Privacy Policy
Effective date: March 28, 2026 · Last updated: April 23, 2026
This policy describes, honestly and specifically, what personal data Van Permit Audit collects, how it flows through the service, which third-party sub-processors see what, how long each category of data is retained, and how you can exercise your rights under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and British Columbia's Personal Information Protection Act (BC PIPA). This is not a plain-English summary that is secretly vague: every sub-processor, every retention period, and every cross-border transfer is listed by name.
1. Who we are
Van Permit Audit Inc. ("Van Permit Audit", "we", "us") is a British Columbia company operating an AI-assisted permit-compliance screening service for construction and development projects in Vancouver and Metro Vancouver. Our registered office is in Vancouver, BC, Canada. Our privacy contact is privacy@vanpermitaudit.com.
2. What personal information we collect
The service collects only what is needed to run an analysis, issue a certificate, and support your account. Specifically:
- Account data: email address and bcrypt-hashed password when you register. No birthday, no phone number, no physical address.
- Uploaded documents: the PDF permit files you submit for analysis. These may contain personal information (owner name, property address, architect name) if your drawing title blocks include them.
- Analysis results: the AI-generated compliance report associated with your account: findings, confidence scores, bylaw citations, certificate metadata.
- Payment data: Stripe processes your card details. We store only a Stripe session ID, an amount, and a success flag. We never see the card number, the CVC, or the cardholder name beyond the email associated with the purchase.
- Usage logs: timestamped API requests, error events, IP addresses for rate-limiting and fraud-prevention, and shadow-audit metadata used to improve model accuracy. Retained 12 months.
3. How the data flows through the service
Every analysis follows the same path. Understanding it is the best way to understand what each third party sees:
- Your browser uploads the PDF over TLS 1.3 to our API, hosted on Render.
- The PDF is extracted to plaintext in memory using pypdf. The original binary PDF is not written to persistent disk.
- Chunks of the extracted text relevant to compliance are sent over TLS to Anthropic's Claude API for analysis.
- Anthropic returns structured findings, which our server composes into a report.
- The report is stored in a SQLite database on Render's persistent disk. Payment (if any) is processed by Stripe. The review PDF is generated on demand from the stored report.
Source documents are processed as text, not as images. We do not perform OCR on scanned documents; only text-based PDFs are processed.
4. AI non-training commitment
Your uploaded documents and analysis data are never used to train third-party AI or machine-learning models. We send document content to Anthropic's Claude API solely to generate your requested analysis. Anthropic's API terms (under which we operate) explicitly prohibit using API inputs to train foundation models. We do not separately license, sell, or share document content with any other AI pipeline, research organization, or data broker.
5. Where the data is stored, and why
Our backend currently runs in Render's US West region (Oregon, United States). Supporting services (Anthropic, Stripe, Cloudflare, Vercel) are also US-based or globally distributed. Under PIPEDA's accountability principle, we remain responsible for your data regardless of which country processes it, and we use contractual safeguards (data-processing terms, breach notification clauses, PIPEDA-equivalent access-rights commitments) with every sub-processor.
Canadian-soil data residency is available to Enterprise customers by arrangement. If your organization's PIPEDA obligations require Canadian-only processing, contact enterprise@vanpermitaudit.com before subscribing.
6. Sub-processors: who we share your data with and why
| Sub-processor | What it sees | Location |
|---|---|---|
| Anthropic, PBC | Extracted permit text (not the binary PDF) for compliance analysis | United States |
| Render Inc. | Backend server hosting, SQLite database persistence | United States (US West) |
| Vercel Inc. | Frontend static hosting and CDN delivery | Global edge / US |
| Stripe Inc. | Card processing: sees card data, not your uploaded documents | United States |
| Cloudflare Inc. | DNS and edge security; does not see the extracted permit content | Global edge / US |
This list is exhaustive for the current self-serve product. Changes to the sub-processor list are communicated to active paying customers with 30 days' notice so they can object or terminate before the change takes effect.
7. How long each category of data is retained
| Category | Retention period | Reason |
|---|---|---|
| Uploaded PDF binary | Not persisted | Extracted to text in memory; original discarded after run |
| Extracted permit text | 90 days | Debugging and accuracy review; then purged |
| Analysis results & reports | Life of account | Accessible in your Permit Vault |
| Certificate metadata | Life of account | Required for QR verification to function |
| Account data (email, hash) | Life of account + 30 days | 30-day grace to reverse accidental deletion |
| Usage / audit logs | 12 months | Fraud prevention and security monitoring |
| Stripe payment records | 7 years | Canada Revenue Agency tax record retention |
You can request earlier deletion of any category (subject to legal-hold obligations like the 7-year CRA record requirement) by contacting privacy@vanpermitaudit.com. We act on valid requests within 30 days.
8. Your rights under PIPEDA and BC PIPA
Under Canada's PIPEDA and British Columbia's PIPA, you have the right to:
- Access: request a copy of the personal information we hold about you. We respond within 30 days in clear language, free of charge for reasonable requests.
- Correction: request correction of inaccurate personal information. We update the record and, where the inaccuracy has been disclosed to a third party, notify the third party if practicable.
- Deletion: withdraw consent and request deletion of your data, subject only to legal-hold obligations (e.g. CRA record retention for payments). We act within 30 days and confirm deletion in writing.
- Complaint: file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or the BC Information and Privacy Commissioner (oipc.bc.ca) if you believe we have mishandled your personal data.
To exercise any of these rights, email privacy@vanpermitaudit.com. Please identify yourself by the email address associated with your account so we can authenticate the request.
9. Disclosure to third parties
We do not sell or rent personal data. We may disclose data only to:
- The sub-processors listed in section 6, under data-processing terms that prohibit secondary use.
- Law enforcement or regulators when compelled by a valid legal order issued under Canadian law, and only after internal review to verify the order is lawful and narrow.
- A successor entity in the event of a merger or acquisition, with at least 14 days' advance written notice to you, and with equivalent privacy protections required of the successor.
10. Security measures
Passwords are stored as bcrypt hashes (never plaintext). All data in transit is protected by TLS 1.3. Database storage is encrypted at rest at the block-storage layer (AES-256). User input is sanitized before storage and before being used as part of a prompt. Session tokens are JWT-based with a 72-hour expiry. We conduct regular security reviews and promptly address identified vulnerabilities. A more detailed description of controls is on the Security & Trust page.
11. Breach notification
If a personal-data breach poses a real risk of significant harm to you, we will notify you without undue delay (and in any event within 72 hours of becoming aware) as required under PIPEDA's mandatory breach-reporting regulations. Notifications include the facts of the breach, the categories and approximate number of individuals affected, the likely consequences, and the mitigation steps we have taken or plan to take. We also notify the Office of the Privacy Commissioner of Canada when required to do so.
12. Cookies and tracking
We use a single HTTP-only authentication cookie equivalent (a JWT in localStorage) to keep you signed in. We do not use advertising cookies, cross-site tracking pixels, session replay tools, or third-party analytics that build behavioral profiles. Site traffic is measured via privacy-respecting edge metrics at Vercel.
13. Children
The service is not directed at children under 16 and we do not knowingly collect personal information from them. If you believe a minor has registered, contact privacy@vanpermitaudit.com and we will delete the account.
14. Changes to this policy
Material changes to this policy (changes that expand data collection, add a sub-processor, shorten a retention period, or affect data-subject rights) are communicated by email to registered users at least 14 days before the change takes effect. Continued use of the service after the effective date constitutes acceptance of the revised policy.
15. Contact
Van Permit Audit Inc.
Vancouver, BC, Canada
privacy@vanpermitaudit.com