Privacy Policy

Version: 1.4 Effective Date: December 3, 2025 Last Updated: February 5, 2026

EARLY ACCESS NOTICE

Sergio is early access software under active development. Features may evolve based on user feedback. Services provided on "best effort" basis without uptime guarantees (Enterprise SLA available Q4 2026+). Automated daily backups active via Supabase Pro with 7-day point-in-time recovery.

GEOGRAPHIC AVAILABILITY - NORTH AMERICA ONLY

Sergio is available only to businesses operating in North America (United States and Canada).

We do not currently serve:

European Union (EU)
European Economic Area (EEA)
United Kingdom (UK)
Other international regions

This Privacy Policy is designed for North American operations and compliance with North American privacy laws (PIPEDA, provincial laws, US state laws). We do not currently serve businesses or users located in the EU/EEA/UK.

International expansion planned for 2027-2028 with appropriate privacy policies for those regions.

IMPORTANT LEGAL NOTICE

This document is a Privacy Policy prepared for business operations in North America. While drafted with attention to applicable privacy laws, it has not been reviewed or customized by external privacy counsel. Axenvoy Inc. recommends periodic legal review by a qualified attorney specializing in privacy law, data protection, and technology regulations to ensure ongoing compliance as laws evolve.

This policy provides a general framework for PIPEDA and North American privacy law compliance but may not address all privacy risks specific to your business model, data processing activities, or applicable jurisdictions. Do not rely on this document as a substitute for professional legal advice.

Introduction

Axenvoy Inc. ("Sergio," "we," "us," or "our"), a federally incorporated Canadian corporation operating in Saskatchewan, Canada, is committed to protecting the privacy and security of personal information. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard personal information through our Sergio field service management platform (the "Platform") and related services.

Geographic Scope: Sergio currently operates exclusively in North America (United States and Canada). This Privacy Policy is designed for North American operations and compliance with North American privacy laws. We do not currently serve businesses or users located in the European Union, European Economic Area, or United Kingdom.

This policy applies to:

Business Customers - Organizations that subscribe to our Platform (window cleaning service businesses operating in North America)
End Users - Employees, contractors, and authorized users of our business customers (must be located in North America)
End Customers - Customers of our business customers whose data is processed through the Platform

B2B Service Provider Notice: Sergio is a B2B software platform provider, not an employer. Business customers are the employers of their technicians and are responsible for compliance with employment and privacy laws in their jurisdictions.

We comply with applicable privacy laws including:

PIPEDA - Personal Information Protection and Electronic Documents Act (Canada)
Provincial privacy laws (Alberta PIPA, British Columbia PIPA, Quebec Law 25)
US state privacy laws (California CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Montana MCDPA, Oregon OCPA, Texas TDPSA, Delaware DPDPA, Iowa ICDPA, New Hampshire NHDPA, New Jersey NJDPA, Nebraska NDPA, Tennessee TIPA, Minnesota MCDPA, Maryland MODPA, Indiana ICDPA, Kentucky KCDPA, Rhode Island RIDPA, Utah UCPA, and other applicable US state privacy laws)
Other applicable North American privacy regulations

Quick Reference

Topic	Section
What information we collect	Section 2
How we use your information	Section 3
Who we share information with	Section 4
International data transfers	Section 5
Data retention periods	Section 6
Your privacy rights	Section 7
Security measures	Section 8
Cookies and tracking	Section 9
Contact information	Section 13

1. Privacy Officer & Accountability

1.1 Accountability (PIPEDA Principle 1)

We are responsible for all personal information under our control, including information transferred to third-party service providers for processing.

Privacy Officer: Cody Lepine Axenvoy Inc. Email: legal@axenvoy.com General Support: support@sergio.app Mailing Address: Suite 1002, 1 Springs Drive, Unit #208, Swift Current, SK S9H 3X6, Canada

1.2 Privacy Program

Our privacy program includes:

Policies and procedures governing personal information handling
Staff training on privacy obligations
Privacy impact assessments for new processing activities
Contractual safeguards with service providers
Regular compliance reviews and audits
Incident response and breach notification procedures
Privacy by design principles in system development

1.3 Data Controller vs. Data Processor Roles

The nature of our data processing varies depending on the relationship:

Sergio as Data Controller:

For business customer account information (contact details, billing, subscription data)
For platform usage analytics and service improvements
For marketing communications to prospective customers

Sergio as Data Processor:

For end customer personal data processed by business customers through the Platform
Business customers are the data controller and determine processing purposes
We process data only according to customer instructions via platform functionality

2. Personal Information We Collect

We collect only the information necessary to deliver and support our services.

2.1 Information from Business Customers (We are Controller)

Account Registration:

Business name, legal entity information
Primary contact name, email address, phone number
Business address, province/state, country
Account administrator details
Industry and business size (optional)

Billing and Payment:

Payment method information (credit card details processed by payment processor)
Billing address
Transaction history
Tax identification numbers (if required)

Communications:

Support requests, inquiries, and correspondence
Phone calls (may be recorded with notice for quality assurance)
Chat messages and emails

2.2 Information from End Users (We are Controller/Processor)

User Accounts:

Name, work email address
Phone number (optional)
Role and permission level
Profile preferences
Password credentials (encrypted)

Platform Usage:

Login/logout timestamps
Features accessed and actions performed
Device information (type, business management software, browser)
IP addresses and approximate geolocation
Application version and performance metrics

Mobile Applications (iOS and Android):

Authentication tokens (stored in iOS Keychain and Android Keystore)
Device identifiers for session management
Navigation session data (active route identifiers, encrypted, auto-expires after 24 hours)
Crash logs and error reports (anonymized)

2.3 End Customer Information (We are Processor)

Business customers use the Platform to manage their own customer relationships. This data is controlled by our business customer, and we process it on their behalf:

Customer Records:

Names, phone numbers, email addresses
Service addresses and property details
Account identifiers and customer numbers
Service history and job details
Billing and payment information
Customer notes and preferences
Communication history

Service Delivery Information:

Job scheduling and completion data
Property access instructions
Service quality ratings or feedback

Location Data (Mobile App Only):

Currently Implemented:

Turn-by-Turn Navigation:

Real-time device location when technicians use in-app navigation
Used for turn-by-turn directions to customer addresses via Mapbox
Addresses sent to Mapbox for geocoding (converting addresses to GPS coordinates)
Geocoded coordinates cached locally on technician devices to minimize API calls

Geofencing for Job Completion:

Automatic detection when technician arrives at job site (within 50 meters of customer property)
Used for automatic job status updates and customer arrival notifications
Entry/exit events processed locally on device

Real-Time Location Tracking (Optional Feature):

How It Works:

Location Transmission: GPS coordinates sent via HTTPS edge function webhook every 5 minutes during active navigation
Display Method: Coordinates transmitted to web dashboard for display to authorized managers/dispatchers in real-time
Transmission Frequency: Every 5 minutes (reduces battery drain vs. live streaming)
Data Collected: Latitude, longitude, timestamp, accuracy, speed, heading
Server-Side Storage: GPS coordinates are transmitted to edge function for real-time display but NOT stored in our database
Retention: 24 hours maximum on device cache, then automatically deleted regardless of new route creation
Server Logs: Edge function execution logs (IP, timestamp, job ID) retained 30 days for debugging (no GPS coordinates in logs)

Dual Consent Requirement:

Company Level: Business customer (employer) must enable GPS tracking feature in web dashboard account settings
Technician Level: Technician must grant location permission ("While Using App") when prompted by iOS or Android

Opt-Out Options:

Company admins can disable GPS tracking feature for entire organization
Individual technicians can deny location permission in iOS Settings or Android Settings
Technicians can disable location permission mid-route (stops all location streaming immediately)
GPS tracking only active during navigation - no 24/7 tracking

IMPORTANT - Customer Responsibility: Business customers are solely responsible for complying with employment and privacy laws in their jurisdiction before enabling GPS tracking. Requirements vary by location:

Some jurisdictions require written consent in employment contracts
Some require specific notice periods before implementing workplace monitoring
Some prohibit continuous GPS tracking during work hours

We do not provide legal advice. Business customers should:

Consult with employment law attorney before enabling GPS tracking
Review applicable laws in their state/province/country
Obtain required employee consents per local regulations
Update employee handbooks and policies as needed

Sergio provides the technology tool; customers are responsible for lawful use.

