Privacy Policy
Last Updated: January 21, 2026
10000090921 ONTARIO INC., doing business as "SAYYARA" (the "Company", "we", "us", or "our"), is committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our automotive shop management software, marketplace platform, and related services (collectively, the "Services").
This policy applies to all users including Service Providers (automotive shops), Vehicle Owners (customers), employees, and Platform Administrators. We comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Québec's Law 25, applicable provincial privacy laws (including requirements in BC and Québec), and relevant U.S. state privacy laws to the extent they apply (e.g., California CPRA). We do not target or onboard users in the EU/UK. If this policy conflicts with a mandatory local law that applies to you, we will follow the stricter requirement.
By using our Services, you consent to the collection, use, and disclosure of your personal information as described in this policy. If you do not agree, please discontinue use of our Services.
This Privacy Policy is for general informational purposes and does not constitute legal advice. If you have questions about your rights or obligations, please consult a qualified lawyer in your jurisdiction.
1. Personal Information We Collect
1.1 Information You Provide Directly
- Account Information: Name, email address, phone number, password (encrypted), business name and address (Service Providers)
- Business Information (Service Providers): Shop details, services offered, pricing, employee information, business licenses
- Vehicle Information (Vehicle Owners): Vehicle make, model, year, VIN, maintenance history, service preferences
- Inspection and Estimate Media: Photos and videos uploaded for digital inspections and estimates
- Communication: Messages, reviews, ratings, support inquiries, feedback
- Invoice and Payment Records: Invoice details, amounts, payment method type, and transaction identifiers recorded by Service Providers
- Subscription Billing: Billing address and payment method details for subscriptions (processed securely by Stripe)
- Notification Preferences: Channel settings and web push opt-in status
1.2 Information Collected Automatically
- Technical Data: IP address, browser type, device information, operating system, referral URLs
- Usage and Log Data: Feature usage, timestamps, and system logs collected for security, debugging, and performance monitoring (including Cloudflare Observability logs)
- Location Data: General location (city/region) for service matching, GPS location if you enable location services
- Push Tokens: Browser/device push tokens when you enable web push notifications
- Cookies and Tracking: Authentication tokens and preferences (see Cookie Policy)
1.3 Information from Third Parties
- Authentication Services: Information from social login providers (if used)
- Payment Processors: Transaction data from Stripe (for billing and payment processing)
- Service Providers: Vehicle Owner contact and vehicle information provided by Service Providers, including for Vehicle Owners who do not have an account
- Accounting Integrations: Data from connected services like Intuit QuickBooks, including imported customer contact information (name, email, phone number, billing address) and synced customers, invoices, and payments. Invoice sync may include a vehicle summary in the invoice private note (display name, VIN, license plate, odometer, and technician name), and payment sync may include transaction identifiers in the payment private note, when a repair order is completed (with your explicit consent). We are not responsible for any incorrect, incomplete, or inaccurate data synced with QuickBooks, nor for any sync failures or data discrepancies. You are responsible for verifying the accuracy of data in connected third-party services.
2. How We Use Your Personal Information
We use your personal information for the following purposes, with appropriate legal basis:
2.1 Service Operations (Contractual Necessity)
- Account creation, authentication, and management
- Processing subscriptions, billing, and payments
- Facilitating connections between Service Providers and Vehicle Owners
- Managing repair orders, appointments, and service history
- Recording invoices and payment details and syncing customers, invoices, and payments to QuickBooks when connected and a repair order is completed, including vehicle summaries in invoice private notes (display name, VIN, license plate, odometer, and technician name) and payment transaction identifiers in payment private notes
- Providing cross‑shop service history to Service Providers for operational context, limited to repair order date, services, parts, notes, and vehicle information. Prices, totals, status, repair order numbers, and the originating shop name are only visible to the originating shop. This feature is not currently optional.
