Privacy Impact Assessment

1. Executive Summary

Category	Risk Level	Justification
Data Sensitivity	LOW	Basic contact and service information only
Data Volume	LOW-MEDIUM	SMB customer base, limited records per business
Cross-Border Transfers	MEDIUM	US-based sub-processors with signed DPAs
Security Controls	LOW	Comprehensive technical and organizational measures
Overall Privacy Risk	LOW	Proportionate safeguards in place

The platform collects only basic personal information necessary for field service operations
No sensitive personal information (health, financial, biometric) is collected
All cross-border transfers are protected by Data Processing Agreements
Technical safeguards meet or exceed industry standards
Privacy-by-design principles are embedded in the platform

Recommendation: This project may proceed with the current privacy controls in place.

Project Name: Sergio Field Service Management Platform

Project Type: Software-as-a-Service (SaaS) application for field service businesses

Geographic Scope: North America (Canada and United States)

Data Element	Purpose	Retention
Business name, Contact name	Account identification	Active + 7 years
Email, Phone	Communications, billing	Active + 7 years
Billing address	Invoicing, tax compliance	Active + 7 years
Payment method	Subscription billing (via Stripe)	Not stored locally

Data Element	Purpose	Retention
Name, Email, Phone	User identification, notifications	Active + 1 year
Role/permissions	Access control	Active + 1 year
GPS location (mobile)	Route tracking (opt-in)	24 hours
Login activity	Security audit	2 years

Data Element	Purpose	Retention
Name, Email, Phone	Service identification, communications	Active + 7 years
Service address	Service delivery location	Active + 7 years
Property photos, notes	Quote preparation, service customization	Active + 7 years

Requirement	Status	Evidence
Privacy Officer designated	✓ Compliant	Cody Lepine appointed
Privacy policy published	✓ Compliant	Available at sergio.app/privacy
Consent mechanisms	✓ Compliant	Granular consent manager
Right of access	✓ Compliant	DSAR process via legal@axenvoy.com
Right of deletion	✓ Compliant	Documented in privacy policy
Data portability	✓ Compliant	Self-service export (CSV/JSON)
Breach notification	✓ Compliant	72-hour process documented
Cross-border safeguards	✓ Compliant	DPAs with all sub-processors
Privacy Impact Assessment	✓ Compliant	This document

Risk ID	Risk Description	Initial Risk	Controls	Residual Risk
R1	Unauthorized database access	Medium	RLS, MFA, encryption, audit logs	Low
R2	Sub-processor breach	Low-Medium	DPAs, SOC 2 processors	Low
R3	Excessive data collection	Very Low	Data minimization policy	Very Low
R4	Cross-border transfer risk	Low	DPAs, contractual safeguards	Very Low
R5	DSAR response delays	Low	Privacy Officer, tracking	Very Low
R6	Inadequate marketing consent	Very Low	Consent manager	Very Low
R7	GPS tracking without awareness	Low	Employee guide, dual consent	Very Low

Recipient	Location	Data Transferred	DPA Status
Supabase	Canada (Montreal)	All application data	✓ Signed
Stripe	United States	Payment data only	✓ Signed
Mapbox	United States	Addresses only	✓ Signed
Resend	United States	Email addresses	✓ Signed
OpenPhone	United States	Phone numbers	✓ Signed
Cloudflare	Global	IP addresses, traffic	✓ Signed

Primary Data Storage: Montreal, Canada (AWS ca-central-1 via Supabase)

Decision: This project is APPROVED to proceed with current privacy controls.

The Sergio platform presents a low overall privacy risk due to:

This PIA should be reviewed when any of the following occur:

Scheduled Review: December 2026 (or earlier if triggered)

I, Cody Lepine, as Privacy Officer of Axenvoy Inc., have reviewed this Privacy Impact Assessment and confirm that:

The assessment accurately reflects the personal information processing activities
Appropriate privacy risks have been identified and assessed
Adequate mitigation measures are in place
The project may proceed with the current privacy controls

Signature: Date: