Privacy Policy

Last updated: [DATE TO BE SET BEFORE LAUNCH]

This Privacy Policy explains how Vince AI Inc. ("Vince", "we", "us", "our") collects, uses, discloses, and protects your personal information when you use Vince, our AI-powered reference assistant for electricians ("the Service").

We are committed to handling your personal information in accordance with the Personal Information Protection and Electronic Documents Act ("PIPEDA") and other applicable Canadian privacy laws.

By using the Service, you consent to the collection, use, and disclosure of your personal information as described in this Policy.

1. Who We Are

Vince AI Inc. is an Ontario corporation that operates the Vince service at getvince.ca. We are the "organization" responsible for personal information collected through the Service for the purposes of PIPEDA.

For privacy inquiries, contact: support@getvince.ca

2. Personal Information We Collect

We collect the following categories of personal information:

Account information:

Email address (used for login, account verification, and notifications)
Password (stored only as a salted bcrypt hash — we cannot recover or view your password)
Display name (what Vince calls you in conversation)
Account creation date

Subscription and billing information:

Subscription plan and status
Trial start and end dates
Billing period dates
Question usage counts (how many questions you have used in the current billing period)
Top-up purchase history
Stripe customer identifier and subscription identifier (used to link your account to your Stripe records)

We do not collect or store your credit card number, expiry date, CVC, or other full payment card details. All payment information is collected directly by Stripe, Inc. and handled in accordance with Stripe's privacy practices.

Service usage information:

The content of your messages and queries submitted to Vince
Vince's responses to your queries
Files you upload (images, PDFs)
Saved conversations ("jobs") you create within the Service
Tool calls performed by Vince in response to your queries

Technical information:

IP address (used for rate limiting, security, and fraud prevention)
Session identifiers (stored in browser cookies for authentication)
Browser type and basic device information (where applicable)
Login timestamps and basic activity logs

Communications:

Records of your communications with our support team
Feedback you submit through the in-app feedback feature

We do not use third-party advertising trackers, web analytics services that track individual users (such as Google Analytics or Facebook Pixel), social media tracking pixels, or browser fingerprinting techniques.

3. How We Use Personal Information

We use your personal information for the following purposes:

To provide the Service:

Create and maintain your account
Authenticate you when you log in
Process your queries and generate responses
Save and retrieve your saved jobs
Track question usage against your subscription allotment

To process payments:

Bill your subscription on a recurring basis
Process top-up purchases
Manage subscription changes and cancellations

To communicate with you:

Send transactional emails (account verification, password resets, payment notifications, subscription changes)
Respond to your support inquiries and feedback
Send service announcements that materially affect your use of the Service
Send marketing communications, but only if you have provided express consent (see Section 6)

To secure and improve the Service:

Detect and prevent fraud, abuse, and unauthorized access
Enforce our Terms of Service and acceptable use policies
Investigate and respond to security incidents
Diagnose technical problems and improve service reliability
Monitor aggregate usage patterns to inform product development

To comply with legal obligations:

Respond to lawful requests from government authorities
Comply with tax, accounting, and reporting requirements
Defend our legal interests in disputes

4. Third-Party Service Providers and Data Residency

We use the following third-party service providers to operate the Service. Each processes some of your personal information on our behalf, subject to contractual obligations to safeguard that information.

Provider	Purpose	Data Location
Anthropic, PBC	AI processing of your queries (generates Vince's responses)	United States
Stripe Payments Canada, Ltd.	Payment processing, subscription management, Customer Portal	Canada and United States
Resend (Resend Labs, Inc.)	Transactional and marketing email delivery	United States
DigitalOcean, LLC	Application server hosting, file storage, database hosting	Toronto, Ontario, Canada
Cloudflare, Inc. (if applicable)	DNS and (if enabled) content delivery	Global edge network

Cross-border data transfer. The content of your queries and responses is transmitted to Anthropic in the United States for AI processing. Transactional email content and email addresses are transmitted to Resend in the United States. Payment data is processed by Stripe with infrastructure in both Canada and the United States. Personal information transferred to the United States may be subject to U.S. legal processes, including disclosure requests by U.S. government authorities, in addition to applicable Canadian and Ontario laws.

Application data. Your account information, saved jobs, conversation logs, and uploaded files are stored on our application servers located in Toronto, Ontario, Canada (DigitalOcean TOR1 region). Routine backups are stored in the same region.

We do not sell, rent, or lease your personal information to any third party for marketing or advertising purposes. We do not share your information with data brokers.

5. AI Processing and Your Queries

When you send a message to Vince, the content of your message (and conversation history for context) is transmitted to Anthropic, PBC for AI processing. Anthropic processes the message and returns a response, which we then deliver to you.

Anthropic's handling of API data is governed by Anthropic's commercial terms and privacy practices, which can be reviewed at anthropic.com. Under our agreement with Anthropic, your query content is not used to train Anthropic's AI models.