For detailed compliance guidance, see our Employee Monitoring Compliance Guide: https://docs.sergio.app/legal/employee-monitoring-guide

The guide covers disclosure requirements, consent procedures, jurisdiction-specific considerations (Canada and US), and implementation checklists.

QuickBooks Integration Data (Team+ Tier, Opt-In Only): When business customers enable QuickBooks synchronization:

Customer names, addresses, email addresses, phone numbers
Invoice data (line items, amounts, dates, payment status)
All company data customer chooses to synchronize
Synchronization Direction: Two-way sync (Sergio <-> QuickBooks)
Data Location: United States (Intuit/QuickBooks servers)
Access Credentials: OAuth 2.0 access tokens and refresh tokens (encrypted storage)
Customer Control: Customers can disconnect integration at any time
Purpose: Accounting automation and data consistency between systems

QuickBooks Sync Liability:

Customer is solely responsible for data accuracy in QuickBooks
Sergio provides sync technology but does not verify accounting accuracy
We are not liable for accounting errors, tax mistakes, or financial discrepancies arising from sync issues
Customers must review and verify all financial data after synchronization
Sync conflicts (e.g., duplicate invoices, mismatched amounts) must be resolved by customer
We recommend regular manual reconciliation between Sergio and QuickBooks
For tax or accounting questions, consult your accountant or bookkeeper

Team Invitation System:

Invitee email addresses (before account creation)
Invitation tokens (UUID) valid for 7 days
Invited role (manager, technician, etc.)
Invitation status and acceptance date
Retention: Automatically deleted 7 days after expiration or acceptance (implementation in progress)
Current: Expired invitations retained until manual cleanup (auto-deletion pending)
Email Delivery: Sent via Resend (invitation email + link only, no sensitive data)

Communication Logging:

SMS and Email Message Logs: Metadata only (sender, recipient, timestamp, delivery status)
Message Content: NOT stored in our systems (content handled by Resend for email, Telnyx for SMS/Voice)
Purpose: Audit trail, error tracking, delivery confirmation, compliance
Data Tracked:
- External provider message IDs (Resend, Telnyx)
- Delivery status (sent, delivered, failed)
- Error logs for debugging failed deliveries
- Scheduled message queue (upcoming messages within 48-hour window)
Retention: 2 years from send date (automatic deletion after 2 years)
Access: System administrators and customer service staff

2.8 Softphone and Telecommunications Data (Telnyx-Powered)

Sergio provides Voice over IP (VoIP) calling and SMS messaging services via our telecommunications partner, Telnyx LLC.

Service Provider: Telnyx LLC (United States)

Data Collected:

Business phone numbers provisioned for your account
Call Detail Records (CDRs): caller/callee numbers, duration, timestamp, call type
SMS message metadata: sender, recipient, timestamp, delivery status
Voice recordings (if call recording enabled by business customer)
Voice minutes and SMS usage per billing period

Data Location: United States (Telnyx infrastructure)

Purpose:

Provide VoIP calling services for business communications
Enable SMS messaging for customer communication and appointment reminders
Track usage for billing and fair use policy enforcement
Improve call quality and troubleshoot technical issues

Call Recording (If Enabled by Business Customer):

Business customers may enable call recording for quality assurance and training
Call recordings stored for 90 days by default (configurable)
Business customers are solely responsible for compliance with call recording laws
Some jurisdictions require "all-party consent" or "two-party consent" before recording
Business customers must provide adequate notice to call participants
Sergio is not responsible for customer non-compliance with call recording laws

Data Sharing:

Call recordings accessible only to authorized business users
CDR metadata shared with business customer for billing reconciliation
Telnyx processes telecommunications data as sub-processor

Retention:

CDRs: 2 years for billing and regulatory compliance
Call recordings: 90 days default (configurable by business customer)
Voice minutes usage: 7 years (tax/accounting compliance)

Your Rights:

Access call detail records via business customer account
Request deletion of call recordings (subject to legal retention requirements)
Opt-out of calls from specific businesses (contact business directly)

For detailed compliance guidance, see our Call Recording Compliance Guide: https://docs.sergio.app/legal/call-recording-compliance

2.9 AI-Powered Features Data (Claude by Anthropic)

Sergio uses artificial intelligence (Claude AI by Anthropic) to provide enhanced features.

AI Voice Assistant (Sergio Skipper): Sergio Skipper is an AI-powered voice assistant that helps technicians with scheduling, job management, and platform navigation. Voice queries are processed by Anthropic Claude. Audio is processed in real-time and is NOT stored beyond the active session. No voice biometric data is collected or enrolled. Voice assistant responses are advisory only and should not replace professional judgment.

1. In-App Support Bot (Customer Service AI)

Purpose: Answer platform usage questions, provide guidance on features
Model: Claude Haiku (Basic tier), Claude Sonnet (Professional tier), Claude Opus (Business tiers)
Data Processed: Your support questions, account context, feature usage history
Data Shared: Queries sent to Anthropic for AI inference
Retention: Query logs retained 90 days, anonymized after 12 months
Usage Limits: 50-500 queries per month depending on subscription tier

2. AI Glass Expert (Damage Assessment)

Purpose: Analyze photos of window damage to classify severity and recommend solutions
Model: Claude Sonnet (Basic/Professional tiers), Claude Opus (Business/Enterprise tiers)
Data Processed: Photos uploaded by technicians, damage descriptions, property context
Data Shared: Images sent to Anthropic for visual analysis
Retention: Analysis results stored with job records (7 years); original photos per photo retention policy
Usage Limits: 30-300 queries per month depending on subscription tier
Accuracy: AI recommendations are advisory only; technicians make final determinations

3. Photo AI Moderation (Content Moderation)

Purpose: Automatically detect inappropriate, offensive, or irrelevant content in job photos
Model: Claude Opus (Professional tiers only)
Data Processed: All job photos and receipt images uploaded by technicians
Data Shared: Images sent to Anthropic for content analysis
Retention: Moderation flags stored with photos; flagged content reviewed by account admin
Usage Limits: 4-6 photos per job, 50-150 receipts per month depending on tier
Action: Flagged photos require admin review before client visibility

AI Data Processing Safeguards:

Anthropic Sub-Processor: SOC 2 Type II certified, GDPR-compliant infrastructure
Data Processing Agreement: Executed with Anthropic (signed December 10, 2025)
No AI Training: Your data is NOT used to train Anthropic's AI models (per Anthropic commercial terms)
Encryption: All AI queries encrypted in transit (TLS 1.3)
Access Controls: Only authorized users can trigger AI features
Audit Logs: All AI queries logged for security and billing

AI Limitations and Disclaimers:

AI recommendations are not professional advice (legal, medical, financial)
AI may make errors; human review required for critical decisions
AI cannot replace qualified professionals (e.g., glass technicians, safety inspectors)
Sergio is not liable for decisions based solely on AI recommendations

Your Control Over AI Features:

Opt-out: Contact support to disable AI features (may limit functionality)
Data Deletion: AI query logs deleted upon request (subject to 90-day retention minimum)
Accuracy Feedback: Report AI errors to improve service quality

2.10 Job Photo Capture and Storage

Sergio enables technicians to capture and store photos related to job documentation.

