or your organization submits through the Portal. It also describes the rights available to individuals under applicable United States privacy laws. This policy applies to prospective applicants, approved subcontractors, and their authorized representatives.
1. Information We Collect
We collect information that you provide directly, information generated automatically when you use the Portal, and information we obtain from authorized third parties during pre-qualification verification.
1.1 Information you provide
- Business identity: legal entity name, DBA/trade name, entity type, federal Employer Identification Number (EIN), state of incorporation, year established, D-U-N-S number, SAM.gov UEI, CAGE code, and NAICS codes.
- Beneficial ownership: names, titles, ownership percentages, citizenship or lawful-permanent-residency status, and the last four digits of Social Security Numbers for verification of ten-percent-or-greater owners.
- Corporate structure and disclosures: parent company, parent EIN, subsidiaries, affiliated companies, prior business names, and disclosures of debarment, bankruptcy, or principal felony convictions.
- Operational data: licensing, insurance carrier and policy data, bonding capacity, financial statements (revenue, balance sheet, working capital, net worth), project capacity, safety records (Experience Modification Rate and OSHA 300 logs), workforce composition, past performance, references, trade capabilities, and diversity certifications.
- Documents: certificates of insurance, state and local licenses, bonding letters, financial statements, OSHA 300A, EMR letters, W-9, HUB/MBE/WBE/DBE certificates, resumes of key personnel, organizational charts, project portfolios, and sample submittals.
- Contact information: names, email addresses, phone numbers, and physical addresses for the company, its personnel, and its references.
- Attestation and signature data: the typed name, title, timestamp, truncated IP address, and user agent recorded at the point of legal attestation.
1.2 Information collected automatically
- Account and session data: bcrypt-hashed passwords, session cookies, login timestamps, password-reset requests, and authentication events.
- Usage and audit data: page views within protected areas, section save events, document upload and removal events, status and tier changes performed by administrators, and every administrative action taken on your record.
- Network metadata: truncated IP addresses (IPv4 truncated to the /24 subnet and IPv6 to the /48 prefix before storage) and user-agent strings, recorded for audit and anti-abuse purposes.
The Portal does not use third-party advertising trackers or cross-site tracking cookies. We use only first-party cookies required for authentication and session integrity.
1.3 Information obtained from third parties
During pre-qualification review, and with your authorization under Section 3, we may receive information from references, banks, sureties, insurance carriers, and regulatory bodies. We may also consult publicly available records (for example, SAM.gov exclusion lists, state contractor license registries, and OSHA enforcement data) to verify the information you submit.
2. How We Use the Information
We use the information described above to:
- evaluate applications for inclusion in the KenHome™ pre-qualified subcontractor network;
- verify the accuracy of submitted information with the parties you authorize;
- calculate composite pre-qualification scores and assign tier placements;
- route bid invitations to appropriately qualified subcontractors;
- send transactional communications (application confirmations, renewal reminders, status updates, bid invitations);
- operate, secure, and improve the Portal, including debugging and error monitoring;
- detect, prevent, and respond to fraud, abuse, and violations of our Terms of Use;
- meet legal, regulatory, and contractual obligations, including obligations to project owners and lenders;
- enforce and defend our legal rights and respond to lawful process.
We do not sell, rent, or trade personal information, and we do not use submitted information for advertising or cross-context behavioral advertising.
3. Authorization for Verification
When you submit your application, you expressly authorize KenHome to contact any reference, bank, surety, insurance carrier, or regulatory body identified in your submission for the sole purpose of verifying the information you provided. You also consent to background checks on the company and its principals to the extent permitted by applicable law. This authorization remains in effect for twelve (12) months following each submission or until you withdraw your application, whichever is earlier.
4. Disclosure to Third Parties
We disclose information only in the circumstances below, and only to the extent necessary for the purpose.
- Verification parties: references, banks, sureties, insurers, and regulators that you identify in your application, when we contact them to confirm information you submitted.
- Platform operator: Enemo Consulting Group, Inc. develops, operates, and maintains the Portal software under contract with KenHome™ Corporation. Access by Enemo personnel is limited to engineers on duty under written confidentiality obligations, and solely for operation, security, and improvement of the Portal.
