DRAFT. This privacy notice is a template starting point and has not been reviewed by a lawyer. Review with counsel before production use.

Privacy Notice

Last updated: 2026-05-12

Overview

This notice explains what personal information we collect, why, and what your rights are. It is written to comply with Quebec's Act respecting the protection of personal information in the private sector (Law 25) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

What we collect

Account data (firm name, contact info, email). Client data the firm enters (display name, email, phone, locale, notes). Documents uploaded by clients (tax slips, statements, receipts). Usage data (which pages were viewed, IP address for security, browser type).

Why we collect it

To provide the Service: deliver the magic-link portal, store and deliver documents to the firm, generate reminders, run AI classification. To bill paying customers. To improve the Service. To comply with legal obligations.

Quebec Law 25 compliance

We have a designated person responsible for the protection of personal information, reachable at the contact email below. By default, your firm's privacy settings are set to the most protective level. We will inform you before any new use of your data outside the original purposes.

Where your data lives

All client documents and metadata are stored in Canadian regions (Supabase ca-central-1, S3-compatible). Transactional emails are sent via a processor that may transit data through US infrastructure; document content itself is never included in those emails.

Who we share with

We do not sell personal information. We share data only with the subprocessors listed below, and only as needed to operate the Service.

Subprocessors

Supabase (hosting, database, storage — Canada). Resend (email delivery — US). Twilio (SMS delivery — US). Anthropic (document classification — US; documents are processed and not retained). Stripe (payment processing — US/Canada).

Security

Data at rest is encrypted by Supabase. Data in transit uses TLS. Access to firm data is enforced by Row-Level Security at the database layer. Document downloads use short-lived signed URLs.

Retention

We retain firm and client data for as long as your account is active, and for up to 90 days after cancellation to allow data export. Audit logs (who did what, when) are retained for 2 years.

Your rights

You have the right to access, correct, port, or request deletion of your personal information, and to withdraw consent. Contact us using the address below to exercise these rights.

Security incidents

If we become aware of a confidentiality incident involving your personal information, we will notify you and the Commission d'accès à l'information du Québec where required.

Contact

Questions or rights requests? Email support@vylan.app.