Privacy Policy

Account Information

When you sign up for an account (whether via email/password or Google sign-in), we collect your name and email address. If you register with email, we also collect your password (which is stored in an encrypted form). If you use Google OAuth to sign in, we receive your name and email from Google (we do not get your Google password or any other Google data). We do not collect sensitive personal details like your physical address, social insurance number, or financial account information.

Uploaded Trip Data (CSV Files)

Our service allows you to upload CSV files (such as those exported from Turo) containing your trip-related data. The information in these files may include details like trip dates, earnings, vehicle ID, and potentially personal information about third parties (for example, the first name or identifier of a renter or guest associated with a trip). We parse the CSV to extract the relevant trip data for your dashboard and we do not store the original file – the CSV file is deleted from our system after parsing. The parsed trip data is stored in our database so it can be displayed back to you in your personal dashboard.

Important: If you upload personal information about others, you are responsible for ensuring you have the authority or consent to share that information with us. We will only use third-party personal information in your data to provide the service back to you, and we will not contact those individuals or use their data for any independent purpose.

Technical and Usage Information

Like most websites, we automatically collect certain technical information when you visit or use our service. This includes information such as your IP address, browser type, device type, operating system, referring URLs, pages viewed, and the dates/times of access. We may use cookies or similar technologies to remember your login session and preferences, or to analyze how users navigate our site. This technical data helps us ensure the platform works correctly, monitor performance, and continually improve the user experience. You can set your browser to refuse cookies; however, some features of our service may not function properly without them.

Communication Preferences

If you subscribe to receive updates or marketing communications, we will record your preferences (e.g. whether you opted in to receive newsletters or product updates). We will also maintain records of your communications with us (such as support requests or feedback) if you choose to contact us.

To Provide and Maintain the Service

We use your account information to create and manage your user account, authenticate you when you log in, and personalize your experience. The trip data you upload (and its parsed contents) are used to generate analytics, summaries, and dashboards so you can view your earnings and other trip metrics. In short, we process your information to run the core functionality of the app that you requested.

To Improve and Develop our Platform

Technical and usage data help us troubleshoot issues, monitor performance, and understand usage patterns. This insight allows us to refine features, enhance security, and optimize our services. For example, we may analyze which features are most used or identify where users encounter errors, so we can improve those areas.

To Communicate with You

We use your contact information (email address) to send necessary transactional communications related to the service. This includes emails for account verification, password resets, important service announcements, or responses to customer support inquiries. These communications are part of the service. If you have opted in to receive marketing or product updates, we will also use your email to send you newsletters, updates, or promotional communications about new features or offers. (See "Marketing & Communication" below for more details on how we handle marketing emails and your choices.)

For Customer Support

If you reach out to us with a question or need help, we will use your information to respond and resolve your issue. This may require accessing your account or uploaded data to assist you (for example, to debug a problem with a CSV file import).

To Ensure Legal Compliance and Security

We may use information as necessary to meet our legal obligations (for instance, keeping records of consents you have given us) and to enforce our Terms of Service. We also use data to detect and prevent fraud, abuse, or security incidents. For example, IP addresses may be used to identify and mitigate unusual or unauthorized activities on the account.

With Service Providers (Processors)

We use trusted third-party companies to help us operate and deliver our services. These service providers act on our behalf and are bound by contracts to protect your information and use it only for the purposes of providing services to us. Key service providers for our platform include:

• Supabase: We use Supabase as our cloud database and authentication provider to store account details and your parsed trip data. Supabase is a third-party service that hosts data on our behalf.
• Vercel: Our application is hosted on Vercel, which means when you use the website, your requests and data interactions are handled by Vercel's servers.
• Google: If you choose to sign in using Google, the authentication process is facilitated by Google. In that case, Google will verify your identity and share your basic profile information (name, email) with us. We do not send your data to Google; rather, you are using Google to log into our site. (Your use of Google OAuth is subject to Google's Privacy Policy.)

These service providers may have access to personal information as needed to perform their functions (for example, data is stored on Supabase's servers, or transmitted through Vercel's infrastructure), but they are not permitted to use your data for their own purposes. We ensure through agreements or established policies that these providers implement appropriate safeguards and confidentiality measures. We remain accountable for the protection of your personal information when it is processed by these service providers on our behalf.

Cross-Border Data Transfers

Please be aware that our third-party service providers may store or process data in countries outside of Canada. In particular, our platform's data may be stored on servers located in the United States (or other jurisdictions) depending on the regions chosen with Supabase and Vercel. When your personal information is transferred to and stored in another country, it may become subject to the laws of that jurisdiction and accessible to government, courts, or law enforcement of that country. For example, data stored in the U.S. might be lawfully accessed by U.S. authorities under American laws. We will only transfer data to foreign service providers in accordance with applicable privacy laws, and we will notify you of this transfer via this Privacy Policy (and at the time of data collection, if required). By using our service, you consent to this transfer and understand the associated risks. We take steps to ensure any international data transfers are done securely – for instance, by relying on reputable providers and, where appropriate, contractual clauses that require your data to be protected to standards comparable to Canadian law.

