How Paytrale collects, uses, shares, retains, and protects personal information across the website, app, and platform.

Paytrale Inc. is an Alberta-incorporated company based in Stettler, Alberta, Canada. We operate paytrale.com and the Paytrale field service management application for trades professionals.

Our designated Privacy Officer is accountable for compliance with applicable Canadian privacy law.

• Privacy Officer: Brayden Rowland
• Email: support@paytrale.com
• Address: Box 189, Stettler, Alberta, T0C 2L0, Canada
• Response time: requests are acknowledged within 5 business days and answered within 30 calendar days, or 45 calendar days where Alberta PIPA permits an extension.
• Regulators: Alberta Office of the Information and Privacy Commissioner and the Office of the Privacy Commissioner of Canada.

This is a unified Privacy Policy covering personal information collected, used, or disclosed by Paytrale across all platforms and touchpoints.

• Website: marketing and informational pages, waitlist signup, account sign-in and sign-up, owner billing access, and contact email flows.
• Application and platform: the iOS application, Android application, web platform, and all related services.
• Covered individuals include operators, administrators, team members, customers and contacts entered by operators, website visitors, direct contacts, and waitlist subscribers.
• Operators who enter customer information into Paytrale act as data controllers for that customer data. Paytrale acts as a data processor on the operator’s behalf for those records.
• If you are a customer of a Paytrale operator and want access, correction, or deletion, contact that operator directly first.
• Paytrale builds its privacy practices to satisfy both Alberta PIPA and PIPEDA.

App store disclosure summary

• Data linked to you may include contact information, invoice and payment-status information, manually entered service addresses, user content such as job notes, contracts, signatures, photos, messages, identifiers, and usage data.
• Data not linked to you includes anonymized crash logs and performance traces processed through Sentry.
• Data not collected includes precise real-time location, health data, sensitive information, browsing history, search history, device contacts, and financial account or raw card numbers.
• Security commitments include encryption in transit, encryption at rest, and hashed passwords.
• Users can delete their account and associated data from within the app.

Website-specific collection

• Waitlist signup: email address only, stored in Supabase, with an operational notification email sent to the Paytrale support inbox via Resend. Repeated submissions refresh the same record. A temporary copy may be held in browser session storage for confirmation-screen prefill and cleared after submission or session end.
• Support contact: information you include in email sent through a mailto link is provided voluntarily and received in the Paytrale support inbox.
• Account sign-up and sign-in: full name, email address, and password. Credentials are handled by Supabase Auth and website session state is maintained by the Supabase web client until sign-out.
• Billing access: account email, subscription plan, billing cycle, renewal date, and payment-method summary such as card brand, last four digits, and expiry, fetched on demand from billing APIs. Card entry occurs only on Stripe-hosted pages.

Application-specific information you provide

• Account and identity data such as full name, email, phone, business name, address, province, postal code, and password credentials.
• Team member records including names, email addresses, assigned roles, and invitation status.
• Customer and contact records entered by operators, including names, phone numbers, email addresses, service or mailing addresses, and notes.
• Job and service records such as job address, type, description, assigned technician, dates, materials, expenses, time entries, and costs.
• Estimates and invoices including line items, amounts, due dates, payment status, and payment history.
• Contracts and signatures including contract PDFs, electronic signature images, timestamps, and signed PDFs.
• Job photos uploaded by operators or technicians and messages created during service interactions.

Automatically collected application data

• Device and technical data such as device type, operating system version, app version, and push-notification token.
• Product telemetry covering high-signal usage events such as invoice lifecycle milestones, screen views, and feature-adoption events.
• Authentication and security records such as session tokens, OAuth state, integration tokens, webhook data, and audit events.
• Diagnostic and crash data, including anonymized errors and performance traces processed through Sentry.
• Mobile device local cache used for offline access and cleared on sign-out or account deletion.

Information we never collect

• Plaintext passwords or reversible password representations.
• Raw credit card numbers, CVVs, or bank account numbers.
• Social Insurance Numbers or government-issued ID numbers.
• Biometric identifiers.
• Health or medical information.
• Racial or ethnic origin, religious beliefs, political opinions, or sexual orientation.
• Precise real-time or background location.
• Device address-book contacts.
• Browsing history or cross-app tracking data.
• Personal information from individuals under 18.

Website data purposes

• Waitlist email address: maintain a record of interest, contact you when Paytrale becomes available, and handle deletion requests.
• Account name and email: create your account and authenticate your identity.
• Account password: authenticate you into your account through the authentication provider.
• Billing display data: show your subscription, payment method, and invoice history during a signed-in session.
• Support email content: respond to inquiries, coordinate support, and maintain records for dispute resolution.

Application data purposes

• Create, authenticate, and manage accounts and send account-related notices.
• Enable multi-user access and role-based permissions within an organization.
• Support job creation, service delivery, invoicing, scheduling, and client communication.
• Generate invoices, maintain accounting records, and support warranty or dispute resolution.
• Support electronic contracts and signatures.
• Document service work with photos and messages.
• Deliver push notifications, optimize the app, maintain security, diagnose reliability issues, and enable offline access.

We use personal information only for the purposes identified at the time of collection. We do not use personal information for new purposes without identifying the new purpose and, where required, obtaining new consent.

• Operate and deliver the Paytrale Service, including account management, job creation, invoice generation, payment tracking, scheduling, and contract creation.
• Manage the website waitlist and contact interested businesses when Paytrale becomes available.
• Create and authenticate accounts across the website and application.
• Display subscription and billing information during signed-in sessions.
• Process payments through our third-party payment processor and maintain financial records.
• Send transactional communications such as invoices, payment confirmations, job updates, security alerts, and account notices.
• Provide support and respond to inquiries, complaints, and access requests.
• Maintain platform security and integrity, including fraud detection, access control, and breach investigation.
• Improve and develop the Service using de-identified and aggregated telemetry data.
• Comply with legal obligations and enforce the Terms of Service.
• Send commercial messages only with separate express consent.

We do not sell, barter, rent, or trade personal information lists, and we do not share personal information for advertising purposes.

• Service providers acting as processors under contractual restrictions and safeguard requirements.
• Law enforcement, regulators, courts, or government authorities when disclosure is required by law or lawful demand.
• Parties involved in fraud investigations, security incidents, or legal claims.
• Prospective counterparties and their advisors in mergers, acquisitions, financings, or asset sales, subject to confidentiality protections.
• Professional advisors such as lawyers, accountants, auditors, and insurers where needed for them to provide services to Paytrale.

Paytrale engages service providers under data processing agreements or equivalent protections.

• Supabase: database, authentication, and file storage for waitlist emails, credentials, operator account data, customer records, job data, contract files, signatures, and job photos.
• Stripe: payment processing and billing portal services. Raw card numbers are not stored by Paytrale.
• Twilio: SMS and voice messaging for invoice reminders and communications in the app.
• Resend: waitlist notifications and transactional email delivery.
• Sentry: anonymized error monitoring and performance traces.
• Google: optional calendar integration when authorized by the user.
• Intuit QuickBooks: optional accounting sync when authorized by the user.
• Hosting providers: infrastructure hosting and standard server request logs.

Paytrale has infrastructure for possible future AI features, but those features are not currently live and no personal information is currently sent to any AI provider.

The service providers identified above are headquartered in the United States, and personal information may be transferred to and processed on servers in the United States or other countries outside Canada.

Foreign laws may permit government access to information in those jurisdictions without notice to you or to Paytrale.

Paytrale uses contractual measures and due diligence to require foreign processors to protect information with safeguards equivalent to those required by Alberta PIPA and PIPEDA.

• Data processing agreements requiring PIPEDA-equivalent protections.
• Breach-notification requirements without unreasonable delay.
• Return or destruction requirements on contract termination.
• Security-practice due diligence before transfer.
• By using the Service or submitting information through the website, you acknowledge and consent to these cross-border transfers under the protections described in this policy.

Express consent

• Accepting this Privacy Policy and the Terms of Service at account registration.
• Opting in to commercial electronic messages at account setup.
• Authorizing integrations such as Google Calendar or QuickBooks.
• Authorizing electronic signatures on work orders and contracts.

Implied consent

We rely on implied consent for non-sensitive personal information where the purpose is obvious to a reasonable person within the existing service relationship.

Withdrawing consent

• Commercial communications: use the unsubscribe link or email support@paytrale.com.
• Third-party integrations: disconnect the integration in account settings.
• All data: close your account and follow the deletion process described in Section 11.
• Withdrawal requests are processed within 10 business days for commercial messages and within 30 calendar days for other withdrawals.

App permission requests

• Push notifications: used for invoice status updates, payment reminders, and job alerts. You can disable them in device settings.
• Camera: optional and used only for photo upload features.
• Photo library: optional and used only for photo selection in job documentation.
• Paytrale does not request access to device contacts, microphone, precise location, health data, or other device capabilities not listed above.

Website browser storage

• Waitlist email prefill may be stored temporarily in session storage and cleared after submission or session end.
• The Supabase authentication session is stored in browser storage and cleared on sign-out.

Application cookies and storage

• Strictly necessary and functional mechanisms are used to maintain authentication and logged-in state.
• Aggregate analytics are used for product improvement on a de-identified basis.
• Mobile applications do not use cookies; offline storage on the device is not cookie-based tracking.

What we do not use

The Paytrale website and application do not use advertising cookies, retargeting pixels, cross-site behavioral tracking, or third-party marketing analytics scripts. Because no non-essential tracking is currently present on the website, Paytrale does not operate a cookie consent banner.

We retain personal information only as long as necessary for the purposes for which it was collected or as required by law. When a purpose is fulfilled and no legal, accounting, security, or dispute-related need justifies retention, we destroy, delete, or anonymize the information.

Retention schedule

• Waitlist email addresses: retained while actively needed and deleted on request.
• Account and organization records: retained for the duration of the active account plus a post-closure window.
• Customer and contact records: retained for the duration of the relationship and deleted on account closure.
• Job and service records, invoices, estimates, and payments: generally retained for up to 7 years where statutory or accounting obligations apply.
• Contracts and signatures: retained for the relationship plus up to 7 years for dispute resolution and electronic-commerce compliance.
• Consent records: retained for the relationship plus at least 3 years to demonstrate valid consent.
• Security breach records: retained for at least 24 months.
• Messages and communications: retained for up to 3 years where relevant to support, CASL compliance, or dispute resolution.
• Auth and session records: retained on a rolling 12-month basis.
• Raw product telemetry: retained for 365 days; aggregate telemetry for up to 730 days.
• Training dataset snapshots for future AI work, if ever used, are planned to be privacy-reviewed and de-identified only.
• Device-local cache is cleared on sign-out or account deletion.
• Support emails, browser session storage, and infrastructure logs are retained only as long as operationally necessary under provider policies.

Account deletion

• Deleting an account triggers deletion of contract storage objects, signature images, signed PDFs, job photos, organization and team records, customer, job, invoice, contract, message, telemetry, and session records, the Supabase auth user record, and device-local cached data.
• Records that may be retained after deletion include tax and financial records, Stripe-side records, Twilio and Resend delivery logs, aggregated anonymized analytics, mandatory security breach logs, and infrastructure backups on normal rotation.

Waitlist deletion

There is currently no self-service deletion flow for waitlist entries stored in Supabase. Email support@paytrale.com to request deletion. Requests are acknowledged within 5 business days and confirmed within 30 calendar days.

AI-driven accounts receivable and workflow automation features are not currently live, and no personal information is currently sent to any AI language model provider.

If AI features become available, Paytrale will update this policy, send advance notice, obtain any required fresh consent, and describe the specific capabilities, data used, provider arrangements, retention windows, human review, and any right to challenge materially significant AI-assisted decisions.

Paytrale uses safeguards appropriate to the sensitivity of the information involved.

