Privacy Policy

Last updated: January 1, 2025

Introduction

SuppTraq ("we", "us", or "our") is committed to protecting your privacy and handling your personal information responsibly. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information in connection with our franchise management software service (the "Service").

We operate from Alberta, Canada, and comply with Alberta's Personal Information Protection Act (PIPA) and, where applicable, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

1. Definitions

  • "Personal Information" means information about an identifiable individual, including but not limited to name, email address, phone number, IP address, and usage data.
  • "Customer Data" means business data you upload to the Service, including sales records, inventory data, employee performance metrics, and financial information.
  • "Service" means the SuppTraq cloud-based franchise management platform.

2. Information We Collect

2.1 Account Information

When we create an account for you, we collect:

  • Full name
  • Email address
  • Organization and franchise affiliation
  • Timezone preference
  • Role and access permissions

2.2 Authentication Information

To secure your account, we collect:

  • Hashed password (using industry-standard algorithms)
  • Password reset tokens (temporary)
  • Google OAuth tokens (if you use Google sign-in)

2.3 Session and Security Information

When you use the Service, we automatically collect:

  • Session tokens and authentication data
  • IP addresses
  • Browser type and version (user agent)
  • Device information
  • Login timestamps and session duration
  • Security event logs (failed login attempts, suspicious activity)

2.4 Usage Information

To improve the Service, we collect:

  • Features and pages you access
  • Time spent on pages
  • Errors and performance metrics
  • Search queries within the Service

2.5 Customer Data

The Service processes business data you upload, including:

  • Sales transaction records
  • Inventory and product data
  • Employee names and performance metrics
  • Store operational data
  • Financial and budget information
  • Vendor and supplier information

Important: You retain ownership of all Customer Data. We process Customer Data solely to provide the Service and as described in this Privacy Policy.

3. How We Use Your Information

We use personal information only for reasonable purposes, including:

3.1 Service Delivery

  • Creating and managing your user account
  • Authenticating your identity and maintaining session security
  • Processing and displaying your business data (sales analytics, inventory reports, etc.)
  • Providing access control and multi-tenant data isolation
  • Delivering notifications and alerts

3.2 Security and Fraud Prevention

  • Monitoring for suspicious activity and unauthorized access
  • Logging security events for audit purposes
  • Investigating and responding to security incidents
  • Implementing rate limiting to prevent abuse

3.3 Service Improvement

  • Analyzing usage patterns to improve features
  • Troubleshooting technical issues
  • Conducting performance monitoring and optimization
  • Developing new features based on user needs

3.4 Legal and Compliance

  • Complying with applicable laws and regulations
  • Responding to lawful requests from authorities
  • Enforcing our Terms of Service
  • Protecting our legal rights and interests

4. Legal Basis for Processing

Under Alberta PIPA and federal PIPEDA, we collect, use, and disclose personal information based on the following:

  • Consent: You provide implied consent when you use the Service. For certain activities, we may obtain express consent.
  • Contractual Necessity: Processing is necessary to provide the Service under our Terms of Service.
  • Legitimate Interests: We have a legitimate interest in securing the Service, preventing fraud, and improving our offerings.
  • Legal Obligations: We may process personal information to comply with legal requirements.

5. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share personal information only in the following circumstances:

5.1 Service Providers

We engage trusted third-party service providers who assist in operating the Service:

  • Neon (Neon Postgres): Cloud database hosting and data storage
  • Vercel: Web hosting and application deployment
  • Google (OAuth): Authentication services (if you use Google sign-in)

All service providers are contractually required to protect your information and use it only for the purposes we specify.

5.2 Within Your Organization

Customer Data is accessible to authorized users within your organization based on role-based access controls. Users with appropriate permissions can view data for stores and franchise groups they are authorized to access.

5.3 Legal Requirements

We may disclose personal information when required by law or in response to:

  • Valid legal processes (subpoenas, court orders, warrants)
  • Government or regulatory investigations
  • Requests from law enforcement authorities
  • Emergency situations involving threats to safety

5.4 Business Transfers

If SuppTraq is involved in a merger, acquisition, asset sale, or bankruptcy, personal information may be transferred to the successor entity. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.

6. Data Storage and Cross-Border Transfers

6.1 Storage Location

Your personal information and Customer Data are stored on secure cloud servers provided by Neon. These servers may be located in:

  • Canada
  • United States
  • Other jurisdictions where our service providers operate

6.2 Cross-Border Data Transfers

By using the Service, you acknowledge and consent to the transfer of your personal information outside of Canada. When personal information is transferred internationally, it may be subject to the laws of those jurisdictions, including lawful access by courts, law enforcement, and national security authorities.

