Privacy Policy

Version v2.0 — effective 2026-05-17

English is the controlling language. Translations are provided for convenience only.

1. Introduction

MyRavex Inc. ("MyRavex," "we," "us") provides a business management platform for home-services contractors. This Privacy Policy explains what personal information we collect from Contractors and their Clients, how we use and share it, and the rights you have over it.

This policy applies to the MyRavex web application, the MyRavex mobile applications, the public quote/invoice portals, our marketing site, and any related APIs (collectively, the "Service"). If you do not agree to this policy, do not use the Service.

2. Information We Collect

2.1 Account information you provide

  • Name, email address, phone number, business address.
  • Business name, trade, services offered, business hours.
  • Tax identifiers (HST number, GST number, state sales-tax registration, EIN).
  • Profile photo, business logo, brand colour.

2.2 Business and Client data you upload

  • Client records (names, emails, phones, service addresses, notes).
  • Quotes, invoices, jobs, expenses, signatures, and attached photos.
  • Service templates, terms-and-conditions packs, recurring schedules.

Important: you are the controller of Client data uploaded to the Service. You are responsible for obtaining your Clients' consent and for honouring their privacy rights under applicable law.

2.3 Payment information

We do not store full card numbers, CVV codes, or bank account numbers. When you pay a MyRavex Subscription, or when one of your Clients pays an invoice online, the card data flows directly to Stripe and we receive only a Stripe customer or payment token, the last four digits of the card, the card brand, and the transaction status.

For Stripe Connect we receive metadata about your connected account (status, capabilities, payout schedule) but never the underlying bank credentials.

2.4 Usage and device data

  • IP address, browser type, device type, operating system, language, timezone.
  • Pages visited, features used, click events, error logs, request timing.
  • Mobile push tokens (Expo / APNs / FCM) when you grant notification permission.

2.5 Communications

Support tickets, replies to in-app messages, content of emails or SMS messages you send to your Clients through the Service (so we can deliver them), and any feedback you provide.

3. How We Use Information

We use the information described above to:

  • Provide, maintain, and improve the Service, including generating PDFs, sending invoices and quotes, processing payments, and running cron jobs (overdue reminders, recurring invoices).
  • Bill Subscriptions, and prevent and investigate fraud, chargebacks, or other suspicious activity.
  • Provide customer support and respond to your requests.
  • Send service-related notifications (account, security, billing). These are not promotional and you cannot opt out while your account is active.
  • Send product updates, feature announcements, and tips. You may opt out at any time from Settings → Notifications.
  • Analyse aggregate usage to improve performance, prioritise features, and diagnose bugs.
  • Comply with legal obligations and respond to lawful requests from regulators or courts.

We do not sell personal information. We do not share Client data across Contractors, and we do not use Content to train any third-party machine-learning model without prior, explicit consent.

4. Third-Party Services and Sub-Processors

We engage the following sub-processors to deliver the Service. Each processes personal information only on our instructions and under a data-protection agreement:

  • Stripe (USA / Ireland): Subscription billing, online payments from your Clients, Stripe Connect onboarding. Receives card data, customer email, billing address, invoice amounts.
  • SendGrid (Twilio, USA): Transactional email delivery (invoice emails, password resets, notifications). Receives recipient email, message content, and rendering metadata.
  • Twilio (USA): SMS delivery to your Clients. Receives the recipient phone number and message body.
  • Supabase (USA, Singapore depending on project): Postgres database, Supabase Auth, file Storage. Holds the canonical copy of your account, business data, and uploaded files.
  • Vercel (USA): Hosts the web application and runs serverless functions and cron jobs. Receives request metadata (IP, user-agent, path).
  • Google (analytics & optional OAuth, USA): Optional product analytics, optional Google Calendar sync, optional sign-in. Receives only what you choose to connect.
  • OpenAI / Anthropic (USA): Powers AI Assistant, AI Insights, and other AI-suggested content. Receives the prompts and context you choose to send; does not train on customer data per their enterprise agreements.
  • Expo / Apple APNs / Google FCM: Push notifications to the MyRavex mobile app. Receives device push tokens and notification payloads (no PII beyond what you include).

We do not advertise on third-party networks and we do not place advertising tags or pixels on the authenticated Service.