Types of Photos Collected:

Before/after job photos: Document work completed for quality assurance
Property exterior photos: Assist with quote preparation and job scoping
Damage assessment photos: Support AI Glass Expert analysis (if enabled)
Receipt images: Expense tracking and reimbursement documentation

Photo Data Collected:

Image file (JPEG/PNG, max 10MB per photo)
Timestamp of capture
GPS coordinates (if location services enabled on device)
Associated job/customer record

Storage and Security:

Location: Supabase Storage (AWS ca-central-1, Montreal, Canada)
Encryption: AES-256 at rest, TLS 1.3 in transit
Access: Limited to business customer account and authorized employees
Retention: Active customer records + 7 years (per standard data retention)

AI Processing of Photos:

Photos may be analyzed by Claude AI for content moderation (Professional tiers)
Glass Expert feature analyzes damage photos for assessment recommendations
AI analysis data is NOT used for training AI models

Privacy Considerations: Photos may inadvertently capture:

Individuals (customers, bystanders, technicians)
Vehicle license plates
Neighboring properties
Personal items visible in service areas

Photographs Containing Individuals: Job photos may inadvertently capture individuals (customers, bystanders, neighbors). Business customers should:

Train technicians to minimize capture of individuals in photos
Implement photo review procedures before sharing with customers
Consider blurring or cropping photos containing uninvolved third parties
Respond promptly to requests from individuals captured in photos
Understand that individuals in photos may have privacy rights under applicable law

Business Customer Responsibilities:

Train technicians to focus photos on property/service, not individuals
Obtain customer consent for interior property photos where appropriate
Review flagged photos before sharing with customers
Implement photo capture policies for your organization

Photo Limits by Tier:

Professional: 4 photos per job, 50 receipts per month (AI moderation)
Business: 6 photos per job, 150 receipts per month (AI moderation)
Enterprise: Unlimited (custom limits negotiable)

2.4 Automatically Collected Information

Technical and Usage Data:

Session cookies (HttpOnly, Secure, SameSite=Strict) for authentication
Browser type, version, and language preferences
Referring URLs and page navigation paths
Timestamps of platform access
Error logs and diagnostic information
Security event logs (login attempts, permission changes)

No Marketing or Tracking Cookies: We do not use third-party advertising networks, behavioral tracking, or marketing cookies. Our cookies are strictly functional and necessary for platform operation.

Telemetry and Performance Metrics:

Anonymized application performance data
Feature usage statistics (aggregated)
Error rates and crash reports
API response times and system health metrics

2.5 Demo and Test Accounts

Demo Account:

We maintain a single demonstration account with pre-populated synthetic data
Demo data includes fake customers, jobs, invoices, and quotes (no real personal information)
Demo account credentials are publicly accessible via login page button for product evaluation
Demo account resets daily via automated cron job
No real customer information is used in demo accounts
Purpose: Product demonstration and sales evaluation

Demo Environment Isolation:

Completely isolated from production data with separate database and infrastructure
Demo database runs on separate Supabase project (isolated tenant)
No network connectivity between demo and production environments
Demo data cannot access or interact with real customer data
Separate authentication system (demo logins do not access production accounts)
If demo environment is compromised, production data remains secure

2.6 Information We Do NOT Collect

Credit card numbers (processed directly by payment processor - Stripe handles all card data)
Social insurance numbers or government IDs (unless legally required for tax reporting)
Health information or sensitive personal data categories
Children's information (Platform is for business use only; users must be 18+)
Biometric data (biometric authentication is device-level only, not transmitted to us)
Precise geolocation for purposes other than navigation (see Section 2.3)
Two-way SMS message content (SMS system is one-way reminders only; inbound replies are not processed)

2.7 Data We Cannot Access (Technical Limitations)

For transparency, there are certain types of data that we technically cannot access even if we wanted to:

Passkey Biometric Data:

Passkey/WebAuthn authentication uses your device's built-in biometric verification (fingerprint, Face ID, Windows Hello)
Biometric data is processed entirely on your device and never leaves your device
Sergio never receives, transmits, or stores biometric data — we only receive a cryptographic assertion confirming identity
This means passkey authentication creates zero biometric data exposure for Sergio

Customer Passwords:

Passwords (used as fallback to passkeys) are cryptographically hashed using bcrypt or Argon2
We never store plaintext passwords
Even Sergio administrators cannot view your password
Password reset is the only recovery option (we cannot "retrieve" passwords)

Stripe Credit Card Numbers:

Credit card data is processed directly by Stripe (PCI DSS Level 1 certified)
We never receive or store full card numbers
We only see: Last 4 digits, card brand (Visa/MC/Amex), expiration date
Stripe handles all card data securely via their encrypted systems

End-to-End Encrypted Device Data:

iOS Keychain data (authentication tokens stored on device)
Device biometric data (Face ID/Touch ID processed locally on device)
Local device cache (navigation data, geocoded coordinates)
These are encrypted at the device level and never transmitted to our servers

QuickBooks OAuth Tokens:

OAuth access tokens and refresh tokens are encrypted in our database
We cannot view the plaintext tokens
Tokens are used only for automated API calls, not human access
Revoking integration immediately invalidates all tokens

Message Content (Email/SMS):

Email content is handled by Resend (we only log metadata: timestamp, recipient, delivery status)
SMS message content is handled by Telnyx (we only log metadata, not message text)
We cannot read the content of messages sent through the platform

Why This Matters:

Privacy Protection: Even in the event of a data breach, certain sensitive data cannot be accessed
Compliance: Industry best practices for password security and payment processing
Trust: We cannot access certain data even if legally compelled to do so
Transparency: You know exactly what we can and cannot see

3. How We Use Personal Information

3.1 Identifying Purposes (PIPEDA Principle 2)

We identify the purposes for collecting personal information at or before the time of collection. We use personal information only for the purposes disclosed.

3.2 Purposes for Business Customer Data (We are Controller)

We use business customer information to:

Service Delivery:

Create and manage subscription accounts
Authenticate users and maintain secure sessions
Provide access to platform features
Process billing and payments
Deliver customer support and technical assistance

Communications:

Send service-related notifications (downtime, maintenance, security alerts)
Respond to inquiries and support requests
Provide account and billing information
Send subscription renewal reminders

Improvement and Development:

Analyze platform usage to improve features
Develop new functionality based on customer needs
Conduct research and analytics (using anonymized data)
Perform security monitoring and fraud prevention
Test and debug platform issues

Legal and Compliance:

Comply with legal obligations and regulatory requirements
Respond to lawful requests from authorities
Enforce our Terms of Service
Protect our rights and property
Investigate and prevent security incidents

Marketing (with consent):

Send newsletters and product updates (opt-in only)
Provide information about new features
Offer special promotions or discounts
Conduct customer satisfaction surveys

You may opt out of marketing communications at any time using the unsubscribe link in emails or by contacting legal@axenvoy.com.

3.3 Purposes for End Customer Data (We are Processor)

We process end customer data solely on behalf of and according to instructions from our business customers:

Store and retrieve customer records
Enable job scheduling and dispatch functionality
Facilitate communication between business and their customers
Generate invoices and billing records
Provide mapping and routing services
Support business operations and service delivery

We do not use end customer data for our own purposes, except:

Creating aggregated, anonymized statistics and benchmarks
As required for legal compliance or service security
With explicit consent from the business customer for specific purposes

3.4 Limiting Use, Disclosure, and Retention (PIPEDA Principle 4)

We do not use personal information for purposes other than those disclosed without obtaining fresh consent. We retain information only as long as necessary for the identified purposes or as required by law.

4.1 General Policy

We do not sell, rent, or trade personal information. We do not share information with third parties for their own marketing purposes.

4.2 Service Providers and Sub-Processors

We engage trusted third-party service providers to support our platform operations. These providers act as data processors on our behalf and are contractually bound to protect personal information and use it only for specified purposes.