• TLS 1.2 or higher for data in transit.
• AES-256 or equivalent protections for data at rest where applicable.
• Passwords are never stored in plaintext and are hashed using bcrypt or Argon2.
• Raw card numbers and CVVs are never stored; Stripe processes and tokenizes payment data.
• Role-based access controls and least-privilege access.
• Multi-factor authentication is available for operator accounts.
• Diagnostic scrubbing to exclude personal identifiers, customer data, and auth tokens from error monitoring.
• Processor contracts requiring equivalent protections.
• Privacy and data-handling training for team members with access to personal information.

No system is completely secure, but Paytrale maintains an incident response plan and is committed to prompt breach notification where required.

• Contain and investigate the breach immediately.
• Assess whether the breach creates a real risk of significant harm.
• If that threshold is met, notify the Alberta OIPC and/or OPC Canada as soon as feasible using the required forms.
• If that threshold is met, notify affected individuals directly with the required breach details, mitigation steps, and Privacy Officer contact information.
• Notify third parties such as law enforcement or payment processors where they may help reduce harm.
• Maintain records of all breaches, whether or not they meet the reporting threshold, for at least 24 months.

Under Alberta PIPA and PIPEDA, you can contact support@paytrale.com to exercise your privacy rights.

• Right of access to information Paytrale holds, the purposes for holding it, and third parties to whom it has been disclosed.
• Right to correction of inaccurate or incomplete information.
• Right to withdraw consent subject to legal or contractual limits.
• Right to delete your account and associated data from within the app.
• Right to request deletion of your waitlist entry by emailing support@paytrale.com.
• Right to complain to Paytrale, the Alberta OIPC, or OPC Canada.

Transactional messages

• Invoice delivery, payment confirmations, and payment-status updates.
• Job status notifications and scheduling updates.
• Account security alerts, password resets, and login notifications.
• Privacy breach notifications and legally required disclosures.

Commercial messages

Paytrale sends commercial electronic messages only with express consent. Commercial messages identify Paytrale by legal name and physical address and include a working unsubscribe mechanism processed within 10 business days.

Website-specific note

The website does not currently run a newsletter or outbound promotional email program. The current website-triggered email is the internal operational waitlist notice sent to Paytrale, not a commercial message sent to the subscriber.

The Paytrale Service and website are designed for business professionals aged 18 and older. Paytrale does not knowingly collect personal information from individuals under 18.

If Paytrale learns that a minor has provided personal information, it will delete that information promptly upon verification.

• Updated policies will be posted at paytrale.com/privacy and within the Paytrale application.
• The effective date and version number will be updated.
• Users will receive email and/or in-app notice at least 30 days before material changes take effect.
• Fresh express consent will be obtained for a new use of previously collected information or a material reduction in rights.
• Prior versions are available on request from the Privacy Officer.

This Privacy Policy and all privacy matters are governed by the laws of the Province of Alberta and the applicable laws of Canada, including Alberta PIPA and PIPEDA.

Disputes that cannot be resolved through Paytrale’s internal complaint process are subject to the jurisdiction of the courts of Alberta or the applicable privacy regulator.

Nothing in this policy limits any right you have to file a complaint with the relevant privacy authority.

• Alberta PIPA: Personal Information Protection Act, Alberta’s private-sector privacy statute.
• CASL: Canada’s Anti-Spam Legislation.
• CEM: Commercial electronic message encouraging participation in commercial activity.
• Data controller: organization determining the purposes and means of processing personal information.
• Data processor: organization processing personal information on behalf of a controller.
• DPA: data processing agreement governing processor handling of personal information.
• Operator: business owner, administrator, or team member who creates and manages a Paytrale account.
• OPC Canada: Office of the Privacy Commissioner of Canada.
• OIPC: Office of the Information and Privacy Commissioner of Alberta.
• Personal information: information about an identifiable individual, whether recorded or not.
• PIPEDA: Personal Information Protection and Electronic Documents Act.
• Privacy Officer: the individual designated by Paytrale as accountable for privacy compliance.
• RROSH: real risk of significant harm, the threshold for mandatory breach reporting.
• Service: the Paytrale mobile application, web platform, website, and related services.
• TLS: transport layer security, with Paytrale requiring TLS 1.2 or higher.