5. Cookies and Similar Technologies

We use a small number of cookies and similar technologies:

  • Strictly necessary: session and auth cookies set by Supabase Auth to keep you signed in, and a small CSRF token. The Service cannot function without these.
  • Preferences: theme, language, sidebar collapsed state. Stored in localStorage to remember your settings between visits.
  • Analytics: optional, used in aggregate to improve the product. May be disabled with browser do-not-track signals where supported.

We do not place third-party advertising cookies on the authenticated Service. Marketing landing pages may use first-party analytics only.

6. Data Retention

We retain personal information for as long as your account is active. When you close your account:

  • Operational data (clients, quotes, jobs, photos, AI conversations) is deleted within 30 days.
  • Billing, invoice, and tax records are retained for 7 years to meet Canadian and U.S. tax-record retention requirements (CRA, IRS, provincial and state revenue agencies).
  • Anti-fraud signals and chargeback evidence may be retained for up to 7 years to protect MyRavex and other Users.
  • Aggregated, de-identified usage metrics may be retained indefinitely for analytics.

Audit and security logs are retained for up to 12 months.

7. Your Rights

7.1 Canada (PIPEDA and provincial privacy laws)

  • Right to access the personal information we hold about you.
  • Right to correct inaccurate information.
  • Right to withdraw consent, subject to legal or contractual restrictions (you can close your account at any time).
  • Right to complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca) or your provincial privacy regulator.

7.2 California (CCPA / CPRA)

  • Right to know what categories of personal information we collect and how we use them.
  • Right to delete personal information, subject to legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing for cross-context behavioural advertising. We do not sell or share for advertising.
  • Right to non-discrimination for exercising your rights.

7.3 European Union / UK (GDPR / UK GDPR)

Although MyRavex primarily serves Canada and the United States, if you access the Service from the EU or the UK you may have the following rights:

  • Access, rectification, erasure, restriction of processing, data portability, and objection to processing.
  • Right to lodge a complaint with a supervisory authority.

To exercise any of these rights, contact privacy@myravex.com. We will respond within the time required by applicable law (typically 30 days). We may verify your identity before processing requests.

8. Data Security

We implement administrative, technical, and physical safeguards designed to protect personal information:

  • Encryption in transit: TLS 1.2+ for all traffic between your browser/app and the Service.
  • Encryption at rest: AES-256 (or equivalent) at the Supabase database and Storage layer.
  • Password hashing: bcrypt via Supabase Auth — we never see or store plaintext passwords.
  • Access controls: Row-Level Security (RLS) policies enforce tenant isolation; staff access is limited to those who need it, requires SSO with MFA, and is logged.
  • Backups: Daily encrypted database backups with point-in-time recovery.

No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we will respond to incidents in accordance with section 11.

9. International Data Transfers

MyRavex is headquartered in Ontario, Canada. Personal information may be processed and stored in:

  • The United States (Supabase, Stripe, Vercel, SendGrid, Twilio, OpenAI, Anthropic).
  • Canada (MyRavex office, certain backup snapshots).
  • Other regions where our sub-processors operate global infrastructure (for example, content-delivery networks).

Where personal information leaves Canada, we rely on contractual safeguards with our sub-processors and on adequacy frameworks where applicable. You acknowledge that data processed in the United States may be subject to U.S. law, including lawful access requests.

10. Children's Privacy

The Service is not directed to, and is not intended for, persons under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, contact privacy@myravex.com and we will delete it.

11. Data Breach Notification

If we become aware of a breach of security that creates a real risk of significant harm, we will notify affected Users without undue delay and, in any event, within 72 hours of confirming the breach. We will also notify the Office of the Privacy Commissioner of Canada and any other regulator required by law (including PIPEDA section 10.1 and applicable U.S. state breach-notification statutes). See section 13 of our Terms and Conditions for the full process.

12. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes we will provide at least 30 days' advance notice by email or in-app notification and may require you to re-accept the updated policy before continuing to use the Service. Non-material changes (clarifications, typos, link updates) may be made without prior notice.

13. Contact

If you have questions or wish to exercise any privacy right, contact:

MyRavex Inc. — Privacy Office
169 Greer Street, Lower Unit
Barrie, ON L9J 0R7, Canada
privacy@myravex.com