We log the content of your queries and Vince's responses on our servers for the purposes of (a) providing the saved jobs feature, (b) diagnosing service issues, (c) detecting abuse, and (d) improving the Service. These logs are retained according to the retention schedule in Section 9.

Please do not include in your queries any information you would not want logged on our servers and transmitted to Anthropic. Do not submit credit card numbers, social insurance numbers, passwords, confidential client information, or other sensitive data that is not necessary for your OESC reference questions.

6. Marketing Communications and CASL Consent

We comply with Canada's Anti-Spam Legislation ("CASL"). We will only send you marketing communications (such as product updates, feature announcements, promotions, or newsletters) if you have provided express consent.

At signup, you may opt in to marketing communications by checking the appropriate box. You may withdraw your consent at any time by:

Clicking the "unsubscribe" link in any marketing email
Updating your communication preferences in your account settings
Emailing support@getvince.ca with your withdrawal request

Withdrawal of marketing consent does not affect transactional emails (account verification, password resets, payment notifications, subscription changes, security alerts), which we will continue to send as necessary to operate the Service.

7. Cookies and Local Storage

The Service uses a small number of essential cookies and browser storage mechanisms for the purposes of:

Maintaining your login session (a server-side session cookie with HttpOnly, Secure, and SameSite=Lax attributes)
Storing your authentication state between visits
Service Worker registration to enable Progressive Web App ("PWA") features

We do not use cookies for advertising, tracking across other websites, or analytics. We do not use third-party cookies.

You may disable cookies in your browser settings; however, doing so will prevent you from logging in or using the Service.

8. Security

We take reasonable physical, technical, and administrative measures to protect your personal information against loss, theft, and unauthorized access, use, or disclosure. These measures include:

HTTPS/TLS encryption for all communications between your browser and our servers (HSTS enforced)
Bcrypt hashing of passwords with a cost factor of 12 (your password is never stored in plaintext and cannot be recovered, only reset)
Session cookies with secure attributes (HttpOnly, Secure, SameSite=Lax)
Rate limiting on authentication endpoints to deter brute-force attacks
Server-side firewall and exploit-path blocking at the web server layer
Password complexity requirements (minimum 8 characters, uppercase, digit)
Multi-factor email-based verification at signup
Audit logs of authentication events
Restricted access to production systems with key-based authentication
Regular backups stored in the same data residency region

No security system is impenetrable. We cannot guarantee absolute security. If we become aware of a security breach affecting your personal information, we will notify you and, where required, the Office of the Privacy Commissioner of Canada in accordance with PIPEDA's breach notification requirements.

9. Retention

We retain your personal information only as long as necessary for the purposes set out in this Policy:

Account information: retained while your account is active and for up to 7 years after account closure to support legal, tax, accounting, and dispute-resolution obligations
Subscription and billing records: retained for 7 years to comply with Canadian tax and accounting requirements
Conversation logs and saved jobs: retained while your account is active; deleted within 90 days of account deletion, except where retention is required by law
Authentication and security logs: retained for up to 12 months
Marketing consent records: retained for the duration of your consent plus 3 years after withdrawal
Support communications: retained for 3 years from the date of the communication

After applicable retention periods, we delete or anonymize the information so that it can no longer be associated with you.

10. Your Rights Under PIPEDA

You have the following rights with respect to your personal information:

Right of access: You may request access to the personal information we hold about you and information about how it has been used and to whom it has been disclosed.
Right of correction: You may request that we correct inaccurate or incomplete information. Some basic information (display name, email) can be updated directly in your account settings.
Right of withdrawal of consent: You may withdraw your consent to the collection, use, or disclosure of your personal information at any time, subject to legal and contractual restrictions. Withdrawing consent for processing that is necessary to provide the Service will result in termination of your account.
Right of deletion: You may request that we delete your personal information. Deletion requests are subject to our legal retention obligations described in Section 9.
Right to complain: If you believe we have not handled your personal information appropriately, you may file a complaint with us at support@getvince.ca. You also have the right to file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.

To exercise any of these rights, contact support@getvince.ca. We will respond to your request within 30 days. We may ask you to verify your identity before fulfilling certain requests.

11. Children's Privacy

The Service is not directed to individuals under 18 years of age, and we do not knowingly collect personal information from anyone under 18. If we learn that we have collected information from a person under 18, we will delete that information promptly. If you believe we have inadvertently collected information from a minor, please contact support@getvince.ca.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the email address associated with your account at least 30 days before they take effect. The "Last updated" date at the top of this Policy reflects the most recent revision. Your continued use of the Service after changes take effect constitutes your acceptance of the revised Policy.

13. Contact

For privacy-related questions, requests, or complaints, contact:

Vince AI Inc.
Attn: Privacy Officer
[REGISTERED OFFICE ADDRESS TO BE INSERTED]
Email: support@getvince.ca