- Providing customer support and technical assistance
- Processing digital vehicle inspection reports and estimates, including photos and videos
- Sending transactional notifications (inspection ready, estimate updates, ready for pickup, and invoice/payment updates) via email, SMS, in-app, and web push
2.2 Business Operations (Legitimate Interests)
- Platform security, fraud prevention, and abuse detection
- Service improvement, feature development, and optimization
- Service usage monitoring for security and performance (no third-party product analytics)
- Internal business operations and administrative purposes
- Backup, disaster recovery, and business continuity
- System logging and observability (Cloudflare)
2.3 Communication (Consent/Legitimate Interests)
- Sending transactional messages (account notifications, inspection/estimate updates, ready for pickup, and invoice/payment updates)
- SMS and email are sent to Vehicle Owners for transactional purposes only; Service Providers cannot send marketing content or outbound campaigns through the platform. By providing your phone number, you consent to receive transactional SMS
- If a Service Provider provides your contact information, we may send transactional messages related to your service even if you do not have an account
- In-app and web push notifications may be sent to Vehicle Owners and Service Providers; web push requires opt-in in profile settings
- We do not send marketing communications at this time. If we introduce marketing, we will obtain appropriate consent and provide opt-out options
2.4 Legal Compliance
- Compliance with applicable laws, regulations, and court orders
- Tax reporting and business license compliance
- Response to lawful requests from government authorities
- Enforcement of our Terms of Service and other policies
2.5 Pricing and Processing Costs
- Subscription pricing is set to include our payment processing costs; you will see a single subscription charge.
- We currently accept cards via Stripe; no separate processing fee line is shown.
3. Information Sharing and Disclosure
We do not sell your personal information. We also do not “share” your information for cross‑context behavioral advertising as those terms are defined under the California Privacy Rights Act (CPRA). If we begin engaging in targeted advertising that uses personal information, we will provide a clear opt‑out mechanism and honor Global Privacy Control (GPC) signals where legally required.
We may share your information in the following limited circumstances:
3.1 Within the Platform
- Service Provider information is visible to Vehicle Owners for service selection
- Vehicle Owner contact information is shared with selected Service Providers for service delivery
- Reviews and ratings are publicly visible (anonymized when requested)
- Cross‑shop service history is available to Service Providers who have an active relationship with the Vehicle Owner. For repair orders created by other shops, only date, services, parts, notes, and vehicle information are shown; pricing, status, order numbers, and the originating shop name are not disclosed. This feature is not currently optional.
3.2 Service Providers and Partners
- Hosting/CDN/Edge: Vercel (frontend hosting), Cloudflare Workers and Queues (backend execution and messaging), Cloudflare Observability (system logs)
- Database/Auth/Realtime: Supabase (free tier; no managed backups enabled on current plan)
- Payments: Stripe (subscription billing)
- Accounting: Intuit QuickBooks (when connected)
- Email/SMS: NotificationAPI.com for SMS/email; Resend as email fallback; carrier networks for message delivery
- Push and In-App: Supabase Realtime (in-app notifications); browser/platform push services (e.g., Apple, Google, Mozilla) for web push delivery when enabled
- Other Third Parties: Public/government APIs for vehicle data (e.g., VIN decoding). We do not currently use product analytics, session replay, or third-party error monitoring vendors.
We enter into data processing agreements with our service providers that require appropriate technical and organizational safeguards and limit use of your personal information to the provision of contracted services.
3.3 Legal Requirements
- When required by law, court order, or governmental request
- To protect our rights, property, or safety, or that of our users
- In connection with legal proceedings or investigations
- To enforce our Terms of Service or other agreements
3.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, with appropriate notice and protection measures.
4. Your Privacy Rights and Choices
4.1 Access and Portability Rights
- Right to Access: Request a copy of your personal information we hold. Contact legal@sayyara.io
- Data Portability: Request your data in a machine-readable format for transfer
- Business Data Export: Service Providers can export their business data and analytics
4.2 Correction and Update Rights
- Update your account information directly through your account settings
- Request correction of inaccurate or incomplete information
- Update communication preferences and consent settings
4.3 Deletion Rights
- Account Deletion: Delete your account and associated personal information
- Right to Erasure: Request deletion of specific personal information (subject to legal retention requirements)
- Data Minimization: We retain only necessary information for legitimate business purposes
4.4 Communication Preferences
- Transactional Communications: Essential service communications may be sent via email and SMS. You can update your contact information or request changes by contacting support
- SMS Consent Collection: Consent to receive transactional SMS (e.g., vehicle ready for pickup, inspection ready, invoice sent) may be collected verbally by shop staff when you provide your phone number in person, via web forms, or through other electronic means. Service Providers are solely responsible for ensuring they have obtained appropriate consent before enabling SMS notifications or providing your contact information to us. We are not responsible for SMS messages sent as a result of a Service Provider enabling notifications without obtaining proper consent.
- SMS Opt-Out: You may opt out of SMS notifications at any time by replying "STOP" to any message. Standard opt-out keywords including "STOP", "UNSUBSCRIBE", "CANCEL", "END", and "QUIT" are honored. To re-enable SMS notifications, reply "START" or update your preferences in account settings.
