Privacy Policy

1. Introduction

INU CarFix (“we”, “us”, “our”) operates an online marketplace connecting vehicle owners with auto repair shops across Canada. This Privacy Policy explains how we collect, use, disclose, and protect your personal information in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Law 25 (An Act to modernize legislative provisions as regards the protection of personal information), and applicable provincial privacy legislation.

2. Information We Collect

We collect information that you provide directly:

• Account information: Name, email address, phone number, password, and account role (customer or shop owner)
• Vehicle information: Year, make, model, VIN, mileage, and service history
• Shop information: Business name, address, services, opening hours, photos, and contact details
• Quote and booking details: Service descriptions, preferred dates/times, and communication with shops
• Payment information: Payment transactions are processed by Stripe. We do not store credit card numbers.
• Communications: Messages between customers and shops, support tickets, and reviews

We also collect information automatically:

• Usage data: Pages visited, features used, and interaction patterns
• Device information: Browser type, operating system, and device identifiers
• Location data: City and postal code for shop search (only when you provide it)

3. How We Use Your Information

• Providing and improving the CarFix marketplace platform
• Matching you with repair shops and facilitating quotes and bookings
• Processing payments through our payment processor (Stripe)
• Sending transactional notifications (appointment confirmations, status updates, reminders)
• Sending marketing communications (only with your express consent)
• Maintaining vehicle service history and maintenance reminders
• Responding to support inquiries and resolving disputes
• Ensuring platform security and preventing fraud
• Complying with legal obligations

4. Consent

We obtain your consent before collecting, using, or disclosing your personal information. Consent may be express (e.g., checking a consent box) or implied (e.g., providing information as part of a transaction). You may withdraw consent at any time by contacting us, subject to legal or contractual obligations. Marketing communications require separate, express opt-in consent and are not bundled with terms of service acceptance.

5. Third-Party Service Providers

We share personal information with these service providers:

• Supabase: Database hosting and file storage (Canadian region)
• Stripe: Payment processing (Stripe Connect for marketplace payments)
• Twilio: SMS notifications
• Resend: Email notifications
• Vercel: Application hosting
• Sentry: Error monitoring and performance tracking (PII is scrubbed before transmission; requires analytics consent)

Each provider processes data only for the purposes of providing their service to us and is contractually obligated to protect your information.

6. Data Storage and Security

We store your data on servers located in Canada. We implement appropriate technical and organizational safeguards including encryption in transit (TLS) and at rest, access controls, and regular security reviews. While no method of transmission over the Internet is 100% secure, we take reasonable steps to protect your personal information.

7. Data Retention

We retain your personal information only as long as necessary to fulfill the purposes for which it was collected, or as required by law. Account data is retained while your account is active. After account deletion, we retain anonymized data for analytics purposes only. Financial records are retained as required by tax regulations.

8. Your Rights

Under Canadian privacy law, you have the right to:

• Access your personal information held by us
• Correct inaccurate personal information
• Withdraw consent for the use of your personal information
• Request deletion of your personal information (subject to legal retention requirements)
• Data portability - request your data in a structured, machine-readable format (as required by Quebec Law 25)
• De-indexation - request removal of your personal information from search results

To exercise any of these rights, contact our Privacy Officer at the address below. We will respond within 30 days.

9. Data Breach Notification

In the event of a data breach that poses a real risk of significant harm, we will notify the Office of the Privacy Commissioner of Canada and affected individuals as required by law. We maintain a breach log as required by the Breach of Security Safeguards Regulations.

10. Children's Privacy

CarFix is not intended for use by anyone under the age of 18 (or the age of majority in your province). We do not knowingly collect personal information from minors.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the platform. Continued use of CarFix after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, contact our Privacy Officer: