Privacy Policy

PermitPlace ("we", "us", "our") respects your privacy and is committed to protecting it in compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.

This policy explains what personal information we collect, why we collect it, how we use it, and the choices you have. By using our service you agree to this policy.

1. Who we are

PermitPlace is operated as a sole proprietorship by Dhruv Jakhar, located in British Columbia, Canada. For privacy questions or to exercise your rights under this policy, contact: privacy@permitplace.net.

2. Information we collect

From subscribers (customers):

• Email address (for sending you reports and account communications)
• Business name (optional, helps us personalize delivery)
• Subscription preferences (which trade/city you've selected)
• Payment information — processed entirely by Stripe. We never see or store your full card number.
• Basic usage analytics (which pages you visit, browser type, approximate location from IP)

From building permit data:

• We aggregate public building permit records published by Canadian municipalities under their open data licences (City of Toronto, Vancouver, Calgary, Edmonton, Halifax Regional Municipality).
• This data may include the names of contractors, applicants, and property addresses that are already public record.
• We do not combine this with any other data source to identify private individuals.

From outreach prospects:

• We collect business email addresses from publicly-published business listings (e.g. Google Maps business profiles, contractor websites) for the purpose of one-time relevant B2B outreach under CASL s.10(9) (conspicuously published business contact).
• We record the public source URL where each email was found, as proof of implied consent.
• One unsubscribe request removes you permanently from all current and future campaigns.

3. Why we collect it (purposes)

• To deliver the service you've subscribed to (sending weekly digests, providing access to the data explorer)
• To process payment and manage your subscription
• To send service-related notifications (password resets, billing, important changes)
• To improve the product based on aggregate usage patterns
• To comply with legal obligations (e.g. tax records, CASL audit trail)

We do not use your personal information for any purpose unrelated to the service without your explicit consent.

4. How we share it

We do not sell your personal information to anyone. We share data only with:

• Stripe — to process payments (see Stripe's privacy policy)
• Resend (or equivalent transactional email provider) — to deliver our emails to you
• Supabase / cloud database providers — to securely store your account data
• Vercel — to host and deliver this website
• Law enforcement — only when required by valid Canadian legal process

All third-party processors are bound by their own privacy commitments and contractual obligations.

5. Where we store it

Your data is stored on servers operated by our service providers, primarily located in Canada and the United States. By using the service, you consent to this cross-border transfer.

6. Your rights under PIPEDA

You have the right to:

• Access the personal information we hold about you
• Correct any inaccurate information
• Withdraw consent for processing (this may end your service)
• Delete your account and associated personal data
• Lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) if you believe we've mishandled your data

To exercise any of these rights, email privacy@permitplace.net. We will respond within 30 days as required by PIPEDA.

7. How long we keep it

• Active subscriber data: as long as your account is active, plus 7 years for tax/audit purposes (required under the Income Tax Act)
• Cancelled subscribers: 30 days for any reactivation, then deleted (except tax records)
• Suppression list (unsubscribers): kept indefinitely so we never email you again — this is for your protection
• Outreach prospects who never engaged: 24 months from initial scrape, then auto-deleted

8. Security

We implement reasonable technical and organizational measures to protect your data:

• HTTPS encryption on all pages
• Encrypted-at-rest database storage
• Hashed passwords (we never see your plain-text password)
• Payment data handled exclusively by PCI-DSS-certified Stripe
• Restricted access to production systems

No system is perfectly secure. If we detect a breach affecting your data, we will notify you within 72 hours as required under PIPEDA's breach notification rules.

9. Cookies and tracking

We use only essential cookies needed to keep you logged in and remember your preferences. We do not use third-party advertising cookies or sell behavioural data. We may use privacy-preserving analytics (e.g. Plausible, or Vercel Analytics) to count visits without tracking individuals.

10. Children

This service is intended for businesses. We do not knowingly collect data from anyone under 18.

11. Changes to this policy

We may update this policy. Material changes will be emailed to active subscribers at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent version.

12. Contact