For Legal Reasons

We may disclose personal information if we reasonably believe that such action is necessary to comply with a law, regulation, valid legal process (e.g. a subpoena or court order), or governmental request. We may also disclose information if required to enforce our Terms of Service or other agreements, to establish or exercise our legal rights, or to defend against legal claims. Additionally, if we believe disclosure is necessary or appropriate to prevent physical or other harm or loss (for instance, to address fraud or security issues), we may share information in that context as permitted by law.

Business Transfers

If we ever transfer ownership or operation of the platform (for example, via a merger, acquisition, or asset sale), your personal information may be part of the assets transferred to the new owner. If such a transfer occurs, we will ensure that the successor entity is bound to protect your personal information in a manner consistent with this Privacy Policy, or we will notify you and obtain your consent if required by law. We will also provide notice on the website or via email before your personal data becomes subject to a different privacy policy due to a business transfer.

With Your Consent

In all other cases, we will seek your explicit consent before sharing your personal information with third parties. For instance, if we ever want to publish a user testimonial with your name, or integrate a new third-party service that involves sharing your info, we will ask for your permission. You are in control of whether we share your information in ways not covered by this Privacy Policy.

Uploaded CSV Files

When you upload a CSV, we process it immediately to extract the relevant trip data. The original CSV file is not stored on our servers beyond this processing period – it is deleted promptly after the data has been extracted. This means we do not keep your raw files on file after we've obtained the needed information.

Parsed Trip Data

The trip records and related data parsed from your CSV uploads are stored in our database (Supabase) so that you can access your dashboard and historical data anytime. We will keep this parsed data for as long as you maintain an account with us, since it is necessary for providing the service to you. If you stop using our service, we may retain your data for a reasonable period in case you return, but we will not keep it longer than necessary. Inactive account data may be deleted after a prolonged period of inactivity (we will try to notify you before that happens).

Account Information

Your registration details (name, email, etc.) are kept as long as your account is active. If you choose to delete your account or if we need to remove an account due to inactivity or other reasons, we will also delete or anonymize the personal information associated with it, subject to the next point about backups and legal requirements.

Backup and Logs

Like many services, we perform routine data backups and maintain server logs. Your information might remain in encrypted backups or logs for a short period even after deletion from our live database. We restrict access to backups and protect them. Over time, backups are rotated and old data is overwritten or destroyed. Any logs or backups will eventually be purged according to our data retention schedule. We will not restore deleted personal data back into our active database except if required for a limited time for security, legal, or disaster recovery purposes.

Legal Requirements

In certain cases, we might need to retain information for a longer period if necessary to comply with legal obligations (for example, if a law requires record-keeping for a certain time) or to resolve disputes and enforce agreements. In all cases, retention will be limited to what is required. We will securely dispose of or anonymize information once it is no longer needed.

Account Deletion Requests

You have the right to request deletion of your account at any time. If you want to delete your account (and all personal data associated with it), you can do so through your account settings (if that feature is available) or by contacting us at our privacy contact email. Upon verifying your identity and your request, we will promptly delete your account information and personal data from our active systems. As noted, residual data may remain in backups for a short period, but will be overwritten in due course. When we complete your deletion request, we will inform you and also clarify if any data could not be immediately deleted (and why, such as if it's in a backup archive), and ensure it is deleted as soon as possible. Once your account is deleted, you will no longer be able to sign in or retrieve any data, so please be sure you have exported any information you need before requesting deletion.

Access Your Information

You have the right to request a copy of the personal information we hold about you. This typically includes data like your account profile and the trip data associated with your account. To make an access request, contact us using the information in the Contact section below. We will need to verify your identity before releasing data, and will respond within a reasonable time (generally within 30 days as required by law). We will provide the information in a straightforward format, explaining any acronyms or codes if used, so that you can understand it.

Correction

If any of your personal information is inaccurate or incomplete, you have the right to request a correction or update. For example, if you change your email address or notice that some of your trip data is recorded incorrectly, you can ask us to correct it. In many cases, you can update basic account info yourself through your profile settings. For data that you cannot edit directly, contact us and we will make the correction or, if we cannot (for instance, if it's information that came from Turo's export and we believe it was correct as provided), we will annotate it to show the correction you requested. If we have shared the incorrect information with any third party (which is unlikely in our scenario, except with our service providers), we will also inform them of the correction where feasible.

