Privacy

Privacy Policy

Effective date: March 28, 2026 · Last updated: April 23, 2026

This policy describes (honestly and specifically) what personal data Van Permit Audit collects, how it flows through the service, which third-party sub-processors see what, how long each category of data is retained, and how you can exercise your rights under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and British Columbia's Personal Information Protection Act (BC PIPA). No plain-English summary that's secretly vague: every sub-processor, every retention period, and every cross-border transfer is listed by name.


1. Who we are

Van Permit Audit Inc. ("Van Permit Audit", "we", "us") is a British Columbia company operating an AI-assisted permit-compliance screening service for construction and development projects in Vancouver and Metro Vancouver. Our registered office is in Vancouver, BC, Canada. Our privacy contact is privacy@vanpermitaudit.com.

2. What personal information we collect

The service collects only what is needed to run an analysis, issue a certificate, and support your account. Specifically:

  • Account data: email address and bcrypt-hashed password when you register. No birthday, no phone number, no physical address.
  • Uploaded documents: the PDF permit files you submit for analysis. These may contain personal information (owner name, property address, architect name) if your drawing title blocks include them.
  • Analysis results: the AI-generated compliance report associated with your account: findings, confidence scores, bylaw citations, certificate metadata.
  • Payment data: Stripe processes your card details. We store only a Stripe session ID, an amount, and a success flag. We never see the card number, the CVC, or the cardholder name beyond the email associated with the purchase.
  • Usage logs: timestamped API requests, error events, IP addresses for rate-limiting and fraud-prevention, and shadow-audit metadata used to improve model accuracy. Retained 12 months.

3. How the data flows through the service

Every analysis follows the same path. Understanding it is the best way to understand what each third party sees:

  1. Your browser uploads the PDF over TLS 1.3 to our API, hosted on Render.
  2. The PDF is extracted to plaintext in memory using pypdf. The original binary PDF is not written to persistent disk.
  3. Chunks of the extracted text relevant to compliance are sent over TLS to Anthropic's Claude API for analysis.
  4. Anthropic returns structured findings, which our server composes into a report.
  5. The report is stored in a SQLite database on Render's persistent disk. Payment (if any) is processed by Stripe. The review PDF is generated on demand from the stored report.

Source documents are processed as text, not as images. We do not perform OCR on scanned documents: text-based PDFs only.

4. AI non-training commitment

Your uploaded documents and analysis data are never used to train third-party AI or machine-learning models. We send document content to Anthropic's Claude API solely to generate your requested analysis. Anthropic's API terms (under which we operate) explicitly prohibit using API inputs to train foundation models. We do not separately license, sell, or share document content with any other AI pipeline, research organization, or data broker.

5. Where the data is stored, and why

Our backend currently runs in Render's US West region (Oregon, United States). Supporting services (Anthropic, Stripe, Cloudflare, Vercel) are also US-based or globally distributed. Under PIPEDA's accountability principle, we remain responsible for your data regardless of which country processes it, and we use contractual safeguards (data-processing terms, breach notification clauses, PIPEDA-equivalent access-rights commitments) with every sub-processor.

Canadian-soil data residency is available to Enterprise customers by arrangement. If your organization's PIPEDA obligations require Canadian-only processing, contact enterprise@vanpermitaudit.com before subscribing.

6. Sub-processors: who we share your data with and why

Sub-processorWhat it seesLocation
Anthropic, PBCExtracted permit text (not the binary PDF) for compliance analysisUnited States
Render Inc.Backend server hosting, SQLite database persistenceUnited States (US West)
Vercel Inc.Frontend static hosting and CDN deliveryGlobal edge / US
Stripe Inc.Card processing: sees card data, not your uploaded documentsUnited States
Cloudflare Inc.DNS and edge security; does not see the extracted permit contentGlobal edge / US

This list is exhaustive for the current self-serve product. Changes to the sub-processor list are communicated to active paying customers with 30 days' notice so they can object or terminate before the change takes effect.

7. How long each category of data is retained

CategoryRetention periodReason
Uploaded PDF binaryNot persistedExtracted to text in memory; original discarded after run
Extracted permit text90 daysDebugging and accuracy review; then purged
Analysis results & reportsLife of accountAccessible in your Permit Vault
Certificate metadataLife of accountRequired for QR verification to function
Account data (email, hash)Life of account + 30 days30-day grace to reverse accidental deletion
Usage / audit logs12 monthsFraud prevention and security monitoring
Stripe payment records7 yearsCanada Revenue Agency tax record retention

You can request earlier deletion of any category (subject to legal-hold obligations like the 7-year CRA record requirement) by contacting privacy@vanpermitaudit.com. We act on valid requests within 30 days.

8. Your rights under PIPEDA and BC PIPA

Under Canada's PIPEDA and British Columbia's PIPA, you have the right to:

  • Access: request a copy of the personal information we hold about you. We respond within 30 days in clear language, free of charge for reasonable requests.
  • Correction: request correction of inaccurate personal information. We update the record and, where the inaccuracy has been disclosed to a third party, notify the third party if practicable.
  • Deletion: withdraw consent and request deletion of your data, subject only to legal-hold obligations (e.g. CRA record retention for payments). We act within 30 days and confirm deletion in writing.
  • Complaint: file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or the BC Information and Privacy Commissioner (oipc.bc.ca) if you believe we have mishandled your personal data.

To exercise any of these rights, email privacy@vanpermitaudit.com. Please identify yourself by the email address associated with your account so we can authenticate the request.

9. Disclosure to third parties

We do not sell or rent personal data. We may disclose data only to:

  • The sub-processors listed in section 6, under data-processing terms that prohibit secondary use.
  • Law enforcement or regulators when compelled by a valid legal order issued under Canadian law, and only after internal review to verify the order is lawful and narrow.
  • A successor entity in the event of a merger or acquisition, with at least 14 days' advance written notice to you, and with equivalent privacy protections required of the successor.

10. Security measures

Passwords are stored as bcrypt hashes (never plaintext). All data in transit is protected by TLS 1.3. Database storage is encrypted at rest at the block-storage layer (AES-256). User input is sanitized before storage and before being used as part of a prompt. Session tokens are JWT-based with a 72-hour expiry. We conduct regular security reviews and promptly address identified vulnerabilities. A more detailed description of controls is on the Security & Trust page.

11. Breach notification

If a personal-data breach poses a real risk of significant harm to you, we will notify you without undue delay (and in any event within 72 hours of becoming aware) as required under PIPEDA's mandatory breach-reporting regulations. Notifications include the facts of the breach, the categories and approximate number of individuals affected, the likely consequences, and the mitigation steps we have taken or plan to take. We also notify the Office of the Privacy Commissioner of Canada when required to do so.

12. Cookies and tracking

We use a single HTTP-only authentication cookie equivalent (a JWT in localStorage) to keep you signed in. We do not use advertising cookies, cross-site tracking pixels, session replay tools, or third-party analytics that build behavioral profiles. Site traffic is measured via privacy-respecting edge metrics at Vercel.

13. Children

The service is not directed at children under 16 and we do not knowingly collect personal information from them. If you believe a minor has registered, contact privacy@vanpermitaudit.com and we will delete the account.

14. Changes to this policy

Material changes to this policy (changes that expand data collection, add a sub-processor, shorten a retention period, or affect data-subject rights) are communicated by email to registered users at least 14 days before the change takes effect. Continued use of the service after the effective date constitutes acceptance of the revised policy.

15. Contact

Van Permit Audit Inc.
Vancouver, BC, Canada
privacy@vanpermitaudit.com


Related