Current Sub-Processors:

Service Provider	Purpose	Data Location	Safeguards
Supabase	Database hosting, backend infrastructure, authentication	Canada (AWS ca-central-1 region - Montreal)	AES-256 encryption at rest, TLS 1.3 in transit, SOC 2 Type II certified, ISO 27001 compliant, HIPAA compliant, DPA signed (August 5, 2025), hosted on AWS Canadian infrastructure
Cloudflare	Content delivery network (CDN), DDoS protection, DNS services	Global edge network (data processed in Canada/US)	Encryption in transit, contractual data protection terms, Free plan (basic DDoS protection, no WAF)
Mapbox	Mapping services, geocoding (address to coordinates conversion), routing and navigation	United States	Minimal data sharing (addresses only for geocoding), encryption, standard contractual terms
Stripe	Payment processing for subscriptions and billing	United States (with Canadian data residency options)	PCI DSS Level 1 certified, SOC 2 Type II, encryption, DPA signed (October 26, 2025), Stripe Services Agreement data protection terms
Resend	Transactional email delivery (service notifications, password resets, billing emails, team invitations)	United States	Encryption in transit, contractual data protection terms in place
Supabase Storage	File storage (company logos and branding assets)	Canada (same region as database - ca-central-1)	Encrypted at rest, access controls, part of Supabase infrastructure (same DPA)
QuickBooks (Intuit)	Optional accounting integration for customer and invoice synchronization (Team+ tier, opt-in only)	United States	SOC 2 certified, encryption in transit and at rest, OAuth 2.0 authentication, DPA signed (October 26, 2025), Intuit standard data protection terms
Telnyx	VoIP calling, SMS messaging, phone number provisioning (Sergio Softphone)	United States	SOC 2 Type II certified, HIPAA compliant infrastructure, CPNI protections per FCC regulations, encryption in transit, DPA signed (December 2025)
Anthropic	AI inference services (Claude models for support bot, glass expert, photo moderation)	United States	SOC 2 Type II certified, GDPR-compliant, no customer data used for AI training, DPA signed (December 10, 2025)

4.3 Sub-Processor Management

We maintain an up-to-date list of sub-processors
We notify business customers 30 days before adding new sub-processors
Customers may object to new sub-processors if they present material privacy concerns
All sub-processors sign Data Processing Agreements with appropriate safeguards
We remain responsible for sub-processor compliance with privacy obligations

Sub-Processor Breach Response:

We remain liable for sub-processor security failures under PIPEDA Principle 1 (Accountability) and applicable contractual obligations
In the event of a sub-processor breach affecting customer data:
- We will be notified by sub-processor within their contractual SLA (typically 24-48 hours)
- We will notify affected business customers within 72 hours of becoming aware
- We will coordinate investigation and remediation with sub-processor
- We will provide detailed incident reports including scope, impact, and corrective actions
- We will assist customers with their own breach notification obligations
Our DPAs with sub-processors include audit rights, breach notification requirements, and liability provisions

4.4 Business Transfers

If we are involved in a merger, acquisition, asset sale, or bankruptcy:

Personal information may be transferred to successor entity
You will be notified via email and/or prominent notice on our website
The successor will be bound by this Privacy Policy unless you consent to changes
You may have the option to delete your account before transfer

4.5 Legal Requirements

We may disclose personal information when required or permitted by law:

In response to court orders, subpoenas, or legal process
To comply with regulatory requirements or investigations
To protect our rights, property, or safety
To protect the rights, property, or safety of users or others
To prevent fraud, security threats, or illegal activities
With your consent or at your direction

We will notify affected individuals of legal requests when permitted by law and not prohibited by the request itself.

4.6 Aggregated and Anonymized Data

We may share aggregated, anonymized data that cannot identify individuals or businesses:

Industry benchmarks and insights
Platform usage statistics
Research and publications
Marketing and promotional materials

Anonymization is performed according to industry best practices to prevent re-identification.

5. Data Transfers Within North America

5.1 Cross-Border Processing (Canada-US Only)

Primary Data Location: Canada (AWS ca-central-1 region in Montreal)

Processing Locations:

Canada: Supabase database and file storage (primary data location - Montreal)
United States: Cloudflare CDN, Mapbox geocoding, Resend email, Stripe payment processing, QuickBooks integration, Telnyx VoIP/SMS, Anthropic AI inference

All data is processed and stored exclusively within North America (Canada and United States). We do not transfer data to or process data in the European Union, European Economic Area, United Kingdom, or other international regions.

5.2 Safeguards for Canada-US Transfers

We protect cross-border data transfers between Canada and the United States through:

For PIPEDA-Protected Data (Canadian residents):

Contractual clauses with sub-processors requiring comparable level of protection
Due diligence on US sub-processor privacy practices and certifications
Encryption in transit (TLS 1.3) and at rest (AES-256)
Transparency about data locations and applicable laws
Ongoing accountability for data protection (PIPEDA Principle 1)

For US State Law-Protected Data:

Compliance with applicable state privacy laws (California CPRA, Virginia VCDPA, etc.)
Data Processing Agreements with sub-processors
Security certifications (SOC 2, ISO 27001 where applicable)
Breach notification procedures

5.3 Foreign Government Access

Data stored in the United States may be subject to lawful access by US government authorities under applicable laws (e.g., US CLOUD Act, FISA). Similarly, data stored in Canada may be subject to Canadian law enforcement access. We:

Carefully vet sub-processors for privacy and security practices
Use encryption to protect data in transit and at rest
Limit data sharing to what is necessary for service provision
Notify affected individuals of government requests when legally permitted
Resist overbroad or unlawful requests

5.4 Your Rights Regarding Data Location

You may:

Request information about where your data is processed (see Section 4.2 sub-processor list)
Export your data at any time via self-service tools
Request deletion in accordance with applicable retention requirements

6. Data Retention and Deletion

6.1 Retention Principles (PIPEDA Principle 4)

We retain personal information only as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce agreements.

6.2 Retention Periods

Business Customer Account Data:

Active subscription period plus 7 years (for accounting, tax, and legal compliance)
Audit logs and security events: 2 years (unless longer retention required for investigations)

End User Account Data:

While employment/contract relationship exists
Up to 1 year after account deactivation (for dispute resolution)
Authentication logs: 2 years

End Customer Data (Controlled by Business Customer):

Retained according to business customer's instructions via platform settings
Default: Active customer relationship plus 7 years (customer configurable)
Customers may configure shorter retention periods
Data deleted within 30 days of customer-initiated deletion or account termination

Leads and Inquiries (Non-Customers):

Prospective customer inquiries: 24 months if no service relationship established
Marketing consent records: Duration of consent plus 3 years

Billing and Transaction Records:

7 years from date of transaction (for tax and audit requirements under Canadian law)

Backups:

Current Status (Supabase Pro): Automated daily backups with 7-day retention
Point-in-time recovery available within 7-day window
Backup data containing deleted information is overwritten in normal backup rotation (every 7 days)
Not used to resurrect deleted data except for system-wide disaster recovery
Customer self-service exports recommended as independent backup (available 24/7 in JSON/CSV formats)

6.3 Deletion Procedures

Standard Deletion: When retention periods expire or deletion is requested:

Data is permanently deleted using secure deletion methods
Database records are overwritten or purged
Backups are rotated out and securely destroyed
Sub-processors are instructed to delete data
Anonymization is applied where aggregated analytics are retained

Soft Delete Policy: Certain records use "soft delete" for audit and compliance purposes:

Entities Using Soft Delete: Jobs, user accounts, customers, quotes, invoices
How It Works: Record marked with deleted_at timestamp and deletion_reason
Visibility: Soft-deleted data is hidden from normal queries but retained in database
Retention Period: 7 years from deletion date (for accounting, tax, and legal compliance)
Hard Delete: After 7 years, data is automatically permanently deleted (hard delete)
Immediate Hard Delete: Available upon customer request (may not apply if legal retention requirement exists under PIPEDA, provincial law, or tax regulations)

Exceptions:

Data may be retained longer if required by law or legal hold
Anonymized data used for analytics may be retained indefinitely
Information necessary for ongoing legal proceedings is retained until resolution
Tax and accounting records: 7-year minimum retention per Canadian law

6.4 Customer-Controlled Deletion

Business customers can delete end customer data through:

Self-service deletion tools in the Platform
Bulk deletion via export/import or API
Account termination (triggers 30-day data retention, then deletion)

End customers may request deletion through the business customer (data controller).

