Privacy Policy

Effective: April 18, 2026

1. Who we are

This Privacy Policy describes how INU Technologies Inc., a corporation incorporated under the laws of the Province of Ontario, with its registered office at 33 Alyssum Court, Richmond Hill, Ontario L4E 4M7, Canada (“INU Technologies”, “we”, “us”, or “our”), handles personal information in connection with the operation of the CarFix online marketplace (the “Platform”). INU Technologies is the operator of the Platform and is the business that contracts with Customers and Shops. “CarFix” is the brand under which INU Technologies offers the Platform; the legal entity is INU Technologies Inc.

We handle personal information in accordance with the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) (“PIPEDA”); the Act respecting the protection of personal information in the private sector (CQLR c P-39.1), as amended by An Act to modernize legislative provisions as regards the protection of personal information (S.Q. 2021, c. 25) (together, “Quebec Law 25”); Canada's Anti-Spam Legislation (S.C. 2010, c. 23) (“CASL”); and other applicable provincial privacy legislation (including Alberta's Personal Information Protection Act and British Columbia's Personal Information Protection Act).

2. Our approach to privacy and governance

INU Technologies maintains an internal privacy-governance framework that sets out how personal information is classified, collected, used, disclosed, retained, and destroyed; how subprocessors are reviewed; how privacy-impact assessments are carried out where required (including for transfers outside Quebec under Quebec Law 25); how we respond to access, correction, and complaint requests; and how we handle security incidents. The title and contact details of the person in charge of the protection of personal information are set out in Section 18.

We follow the ten fair-information principles established under Schedule 1 to PIPEDA: accountability, identifying purposes, consent, limiting collection, limiting use and disclosure, accuracy, safeguards, openness, individual access, and challenging compliance. This Policy is written in plain language so that you can understand what we do with your information before you provide it. More technical governance documentation is held internally and is available on request, to the extent permitted by law, from the Privacy Officer.

3. What information we collect

We collect different categories of information depending on how you use the Platform. Some information you provide to us directly; some is generated automatically by your device or our systems. We treat the categories marked “private” and “sensitive” below with a higher level of access control than public content.

3.1 Account and contact information (identifying)

Your name, email address, phone number, a salted password hash (we never store passwords in plain text), your account role (customer, shop owner, team member, or administrator), and your notification preferences. For shop owners, we also collect a Know-Your-Customer (KYC) phone number used for verification.

3.2 Vehicle information (sensitive)

Your vehicle year, make, model, and trim; odometer readings; and, if you choose to provide it, your Vehicle Identification Number (VIN), licence plate, and powertrain code. Vehicle service history in your garage is populated from (a) entries you make manually, and (b) appointments completed through the Platform that you chose to associate with a vehicle. Vehicle information is visible to a Shop only when you expressly attach a vehicle to a quote request or a booking with that Shop. Vehicle information is not displayed publicly or shared with other users. VIN data, combined with mileage and service history, can be identifying in combination; we therefore restrict internal access to these fields to the circumstances described in Section 8.

3.3 Private service-coordination content (private)

The description of the problem you submit in a quote request; photos you attach to a quote or an appointment; messages you exchange with a Shop through the in-app messaging feature; and digital vehicle inspection findings recorded by a Shop for a job you authorized. This content is visible to the Shop you selected and to authorized CarFix staff under the conditions in Section 8. It is not displayed publicly.

3.4 Shop business information

For Shops: business legal name, trade name, business address, opening hours, services offered, pricing, amenities, certifications, specialties, public photos, insurance or licensing details uploaded during onboarding, team member records, and public business contact details. A Shop's public profile page is visible to anyone who visits the Platform; uploaded licensing or insurance documents are not public and are used only for verification and compliance.

3.5 Reviews and ratings (public)

Ratings and written reviews that you publish about a Shop after a completed service. Reviews are displayed publicly on the Shop's profile, and the name or handle you have chosen on your account is displayed with each review.

3.6 Support communications

The content of support tickets, emails, and chat messages you send to our support team, together with any attachments you upload.

