Privacy Policy
This policy describes how Charcom ("we", "us", or "our") collects, uses, stores, and shares personal information. Charcom is operated by [OPERATOR LEGAL NAME] as a sole proprietorship in Ontario, Canada. We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, Quebec's Law 25. Privacy questions: [PRIVACY_EMAIL].
1. What we collect
- Account information — name, email, phone (if provided), real-estate license number (if provided), brokerage name (if provided).
- Payment information — handled by Stripe. Charcom does not store credit-card numbers. We see only the metadata Stripe returns (last 4 digits, brand, expiry, billing address).
- Site content — anything you upload to your tenant site: photos, listings, copy, logos.
- Lead data — personal information End Users submit through forms on your tenant site (name, email, phone, message, etc.). See Section 5.
- Technical data — IP address, user-agent string, log timestamps, cookies and similar technologies (see /cookies), and aggregated analytics data (where enabled).
2. Why we collect it
- Account creation and authentication
- Billing and tax compliance
- Service delivery (rendering your tenant site, processing leads, sending notifications)
- Customer support
- Security, fraud prevention, and abuse detection
- Legal compliance (CRA records, lawful requests)
- Product improvement (aggregate, de-identified analytics)
- Transactional emails (signup confirmation, billing receipts, security alerts)
We do not sell personal information to third parties. We do not share personal information with marketers. We do not use lead data captured on your tenant site for our own marketing.
3. Marketing emails
Marketing emails (newsletters, product announcements) are opt-in only and CASL-compliant. Every marketing email contains an unsubscribe link. Transactional emails (billing receipts, security alerts) are sent regardless of marketing preferences because they are required for the Service.
4. Lead-data clarification
Leads captured on your tenant site are processed by Charcom on your behalf. With respect to lead data, you are the data controller and Charcom is the data processor, governed by the Data Processing Addendum. Charcom does not use lead data for its own marketing or sell it to anyone.
5. Sub-processors
Charcom relies on the following sub-processors. Each maintains its own privacy policy and data-protection commitments. Personal information may be processed in the United States or other jurisdictions by these providers.
| Provider | Purpose | Privacy policy |
|---|---|---|
| Stripe | Payments, billing | stripe.com/privacy |
| Vercel | Hosting (where used) | vercel.com/legal/privacy-policy |
| Cloudflare | Hosting, CDN, edge delivery | cloudflare.com/privacypolicy |
| Supabase | Database, authentication, storage | supabase.com/privacy |
| Resend | Transactional email | resend.com/legal/privacy-policy |
| Mapbox | Maps (where embedded) | mapbox.com/legal/privacy |
| Google Analytics | Analytics (only if enabled) | policies.google.com/privacy |
We will publish a live, version-controlled list of sub-processors at /legal/sub-processors. Subscribers may sign up to be notified by email when a sub-processor is added or replaced. Subscribers who object to a new sub-processor may terminate the Service per the Data Processing Addendum.
6. Cookies
We use cookies and similar technologies described in the Cookies Policy. For visitors in jurisdictions that require it (EU/EEA, UK, Quebec), we display a consent banner with granular toggles and a "Reject Non-Essential" button presented with equal prominence to "Accept All". Consent decisions are recorded in our LegalAcceptance audit log.
7. Retention
- Account and tenant data — retained while your subscription is active and for 90 days after termination, then deleted.
- Operational backups — purged within 12 months.
- Billing and legal records — retained for 7 years as required by the Canada Revenue Agency.
- LegalAcceptance audit records — retained for the lifetime of the account plus 7 years for evidentiary purposes.
8. Security
We use TLS in transit, encryption at rest via Supabase, PCI-DSS-compliant payment processing via Stripe, Row-Level Security for tenant isolation, and offer two-factor authentication. No system is 100% secure. Charcom commits to reasonable industry-standard safeguards but cannot guarantee absolute security against all threats.
9. Your rights under PIPEDA
You have the right to:
- Access — request a copy of personal information we hold about you.
- Correct — request correction of inaccurate or out-of-date personal information.
- Withdraw consent — withdraw consent for any processing where consent is the legal basis (some processing is required by law and cannot be withdrawn without canceling the Service).
- Complain — file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) if you believe we have not handled your information properly.
Quebec residents (Law 25) also have the right to data portability and the right to be forgotten, subject to applicable retention exceptions. Send Quebec Law 25 requests to [PRIVACY_EMAIL] and reference "Law 25".
To exercise any of these rights, email [PRIVACY_EMAIL] from the address on file. We will respond within 30 days.
10. Children
The Service is not directed at, and we do not knowingly collect personal information from, anyone under 18. If you believe a minor has provided personal information to Charcom, contact [PRIVACY_EMAIL] and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email at least 30 days before they take effect. The current effective date is shown at the top of the page.
12. Contact
Privacy questions, access or correction requests: [PRIVACY_EMAIL]
Mailing address: [POSTAL ADDRESS] (placeholder until confirmed).