We take reasonable steps to ensure that foreign service providers protect your personal information with safeguards comparable to Canadian privacy laws, including through contractual agreements.

7. Data Security

We implement administrative, technical, and physical security measures appropriate to the sensitivity of the personal information we collect:

7.1 Technical Safeguards

  • Encryption of data in transit (HTTPS/TLS)
  • Encryption of data at rest (database encryption)
  • Password hashing using industry-standard algorithms
  • Multi-factor authentication support
  • Session management and automatic timeout
  • Rate limiting to prevent brute-force attacks

7.2 Access Controls

  • Role-based access control (RBAC)
  • Multi-tenant data isolation (organization and franchise-level scoping)
  • Audit logging of security events
  • Restricted access to production systems

7.3 Organizational Safeguards

  • Security incident response procedures
  • Regular security assessments
  • Employee confidentiality obligations
  • Vendor security requirements

7.4 Limitations

While we strive to protect your personal information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your login credentials.

8. Data Retention

8.1 Retention Periods

We retain personal information only as long as necessary to fulfill the purposes for which it was collected:

  • Active Accounts: Account information and Customer Data are retained while your account is active and you continue using the Service.
  • After Termination: Upon account termination, we retain your data for 30 days to allow retrieval. After 30 days, we permanently delete or anonymize your data unless legally required to retain it.
  • Security Logs: Security and audit logs are retained for up to 12 months for security monitoring and incident investigation.
  • Legal Holds: We may retain data longer when required by law, litigation, or regulatory investigations.

8.2 Deletion Process

When we delete personal information, we use secure deletion methods to prevent recovery. Backups containing personal information are deleted according to our backup retention schedule (typically 30 days).

9. Your Privacy Rights

Under Alberta PIPA and federal PIPEDA, you have the following rights regarding your personal information:

9.1 Right to Access

You have the right to request access to your personal information that we hold. We will provide you with a copy of your personal information in a commonly used format.

9.2 Right to Correction

You have the right to request correction of inaccurate or incomplete personal information. You can update your account information directly through the Service settings, or contact us for assistance.

9.3 Right to Withdraw Consent

You may withdraw your consent for certain uses of your personal information at any time, subject to legal or contractual restrictions. Note that withdrawing consent may limit your ability to use the Service.

9.4 Right to Deletion

You have the right to request deletion of your personal information, subject to legal retention obligations. To delete your account, contact us through the Service.

9.5 Right to Data Portability

You have the right to request a copy of your Customer Data in a structured, commonly used format (such as CSV or JSON) for transfer to another service.

9.6 Right to Lodge a Complaint

If you believe we have not complied with privacy laws, you have the right to file a complaint with:

  • Office of the Information and Privacy Commissioner of Alberta
    Phone: 1-888-878-4044
    Website: www.oipc.ab.ca
  • Office of the Privacy Commissioner of Canada
    Phone: 1-800-282-1376
    Website: www.priv.gc.ca

9.7 How to Exercise Your Rights

To exercise any of these rights, please contact us using the information in the "Contact Us" section. We will respond to your request within 30 days (or as otherwise required by law). We may request verification of your identity before processing your request.

10. Cookies and Tracking Technologies

10.1 Cookies We Use

We use cookies and similar technologies to maintain your session and improve your experience:

  • Essential Cookies: Required for authentication, session management, and security. These cookies cannot be disabled.
  • Functional Cookies: Remember your preferences (theme, timezone) to enhance your experience.
  • Performance Cookies: Collect anonymous analytics to improve Service performance.

10.2 Managing Cookies

Most browsers allow you to control cookies through their settings. However, disabling essential cookies may prevent you from using the Service. Disabling other cookies may limit functionality.

11. Children's Privacy

The Service is intended for business use and is not directed to children under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete it promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Posting the updated policy on this page
  • Updating the "Last updated" date
  • Sending email notification (for significant changes)
  • Displaying an in-app notice

Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. If you do not agree to the changes, you should stop using the Service.

13. Privacy Officer

In accordance with PIPA requirements, we have designated a Privacy Officer responsible for:

  • Ensuring compliance with privacy laws
  • Handling privacy inquiries and access requests
  • Investigating privacy complaints
  • Overseeing privacy training and policies

To contact our Privacy Officer, use the contact information in the next section.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

SuppTraq - Privacy Officer

Email: Available through the Service or your service agreement

Location: Alberta, Canada

We will respond to your inquiry within 30 days (or as otherwise required by applicable law).

Acknowledgment

By using the Service, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, disclosure, and handling of your personal information as described herein.