Privacy Policy
Last Updated: August 20, 2025
10000090921 ONTARIO INC., doing business as "SAYYARA" (the "Company", "we", "us", or "our"), is committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our automotive shop management software, marketplace platform, and related services (collectively, the "Services").
This policy applies to all users including Service Providers (automotive shops), Vehicle Owners (customers), employees, and Platform Administrators. We comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Québec's Law 25, applicable provincial privacy laws (including requirements in BC and Québec), and relevant U.S. state privacy laws to the extent they apply (e.g., California CPRA). If this policy conflicts with a mandatory local law that applies to you, we will follow the stricter requirement.
By using our Services, you consent to the collection, use, and disclosure of your personal information as described in this policy. If you do not agree, please discontinue use of our Services.
This Privacy Policy is for general informational purposes and does not constitute legal advice. If you have questions about your rights or obligations, please consult a qualified lawyer in your jurisdiction.
1. Personal Information We Collect
1.1 Information You Provide Directly
- Account Information: Name, email address, phone number, password (encrypted), business name and address (Service Providers)
- Business Information (Service Providers): Shop details, services offered, pricing, employee information, business licenses
- Vehicle Information (Vehicle Owners): Vehicle make, model, year, VIN, maintenance history, service preferences
- Communication: Messages, reviews, ratings, support inquiries, feedback
- Payment Information: Billing address, payment method details (processed securely by Stripe)
1.2 Information Collected Automatically
- Technical Data: IP address, browser type, device information, operating system, referral URLs
- Usage Data: Pages visited, features used, time spent, click patterns, search queries
- Location Data: General location (city/region) for service matching, GPS location if you enable location services
- Cookies and Tracking: Authentication tokens, preferences, analytics data (see Cookie Policy)
1.3 Information from Third Parties
- Authentication Services: Information from social login providers (if used)
- Payment Processors: Transaction data from Stripe (for billing and payment processing)
- Integrations: Data from connected services like accounting software (with your explicit consent)
2. How We Use Your Personal Information
We use your personal information for the following purposes, with appropriate legal basis:
2.1 Service Operations (Contractual Necessity)
- Account creation, authentication, and management
- Processing subscriptions, billing, and payments
- Facilitating connections between Service Providers and Vehicle Owners
- Managing work orders, appointments, and service history
- Providing customer support and technical assistance
- Processing digital vehicle inspection reports (when available)
2.2 Business Operations (Legitimate Interests)
- Platform security, fraud prevention, and abuse detection
- Service improvement, feature development, and optimization
- Analytics and usage monitoring to enhance user experience
- Internal business operations and administrative purposes
- Backup, disaster recovery, and business continuity
2.3 Communication (Consent/Legitimate Interests)
- Sending transactional emails (account notifications, receipts, security alerts)
- Marketing communications (with explicit consent, following CASL requirements)
- Product updates and feature announcements (with opt-out options)
- Surveys and feedback requests (optional participation)
2.4 Legal Compliance
- Compliance with applicable laws, regulations, and court orders
- Tax reporting and business license compliance
- Response to lawful requests from government authorities
- Enforcement of our Terms of Service and other policies
3. Information Sharing and Disclosure
We do not sell your personal information. We also do not “share” your information for cross‑context behavioral advertising as those terms are defined under the California Privacy Rights Act (CPRA). If we begin engaging in targeted advertising that uses personal information, we will provide a clear opt‑out mechanism and honor Global Privacy Control (GPC) signals where legally required.
We may share your information in the following limited circumstances:
3.1 Within the Platform
- Service Provider information is visible to Vehicle Owners for service selection
- Vehicle Owner contact information is shared with selected Service Providers for service delivery
- Reviews and ratings are publicly visible (anonymized when requested)
3.2 Service Providers and Partners
- Stripe: Payment processing and subscription billing (governed by Stripe's privacy policy)
- Email Services: Transactional and marketing email delivery (Nodemailer, Resend)
- Cloud Infrastructure: Data hosting and processing via cloud platforms and content delivery networks; we rely on their published security and privacy practices
- Analytics: Usage analytics and performance monitoring (anonymized data only)
We enter into data processing agreements with our service providers that require appropriate technical and organizational safeguards and limit use of your personal information to the provision of contracted services.
3.3 Legal Requirements
- When required by law, court order, or governmental request
- To protect our rights, property, or safety, or that of our users
- In connection with legal proceedings or investigations
- To enforce our Terms of Service or other agreements
3.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, with appropriate notice and protection measures.
