PlanRelevé — Privacy Policy
This English version is provided for convenience. The French version ("Politique de confidentialité") is the official version and prevails in the event of any discrepancy.
1. About this Policy
This Privacy Policy explains how Infotech Canada collects, uses, discloses, retains and protects personal information when you use PlanRelevé. It is written to comply with:
- Québec's Act respecting the protection of personal information in the private sector, as amended by Act 25 (formerly Bill 64) ("Law 25");
- the federal Personal Information Protection and Electronic Documents Act ("PIPEDA") and its substantially similar provincial equivalents (Alberta PIPA, British Columbia PIPA); and
- other applicable Canadian privacy legislation.
"Personal information" means any information that relates to a natural person and allows that person to be identified, directly or indirectly.
PlanRelevé is a business-to-business service. It is not directed to consumers or to children (see Section 14).
2. Two roles — please read
Personal information moves through PlanRelevé in two distinct ways, and our responsibilities differ for each:
- Information we collect to run the Service (e.g., the email address you use to sign in, billing metadata, security logs). For this information, Infotech Canada determines the purposes and acts as the enterprise responsible for it under Law 25. This Policy governs that information.
- Content you upload (electrical, fire-protection, security and telecom plans and related documents, together "Customer Content"). These files may contain personal information about third parties — for example, client names, site addresses, or the stamps of architects and engineers. For this information, your organization decides why and how it is processed, and Infotech Canada acts on your organization's behalf and instructions as a service provider. Your organization is responsible for having the authority and any consents required to upload it. Our handling of Customer Content is also governed by the Terms of Service and the data-protection commitments in it.
3. Person in charge of the protection of personal information
In accordance with section 3.1 of Law 25, Infotech Canada has designated a person responsible for the protection of personal information:
Person in charge of the protection of personal information
Infotech Canada, Joliette, Québec, Canada
Email: info@it-ca.tech
You may contact this person to exercise your rights (Section 11), ask questions about this Policy, or make a complaint.
4. Personal information we collect, and why
We practise data minimization: we collect only what we need to provide the Service. Notably, a user account stores your email address only — we do not ask for or store your name, telephone number, photo, or job title.
| Category | What it includes | Purpose |
|---|---|---|
| Account & identity | Email address; hashed password (argon2id); organization membership and roles; email-verification status; and whether two-factor authentication is required (an organization-level setting) | Create and secure your account; authenticate you; apply your permissions |
| Security state | Failed-login counter and temporary lockout; session revocation timestamp; one-time codes (stored only as a hash) for 2FA; a hashed "trusted device" token | Protect accounts against unauthorized access |
| Customer Content | The plans and documents you upload, and everything derived from them (renders, take-offs, exports). May contain third-party personal information | Provide the take-off, estimating and export features you use (processed on your organization's instructions) |
| Usage & activity logs | Audit-log entries: the acting user's email and ID, the action performed, the affected project/organization, and a timestamp. Application logs (technical events) | Security, traceability, troubleshooting, and legal compliance |
| Billing metadata | Stripe customer and subscription identifiers, plan, seat count, and storage-usage measurements | Manage your subscription, seats, taxes and invoices |
| AI-feature metadata | For each AI request: the feature used, model, token counts, cost, latency, and success/error status. Copilot chat: the text of your conversations with the assistant and any price-list files you attach to it | Provide and meter the optional AI features you enable; let you revisit your assistant conversations |
| Cookies | A session cookie, a language-preference cookie (lang), and a "trusted device" cookie | Keep you signed in, remember your language, and reduce repeated 2FA prompts (see Section 13) |
What we do NOT collect: We do not record your IP address or browser user-agent in our audit logs. We use no advertising, analytics or tracking technologies of any kind (no Google Analytics, no pixels, no third-party trackers). We do not sell or rent personal information, ever.
5. Consent
- At account creation and use, you consent to the processing described in this Policy for the purposes of providing the Service.
- AI features are turned off by default. They are enabled only when your organization's administrator explicitly turns them on, through two separate, granular controls:
- AI features (
ai_enabled) — enables assistant, part-search, estimate-check and similar features, which send the structured data and text you provide (queries, catalog/legend text, and any price-list files you attach) to our AI provider (see Section 7). - Sending plan content to AI (
ai_plan_content_enabled) — a second, separate consent required before any feature may send the content of your plans or specification documents to the AI provider. Without this second toggle, your plan content is not sent off-platform for AI processing.
- AI features (
- You may withdraw your consent at any time, including by turning the AI controls off or by closing your account. Withdrawal does not affect processing already carried out.
6. How we use personal information (purposes)
We use personal information only to:
- provide, operate, secure and maintain the Service;
- authenticate users and enforce access permissions;
- manage subscriptions, seats, storage metering, taxes and billing;
- provide customer support and respond to your requests;
- provide the optional AI features you have enabled;
- detect, prevent and respond to fraud, abuse and security incidents; and
- comply with legal obligations and enforce our Terms.
We do not use personal information for purposes incompatible with those above without obtaining your consent.
7. Third-party service providers (sub-processors)
We rely on a small number of service providers to operate the Service. We disclose to them only the information they need, under contractual confidentiality and security obligations. We do not authorize them to use your information for their own purposes.
| Provider | Role | Location of processing | Personal information involved |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, storage (S3), transactional email (AWS SES, or a configured SMTP relay) | Canada — ca-central-1 (Montréal) for the application and your stored files. Some ancillary AWS services (e.g., the marketing site's CDN/CloudFront, and optional application-log monitoring) may operate outside ca-central-1 | All account data and Customer Content — but files are encrypted by us before storage, so AWS storage holds ciphertext only |
| Stripe | Payment processing and subscription billing | United States (Stripe account established in Canada) | Organization/owner email, subscription and seat data, storage-usage measurements. Card details are entered directly with Stripe; we never receive or store them |
| Microsoft (Entra ID / Microsoft Graph) | Optional single sign-on (SSO) | United States / global | Only if you sign in with Microsoft: your email, name and tenant identity from your sign-in. We do not retain Microsoft access tokens |
| DeepInfra | AI inference for optional AI features | United States (see Section 8) | Only if AI is enabled: the queries, structured data, text and any files you submit to AI features; and, only under the second toggle, plan/specification content |
| SearXNG (self-hosted) + outbound web requests | Web-search and page-fetch tools used by the AI assistant | Our own infrastructure; outbound requests reach the public websites/search engines the assistant queries | Only the text of the search queries the assistant issues on your instruction |
We keep an up-to-date list of sub-processors and will update this Policy when it changes materially.
Certifications and contractual commitments of our sub-processors. Our "adequate protection" assessment (Section 8) relies in part on the recognized security certifications and data-processing agreements (DPAs) of each of our sub-processors:
- Amazon Web Services (AWS) — certified to SOC 1, 2 and 3, ISO/IEC 27001, 27017 and 27018 and PCI DSS, and assessed under the Canadian Centre for Cyber Security (CCCS) programs. Our servers and your files reside in the Canadian
ca-central-1(Montréal) region. AWS compliance programs. - Stripe — PCI DSS Service Provider Level 1 (the highest level), with SOC 1 and SOC 2 Type II reports produced annually; card data encrypted at rest (AES-256) and in transit (TLS 1.2+). Stripe publishes a Data Processing Agreement (DPA) and a list of its sub-processors.
- Microsoft (Entra ID / Microsoft Graph) — ISO/IEC 27001, 27017, 27018 and 27701 and SOC 1 and SOC 2 (Entra ID and Microsoft Graph are within the certified scope). Microsoft offers the Products and Services Data Protection Addendum (DPA).
- DeepInfra — states that it is SOC 2 and ISO/IEC 27001 certified, with technical and organizational measures aligned to GDPR and HIPAA. Per its terms, DeepInfra does not sell your submissions or use them to train models, and retains inputs and outputs only briefly, for debugging purposes. DeepInfra data privacy.
8. Communication of personal information outside Québec
Some of our service providers process personal information outside Québec — principally in the United States (Stripe, Microsoft, DeepInfra) and, for certain ancillary services, elsewhere. In accordance with section 17 of Law 25, before communicating personal information outside Québec we assess whether the information would receive adequate protection, taking into account the sensitivity of the information, the purposes, the protective measures (including contractual clauses), and the legal framework of the destination.
Where your data is stored, in plain terms:
- Your plans and files are stored encrypted in Canada (AWS
ca-central-1). They do not leave Canada for storage. - Plan content leaves Canada only if you explicitly enable it — through the separate "Sending plan content to AI" consent — in which case that content is sent to our AI provider (currently in the United States) to produce the result you requested.
- Certain account and billing metadata is processed by providers in the United States (Stripe for billing; Microsoft if you use Microsoft sign-in).
Note on AI provider data handling. According to our AI provider's terms (DeepInfra), data submitted to AI features is processed in the United States; it is not sold or used to train models, and is retained only briefly, if at all, for debugging purposes. The provider states that it complies with SOC 2 and ISO/IEC 27001 standards. AI features remain disabled by default and require your explicit consent.
