Privacy Policy

Last updated: 2026-06-06

MainteQC is a cloud platform for Quebec service businesses. This policy describes the personal information we process, why, and the rights granted to you under Quebec’s Law 25 and PIPEDA. In case of any language discrepancy, the French version prevails (Bill 96).

Our role: controller and processor

For our business customers’ accounts, the business that subscribes to MainteQC is the controller of its own clients’, employees’ and technicians’ information; MainteQC acts as a processor. For information tied to your own administrator account and subscription billing, MainteQC is the controller. See our Data Processing Agreement (DPA) summary.

What we collect and why

  • Identity & access: name, email, hashed credentials, two-factor authentication factors, sessions and IP address — to authenticate, secure and control access.
  • Operations: client, property, asset records, addresses and service history — for dispatch, scheduling and service delivery.
  • Time, mileage & payroll: on-site GPS arrival points only (no continuous tracking), work days, mileage and pay — for payroll and tax compliance.
  • Billing & payments: invoices, payment tokens (via Stripe; we do not store full card numbers) and tax IDs — to bill and remit taxes.
  • Documents & AI: uploaded documents, OCR text, search embeddings, PII-redacted AI prompts/responses and usage logs — for document search and assistance.

We never sell your personal information and do not use it for third-party advertising profiling.

Your rights under Law 25

  • Access — obtain a copy of the information we hold about you.
  • Rectification — correct inaccurate or incomplete information.
  • Portability — receive your information in a structured, commonly used technological format.
  • Erasure & de-indexing — request deletion or that we cease disseminating your information, subject to regulatory retention floors.
  • Withdraw consent — withdraw a previously granted consent, without retroactive effect.

To exercise a right, write to our Privacy Officer (below) or use the support form. If you are a client, employee or technician of a subscribing business, first direct your request to that business (the controller); we will assist them as the processor.

Privacy Officer

The MainteQC platform Privacy Officer can be reached at: privacy@mainteqc.com. Each subscribing business also designates its own officer, whose contact appears in its register of processing activities (ROPA).

Hosting & data residency

Your primary data (database, authentication, uploaded files) is hosted in Canada (ca-central-1 region). Our primary AI provider processes requests in Canada (northamerica-northeast1 region), with fallback to a Toronto-based provider.

Cross-border transfers & subprocessors

Some of our subprocessors process information outside Canada (mainly the United States and, for product analytics, the European Union): Stripe (payments), Mapbox (maps), Resend and Postmark (email), Twilio (SMS), Google Cloud Vision and Google Vertex AI (OCR and AI), Sentry (error monitoring), Cloudflare (CDN, R2, Turnstile), Vercel (web hosting), Expo/EAS (mobile builds), and Apple and Google (App Store, Play, push). Cohere (AI fallback) processes in Canada. Each subprocessor is bound by a data processing agreement (DPA) with contractual safeguards. Before any transfer outside Quebec, we conduct a privacy impact assessment as required by Law 25.

See the full, up-to-date subprocessor list.

PIPEDA (federal law)

For interprovincial or international commercial activity, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) also applies. We handle personal information per its ten fair-information principles (accountability, identifying purposes, consent, limiting collection, limiting use and retention, accuracy, safeguards, openness, individual access, and the ability to challenge compliance). You may complain to the Office of the Privacy Commissioner of Canada, and in Quebec to the Commission d’accès à l’information.

Retention

  • Account & identity: life of the account plus a 30-day deletion grace period.
  • Financial, tax, payroll and mileage records: 7 years (CRA / Revenu Québec).
  • Documents: per-document retention, subject to regulatory floors.
  • AI audit: retained; voice audio deleted after 30 days.

Security & breach notification

We apply encryption in transit and at rest, tenant isolation via row-level security, mandatory two-factor authentication for sensitive roles, and access logging. In the event of a confidentiality incident presenting a risk of serious injury, we will promptly notify affected individuals, the controlling business and the competent authorities (Commission d’accès à l’information), as required by Law 25.

Mobile app

Our technician mobile app collects additional information (background location, push tokens, camera, NFC, device identifiers). These are described in the mobile privacy appendix.

Changes

We may update this policy. Material changes will be signaled in-app or by email. The last-updated date appears at the top of this page.