7. Your Privacy Rights

Your rights vary depending on applicable laws (PIPEDA, provincial privacy laws, US state privacy laws). We honor privacy rights in accordance with the laws applicable to your jurisdiction.

7.1 PIPEDA Rights (Canadian Residents)

Under PIPEDA (Canada's federal privacy law), you have the right to:

Access (Principle 9):

Request access to your personal information in our possession
Receive information about how your data has been used and disclosed
Obtain copies of your information in an understandable format

Correction (Principle 6):

Request correction of inaccurate or incomplete information
Have corrections annotated or appended to your records
Be notified if we refuse correction (with reasons and recourse options)

Withdraw Consent:

Withdraw consent for optional processing (e.g., marketing)
Be informed of implications (e.g., inability to provide certain services)

Challenge Compliance (Principle 10):

File a complaint about our privacy practices
Receive investigation results and corrective actions taken
Escalate to the Privacy Commissioner of Canada if unsatisfied

7.2 US State Privacy Rights

Several US states have comprehensive privacy laws that may apply to you. If you are a resident of California, Virginia, Colorado, Connecticut, or another state with privacy legislation, you may have rights including:

Right to Know / Access:

Request access to personal information we collect about you
Receive information about how your data is used and shared
Obtain copies of your personal information

Right to Correction:

Request correction of inaccurate personal information
Have incomplete information completed or updated

Right to Deletion:

Request deletion of personal information (subject to legal exceptions)
Have data deleted from our systems and third-party processors

Right to Opt-Out:

Opt-out of sale of personal information (Note: We do NOT sell personal information)
Opt-out of targeted advertising (Note: We do NOT engage in targeted advertising)
Opt-out of profiling for automated decisions (Note: We do NOT use automated decision-making)

Right to Data Portability:

Obtain personal information in a portable, machine-readable format
Transfer data to another service provider

Right to Non-Discrimination:

Exercise privacy rights without discrimination or retaliation
Not be denied services or charged different prices for exercising rights

7.2.1 California Sensitive Personal Information (CPRA)

Under the California Privacy Rights Act (CPRA), "sensitive personal information" has specific disclosure requirements.

Categories of Sensitive Personal Information We Collect:

Precise Geolocation: GPS coordinates during active navigation sessions only (optional feature, requires explicit consent, 24-hour device-side retention, not stored on servers)
Account Credentials: Login credentials (cryptographically hashed using bcrypt/Argon2, not accessible in plaintext)

Categories of Sensitive Personal Information We Do NOT Collect:

Social Security numbers, driver's license numbers, or state identification card numbers
Financial account numbers, debit/credit card numbers with security codes (Stripe handles payment processing)
Racial or ethnic origin
Religious or philosophical beliefs
Union membership
Genetic data or biometric information for unique identification
Health information
Sexual orientation or sex life information
Contents of mail, email, or text messages (where Sergio is not the intended recipient)

Purposes for Sensitive Personal Information Collection:

We collect and use sensitive personal information ONLY for the following purposes:

Category	Purpose	Necessity
Precise Geolocation	Turn-by-turn navigation, geofencing for job completion	Required for service delivery
Account Credentials	User authentication and account security	Required for platform access

We do NOT use sensitive personal information for:

Inferring characteristics about you
Advertising or marketing purposes
Profiling or automated decision-making
Any purpose beyond service provision

Your Right to Limit Use of Sensitive Personal Information: California residents have the right to limit use of sensitive personal information to what is necessary to perform the services requested. However, as we only use such information for service provision, limiting would prevent platform functionality. To exercise this right or discuss options, contact: legal@axenvoy.com

We do NOT:

Sell sensitive personal information
Share sensitive personal information for cross-context behavioral advertising
Use sensitive personal information for purposes beyond service provision

7.3 Provincial Privacy Rights (Canada)

Residents of certain Canadian provinces may have additional rights under provincial privacy laws:

British Columbia (PIPA), Alberta (PIPA):

Similar rights to PIPEDA (access, correction, complaint)
Right to request information about collection purposes
Right to withdraw consent subject to legal/contractual restrictions

Quebec (Law 25):

Right to access and portability
Right to rectification and erasure
Right to restrict use and disclosure
Enhanced consent requirements for sensitive information

7.4 How to Exercise Your Rights

For Business Customers and End Users: Email: legal@axenvoy.com Subject: "Privacy Rights Request - [Type of Request]" Include: Your name, email address, account details, and specific request

For End Customers: Contact the business customer (data controller) who collected your information. They will coordinate with us if necessary.

Response Timeframes and Procedures:

When the Clock Starts:

Response clock starts upon receipt of an unambiguous, verifiable request
If identity verification is required, the clock restarts after successful verification
We will acknowledge receipt of your request within 3 business days
Acknowledgment will include estimated response date and any verification requirements

Standard Response Times:

PIPEDA (Canadian residents): 30 days from verified request
US State Laws (varies by state): 30-45 days depending on applicable state law
Provincial Laws (BC, AB, QC): 30 days from verified request
Simple requests (e.g., access to limited data): Target 10 business days
Standard requests: Target 20 business days
Maximum deadline: 30-45 days depending on applicable law

Complex Request Extensions: For complex or voluminous requests (>10,000 records or requiring manual review):

We may extend the deadline to 60-90 days depending on applicable law
PIPEDA: Up to 90 days with Privacy Commissioner approval
US State Laws: Up to 45-60 days depending on state (with notice)
We will notify you within 30 days of the original request if an extension is needed
Extension notice will include:
- Reasons for extension (complexity, volume, resource constraints)
- New expected completion date
- Your right to complain to applicable privacy authority

Need for Clarification: If your request is unclear or we need additional information:

We will contact you within 10 business days requesting clarification
The response clock pauses until clarification is received
If no clarification is received within 30 days, we may close the request (with notice)

Response Formats:

Data Access Requests:

JSON format: Complete structured data with all relational links and metadata
CSV format: Flattened data suitable for spreadsheets
PDF report: Human-readable summary with key data points
Custom format: Available upon request for complex requests (may extend timeline)

Data Portability Requests:

Machine-readable formats: JSON (default), CSV, XML
Direct transmission to another service provider: Available where technically feasible
Large datasets (>100MB): Provided via secure download link (expires in 7 days)

Other Request Types:

Correction requests: Confirmation of changes made (or reasons for refusal)
Deletion requests: Confirmation of deletion and timeline for backup overwrite
Restriction requests: Confirmation of restriction applied and scope
Objection: Confirmation of cessation of processing (or reasons for refusal)

Verification: We may request additional information to verify your identity before fulfilling requests to protect against fraudulent requests.

Government-issued ID (redact sensitive details like ID numbers)
Confirmation email to registered email address
Security questions based on account information
For high-risk requests (deletion, full access): Multi-factor verification may be required

Fees:

First data access request per year: Free
Additional data access requests: Free unless manifestly unfounded or excessive
Complex manual requests (requiring >8 hours of work): Up to $100/hour (maximum $500)
Expedited processing (within 10 business days): $250 fee
Manifestly unfounded or excessive requests: We may refuse or charge reasonable fee based on administrative costs
Fee estimates provided before work begins; you may withdraw request to avoid fees

7.5 Data Export Tools

Business customers can export data via:

Self-service export tools (JSON, CSV formats)
Manual export requests (may incur fees for large datasets >100GB)

8. Security Safeguards

8.1 Security Commitment (PIPEDA Principle 7)

We implement appropriate technical, organizational, and physical safeguards to protect personal information against loss, theft, unauthorized access, disclosure, copying, use, or modification.