- Service providers: vendors that operate Portal infrastructure under written contract, including our database host (Neon), application host (Vercel), document storage (Vercel Blob), and transactional email provider (Resend). These vendors process information solely on our instructions, under confidentiality obligations, and for no independent purpose.
- Project stakeholders: when required by a project owner, lender, or public agency to document bid-list composition or diversity participation, aggregated or individual information may be shared with prior notice where reasonably possible.
- Legal and safety: to comply with valid legal process, protect the rights, property, or safety of KenHome, our personnel, or the public, or investigate suspected fraud, misrepresentation, or abuse.
- Business transfers: if KenHome is involved in a merger, acquisition, financing, reorganization, or asset sale, information may be transferred as part of that transaction, subject to the successor’s obligation to honor this Policy.
5. Security
- All data in transit is encrypted using TLS 1.2 or higher.
- Federal EINs and the last four digits of Social Security Numbers are encrypted at rest with AES-256-GCM. Encryption keys are maintained in the production environment and are not accessible to individual personnel.
- Passwords are stored using bcrypt with a work factor of 12; plaintext passwords are never transmitted to KenHome personnel or stored in backups.
- The Portal enforces role-based access control. Administrators see only the information required for their role.
- Every administrative action — status changes, tier assignments, score overrides, notes, and bid invitations — is recorded in an immutable audit log.
- Document uploads are restricted to PDF content types and a 25 MB maximum size, transferred directly from your browser to isolated blob storage.
- We monitor for abnormal activity (rate limits on registration and password reset, honeypot form fields, disposable-email filtering) and maintain a written incident-response procedure.
No security system is perfect. You are responsible for protecting your account credentials and for notifying us promptly if you suspect unauthorized access.
6. Retention
Retention durations are described in detail in our Data Retention Policy. In summary: rejected applicants are retained for three (3) years from rejection; approved subcontractors are retained for the duration of the business relationship plus seven (7) years; audit logs are retained for seven (7) years; and encrypted identifiers are purged on record deletion.
7. Your Rights
Subject to applicable law and our retention obligations, you have the right to:
- Access — request a copy of the personal information we hold about you or your organization;
- Correction — request correction of inaccurate or out-of-date information;
- Deletion — request deletion of your personal information outside of our retention obligations;
- Portability — receive a copy of the information you submitted in a structured, commonly used electronic format;
- Limit disclosures — request that we not share sensitive personal information except as needed to provide the service you requested;
- Withdraw consent — withdraw the verification authorization in Section 3 (this will require that we withdraw your application from active review);
- Non-discrimination — exercise any of the above rights without being denied service or subjected to differential treatment.
To exercise a right, email subcontractors@kenhome.group with your KH-SUB identifier (if known) and a description of the request. We verify identity before fulfilling a request. We respond within forty-five (45) days, extendable once by another forty-five days where reasonably necessary. Authorized agents may submit requests on your behalf with written documentation of authority.
7.1 California residents (CCPA / CPRA)
California residents may request disclosure of: the categories of personal information we have collected; the categories of sources from which we collected it; the business or commercial purpose of collection; the categories of third parties with whom we shared it; and the specific pieces of personal information collected. We do not sell personal information and do not share personal information for cross-context behavioral advertising.
7.2 Texas residents
Texas residents have rights substantially equivalent to those in Section 7 under the Texas Data Privacy and Security Act. Exercise them through the same contact method.
8. Children’s Information
The Portal is intended for authorized representatives of business entities and is not directed to children. We do not knowingly collect personal information from anyone under the age of sixteen. If we learn that we have inadvertently collected such information, we will delete it.
9. International Data
The Portal is operated in the United States. If you access the Portal from outside the United States, you understand that your information will be transferred to, stored, and processed in the United States.
10. Automated Decision-Making
Our scoring engine generates a composite pre-qualification score from the information you provide. Scores, disqualifying flags, and tier assignments are reviewed by human administrators before any final determination is communicated to you. No pre-qualification outcome is made solely by automated means without meaningful human oversight.
11. Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will update the effective date above and notify current account holders by email or through the Portal. Your continued use of the Portal after an update constitutes acceptance of the revised Policy.
12. Contact
KenHome™ Corporation
Attn: Subcontractor Pre-Qualification
subcontractors@kenhome.group