4. Your Privacy Rights and Choices
4.1 Access and Portability Rights
- Right to Access: Request a copy of your personal information we hold. Contact legal@sayyara.io
- Data Portability: Request your data in a machine-readable format for transfer
- Business Data Export: Service Providers can export their business data and analytics
4.2 Correction and Update Rights
- Update your account information directly through your account settings
- Request correction of inaccurate or incomplete information
- Update communication preferences and consent settings
4.3 Deletion Rights
- Account Deletion: Delete your account and associated personal information
- Right to Erasure: Request deletion of specific personal information (subject to legal retention requirements)
- Data Minimization: We retain only necessary information for legitimate business purposes
4.4 Communication Preferences
- Marketing Opt-out: Unsubscribe from marketing communications at any time
- CASL Compliance: All marketing follows Canadian Anti-Spam Legislation requirements
- Transactional Communications: Essential service communications cannot be disabled
5. Data Retention and Storage
5.1 Retention Periods
- Account Data: Retained while the account is active. Upon account closure, we delete or anonymize routine personal information within 24 months, unless longer retention is required by law or necessary for legitimate business purposes (e.g., dispute resolution, fraud prevention).
- Transaction Records: Retained for 7 years as required by Canadian business law
- Communication Records: Retained for up to 24 months or as legally required
- Technical Logs: Retained for 12 months for security and performance purposes
- Marketing Consent: Retained until withdrawn, then archived for compliance records
We will also retain records of any privacy or security incidents in accordance with applicable law, including maintaining a log of confidentiality incidents under Québec Law 25 and retaining breach records under PIPEDA.
5.2 Data Storage Locations
- Primary Storage: Canada (Supabase Canadian region when available)
- Backup Storage: If and when backups are enabled in the future, they may include US-based cloud storage with appropriate safeguards
- Processing: Backend processing and frontend hosting may occur in US data centers with adequate protection measures
- Third-party Services: Payment, email delivery, and related processors may operate in various regions and are subject to their own privacy policies
6. Data Security and Protection
6.1 Technical Safeguards
- Encryption: Data is encrypted in transit and at rest by our providers. We do not make specific cryptographic guarantees.
- Access Controls: Authentication is email-and-password based. MFA is not currently supported.
- Infrastructure: We host the Services on reputable providers and rely on their published security controls. We do not currently hold SOC 2 or similar certifications.
- Monitoring: We do not provide 24/7 active monitoring. We address issues on a best-effort basis and rely on providers for infrastructure-level monitoring.
- Backups: No automatic backups are performed by us while operating on the Supabase free tier. Backup features may be enabled if we upgrade to a paid plan.
6.2 Organizational Safeguards
- Staff Training: Privacy and security training for all employees
- Access Limitation: Personal information access limited to authorized personnel only
- Confidentiality: All staff bound by confidentiality agreements
- Incident Response: Documented procedures for privacy breach notification and response
Important: While we implement industry-standard security measures, no system is completely secure. We cannot guarantee absolute protection against all security threats.
7. Children's Privacy
- Our Services are not intended for individuals under 18 years of age, and we do not knowingly collect personal information from children, including children under 13 years of age. If you believe a child under 13 has provided us with information, contact us so we can delete it.
- If we discover we have collected information from a child, we will delete it promptly.
- Parents or guardians may contact us at legal@sayyara.io to request deletion of any such information.
8. International Data Transfers
- Canadian Operations: We are a Canadian company and prioritize storing data in Canada when technically feasible.
- Cross-border Processing: Some data may be processed in the United States or other countries for technical or business reasons.
- Safeguards: All international transfers include appropriate contractual protections and comply with applicable privacy laws. Where required by Québec Law 25, we conduct a privacy impact assessment (PIA) for cross-border disclosures and ensure that the information will receive adequate protection.
- Third-party Services: Services like Stripe may process data globally; their privacy policies apply.
9. Third-Party Integrations and Links
- Categories of Integrations: Payment processors, managed databases/auth, email delivery, hosting/CDN, backend platform tooling, and analytics (if enabled)
- Third-party Responsibility: We are not responsible for privacy practices of linked websites or integrated services
- Integration Notice: We will update this policy when new integrations share personal information
External Data Sources: For certain vehicle data features (e.g., make/model/variant selection and VIN decoding), we may use public/government APIs. We do not guarantee the accuracy, completeness, timeliness, or availability of third-party data.
