PlanCertify

Privacy Policy

Effective: June 13, 2026 · AllSpark Enterprises Ltd.

Legal Disclaimer: This document provides general information only and does not constitute legal, tax, or professional advice. Laws vary by province and change over time. Consult a licensed lawyer or CPA for advice specific to your situation.

1. Introduction

AllSpark Enterprises Ltd. (“we”, “us”, or “our”) operates PlanCertify at https://plancertify.ca (the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA), the Canadian Anti-Spam Legislation (CASL), and applicable provincial privacy law.

By using the Service, you consent to the practices described in this Policy.

2. Who We Are

AllSpark Enterprises Ltd.
Devlin, Ontario, Canada

Privacy contact: stephenlavoie@allsparkenterprisesltd.com

3. Applicable Privacy Legislation

  • Federal — PIPEDA: applies in all provinces without substantially similar legislation.
  • Quebec — Law 25: stricter than PIPEDA. Requires mandatory PIAs for cross-border transfers, 72-hour breach notification to the CAI, and expanded individual rights (portability, de-indexing, automated decision review). Quebec residents have these additional rights.
  • British Columbia — BC PIPA: applies to private-sector organizations in BC.
  • Alberta — Alberta PIPA: applies to private-sector organizations in Alberta.
  • Ontario — PHIPA: governs personal health information only. PlanCertify does not collect health information; PHIPA does not apply.

We apply the highest applicable standard across all provinces we serve.

4. Information We Collect

4.1 Information You Provide

  • Account registration: name, email address, password (hashed — never stored in plain text)
  • Business profile: company name, industry, province of operation
  • Payment information: billing details processed by Square Inc. (we do not store card numbers)
  • Partner information: professional credentials, licence number, banking details (held by Stripe Connect)
  • Business plan content: text, data, and documents you input to generate plans
  • Support communications: messages and inquiries sent to our team

4.2 Information Collected Automatically

  • Session cookies: authentication tokens issued by Supabase
  • Usage data: pages visited, features used, session duration, timestamps
  • Device information: browser type, operating system, IP address, referring URL
  • Server logs: retained for security and debugging

4.3 Cookies

We use first-party session cookies (Supabase auth tokens) for authentication, and may use optional analytics cookies. See our Cookie Policy for details and opt-out instructions.

5. How We Use Your Information

  • To create, manage, and secure your account
  • To generate AI-assisted business plans based on your inputs
  • To process client payments and issue receipts (Square)
  • To pay partner professionals upon job completion (Stripe Connect)
  • To send transactional emails (account confirmation, security alerts, payout notifications) via SendGrid — exempt from CASL opt-out requirements
  • To send commercial electronic messages (promotions, newsletters) only with your express or implied consent under CASL — see Section 6
  • To detect fraud, abuse, and unauthorized access
  • To improve the Service using anonymized, aggregated analytics
  • To comply with Canadian tax law, PIPEDA, and CASL

6. CASL — Commercial Electronic Messages

  • Express consent: we obtain your written consent before sending promotional emails. Consent is recorded with timestamp and IP address.
  • Implied consent: we may send CEMs without express consent where CASL permits (e.g., existing business relationship within the past 2 years).
  • Unsubscribe: every commercial email includes a functioning unsubscribe mechanism; unsubscribe requests are processed within 10 business days.
  • Transactional messages (verification, password reset, payout confirmation, security alerts) are not CEMs and are sent regardless of marketing consent.
  • We do not harvest email addresses by automated means or purchase email lists.

7. Third-Party Service Providers

  • Supabase Inc. — authentication and database hosting (US/EU)
  • Square Inc. — inbound payment processing (PCI-DSS Level 1; US)
  • Stripe Inc. — partner payout processing via Stripe Connect (US)
  • Twilio SendGrid — transactional and commercial email delivery (US)
  • Vercel Inc. — Next.js application hosting (US)

We do not sell, rent, or trade your personal information for marketing purposes.

8. Cross-Border Data Transfers

All sub-processors are US-based. We mitigate this through contractual DPAs, SOC 2 Type II / PCI-DSS certified processors, and TLS + AES-256 encryption.

Quebec Residents — Law 25

Before transferring your information outside Quebec, we conduct a Privacy Impact Assessment (PIA). A summary is available on request. You may request restriction of cross-border transfer; however, this will prevent use of the Service as all infrastructure is US-hosted.

BC and Alberta: cross-border transfers are conducted under contractual protections required by BC PIPA and Alberta PIPA.

9. Data Retention

  • Account data: duration of account + 3 years after closure
  • Business plan content: until deleted or account closed
  • Payment records: 7 years (CRA / Income Tax Act)
  • CASL consent records: 3 years after withdrawal or end of relationship
  • Security breach logs: 24 months (PIPEDA Security Breach Regulations SOR/2018-64)
  • Server logs: 90 days

10. Security Breach Notification

Under PIPEDA Security Breach Regulations (SOR/2018-64) we are required to notify the OPC of any breach posing a real risk of significant harm, notify affected individuals, and maintain a breach log for 24 months.

Quebec residents: the CAI must be notified within 72 hours of a breach likely to cause serious injury (Law 25).

Suspected breach? Contact us immediately at stephenlavoie@allsparkenterprisesltd.com.

11. Your Privacy Rights

Under PIPEDA you have the right to access, correct, and delete your personal information, and to withdraw consent. We respond within 30 days.

Additional Rights for Quebec Residents (Law 25)

  • Data portability: receive your data in a structured, technology-based format
  • De-indexing: request removal of information that may harm your reputation
  • Automated decision review: request human review of automated decisions

Contact stephenlavoie@allsparkenterprisesltd.com to exercise any right, or file a complaint with the Office of the Privacy Commissioner of Canada.

12. Children

The Service is not directed to individuals under 18. We do not knowingly collect personal information from minors.

13. Changes to This Policy

We will notify you of material changes by email and by posting an updated Policy with a revised effective date. Continued use constitutes acceptance.

14. Contact

AllSpark Enterprises Ltd.
Devlin, Ontario, Canada

stephenlavoie@allsparkenterprisesltd.com

OPC: www.priv.gc.ca | 1-800-282-1376