Withdrawal of Consent

As mentioned in the Legal Basis section, you can withdraw your consent for certain uses of your information. For example, you can opt out of marketing emails at any time (see the next section on Marketing & Communications). If you previously gave us permission to use some data and you change your mind, let us know. We will respect your choice going forward, though this will not affect any processing that has already occurred with your prior consent. Do note that if you withdraw consent for core data uses (like use of your trip data to display your dashboard), we may not be able to provide that aspect of the service unless you re-consent.

Account Deletion

You have the right to have your personal information erased (the "right to be forgotten") subject to certain exceptions in law. As described in the Data Retention section above, you may delete your account at any time, which will remove your personal information from our systems (save for temporary backup retention).

Data Portability

While Canadian law doesn't explicitly mandate data portability in the same way as some other jurisdictions, we support your ability to obtain your data. The trip information you upload is already originally yours (from your CSV files), and we aim to make it easy for you to export any analysis or reports from our platform. If you need assistance extracting data in a usable format, you can request it from us.

Contacting Regulators

We hope to resolve any concern you have directly and amicably. However, if you believe we have not addressed your privacy questions or handled your personal information properly, you have the right to contact the relevant privacy regulators. For British Columbia residents, this is the Office of the Information and Privacy Commissioner for BC (OIPC). For federal matters under PIPEDA, you can contact the Office of the Privacy Commissioner of Canada (OPC). We will provide contact information for these regulators upon request.

Encryption

Our website uses HTTPS encryption (TLS/SSL) to secure data in transit between your device and our servers. This means that when you upload CSV data or view your dashboard, the information is encrypted while it travels over the internet. We also rely on Supabase's security features to ensure your data is encrypted at rest in the database whenever possible.

Access Controls

We restrict access to personal data to authorized personnel who need it to operate or support the service. In practice, this means that only a limited number of our team members or contractors (if any) can access user data, and only for specific purposes like troubleshooting an issue or performing maintenance. Each such person is subject to confidentiality obligations. We also utilize authentication and session management best practices to prevent unauthorized account access – for example, if you use Google sign-in, we rely on Google's secure OAuth process, and if you use a password, it's stored hashed (not in plain text) for your protection.

Third-Party Security

Our service providers (Supabase, Vercel, etc.) are chosen in part for their robust security practices. We review their documentation to ensure they employ modern security measures (such as firewalls, regular security audits, and physical security at data centers). We also enter into appropriate agreements with them to ensure your data remains protected under standards similar to PIPA/PIPEDA while in their systems.

Monitoring and Testing

We keep our software up to date and monitor the platform for potential vulnerabilities or attacks. We may employ logging and automated tools to detect unusual patterns that could indicate security issues. In the event of any security breach that affects personal information, we will notify affected users and regulators as required by law, and we will take immediate steps to remediate the issue.

User Responsibilities

We also advise you to help keep your own information secure. Choose a strong, unique password if using email signup, and keep your login credentials confidential. Remember that any information you share in public forums (if our service ever offers community features) can be viewed by others.

Consent for Emails

We will only send you marketing or promotional emails if we have your consent. Typically, when you sign up, we may ask you if you want to receive product updates or marketing messages. You can choose to opt-in or opt-out. If at any time you no longer wish to receive these emails, you can withdraw your consent.

Unsubscribe Option

Every marketing email we send will include a clear unsubscribe link or instructions to opt out. If you click that link or follow the instructions, you will be able to stop any further marketing emails from us. We will process unsubscribe requests promptly (and in any event within the timeframe required by law, usually 10 business days for CASL compliance). Alternatively, you can adjust your communication preferences in your account settings (if available) or by contacting us to let us know you don't want marketing messages.

Identification and Information in Emails

We will ensure our commercial emails clearly identify us as the sender and include our contact information as required by CASL. For example, our emails will typically show our company/name and an email or mailing address where you can reach us. We will not send false or misleading subject lines or content — our communications will accurately reflect the purpose (e.g., announcing a new feature).

Types of Communications

There are generally two types of emails you might receive from us: (1) Transactional/Service emails, which are directly related to your use of the service (such as login confirmations, password reset emails, important service notices, billing receipts if applicable, etc.). These are not promotional in nature and are sent as part of our contract with you or for user safety/notification purposes. You cannot opt out of receiving essential service communications as long as you have an active account, except by closing your account, because they are necessary for the operation of the service. (2) Promotional emails, which include newsletters, product updates, surveys, or offers. These are optional and sent only with consent as described. You have full control over whether you receive these.

Text Messages or Other Channels

Currently, our communications are primarily via email. We will not send text messages or other electronic messages for marketing purposes unless you explicitly opt in to such channels in the future. Should we introduce new communication channels, we will update this policy and obtain appropriate consents.