- Web Push: Push notifications are optional and can be enabled or disabled in your profile settings
- Marketing Communications: We do not send marketing communications at this time. If we introduce marketing, you will have opt-out options
5. Data Retention and Storage
5.1 Retention Periods
- Account Data: Retained while the account is active. Upon account closure, we delete or anonymize routine personal information within 30 days, unless longer retention is required by law or necessary for legitimate business purposes (e.g., dispute resolution, fraud prevention).
- Transaction Records: Retained for 7 years as required by Canadian business law
- Communication Records: Retained for up to 24 months or as legally required
- Inspection Media and Service Records: Retained with service history and deleted or anonymized within 30 days of account closure unless longer retention is required by law
- Technical Logs: Retained for 12 months for security and performance purposes
- Marketing Consent: We do not send marketing communications at this time. If we do in the future, consent records will be retained until withdrawn and then archived for compliance purposes
We will also retain records of any privacy or security incidents in accordance with applicable law, including maintaining a log of confidentiality incidents under Québec Law 25 and retaining breach records under PIPEDA.
5.2 Data Storage Locations
- Primary Storage: Canada (Supabase Canadian region when available)
- Backup Storage: If and when backups are enabled in the future, they may include US-based cloud storage with appropriate safeguards
- Processing: Backend processing and frontend hosting may occur in US data centers with adequate protection measures
- Third-party Services: Payment, email delivery, and related processors may operate in various regions and are subject to their own privacy policies
6. Data Security and Protection
6.1 Technical Safeguards
- Encryption: Data is encrypted in transit and at rest by our providers. We do not make specific cryptographic guarantees.
- Access Controls: Authentication is email-and-password based. MFA is not currently supported.
- Infrastructure: We host the Services on reputable providers and rely on their published security controls. We do not currently hold SOC 2 or similar certifications.
- Monitoring: We do not provide 24/7 active monitoring. We address issues on a best-effort basis and rely on providers for infrastructure-level monitoring.
- Backups: No automatic backups are performed by us while operating on the Supabase free tier. Backup features may be enabled if we upgrade to a paid plan.
6.2 Organizational Safeguards
- Staff Training: Privacy and security training for all employees
- Access Limitation: Personal information access limited to authorized personnel only
- Confidentiality: All staff bound by confidentiality agreements
- Incident Response: Documented procedures for privacy breach notification and response
Important: While we implement industry-standard security measures, no system is completely secure. We cannot guarantee absolute protection against all security threats.
7. Children's Privacy
- Our Services are not intended for individuals under 18 years of age, and we do not knowingly collect personal information from children, including children under 13 years of age. If you believe a child under 13 has provided us information, contact us so we can delete it.
- If we discover we have collected information from a child, we will delete it promptly.
- Parents or guardians may contact us at legal@sayyara.io to request deletion of any such information.
8. International Data Transfers
- Territory: We serve customers in the United States and Canada and do not target or onboard users in the EU/UK.
- Canadian Operations: We are a Canadian company and prioritize storing data in Canada when technically feasible.
- Cross-border Processing: Some data may be processed in the United States or other countries for technical or business reasons.
- Safeguards: All international transfers include appropriate contractual protections and comply with applicable privacy laws. Where required by Québec Law 25, we conduct a privacy impact assessment (PIA) for cross-border disclosures and ensure that the information will receive adequate protection.
- Third-party Services: Services like Stripe may process data globally; their privacy policies apply.
9. Third-Party Integrations and Links
- Categories of Integrations: Payment processors, accounting software (QuickBooks), managed databases/auth/realtime, email/SMS delivery, hosting/CDN/edge, backend platform tooling, web push delivery services, and logging/observability
- Third-party Responsibility: We are not responsible for privacy practices of linked websites or integrated services
- Integration Notice: We will update this policy when new integrations share personal information
External Data Sources: For certain vehicle data features (e.g., make/model/variant selection and VIN decoding), we may use public/government APIs. We do not guarantee the accuracy, completeness, timeliness, or availability of third-party data.
Notes Caution: Notes entered by Service Providers on repair orders may be visible across shops as part of service history (this feature is not optional; originating shop name and pricing are hidden). Do not include personal health information, financial details, government IDs, or other sensitive personal information in notes.
Media Caution: Photos and videos uploaded for DVI/estimates may include personal information. Do not upload driver licenses, payment cards, or any sensitive personal data in media. We are not responsible for personal data you choose to include in uploads.