8.2 Technical Security Measures

Encryption:

In Transit: TLS 1.2+ for all data transmission between users and servers
At Rest: AES-256 encryption for database storage
Backups: Encrypted backup storage
Mobile: iOS Keychain and Android Keystore for authentication tokens, encrypted navigation session storage

Access Controls:

Role-based access control (RBAC) with least-privilege principle
Primary authentication: Passkey/WebAuthn with device-native biometrics (phishing-resistant by design)
Fallback authentication: Password-based with bcrypt or Argon2 hashing
Multi-factor authentication (MFA) available for administrators; passkeys inherently provide MFA
Password requirements (minimum length, complexity) for password fallback
Automatic session timeout after 30 minutes of inactivity
Cross-tab logout propagation (logout in one browser tab logs out all tabs)

Application Security:

Web Application Firewall (WAF) via Cloudflare
DDoS protection and rate limiting
Input validation and output encoding (XSS prevention)
SQL injection prevention (parameterized queries)
CSRF protection via token validation
Security headers (CSP, HSTS, X-Frame-Options)

Session Management:

HttpOnly cookies (prevent JavaScript access)
Secure flag (HTTPS only)
SameSite=Strict (CSRF protection)
Session timeout: 30 minutes of inactivity
Automatic JWT token refresh by Supabase client
Cross-tab synchronization via localStorage (auth state synchronized across browser tabs)
Logout propagation: Logout in one tab broadcasts to all open tabs
Session invalidation on password change or security event

Mobile Security (iOS and Android):

Currently Implemented:

iOS Keychain Storage: Authentication tokens stored in iOS Keychain (encrypted at device level with hardware-backed encryption)
Android Keystore: Authentication tokens stored in Android Keystore (hardware-backed encryption when available)
Turn-by-Turn Navigation: Route optimization and GPS navigation for technician dispatch via Mapbox Navigation SDK
Automatic Data Expiry: Navigation session data automatically purged after 24 hours
Biometric Expiration: Face ID/Touch ID/Fingerprint credentials auto-expire after 90 days requiring password re-authentication
Enhanced Local Encryption: AES-256-GCM encryption for cached navigation data with device-specific encryption keys
Jailbreak/Root Detection: App signature verification and runtime integrity checks to detect compromised devices
Real-Time Location Tracking: GPS coordinates transmitted to edge function webhook every 5 minutes during active navigation (optional feature)
iOS App Transport Security: All network connections protected by iOS system-level TLS 1.2+ with automatic certificate validation
Android Network Security Configuration: All network connections protected by Android system-level TLS 1.2+ with certificate pinning
Play Integrity/SafetyNet: Android device integrity verification to detect compromised devices

Planned Security Features (Implementation in Progress):

Passcode Enforcement (PLANNED): Prompts for users to enable device passcode (currently detection only)

Transport Layer Security:

The iOS application relies on iOS App Transport Security (ATS) for HTTPS protection:

TLS 1.2+ enforced by iOS for all network connections
Certificate validation performed automatically by iOS system
Strong encryption (AES-256) for data in transit
Third-party SDK security:
- Supabase: SOC 2 Type II certified infrastructure
- Mapbox: Industry-standard security practices
- Both SDKs use internal networking that follows iOS security requirements

Note on Certificate Pinning: Modern third-party SDKs (Supabase, Mapbox) use internal URLSessions that cannot be intercepted for certificate pinning. This is industry standard. All connections are protected by iOS App Transport Security, which enforces strong TLS standards and certificate validation.

Current Security Status: The iOS mobile application has implemented production-grade security measures including hardware-backed Keychain storage, AES-256-GCM encryption, biometric credential expiration, jailbreak detection, and iOS system-level transport security. All network traffic is encrypted and certificate-validated by iOS.

Timeline: Passcode enforcement is the remaining security enhancement planned before commercial launch (Q2 2026).

8.3 Organizational Security Measures

Access Management:

Background checks for employees with data access (where legally permitted)
Confidentiality and non-disclosure agreements for all personnel
Regular access reviews and permission audits
Immediate access revocation upon termination

Training:

Privacy and security training for all employees
Role-specific training for those handling sensitive data
Annual refresher training and policy updates
Phishing awareness and social engineering prevention

Policies and Procedures:

Information security policy and standards
Incident response and breach notification plan
Change management and deployment procedures
Data classification and handling guidelines
Vendor management and due diligence processes

Monitoring and Auditing:

Real-time security monitoring and alerting
Log aggregation and analysis (SIEM)
Regular vulnerability scanning
Penetration testing (annual or as needed)
Code security reviews and static analysis

8.4 Physical Security

Data Center Security (via Sub-Processors):

SOC 2 Type II certified facilities
24/7 physical security and surveillance
Biometric and multi-factor facility access
Environmental controls (fire suppression, climate control)
Redundant power and network connectivity

Office Security:

Locked facilities with access controls
Visitor logs and escort requirements
Secure disposal of physical documents (shredding)
Clean desk policy for sensitive materials
Hardware encryption on employee devices

8.5 Limitations

No Absolute Security: Despite our best efforts, no security measures are perfect or impenetrable. We cannot guarantee absolute security. You acknowledge the inherent risks of transmitting information over the internet.

Your Responsibilities:

Keep account credentials confidential
Use strong, unique passwords
Enable multi-factor authentication when available
Promptly report suspected security incidents
Keep contact information current for security notifications

8.6 Security Breach Notification and Response

In the event of a security breach affecting personal information, we follow this response timeline:

Breach Response Timeline:

Detection to Internal Notification: 24 hours
- Security monitoring systems alert incident response team
- Initial incident triage and severity assessment
- Containment measures activated immediately
Internal Investigation: 24-48 hours
- Forensic analysis to determine scope and impact
- Identification of affected data and individuals
- Assessment of risk to affected individuals
- Documentation of breach details
Customer Notification: Within 72 hours
- Notification sent to affected business customers within 72 hours of confirming breach affects personal data
Note: PIPEDA requires notification "as soon as feasible" rather than a fixed deadline. Our 72-hour target reflects best practice while acknowledging that complex incidents may require additional time for accurate assessment. Quebec Law 25 requires notification "promptly" for incidents presenting risk of serious injury.
- Notification includes:
  - Nature of the breach and affected data
  - Likely consequences and potential risks
  - Measures taken to address the breach
  - Remediation steps and security improvements
  - Contact information for questions
Regulatory Notification: As Required
- PIPEDA (Canada): Notify Privacy Commissioner as soon as feasible if real risk of significant harm (RROSH)
- Quebec Law 25: Notify Commission d'acces a l'information (CAI) promptly if breach presents "risk of serious injury" to Quebec residents
- US State Laws: Vary by state (typically 30-90 days depending on jurisdiction)
- Provincial Laws: As required by applicable provincial legislation
- Timing depends on jurisdiction and severity

Quebec Law 25 Breach Notification Requirements:

For breaches affecting Quebec residents that present a "risk of serious injury":

Regulatory Notification: Report to the Commission d'acces a l'information du Quebec (CAI) promptly via their online portal
Individual Notification: Notify affected Quebec residents without delay
Breach Register: We maintain a register of all confidentiality incidents as required by Quebec law (retained minimum 5 years, exceeding 24-month PIPEDA requirement)
Content Requirements: Notification includes nature of incident, personal information affected, measures taken, and contact information

Quebec Law 25 Breach Register Requirement:

In compliance with Quebec Law 25 Section 3.8, we maintain a register of all confidentiality incidents (breaches) affecting Quebec residents. This register:

Is maintained for a minimum of 5 years from the date the breach was discovered (exceeds 24-month PIPEDA requirement to align with Quebec standards)
Contains: nature of incident, categories of personal information affected, number of individuals affected, dates of discovery and notification, measures taken to reduce risk
Is available for inspection by the Commission d'acces a l'information (CAI) upon request
Business customers (as controllers) must maintain their own breach registers for incidents affecting their Quebec-based end customers

CAI Contact Information:

Website: https://www.cai.gouv.qc.ca/
Phone: 1-888-528-7741

Controller Responsibilities for Quebec: Business customers (as data controllers for end customer data) are responsible for determining whether breaches meet Quebec Law 25 notification thresholds for their Quebec-based end customers and for making their own CAI notifications where required.

