Privacy Impact Assessment

Quebec Law 25 compliant assessment of data processing practices

Organization:Axenvoy Inc.
Privacy Officer:Cody Lepine
Version:2.0
Last Updated:December 10, 2025

Overall Privacy Risk: LOW

This assessment concludes that Sergio presents a low overall privacy risk due to limited collection of basic, non-sensitive personal information, strong technical and organizational safeguards, and contractual protections for all cross-border transfers.

Key Findings

Only basic personal information necessary for field service operations is collected

No sensitive personal information (health, financial, biometric) is collected

All cross-border transfers protected by Data Processing Agreements

Technical safeguards meet or exceed industry standards

Privacy-by-design principles embedded in platform

Softphone (VoIP/SMS via Telnyx) adds telecommunications data processing with appropriate safeguards

AI features (Claude by Anthropic) process queries and images with no data used for AI training

Personal Information Categories

Business Customer Data

Contact info, billing address, payment method (via Stripe)

Retention: Active + 7 years

End User (Employee) Data

Name, email, role, GPS location (opt-in only)

Retention: Active + 1 year | GPS: 24 hours

End Customer Data

Name, contact info, service address, property details

Retention: Active + 7 years

Telecommunications Data (Softphone)

Provisioned phone numbers, call detail records, SMS metadata, voice recordings (opt-in)

Retention: CDRs/SMS 2 years | Voice recordings 90 days (configurable)

AI Processing Data

Support bot queries, Glass Expert images, photo moderation images. AI data is NOT used for training models.

Retention: Queries 90 days | Images per job retention | AI logs 12 months

Job Photo Capture Data

Before/after job photos, photo metadata (timestamp, GPS), property exterior photos, receipt images

Retention: Active + 7 years | Encrypted AES-256 at rest

Data NOT Collected

Not collected: Social Insurance Numbers
Not collected: Financial account numbers
Not collected: Health or medical information
Not collected: Biometric data
Not collected: Information about children
Not collected: Religious/political information

Sub-Processors & Data Location

ProcessorServiceLocationDPA
SupabaseDatabase, Auth, StorageCanada (Montreal)
StripePaymentsUnited States
QuickBooks (Intuit)Accounting IntegrationUnited States
MapboxMappingUnited States
ResendEmailUnited States
TelnyxVoIP/SMSUnited States
AnthropicAI InferenceUnited States
CloudflareCDN/SecurityGlobal

DPA Signed|DPA Pending

Security Controls

Technical

  • TLS 1.2+ encryption in transit
  • AES-256 encryption at rest
  • Row-Level Security (RLS)
  • Multi-factor authentication
  • Audit logging

Organizational

  • Privacy Officer designated
  • Confidentiality agreements
  • Access reviews
  • Incident response procedures
  • Breach notification plan

Privacy Risk Summary

CategoryRisk LevelJustification
Data SensitivityLOWBasic contact and service information only
Data VolumeLOW-MEDIUMSMB customer base, limited records per business
Cross-Border TransfersMEDIUMUS-based sub-processors with signed DPAs
Security ControlsLOWComprehensive technical and organizational measures
Overall Privacy RiskLOWProportionate safeguards in place

Download Full PIA

Get the complete Privacy Impact Assessment document for your records or legal review.

View & Print Full Document

Opens in new tab. Use Print → Save as PDF.

Questions?

Contact our Privacy Officer for questions about this assessment.

Contact Privacy Officer