Privacy policy.

What data we collect, why we collect it, who we share it with, and what you can do about it. Written in plain language; legally binding under Canada's PIPEDA and Ontario's privacy law.

Last updated: 2026-05-09

§1

Who's responsible for your data

12756528 Canada Inc., operating as Aspireco, headquartered in Toronto, Ontario, is the data controller for the information you share with us through aspireco.ca, app.aspireco.ca, our audit and dossier engine, our marketing automation services, our chat widget, and any email you send us.

For privacy questions or to exercise the rights described below, write to our privacy officer at info@aspireco.ca with the subject line “Privacy.”

§2

What we collect

We collect different categories of information depending on how you interact with us:

Information you give us directly

  • Audit and quote forms: business name, your name, email, phone (optional), website URL, industry, and what you're looking to fix.
  • Account signup: business name, contact email, password (hashed), and the tier you select.
  • Billing: we use Stripe for all payment processing; we never see or store your full card number. We retain a Stripe customer ID, the last four digits and card type, and the billing address you provide to Stripe.
  • Chat conversations: messages you send through the widget, plus the email you provide if you choose to identify yourself for follow-up.
  • Onboarding handoffs: credentials you authorize us to hold (Google Business Profile access, ad account access, social platform access). These are stored encrypted in our secrets manager; only the operator actively working on your account can decrypt them.

Information we generate from your business

  • Audit dossiers, score reports, and recommendations we produce by analyzing your public website and search presence.
  • Performance reports we generate from connected platforms (Google Analytics, Google Search Console, Google Business Profile, Meta Ads, Google Ads, review platforms).
  • Knowledge-base entries — anonymized patterns we extract from past audits to make future audits faster.

Information collected automatically

  • Usage data: page views, which features you click, how you navigate. We use this to improve the product. We do not build behavioural advertising profiles.
  • Technical data: IP address, browser type and version, device type, referrer URL, timestamps. Used for security, fraud prevention, and basic analytics.
  • Cookies: see section 6.

§3

Why we collect it

We collect the categories above for the following purposes and no others:

  • To deliver the services you signed up for.
  • To run the audit and dossier engine (your URL is fetched, parsed, and analyzed; no audit material is shared with other customers).
  • To bill you and prevent fraudulent transactions (handled by Stripe).
  • To communicate with you about your account, service changes, and (only with your consent) marketing announcements.
  • To improve our services — by reviewing aggregated, anonymized usage patterns. We do not use individual customer data to train external AI models. Identifiable data is never sold.
  • To meet our legal, tax, and accounting obligations under Canadian law.

Our legal basis: contract performance (delivering services), our legitimate interest (running and improving the business), legal obligation (taxes, fraud prevention), and consent (marketing communications you can withdraw at any time).

§4

Who we share it with

We share your data with a small set of subprocessors that help us operate. We have data processing agreements with each:

  • Stripe Payments Canada Ltd. — payment processing; receives billing details directly from you.
  • Supabase Inc. (USA, EU) — primary database for accounts, audits, leads, and dashboards. Configured with row-level security so each customer can only see their own records.
  • Cloudflare, Inc. — DNS and edge security for our domains.
  • Railway Corp. — application hosting for our marketing site, app, and n8n workflows.
  • Anthropic PBC / OpenRouter — large language models used in audit-dossier generation and copy production. Prompts include only the public information from your website, never your private credentials. No data we send is used to train their models when called through API access.
  • Google LLC — for the PageSpeed Insights API used in lite audits, and for the Google APIs we use to manage your GBP and ad accounts on your behalf (with your authorization).
  • Twilio Inc. — for SMS sends in the automation workflows you opt into.
  • Chatwoot — for the live chat widget, self-hosted on our infrastructure.

We do not sell your personal information to anyone. We do not share it with advertising networks for behavioral targeting. We do not share it with anyone else outside the list above unless we're legally required to (e.g. by a valid Canadian court order) or you give us specific permission.

§5

Where it's stored

Most of your data is stored in Supabase's North American data centers; some operational data flows through Cloudflare and Railway facilities. By using our services you consent to your data being processed in Canada and the United States. We use only providers that offer data-protection commitments compatible with PIPEDA.

§6

Cookies and similar technologies

We use a small set of cookies and equivalent storage:

  • Strictly necessary — keep you logged in, maintain CSRF protection, remember your tier in checkout. These cannot be disabled if you want to use the site.
  • Analytics — privacy-respecting product analytics so we can understand which pages convert. We don't use Google Analytics in the marketing surface.
  • Chat widget — the Chatwoot widget stores a contact ID locally so your conversations persist across page loads.

We do not use third-party tracking pixels, advertising cookies, or cross-site behavioral profiling. Your browser's “Do Not Track” or Global Privacy Control (GPC) signal is respected for analytics.

§7

Your rights under PIPEDA

Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws, you have the right to:

  • Access the personal data we hold about you. We'll respond within 30 days.
  • Correct any inaccurate information about you.
  • Withdraw consent for processing not required to deliver the service you're paying for.
  • Request deletion when the data is no longer needed for the purpose collected. We'll honour this except where we're legally required to retain records (e.g. tax filings).
  • Receive your data in a portable format (CSV / JSON exports of your account, audits, and reports).
  • Complain to the Office of the Privacy Commissioner of Canada. We'd ask you to give us a chance to fix the issue first, but the right is yours regardless.

To exercise any of these, email info@aspireco.ca with subject line “Privacy — [request type].” We may ask you to verify identity before disclosing data.

§8

How long we keep it

Data retention windows:

  • Account and subscription records: kept for the duration of your subscription plus 7 years after termination, for Canadian tax and accounting purposes.
  • Audit dossiers and reports: kept for 3 years after delivery, then archived. You can export anytime; we'll send you a copy on request.
  • Lead form submissions (no account): 24 months, then deleted. Earlier on request.
  • Chat transcripts: 12 months, then archived in aggregate-only form for product improvement.
  • Server logs and security data: 90 days.

§9

Security

We protect your data with: TLS 1.3 in transit, AES-256 encryption at rest for all secrets and credentials, scoped access (operator-level only, with audit logs), short-lived session tokens, mandatory two-factor authentication on all admin accounts, regular dependency and infrastructure patching, and a documented incident-response process.

No system is impenetrable; if we ever experience a breach that affects your data, we'll notify affected customers without unreasonable delay (and within 72 hours of confirmation, where required by law) and report to the Office of the Privacy Commissioner of Canada per PIPEDA section 10.1.

§10

Marketing communications

We send transactional emails (billing, service updates, account changes) for as long as you're a customer — you can't opt out of these without cancelling service, because they're necessary to operate your account.

For optional marketing messages (newsletters, new-feature announcements, audit reminders) we use express opt-in only and provide a working unsubscribe link in every message, per Canada's Anti-Spam Law (CASL).

§11

Children's data

Our services are intended for businesses, not individuals under 18. We don't knowingly collect data from children. If you believe we've received data about a child, email us and we'll delete it.

§12

Changes to this policy

We may update this policy as our services or the legal landscape evolves. Material changes will be communicated by email at least 30 days before they take effect. The current version always lives at this URL with a “last updated” date at the top.

§13

Contact and complaints

Privacy officer: info@aspireco.ca with subject line “Privacy.” You may also write to us at 12756528 Canada Inc., operating as Aspireco, Toronto, ON, Canada.

If you're unsatisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.