Privacy Policy

Last updated: May 4, 2026


Diamond Signal ("we", "our", "us") is committed to protecting the privacy of its users. This policy explains what personal data we collect, for what purposes, how it is processed, shared and retained, and what your rights are.

This policy complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) at the Canadian federal level, as well as with the Act respecting the protection of personal information in the private sector (Loi 25) applicable in Quebec.


1. Identity and contact details

Data controller:
[COMPANY_NAME]
[ADDRESS]
[PROVINCE], Canada
Email: support@[DOMAIN]

Personal Information Officer (Loi 25 – Quebec):
[OFFICER_NAME]
Email: privacy@[DOMAIN]

You may contact the Personal Information Officer for any question concerning the processing of your data or to exercise your rights.

2. Personal information collected

We collect only the personal information strictly necessary to provide the service.

2.1 At registration

  • Email address (required for account creation and authentication)
  • Authentication information from the third-party provider you choose (Apple ID or Google): name and email only

2.2 At payment

Credit card information is never stored by Diamond Signal. It is collected and processed directly by our payment provider Stripe Inc. We only receive:

  • The Stripe customer identifier (anonymous token)
  • Subscription status (active, cancelled, past due, etc.)
  • Billing dates

2.3 During use of the service

  • IP address and technical connection data (browser, operating system), for security and fraud prevention purposes
  • Service usage data (pages viewed, projections followed) for product improvement
  • User preferences (language, notification preferences)

3. Purposes of processing

Your data is processed exclusively for the following purposes:

Purpose | Legal basis
Provide the subscribed service | Contract performance
Authenticate the user | Contract performance
Process payments and invoice | Contract performance
Send transactional emails (magic link, receipts) | Contract performance
Send push notifications (with explicit opt-in) | Consent
Improve the product (aggregated, anonymized analytics) | Legitimate interest
Prevent fraud and abuse | Legitimate interest
Comply with legal obligations (tax, accounting) | Legal obligation

No data is used for targeted marketing without your prior explicit consent.

4. Sharing of data with third parties

Your data may be shared with the following processors, strictly as necessary to provide the service:

Processor | Role | Location
Stripe Inc. | Payment processing | United States
Supabase | Database hosting and authentication | United States (primary region)
Vercel | Web application hosting | United States
Render | Backend application hosting | United States
[Transactional email service] | Email delivery (magic link, receipts) | [LOCATION]

4.1 Transfers outside Canada

In accordance with Loi 25, we inform you that your personal information may be communicated, hosted and processed outside Canada, primarily in the United States. The processors listed above are bound by contractual commitments providing a level of protection comparable to what is required in Canada (Standard Contractual Clauses or equivalent).

4.2 No data resale

Diamond Signal never sells and never rents your personal information to third parties for commercial purposes.

5. Retention period

Data | Retention period
Active user account | As long as the account remains active
Inactive user account (no login) | 24 months, then automatic deletion
Billing history and receipts | 7 years (Canadian accounting obligation)
Authentication and security logs | 12 months
Anonymized analytics data | Indefinitely, in aggregated and non-identifying form

Upon expiration of these periods, data is permanently deleted or irreversibly anonymized.

6. Your rights

Pursuant to PIPEDA and Loi 25, you have the following rights:

  • Right of access: obtain confirmation that your data is being processed and receive a copy.
  • Right to rectification: request correction of inaccurate or incomplete data.
  • Right to erasure (right to be forgotten): request deletion of your personal data, subject to overriding legal obligations (notably accounting).
  • Right to data portability: receive your data in a structured, commonly used and machine-readable format, or request its direct transmission to another data controller.
  • Right to withdraw consent: at any time, withdraw consent given for a specific processing activity (for example push notifications).
  • Right to cease dissemination (Loi 25): request that the dissemination of personal information cease, or that any hyperlink allowing access to it be de-indexed.

To exercise these rights, contact our Personal Information Officer at privacy@[DOMAIN]. We will respond within a maximum of 30 days.

If our response does not satisfy you, you may file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or, for Quebec residents, with the Commission d'accès à l'information du Québec (cai.gouv.qc.ca).

7. Data security

We implement reasonable technical and organizational measures to protect your personal information against loss, unauthorized access, disclosure, alteration or destruction. These measures include:

  • encryption of communications (HTTPS/TLS) and data at rest;
  • strict role-based access controls;
  • separation of authentication keys (anonymous for reads, service-role for writes);
  • access logging for sensitive data;
  • periodic security audits.

In the event of a confidentiality incident presenting a serious risk, in accordance with Loi 25, we will notify you without delay and inform the Commission d'accès à l'information du Québec where applicable.

8. Cookies and similar technologies

The service uses only cookies that are strictly necessary for authentication and for maintaining the user session. No advertising or third-party tracking cookies are placed without your prior explicit consent.

Cookie type | Purpose | Duration
Authentication session | Maintain your logged-in session | 30 days (renewed on each visit)
Preferences | Remember chosen language | 12 months

9. Minors

The service is not intended for individuals under 18 years of age, and we do not knowingly collect any personal information from them. If you believe a minor has provided data, contact us for immediate deletion.

10. Policy modifications

This policy may be updated to reflect changes in practices or legal obligations. You will be notified by email of any substantial modification at least 30 days before it enters into force. The last updated date is shown at the top of the document.

11. Contact

For any questions concerning this policy or the processing of your personal information:

privacy@[DOMAIN]
[COMPANY_NAME]
[ADDRESS]
[PROVINCE], Canada