What We Do:

Immediately contain and remediate the breach
Conduct forensic investigation
Notify affected business customers promptly
Assist customers with their notification obligations to end customers
Provide detailed incident reports
Implement corrective measures to prevent recurrence

What You Must Do (as Business Customer):

Notify your end customers if their personal data was affected (your responsibility as data controller)
Comply with breach notification requirements in your jurisdiction
Report to regulatory authorities as required by applicable law
Document breach notifications and responses

Reporting Security Incidents:

If you discover a security incident or vulnerability:

Email: support@sergio.app (monitored 24/7)
Subject Line: "SECURITY INCIDENT" for immediate escalation
Include details: What happened, when, what data may be affected

9. Cookies and Tracking Technologies

9.1 What We Use

Essential Cookies Only: We use only first-party, strictly necessary cookies for platform functionality:

Cookie Name	Purpose	Duration	Type
`sb-access-token`	User authentication session	Session (expires on logout)	HttpOnly, Secure, SameSite=Strict
`sb-refresh-token`	Session renewal without re-login	30 days (rolling)	HttpOnly, Secure, SameSite=Strict

No Tracking or Marketing Cookies:

We do NOT use third-party advertising networks
We do NOT use behavioral tracking or profiling
We do NOT use social media pixels or widgets
We do NOT use analytics cookies (we use server-side analytics)

9.2 Mobile Application Data Storage

iOS Keychain and Android Keystore:

Authentication tokens stored securely in iOS Keychain and Android Keystore
Encrypted at device level, not accessible to other apps
Automatically deleted when app is uninstalled

Local Storage:

Navigation session data (active route job identifiers)
Encrypted and stored locally with automatic 24-hour expiry
Geocoded address coordinates (cached to reduce API calls)

9.3 Analytics

Server-Side Analytics: We collect anonymized usage statistics through server logs:

Page views and feature usage (no personal identification)
Error rates and performance metrics
Aggregated device/browser statistics

No Third-Party Analytics: We do not use Google Analytics, Facebook Pixel, or similar third-party tracking services.

9.4 Your Choices

Browser Settings:

You can block cookies through browser settings
Blocking essential cookies will prevent platform functionality
We do not respond to "Do Not Track" signals (as we don't track)

Mobile Settings:

Disable location services in iOS Settings or Android Settings to prevent navigation features
Biometric authentication can be disabled in app settings
Revoke app permissions in iOS Settings or Android Settings

10. Children's Privacy

The Platform is intended for business use only and not directed to individuals under 18 years of age.

No Knowing Collection:

We do not knowingly collect personal information from children under 18
Account holders must represent they are 18+ years old
End users must be employees/contractors (assumed 18+)

Parental Rights: If we learn we have collected information from a child under 18 without verifiable parental consent:

We will delete the information as quickly as possible
We will terminate the associated account
Parents may contact us at legal@axenvoy.com to inquire about or delete children's information

Note: End customer data (controlled by business customers) may include minors. Business customers are responsible for obtaining appropriate parental consents and complying with children's privacy laws (e.g., COPPA in the US).

We obtain consent for collection, use, and disclosure of personal information except where otherwise permitted by law.

Forms of Consent:

Express Consent: Explicit opt-in (e.g., checkbox, signature, verbal agreement)
Implied Consent: Reasonable expectation based on circumstances (e.g., providing email address to receive response)
Deemed Consent: Use of publicly available information within reasonable limits

When We Obtain Consent:

At account registration (acceptance of Terms and Privacy Policy)
Before collecting sensitive information beyond basic contact details
Before using information for new purposes not previously disclosed
For marketing communications (express opt-in required)

We strive to make consent meaningful:

Clear, plain language explanations of data practices
Granular consent options where feasible (e.g., separate marketing consent)
Prominent notice at or before collection
Reasonable access to privacy information

For business customers and end users in Quebec, we ensure consent meets the enhanced requirements under Quebec's Law 25 (An Act to modernize legislative provisions as regards the protection of personal information):

Consent must be:

Express (Manifest): Obtained through clear affirmative action (checkbox, click-through, explicit agreement) - not pre-checked boxes or inactivity
Free: Not bundled with unrelated terms; declining optional processing does not prevent access to core services
Informed: Provided after disclosure of purposes, recipients, rights, and consequences in clear, plain language
Specific: Granted for each distinct processing purpose where required
Granular: Separate consent obtained for sensitive processing activities (e.g., GPS tracking, biometric data)

Additional Quebec Requirements:

Implied consent is not relied upon for Quebec residents except where legally permitted for non-sensitive commercial activities
Consent for minors (under 14) must be obtained from parent or guardian
We provide information in French upon request for Quebec residents

Quebec Right to Object: Quebec residents may object to the processing of their personal information for purposes other than those for which it was collected. Contact legal@axenvoy.com to exercise this right.

You may withdraw consent at any time, subject to legal or contractual restrictions:

How to Withdraw:

Email legal@axenvoy.com
Use unsubscribe links in marketing emails
Adjust consent preferences in account settings (where available)

Implications:

We will explain any consequences (e.g., inability to provide services)
Account termination may be necessary if consent for core processing is withdrawn
Legal retention obligations may require continued storage despite withdrawn consent

Consent is not required when:

Collection is clearly in your interests and consent cannot be obtained timely
Required by law or legal process
For investigation of law violations or emergencies
Information is publicly available and specified by regulation
Made for journalistic, artistic, or literary purposes

12. Changes to This Privacy Policy

12.1 Updates

We may update this Privacy Policy to reflect:

Changes in our data practices
New legal or regulatory requirements
Platform feature additions or modifications
Feedback from privacy authorities or audits

12.2 Notice of Material Changes

For material changes that affect your rights or how we use personal information:

30 days advance notice via email to registered account addresses
Prominent notice on Platform homepage
Option to withdraw consent or terminate account if you disagree
Updated "Last Updated" date at the top of this policy

12.3 Minor Changes

For non-material changes (clarifications, contact information updates, formatting):

Updated "Last Updated" date
Changes take effect immediately upon posting
Continued use constitutes acceptance

12.4 Version History

We maintain archived versions of prior Privacy Policies. You may request historical versions by contacting legal@axenvoy.com.

13. Contact Us

13.1 Privacy Inquiries

For questions, requests, or complaints related to privacy:

Privacy Officer: Axenvoy Inc. Email: legal@axenvoy.com Alternative Email: support@sergio.app

Mailing Address: Axenvoy Inc. Suite 1002, 1 Springs Drive, Unit #208 Swift Current, SK S9H 3X6, Canada

Response Time: We will respond to privacy requests within 30 days or provide explanation of any delay.

13.2 General Support

For non-privacy inquiries: Customer Support: support@sergio.app Billing: billing@axenvoy.com

14. Complaints and Regulatory Authorities

14.1 Internal Complaint Process (PIPEDA Principle 10)

If you believe we have not complied with this Privacy Policy or applicable privacy laws:

Contact our Privacy Officer at legal@axenvoy.com
We will investigate your complaint promptly and thoroughly
We will respond with findings and any corrective actions taken
We will document the complaint and resolution

14.2 Canadian Privacy Commissioner

If you are unsatisfied with our response, you may file a complaint with:

Office of the Privacy Commissioner of Canada (OPC) Website: https://www.priv.gc.ca/ Toll-Free: 1-800-282-1376 Email: info@priv.gc.ca Mail: Office of the Privacy Commissioner of Canada 30 Victoria Street Gatineau, Quebec K1A 1H3 Canada

14.3 Provincial Privacy Authorities (Canada)

For matters under provincial jurisdiction:

British Columbia: Office of the Information and Privacy Commissioner (OIPC BC) - https://www.oipc.bc.ca/
Alberta: Office of the Information and Privacy Commissioner of Alberta (OIPC AB) - https://www.oipc.ab.ca/
Quebec: Commission d'acces a l'information du Quebec (CAI) - https://www.cai.gouv.qc.ca/

14.4 US State Privacy Authorities

For US state privacy law complaints:

California: California Privacy Protection Agency - https://cppa.ca.gov/
Virginia: Office of the Attorney General - Consumer Protection Section
Colorado: Office of the Attorney General - Consumer Protection
Connecticut: Office of the Attorney General - Privacy and Data Security
Other states: Contact your state's Attorney General office

Note: Not all states have dedicated privacy enforcement agencies. Enforcement varies by state law.

