Privacy Policy
Effective date: February 14, 2026
1. Data Controller
Hiatys Systems Ltd. (“Hiatys,” “we,” “us”) is the data controller responsible for your personal information. We are incorporated in the Province of Ontario, Canada, and are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.
- Contact: privacy@hiatys.com
2. Information We Collect
Information you provide directly
- Account information: Name, email address, and authentication credentials (via OAuth providers or magic link).
- Profile information: Business name, logo, and brand colour (optional).
- Content: Quotes, project details, client information, and other data you enter into our products.
- Payment information: Processed and stored by Stripe. We do not store credit card numbers on our servers.
- Communications: Emails or messages you send to us.
Information collected automatically
- Server log information: Page requests, timestamps, and IP addresses.
- Error tracking data: Stack traces, browser/OS metadata, and internal user ID. No email addresses are sent to our error tracking provider.
- Product analytics data: Page views, feature usage events, referral source, device type, and approximate geography. Analytics is collected in cookieless mode — no analytics cookies or persistent identifiers are set on your device.
3. How We Use Your Information
We use your personal information to:
- Provide, maintain, and improve the Services.
- Process payments and manage subscriptions.
- Send transactional emails (account verification, quote notifications, invoice delivery).
- Respond to your inquiries and support requests.
- Detect, prevent, and address technical issues and security threats.
- Comply with legal obligations.
We do not sell your personal information. We do not use your data for advertising or profiling purposes.
4. Legal Basis for Processing
Under PIPEDA, we process your personal information based on:
- Consent: You consent to the collection and use of your information when you create an account and use our Services.
- Contractual necessity: Processing is necessary to fulfill our obligations under our Terms of Service.
- Legitimate interests: Improving our Services, ensuring security, and preventing fraud.
- Legal obligations: Complying with applicable laws and regulations.
5. Cross-Border Data Transfers
Your data may be processed by third-party service providers located in the United States. In accordance with PIPEDA Principle 4.1.3, we ensure that our sub-processors provide a comparable level of protection.
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel | Hosting and edge delivery | United States |
| Supabase | Database and authentication | United States |
| Stripe | Payment processing | United States |
| Resend | Transactional email | United States |
| Sentry | Error tracking (user ID only, no email addresses) | United States |
| PostHog | Product analytics (cookieless, no persistent identifiers) | United States |
6. Data Retention
When you delete your account, all account data, user content, and associated files are deleted immediately and permanently. There is no grace period or recovery window. We recommend exporting your data before deleting your account.
- Payment records: Retained by Stripe as required by tax and financial reporting laws (typically 7 years). These records are maintained by Stripe, not in our application databases.
- Server logs: Retained for 90 days for security and debugging purposes.
7. Your Rights
You have the following rights over your personal information, exercisable at any time:
- Access: Download a complete copy of your data from your account settings. The export is a ZIP file containing your profile, content, and uploaded files in machine-readable format (JSON).
- Correction: Edit your personal information directly in the product UI (settings, editors, forms).
- Deletion: Delete your account from your account settings. Deletion is immediate and permanent — all account data, content, and files are removed. This action cannot be undone.
- Data portability: The data export provides your information in a portable, structured format.
- Consent withdrawal: You may withdraw consent by deleting your account or by contacting privacy@hiatys.com.
Self-serve actions (export, correction, deletion) take effect immediately. If you contact us by email instead, we will respond within 30 days.
8. Consent Mechanisms
We collect your consent in the following ways:
- Express consent at sign-up: By clicking “Sign in with Google” or submitting your email for a magic link, you agree to our Terms of Service and this Privacy Policy. A clear statement is displayed above the sign-in buttons.
- Implied consent for service operation: When you enter profile information, view pages, or use the product, consent is implied for the operational purposes that a reasonable person would expect (storing your edits, recording page views, capturing error data for debugging).
- Client data — delegated responsibility: If you enter your clients' personal information (names, email addresses) into the service, you represent that you have obtained their consent. See our Terms of Service, Section 7. Public pages displaying client-facing content include a footer linking to this Privacy Policy.
- Transactional emails only: We send emails directly related to your use of the service (magic links, quote notifications, invoice delivery). We do not send marketing emails. Client-facing transactional emails include an unsubscribe link.
- Error tracking: We use Sentry to capture error data for service reliability. Only your internal user ID is sent to Sentry — no email addresses. This is implied consent for the legitimate purpose of maintaining and securing the service.
- Cookies: We use a single session cookie for authentication. No analytics cookies, advertising trackers, or fingerprinting technologies are used. No cookie banner is required because the session cookie is strictly necessary for the service to function.
9. Cookies and Tracking
We use a single authentication session cookie to maintain your login state. This cookie is strictly necessary for the service to function and is exempt from consent requirements under PIPEDA and Quebec Law 25.
Our product analytics (PostHog) operates in cookieless mode — it does not set cookies, use localStorage, or create persistent identifiers on your device. No analytics cookies, advertising trackers, social media pixels, or fingerprinting technologies are used.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal information, including:
- Encryption of data in transit (TLS/HTTPS).
- Encryption of data at rest in our databases.
- Row-level security policies ensuring users can only access their own data.
- Regular security reviews and updates of our infrastructure and dependencies.
- Minimal data access — only authorized personnel can access production systems.
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
11. Breach Notification
In the event of a data breach that creates a real risk of significant harm, we will:
- Notify the Office of the Privacy Commissioner of Canada (OPC) as soon as feasible.
- Notify affected individuals directly, including a description of the breach, the type of information involved, and steps they can take to mitigate risk.
- Maintain records of all breaches for a minimum of 24 months.
12. Children's Privacy
Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete such information promptly.
13. Additional Rights for Quebec Residents
If you are a resident of Quebec, you may have additional rights under Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25), including:
- The right to be informed of the specific purposes for which your information is collected at the time of collection.
- The right to data portability in a commonly used technological format.
- The right to be informed if your personal information is being used for automated decision-making.
- The right to de-indexation (the right to have your personal information cease to be disseminated).
We do not use automated decision-making in our Services.
14. Privacy Officer
The privacy officer responsible for Hiatys Systems Ltd.'s compliance with PIPEDA is:
- Name: Christopher Hicks
- Title: Privacy Officer, Hiatys Systems Ltd.
- Email: privacy@hiatys.com
You may contact the privacy officer with any questions about how your personal information is handled, to request access to or correction of your data, or to file a complaint about our privacy practices.
15. Complaints
If you have a complaint about our privacy practices, please contact us first at privacy@hiatys.com. We will investigate and respond within 30 days.
If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the “Effective date” at the top of this page. For significant changes, we will notify you by email.
17. Contact
If you have questions about this Privacy Policy, please contact us:
- Email: privacy@hiatys.com
- Company: Hiatys Systems Ltd.
- Location: Ontario, Canada