Legal

Legal agreements and Canadian compliance

Governing law: British Columbia, Canada · Last updated: April 23, 2026

Van Permit Audit is operated by a Canadian company under the laws of British Columbia, Canada. Every agreement on this page is written to sit inside Canada's privacy, consumer-protection, and anti-spam regulatory framework (PIPEDA, BC PIPA, CASL, and the BC Business Practices and Consumer Protection Act) rather than being retrofitted from US templates. This page indexes the four governing documents, explains how Canadian law changes what each one can say, and gives you a single place to request negotiated versions for enterprise use.


The four documents that govern your use

Self-serve customers (individuals and small firms paying per-report) are bound by the Terms of Service and Privacy Policy. Organizations processing personal data through the service, or Enterprise customers with negotiated terms, are additionally governed by the MSA and DPA below.


How Canadian law shapes these documents

Van Permit Audit is headquartered in British Columbia, serves customers primarily within BC, and stores the operational data it can in Canada-adjacent infrastructure. Four Canadian statutes directly govern what the documents below can and cannot say. Rather than leaving you to dig through them, here is the short version of each:

PIPEDA: Personal Information Protection and Electronic Documents Act

The federal privacy law. Requires meaningful consent before personal data is collected, a documented purpose for each use, a retention period tied to that purpose, the ability for a data subject to access or correct their data, and mandatory breach notification when a breach creates a real risk of significant harm. Our Privacy Policy and DPA are written to the ten PIPEDA principles.

BC PIPA: Personal Information Protection Act (British Columbia)

The provincial law that applies to private-sector organizations operating inside BC. It is substantially similar to PIPEDA but adds a BC-specific Privacy Commissioner as the complaint body and a shorter default response-to-access-request window. Our practice is to meet the stricter of the two standards on every data right.

CASL: Canada's Anti-Spam Legislation

CASL governs commercial electronic messages sent to Canadian recipients. We send no unsolicited marketing email. Transactional email (your report receipt, your account confirmation, a breach notification) is not a commercial electronic message under CASL and is sent without consent. Any future marketing email will include explicit express-consent opt-in, identification of the sender, and an unsubscribe mechanism that functions within ten business days, as CASL requires.

BC Business Practices and Consumer Protection Act

BC's consumer-protection statute governs refund practices, unfair trade practices, and unconscionable contract terms. It is the backing law behind our 7-day refund policy, and it is the reason our limitation-of-liability clause does not exclude liability that cannot legally be excluded under BC consumer law.


Master Service Agreement

Standard template, effective when countersigned or when an Enterprise subscription is activated. Self-serve plans are governed by the Terms of Service only.

Provider: Van Permit Audit Inc., registered in British Columbia, Canada

Customer: The entity identified in the Order Form or Enterprise subscription

Effective date: Date of countersignature or Enterprise subscription activation

1. Services

Provider will make the Van Permit Audit platform available to Customer on a subscription basis as described in the applicable Order Form. Provider may update the platform at any time provided that material reductions in functionality are communicated with 30 days' notice.

2. Permitted use and restrictions

Customer may use the platform solely for its internal business purposes. Customer may not resell, sublicense, or white-label the platform without a separate written agreement. Customer is responsible for ensuring all users comply with the Terms of Service.

3. Fees and payment

Fees are set out in the Order Form. Subscription fees are billed monthly or annually in advance. All fees are in Canadian dollars (CAD) unless otherwise stated, and are non-refundable except as expressly stated. Provider may increase fees on 60 days' written notice; Customer may terminate without penalty before the increase takes effect.

4. Service level commitment

Provider targets 99.5% monthly uptime for the API and analysis pipeline, excluding scheduled maintenance (notified 48 hours in advance) and events outside Provider's reasonable control. If monthly uptime falls below 99.5%, Customer's sole remedy is a service credit equal to 5% of the monthly fee per full percentage point below the target, up to a maximum of 30% of the monthly fee. Credits do not accrue as cash and expire 90 days after issuance.

5. Data ownership and licence

Customer retains all rights to documents uploaded and reports generated. Customer grants Provider a limited, non-exclusive licence to process Customer data solely to deliver the service. Provider will not use Customer data to train AI models or share it with third parties except as necessary to operate the service (see the DPA below).

6. Confidentiality

Each party agrees to keep the other party's non-public business information confidential for the term of this agreement and for two years after termination. Confidential information does not include information that is publicly known, independently developed, or disclosed by a third party without restriction.

7. Intellectual property

Provider retains all rights to the platform, models, knowledge base, and underlying technology. Customer retains all rights to its uploaded documents, extracted data, and generated reports. No rights are granted beyond those expressly stated.