9. Automated processing and artificial intelligence
PlanRelevé offers optional, assistive AI features (for example, part search, estimate checks, and a project assistant). These features suggest information for a human to review; they do not make decisions about you that produce legal effects or similarly significant effects based exclusively on automated processing. A qualified person in your organization remains responsible for reviewing and approving any estimate, quantity or specification.
If we ever introduce a feature that makes a decision about an individual based exclusively on automated processing, we will inform the individual as required by section 12.1 of Law 25, including of the personal information used, the principal factors leading to the decision, and the right to have it reviewed and to submit observations.
10. Retention and destruction
- We retain account and Customer Content for as long as your organization's account is active.
- When an organization's account is deleted, the account is suspended and then, after a 30-day grace period, all of the organization's records and stored files are permanently deleted. Certain platform-level audit entries required for security and legal purposes are retained without directly identifying content (see below).
- Audit logs are retained for 7 years by default (configurable), after which they are deleted.
- Application (technical) logs are retained for approximately 30 days.
- Some minimal transactional records (for example, a log that an email was sent, without its body) may persist for operational and security reasons.
When personal information is no longer required for the purposes for which it was collected, we destroy or anonymize it in accordance with applicable law.
11. Your rights
Subject to the conditions and exceptions in applicable law, you have the right to:
- Access the personal information we hold about you;
- Rectify information that is inaccurate, incomplete or out of date;
- Withdraw your consent to processing (including turning AI features off);
- Request deletion (erasure) of your personal information;
- De-indexing / cessation of dissemination where the legal conditions are met;
- Data portability — obtain the computerized personal information you provided to us in a structured, commonly used technological format (Law 25, in force since September 2024). Organization administrators can generate a data export directly from the Service;
- Information about automated processing (Section 9); and
- Submit observations to the person in charge.
How to exercise your rights. Contact the person in charge at info@it-ca.tech. We may need to verify your identity before responding. If you are a member of a customer organization, some requests may be handled through your organization's administrator, who controls the Customer Content; we will assist as required by law. We will respond within 30 days.
Complaints. If you are dissatisfied with our response, you may lodge a complaint with the applicable regulator:
- Commission d'accès à l'information du Québec (CAI) — cai.gouv.qc.ca
- Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca (for matters under PIPEDA), or your provincial commissioner.
12. Confidentiality incidents (security breaches)
We maintain measures to detect and respond to confidentiality incidents (unauthorized access to, use of, loss of, or communication of personal information). In accordance with sections 3.5 to 3.8 of Law 25, we:
- maintain a register of confidentiality incidents;
- assess whether an incident presents a risk of serious injury; and
- where such a risk exists, notify the Commission d'accès à l'information and the affected individuals with reasonable diligence, and take reasonable measures to reduce the risk and prevent recurrence.
13. Cookies and similar technologies
PlanRelevé uses only strictly necessary / functional cookies. It does not use advertising, analytics, profiling or cross-site tracking cookies.
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Keeps you signed in; marked Secure in production and inaccessible to scripts | Session |
lang | Remembers your interface language (FR/EN) | Up to 1 year |
pt_trusted_device | Lets you skip repeated 2FA prompts on a device you trusted | 30 days |
Your browser also stores small non-personal preferences locally (e.g., light/dark theme, symbol-palette favourites); these never leave your device. You can clear cookies and local storage in your browser at any time; doing so may sign you out or reset preferences.
14. Children and minors
PlanRelevé is a professional, business-to-business tool. It is not directed to children or minors, and we do not knowingly collect personal information from anyone under the age of majority. Accounts are intended for authorized users of business customers.
15. Security measures
We protect personal information with technical and organizational safeguards, including:
- Encryption of your files with a per-organization AES-256 key, applied in chunks (AES-256-GCM) before data reaches storage — plaintext never reaches the storage backend;
- Encryption in transit (TLS/HTTPS);
- Strong password hashing (argon2id), account lockout after repeated failed logins, and optional email-based two-factor authentication;
- Strict tenant isolation so one organization cannot access another's data (cross-tenant access is denied);
- Role-based access controls, encryption-key rotation, and least-privilege operational access;
- Audited support access — our staff cannot browse your content casually; support impersonation is limited, logged, and requires confirmation for sensitive actions.
No system is perfectly secure, but we work to protect your information proportionately to its sensitivity.
16. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will update the "Last updated" date and, where appropriate, notify you. Your continued use of the Service after an update constitutes acknowledgement of the revised Policy.
17. Contact us
Infotech Canada — PlanRelevé
Email: info@it-ca.tech
Joliette, Québec, Canada