15. Special Provisions for B2B SaaS Model

15.1 Customer as Data Controller

When business customers use the Platform to process their own customer data:

Customer Obligations:

Maintain lawful basis for collecting and processing end customer data
Obtain necessary consents from end customers
Provide privacy notices to end customers
Honor end customer rights requests (access, deletion, etc.)
Comply with applicable privacy laws (PIPEDA, provincial privacy laws, US state privacy laws)

Sergio Obligations:

Process data only according to customer instructions (via platform use)
Maintain security safeguards
Assist with data subject rights requests (reasonable assistance)
Notify customer of data breaches
Support compliance efforts (DPA, audit rights, etc.)

15.2 Data Processing Relationship

The data processing relationship between Sergio and business customers is governed by our Terms of Service (Section 9.4). Key aspects:

Controller-Processor Relationship: Customer is controller for end customer data, Sergio is processor
Sergio as Controller: For business customer account and billing data
Processing Instructions: Via platform functionality and configuration settings
Security Measures: As described in Section 8
Sub-Processors: Listed in Section 4.2, with 30-day change notice
Data Subject Rights: Sergio provides reasonable assistance as processor
Breach Notification: Within 72 hours of becoming aware when feasible
Data Return/Deletion: Within 30 days of account termination (Section 6.3)

15.3 Business Customer Privacy Obligations

Business customers must:

Provide privacy notices to their end customers
Disclose use of Sergio as service provider/processor
Obtain consents for data processing where required by applicable law
Maintain records of processing activities as required in their jurisdiction
Conduct privacy impact assessments when required by law
Report breaches to authorities and data subjects as required by applicable privacy laws
Comply with employment and privacy laws when using employee monitoring features

We are not responsible for:

Customer's failure to obtain proper consents from end customers or employees
Customer's privacy policy or notices to end customers and employees
Customer's compliance with privacy laws as a data controller
Customer's handling of data subject rights requests
Customer's compliance with employment laws regarding technician monitoring

16. Additional Information

16.1 Accuracy (PIPEDA Principle 6)

We rely on individuals to provide accurate information. We take reasonable steps to ensure personal information used for decisions is accurate, complete, and up-to-date.

Your Responsibility:

Provide accurate information during registration
Update information when changes occur
Notify us of inaccuracies

Our Responsibility:

Correct inaccuracies upon notification
Annotate records if accuracy is disputed
Maintain current data when used for decisions

16.2 Openness (PIPEDA Principle 8)

We are transparent about our privacy management practices:

This Privacy Policy describes our practices
Additional information available upon request
Documentation includes data retention schedules, security policies, DPA

16.3 Third-Party Links

The Platform may contain links to third-party websites or services (e.g., payment processors, help documentation). This Privacy Policy does not apply to third-party services. We are not responsible for third-party privacy practices. Review their privacy policies before providing information.

16.4 Business Continuity

In the event of service discontinuation:

We will provide 60 days notice when feasible
Customers will have opportunity to export data
Data will be deleted according to retention schedule
Sub-processors will be instructed to delete data

17. Jurisdiction-Specific Provisions

17.1 Saskatchewan, Canada

This Privacy Policy is governed by the laws of Saskatchewan, Canada. Our principal place of business is in Saskatchewan.

Provincial Laws: Saskatchewan does not have a provincial private-sector privacy law. PIPEDA (federal law) applies to our commercial activities in Saskatchewan.

Applicable Laws:

PIPEDA (Personal Information Protection and Electronic Documents Act)
Canadian Anti-Spam Legislation (CASL)
Other federal privacy and electronic commerce legislation

17.2 Other Canadian Provinces

British Columbia and Alberta (PIPA):

Substantially similar to PIPEDA with provincial variations
Provincial privacy commissioners have oversight
See Section 14.3 for contact information

Quebec (Law 25 / Private Sector Act):

More stringent than PIPEDA in some respects
Enhanced consent requirements for sensitive information
Commission d'acces a l'information du Quebec (CAI) has oversight
Mandatory breach notification for real risk of serious injury

17.3 United States (State Privacy Laws)

California (CCPA/CPRA):

Categories of Personal Information: See Section 2 Business Purposes: See Section 3 Third-Party Disclosures: See Section 4 Do Not Sell: We do not sell personal information Do Not Share: We do not share for cross-context behavioral advertising

California Privacy Rights:

Right to know what data is collected, used, and shared
Right to delete personal information
Right to correct inaccurate information (CPRA)
Right to non-discrimination for exercising rights
Right to limit use of sensitive personal information (if applicable)

Virginia, Colorado, Connecticut, Montana, Oregon, Texas, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island, Utah (Comprehensive State Laws):

Similar rights to California (access, deletion, correction, portability)
Right to opt-out of targeted advertising and sales (we do neither)
Right to opt-out of profiling for automated decisions (we do not profile)

Contact for US State Privacy Rights: legal@axenvoy.com

17.3.1 Global Privacy Control (GPC)

We honor Global Privacy Control (GPC) signals transmitted by your browser. When we detect a GPC signal, we treat it as a valid opt-out request. Since we do not sell or share personal information, the GPC signal confirms your preference which we already respect by default.

17.3.2 Automated Decision-Making Technology (ADMT)

Sergio uses artificial intelligence in the following limited capacities:

AI Feature	Purpose	Opt-Out
Support Chatbot	Answer common questions automatically	Yes - request human support
Glass Damage Assessment	Estimate damage severity from photos	Yes - request manual assessment
Photo Moderation	Screen uploads for inappropriate content	Limited - required for platform safety

Important: AI-generated outputs are advisory only. No automated system makes final decisions about your account, pricing, or service without human review.

Data Training: Your data is NOT used to train AI models. All AI processing is performed via Anthropic's API under a data processing agreement that prohibits training use.

To opt out of non-essential AI features or request human review of an AI decision, contact legal@axenvoy.com.

17.4 North America Only

Geographic Limitation: Sergio operates exclusively in North America (United States and Canada). We do not serve customers or process data for individuals located in:

European Union / European Economic Area
United Kingdom
Other international regions

If your business expands to include EU operations or employees, please contact us immediately. We plan to support international markets in 2027-2028 with appropriate legal documentation.

18. Definitions

Personal Information / Personal Data: Information about an identifiable individual, including name, email, phone number, IP address, device identifiers, and any other information that can reasonably identify a person.

Processing: Any operation performed on personal data, including collection, storage, use, disclosure, deletion, and modification.

Data Controller: The entity that determines the purposes and means of processing personal data.

Data Processor: The entity that processes personal data on behalf of and according to instructions from the data controller.

Consent: Voluntary agreement to collection, use, and disclosure of personal information, informed by adequate notice of purposes.

Anonymization: Irreversible process of removing personal identifiers such that individuals cannot be identified.

Sub-Processor: Third-party service provider engaged by a data processor to assist in processing activities.

19. Acknowledgment

By creating an account, using the Platform, or providing personal information, you acknowledge that:

You have read and understood this Privacy Policy
You consent to collection, use, and disclosure as described
You understand your privacy rights and how to exercise them
You have had opportunity to ask questions or seek clarification

For business customers: You represent that you have authority to consent on behalf of your organization and bind it to these terms.

END OF PRIVACY POLICY

Document Prepared: October 26, 2025 Last Updated: February 5, 2026 Next Review Date: June 21, 2026 (6 months - update before commercial launch) Approved By: Axenvoy Inc., Privacy Officer

DISCLAIMER: This Privacy Policy is provided for commercial use by Axenvoy Inc. While prepared with attention to applicable privacy laws, it has not been reviewed by external privacy counsel. Privacy laws are complex and rapidly evolving. Axenvoy Inc. recommends periodic review by qualified privacy counsel to ensure ongoing compliance as laws and regulations change.