8. Warranties and disclaimer

Provider warrants that the platform will perform materially as described in the documentation. The platform is an AI-assisted decision-support tool and does not constitute professional engineering, architectural, or legal advice. All compliance outputs must be reviewed by a licensed professional before use in a permit application.

EXCEPT FOR THE EXPRESS WARRANTY ABOVE, THE PLATFORM IS PROVIDED "AS IS". PROVIDER DISCLAIMS ALL IMPLIED WARRANTIES INCLUDING MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, except to the extent such disclaimers are prohibited by BC consumer-protection law.

9. Limitation of liability

Neither party is liable for indirect, incidental, consequential, or punitive damages. Provider's total aggregate liability arising out of or related to this agreement is limited to the greater of: (a) fees paid by Customer in the 12 months preceding the claim, or (b) CAD $5,000. Nothing in this clause limits liability that cannot be limited by BC law, including liability for willful misconduct or for breach of statutory consumer rights.

10. Indemnification

Customer will indemnify Provider against claims arising from Customer's violation of applicable law, misuse of the platform, or infringement of third-party rights through Customer's uploaded content.

11. Term and termination

This agreement continues until all Order Forms have expired or been terminated. Either party may terminate for material breach on 30 days' written notice if the breach is not cured within that period. Provider may suspend service immediately for non-payment or violation of the acceptable-use policy.

12. Governing law and dispute resolution

This agreement is governed by the laws of British Columbia, Canada, without regard to conflict-of-law principles. Disputes will first be submitted to good-faith negotiation for 30 days, then to binding arbitration in Vancouver, BC under the BC Arbitration Act.

To request a countersigned copy, negotiated amendments, or an Order Form, email enterprise@vanpermitaudit.com.


Data Processing Agreement

Applies when Customer is an organization processing personal information of its own clients or employees through the platform, as defined under PIPEDA.

Controller: Customer (the organization uploading documents and receiving reports)

Processor: Van Permit Audit Inc.

Applicable law: PIPEDA (Canada), with reference to BC PIPA where applicable

1. Scope of processing

Processor will process personal information solely as instructed by Controller and solely to provide the compliance-analysis service. Personal information that may be processed includes: names and addresses appearing in uploaded permit documents; email addresses of registered users; and billing contact information.

2. Purpose limitation

Processor will not use personal information for any purpose other than delivering the service. This explicitly prohibits: using inputs to train AI or ML models, building marketing profiles, or sharing data with third parties except the sub-processors listed in clause 4.

3. Data minimization and retention

Uploaded PDFs are extracted to plaintext in memory and not persisted to disk beyond the analysis run. Only the extracted text and analysis results are stored. Processor will not retain personal information beyond the periods specified in the retention schedule:

Uploaded PDF content (extracted text): 90 days

Analysis results and reports: Life of account

User account data: Life of account + 30-day deletion grace

Request / audit logs: 12 months

Stripe payment records: 7 years (CRA / tax obligation)

4. Sub-processors

Controller authorizes use of the following sub-processors:

Sub-processorPurposeLocation
Anthropic, PBCAI compliance analysisUnited States
Render Inc.Backend hosting & storageUnited States
Vercel Inc.Frontend CDN deliveryGlobal / United States
Stripe Inc.Payment processingUnited States
Cloudflare Inc.DNS and edge securityGlobal / United States

Cross-border transfers to US sub-processors occur under contractual safeguards consistent with PIPEDA's accountability principle. Processor will notify Controller of any material changes to this sub-processor list with 30 days' notice.

5. Security measures

Processor maintains the technical and organizational measures described on the Security & Trust page, including: TLS 1.3 in transit, AES-256 block-storage encryption at rest, bcrypt password hashing, JWT session management, rate limiting, and server-side input sanitization.

6. Data subject rights

Processor will assist Controller in responding to data-subject requests under PIPEDA (access, correction, deletion). Requests should be submitted to privacy@vanpermitaudit.com. Account deletion requests are fulfilled within 30 days.

7. Breach notification

Processor will notify Controller without undue delay (and in any event within 72 hours of becoming aware) of any personal-data breach that poses a real risk of significant harm to individuals, as required under PIPEDA's mandatory breach-reporting obligations. Breach reports are made in writing and include the facts available at the time of notification, the likely consequences, and the mitigation steps taken or planned.

8. Audit rights

Controller may, on 30 days' written notice and no more than once per year, request a written summary of Processor's security controls or the results of any third-party security assessment. On-site audits are available to Enterprise customers by arrangement.

9. Termination and return of data

On termination of the service agreement, Processor will delete all Controller personal information within 30 days, except where retention is required by law. On request, Processor will provide a written confirmation of deletion.

To execute this DPA with a countersignature, or to discuss amendments for your specific compliance requirements, email privacy@vanpermitaudit.com.


Related