Privacy Policy

Last updated July 18, 2026

1. What we collect

Account data: your name, email and organization details. Compliance records you create: client and deal information, identity-verification records and uploaded documents, screening results and evidence, training records, reviews and reports. Lead data: if you request the free checklist, your email, business type and the campaign code that brought you.

Compliance records necessarily contain personal information about your clients (for example identification details and beneficial-ownership information). You are the custodian of that information; Provasure processes it on your instructions to operate the service.

2. Where data lives

Application data and uploaded files are stored at rest in Canada (ca-central-1). Uploaded documents live in private storage buckets; they are only ever served through short-lived signed links. The application servers that handle requests may process data outside Canada while responding to them; the data itself remains stored in Canada.

3. How we use it

To operate the product: rendering your records, generating documents and binders, sending the reminder and monthly digest emails your plan includes. We do not sell personal information, use your compliance records for advertising, or train machine-learning models on your data.

4. Service providers

We use a small number of service providers to run the service: Supabase (database, authentication, file storage), Vercel (application hosting), Resend (transactional email), and Anthropic (AI-assisted data import, only when you use that feature). Each provider processes data solely to deliver its service to us. If we add or replace a provider that handles personal information — for example a payment processor when paid billing launches — we will update this policy.

5. Retention and deletion

Reporting entities are expected to retain compliance records for at least five years, so records you delete in the product are soft-deleted (hidden but recoverable) rather than destroyed immediately. On account closure we will delete or return your data on request, subject to that retention duty and our legal obligations. Every change to your records is captured in an append-only audit log.

6. Security

Data is encrypted in transit and at rest. Access is isolated per organization at the database level (row-level security), file access requires short-lived signed URLs, and the audit trail is tamper-evident (hash-chained).

7. Your rights

You can export your organization's complete data from within the product at any time. Under PIPEDA you may request access to, or correction of, personal information we hold about you: contact our privacy officer at hello@provasure.ca. If you are not satisfied with our response, you may complain to the Office of the Privacy Commissioner of Canada.

8. Email and CASL

Marketing email (like the checklist follow-ups) is sent only with consent recorded at capture, and every message carries one-click unsubscribe. Transactional email (reminders, digests, receipts) is part of the service.

9. Contact

Privacy questions or complaints: Provasure · hello@provasure.ca. We respond to privacy requests within 30 days.