10. Cookies and Tracking Technologies
- Essential Cookies: Required for authentication, security, and basic functionality
- Analytics Cookies: Help us understand usage patterns and improve the Service
- Preference Cookies: Remember your settings and preferences
- Marketing Cookies: Used for targeted communications (with consent, where applicable)
- Cookie Control: You can control cookies through your browser settings, though some features may not work properly
If we engage in cross‑context behavioral advertising, we will provide additional disclosures and an opt‑out mechanism as required by applicable law and honor Global Privacy Control (GPC) signals.
We do not currently implement multi-factor authentication (MFA). Authentication is email-and-password based. If that changes, we will update this policy and the Terms.
11. Future Features and AI
- AI Assistance: We may introduce AI features for scheduling, analytics, or customer service
- Automated Decisions: Any automated decision-making will be disclosed, with human review options when legally required
- Digital Inspections: Future vehicle inspection reports may include photos, videos, and diagnostic data
- Enhanced Analytics: Advanced business intelligence features for Service Providers
- Notice Required: Material changes to data use will require updated consent and policy notification
12. Jurisdiction-Specific Rights
12.1 Canadian Residents (PIPEDA)
- Right to access personal information and know how it's used
- Right to request correction of inaccurate information
- Right to withdraw consent (where legally permissible)
- Right to file complaints with the Privacy Commissioner of Canada
12.2 Québec Residents (Law 25)
- Right to be informed of cross‑border disclosures and safeguards
- Right to access, rectification, and, as applicable, data portability
- Right to withdraw consent where consent is the legal basis
- Right to lodge a complaint with the Commission d’accès à l’information (CAI)
12.3 California Residents (CCPA/CPRA)
- Right to know/access categories and specific pieces of personal information
- Right to delete personal information (subject to exceptions)
- Right to correct inaccurate personal information
- Right to opt‑out of sale or sharing of personal information; we do not sell or share personal information as defined by CPRA
- Right to opt‑out of certain profiling/automated decision making (as implemented)
- Right to non‑discrimination for exercising privacy rights
- We honor Global Privacy Control (GPC) signals where legally required
12.4 Other U.S. States
Residents of Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Oregon, Montana, Texas, Delaware, Tennessee, and other states with comprehensive privacy laws may have similar rights to access, delete, correct, and opt‑out of targeted advertising. Contact us to learn about rights applicable to your jurisdiction.
13. Privacy Breach and Confidentiality Incident Notification
We maintain an incident response plan and a log of confidentiality incidents. In the event of a breach posing a real risk of significant harm under PIPEDA or a confidentiality incident presenting a risk of serious injury under Québec Law 25, we will:
- Notify affected individuals as soon as feasible/as soon as possible, including mitigation steps and contact information
- Report to the Office of the Privacy Commissioner of Canada (OPC) and, where applicable, to provincial regulators (including the CAI in Québec)
- Document the breach and retain records as required by law (including at least 24 months under PIPEDA)
- Promptly take steps to contain the incident and prevent recurrence
14. Changes to This Privacy Policy
- We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or business operations.
- Material changes that adversely affect your privacy rights will be communicated via email (to your registered address) or prominent platform notice.
- Non-material changes will be posted with an updated "last modified" date.
- Continued use of the Services after policy changes constitutes acceptance of the updated policy.
15. Marketing Communications (CASL)
- We send commercial electronic messages only with appropriate consent as required by Canada’s Anti‑Spam Legislation (CASL)
- Every marketing message identifies us and includes a working unsubscribe mechanism
- Unsubscribe requests are processed without delay and no later than 10 business days
- We maintain records of consent and unsubscribe requests in accordance with CASL
16. Contact Information and Privacy Officer
For privacy-related questions, concerns, or to exercise your rights, please contact us:
10000090921 ONTARIO INC. (d/b/a "SAYYARA")
202-100 Main Street East
#1504
Hamilton, ON L8N 3W4
Canada
Email: legal@sayyara.io
General Inquiries: support@sayyara.io
Legal: legal@sayyara.io
Response Time: We will respond to privacy requests within 30 days of receipt. Complex requests may require up to 60 days with notification of the extension.
Privacy Commissioner: Canadian residents may file complaints with the Privacy Commissioner of Canada at www.priv.gc.ca