Privacy Policy

Effective: April 21, 2026 · Version 1.0

ShopBayHQ (“we”, “us”) is operated by James Olusogain Toronto, Ontario, Canada. This policy describes what we collect, why, how long we keep it, who we share it with, and your rights. It is written to comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's Law 25.

Short version:We collect the minimum needed to run your shop. We don't sell your data. We don't train AI models on it. Your data stays in North America. You can export or delete everything at any time.

1. Privacy Officer

Our designated Privacy Officer under PIPEDA is James Olusoga. All privacy requests, concerns, and breach inquiries: privacy@shopbayhq.com. We respond within 30 calendar days.

2. What we collect

  • Account data — name, email, bcrypt-hashed password or Google OAuth subject ID, role, organization.
  • Workspace data — vehicles (VIN, plate, make/model), advisors, lots, service types, intake photos, staff hour entries, comments — created by you inside your workspace.
  • Staff PINs — stored hashed (bcrypt), never recoverable in plaintext.
  • Billing data — handled entirely by Stripe. We store only a Stripe customer ID and subscription status. We never see your card number.
  • Operational telemetry — request logs (path, status code, timing), error stack traces (via Sentry), aggregated performance metrics. Authorization headers and cookies are automatically scrubbed before logs leave our servers.
  • Session cookie — HTTP-only, Secure, SameSite=Strict.

3. What we don't do

  • We do not sell, rent, or share your data with advertisers.
  • We do not train AI or machine learning models on your workspace data.
  • We do not read your workspace data except to diagnose an issue you've reported.
  • We do not share data between tenants — every query is scoped to your organization.
  • We do not use tracking cookies. No Google Analytics, no Facebook Pixel, no ad networks.

4. Where your data lives

Application data is stored in managed PostgreSQL hosted in Canada (Azure East US 2 via Neon with Canadian data-residency option on request). Photos are stored in Cloudflare R2, encrypted at rest. Backups are encrypted and kept in the same region. We do not transfer personal data outside North America.

5. How long we keep it

  • Active account data — for as long as your subscription is active.
  • Staff hours — retained for 3 years (Ontario Employment Standards Act requirement), auto-archived after, permanently deleted at 7 years.
  • Vehicle records + photos — retained for 1 year after the vehicle is archived, then deleted.
  • Session records — expire after 7 days of inactivity.
  • Audit logs — retained 7 years for legal defensibility.
  • Backups — rolling 30 days, encrypted.
  • When you cancel — data kept 30 days (in case you return), then purged. Export available any time before purge.

6. Subprocessors

We use a minimal set of vendors, each under contract:

  • Cloudflare (USA / global edge) — DNS, CDN, tunnel, R2 storage, WAF, bot protection.
  • Neon (USA) — managed PostgreSQL database.
  • Stripe (USA) — payment processing. PCI-DSS Level 1.
  • Sentry (USA) — error tracking. PII scrubbing enabled.
  • Vercel (USA) — marketing site hosting only. No customer workspace data touches Vercel.
  • Google (USA, optional) — only if you sign in with Google OAuth; they share email and name.

We review this list quarterly. Material changes will be announced via email.

7. Your rights under PIPEDA & Law 25

You have the right to:

  • Access — request a copy of all personal information we hold about you.
  • Portability — receive your data in a structured, commonly used, machine-readable format (JSON + CSV).
  • Correction — request corrections to inaccurate information.
  • Deletion — request permanent deletion of your account and all associated data.
  • Withdrawal — withdraw consent to processing (ends your subscription).
  • Complaint — file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or, in Quebec, the Commission d'accès à l'information.

Email privacy@shopbayhq.com with your request. We respond within 30 days at no charge.

8. Security

  • HTTPS everywhere (TLS 1.3, HSTS preload, A+ SSL Labs rating).
  • Passwords hashed with bcrypt at cost 12+; staff PINs hashed separately.
  • Cloudflare WAF blocking OWASP top-10 attack patterns at the edge.
  • Every database query scoped by organization to prevent cross-tenant leakage.
  • Secrets stored in macOS Keychain (dev) and Cloudflare-encrypted environment (prod).
  • Rate limits on authentication endpoints; Turnstile bot challenge on signup.
  • All admin access logged to an immutable audit trail.

9. Breach notification

If we detect a security breach involving your personal information that poses a real risk of significant harm, we will notify you and the Office of the Privacy Commissioner of Canada as soon as feasible, and in any event within 72 hours of confirming the breach. We maintain a record of all breaches as required by PIPEDA.

10. Children

ShopBayHQ is a business tool. We do not knowingly collect information from anyone under 16. If you believe we have, contact us and we will delete it.

11. Changes to this policy

We may update this policy. Material changes will be announced by email at least 30 days before taking effect, giving you time to export your data or cancel if you disagree. The effective date at the top of this page always reflects the current version.

Contact

Privacy Officer: James Olusoga
Email: privacy@shopbayhq.com
Postal: available on request to verified account holders
Jurisdiction: Ontario, Canada