10. Cookies and Tracking Technologies
- Essential Cookies: Required for authentication, security, and basic functionality
- Analytics Cookies: Not currently used. If enabled in the future, they will help us understand usage patterns and improve the Service
- Preference Cookies: Remember your settings and preferences
- Marketing Cookies: Not currently used. If enabled in the future, they will be used only with consent where required
- Cookie Control: You can control cookies through your browser settings, though some features may not work properly
If we engage in cross‑context behavioral advertising, we will provide additional disclosures and an opt‑out mechanism as required by applicable law and honor Global Privacy Control (GPC) signals.
We do not currently implement multi-factor authentication (MFA). Authentication is email-and-password based. If that changes, we will update this policy and the Terms.
11. Current and Future Features
- AI Assistance: We may introduce AI features for scheduling, analytics, or customer service
- Automated Decisions: Any automated decision-making will be disclosed, with human review options when legally required
- Digital Inspections: Vehicle inspection reports and estimates can include photos, videos, and diagnostic data
- Enhanced Analytics: Advanced business intelligence features for Service Providers
- Notice Required: Material changes to data use will require updated consent and policy notification
12. Jurisdiction-Specific Rights
12.1 Canadian Residents (PIPEDA)
- Right to access personal information and know how it's used
- Right to request correction of inaccurate information
- Right to withdraw consent (where legally permissible)
- Right to file complaints with the Privacy Commissioner of Canada
12.2 Québec Residents (Law 25)
- Right to be informed of cross‑border disclosures and safeguards
- Right to access, rectification, and, as applicable, data portability
- Right to withdraw consent where consent is the legal basis
- Right to lodge a complaint with the Commission d’accès à l’information (CAI)
12.3 California Residents (CCPA/CPRA)
- Right to know/access categories and specific pieces of personal information
- Right to delete personal information (subject to exceptions)
- Right to correct inaccurate personal information
- Right to opt‑out of sale or sharing of personal information; we do not sell or share personal information as defined by CPRA
- Right to opt‑out of certain profiling/automated decision making (as implemented)
- Right to non‑discrimination for exercising privacy rights
- We honor Global Privacy Control (GPC) signals where legally required
12.4 Other U.S. States
Residents of other U.S. states with comprehensive privacy laws may have similar rights to access, delete, correct, and opt‑out of targeted advertising or certain profiling. Contact us to learn about rights applicable to your jurisdiction.
We may need to verify your identity before fulfilling a request. Authorized agents may submit requests on your behalf with proof of authorization. If your request is denied, you may appeal by contacting legal@sayyara.io.
13. Privacy Breach and Confidentiality Incident Notification
We maintain an incident response plan and a log of confidentiality incidents. In the event of a breach posing a real risk of significant harm under PIPEDA or a confidentiality incident presenting a risk of serious injury under Québec Law 25, we will:
- Notify affected individuals as soon as feasible/as soon as possible after we become aware, including mitigation steps and contact information. We do not operate 24/7 monitoring, so discovery may depend on user reports or provider alerts.
- Report to the Office of the Privacy Commissioner of Canada (OPC) and, where applicable, to provincial regulators (including the CAI in Québec)
- Document the breach and retain records as required by law (including at least 24 months under PIPEDA)
- Promptly take steps to contain the incident and prevent recurrence
14. Changes to This Privacy Policy
- We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or business operations.
- Material changes that adversely affect your privacy rights will be communicated via email (to your registered address) or prominent platform notice.
- Non-material changes will be posted with an updated "last modified" date.
- Continued use of the Services after policy changes constitutes acceptance of the updated policy.
15. Marketing Communications (CASL)
- We do not send marketing communications at this time. If we do, we will obtain appropriate consent as required by Canada’s Anti‑Spam Legislation (CASL)
- Every marketing message will identify us and include a working unsubscribe mechanism
- Unsubscribe requests are processed without delay and no later than 10 business days
- We maintain records of consent and unsubscribe requests in accordance with CASL
16. Contact Information and Privacy Officer
For privacy-related questions, concerns, or to exercise your rights, please contact us:
10000090921 ONTARIO INC. (d/b/a "SAYYARA")
202-100 Main Street East
#1504
Hamilton, ON L8N 3W4
Canada
Email: legal@sayyara.io
General Inquiries: support@sayyara.io
Legal: legal@sayyara.io
Response Time: We will respond to privacy requests within 30 days of receipt. Complex requests may require up to 60 days with notification of the extension.
Privacy Commissioner: Canadian residents may file complaints with the Privacy Commissioner of Canada at www.priv.gc.ca