3.7 Subscription billing information (Shops only)

CarFix bills subscribed Shops for the cost of their monthly or annual plan. For this purpose only, our Subscription Payment Processor, Stripe Payments Canada, Ltd. and its affiliates, provides us with a transaction identifier, the card brand, the last four digits of the card, the billing postal code, and the outcome of each charge. We do not receive or store full card numbers, CVV values, or full billing addresses. CarFix does not process, receive, or route any payment between a Customer and a Shop for repair services.

3.8 Technical and security information

Usage data. Pages and screens visited, features used, click and tap events, and session timestamps.
Device and connection data. IP address, user-agent string, browser type, operating system, device type, and coarse language and time-zone settings.
Security and abuse-prevention signals. Login attempts, rate-limit triggers, suspicious-pattern flags, and CAPTCHA results.
Cookies. Session and preference cookies used to keep you signed in and to remember settings. Analytics cookies are set only where you have given consent. We do not use third-party advertising cookies.

3.9 Approximate location (user-provided)

A city or postal code you type into the shop-search form so that we can show you nearby Shops. We do not collect precise device GPS coordinates. If a future feature requires GPS, we will ask for your permission separately through your browser or device before enabling it.

4. Required versus optional information

Some information is required for the Platform to work; other information is discretionary. If you choose not to provide the required information, we may not be able to provide the corresponding feature.

Required to create an account: name, email address, phone number, password.
Required to submit a quote request: vehicle make, model, year, and a description of the issue.
Required to book an appointment: a confirmed account, the accepted quote, and the time slot you select.
Required for a Shop to go live: business name, address, services, opening hours, owner contact details, and owner identity verification.
Optional everywhere: VIN and licence plate, mileage logs, photos attached to a quote, avatar image, social-media links, secondary contacts on your account, and marketing communications.
Optional per search: city or postal code; you can browse without entering either.

We rely on your consent to collect, use, and disclose personal information. Consent may be express (for example, ticking an opt-in box) or implied from the circumstances (for example, submitting a quote request implies that the information in the request may be sent to the Shops you selected). You may withdraw consent at any time, subject to reasonable notice and to legal or contractual restrictions, by contacting our Privacy Officer using the details in Section 18. Withdrawing consent may limit our ability to provide some or all of the Platform's features.

Marketing communications require separate, express opt-in consent. Creating an account, submitting a quote request, or booking an appointment does not, by itself, constitute consent to receive marketing (see Section 12).

5. How we use your information

We use the information described in Section 3 for the purposes below, and only to the extent necessary for each purpose:

To create and maintain your account and to authenticate your sessions.
To operate the marketplace, match Customers with Shops, and deliver quote requests, quote responses, bookings, and appointment confirmations.
To provide informational features, including maintenance reminders, mileage prompts, warranty tracking, and recall notifications relayed from the U.S. National Highway Traffic Safety Administration (NHTSA).
To bill subscribed Shops for their CarFix plan and to handle accounting, chargebacks, invoices, and tax reporting related to that subscription billing.
To send service-related communications (receipts, reminders, policy updates, security alerts). These are transactional and are not marketing.
To send marketing communications, only where you have given separate express consent.
To provide customer support and to investigate issues reported by you or by another user.
To detect, investigate, and prevent fraud, abuse, spam, credential compromise, security incidents, and breaches of our Terms of Service.
To comply with legal obligations, respond to lawful requests from regulators, law-enforcement authorities, or courts, and to establish, exercise, or defend legal claims.
To measure how features are used and to improve the Platform, using aggregated or de-identified information that does not identify you individually.

We do not sell your personal information, and we do not rent or trade it. We do not use your personal information to target third-party advertising to you on other platforms.

6. What CarFix does not do

To avoid any ambiguity about how your data flows, the following activities are outside the scope of the Platform:

CarFix does not process or route payments between a Customer and a Shop for repair, maintenance, diagnostic, or any other motor-vehicle service. Service payment happens directly between the Customer and the Shop at the appointment.
CarFix does not store full payment card numbers, CVV values, or full billing addresses.
CarFix does not collect customer deposits, does not issue refunds for repair services, and does not operate a payout system to Shops for those services.
CarFix does not sell, rent, or trade your personal information to advertisers or data brokers.
CarFix does not share your personal information with third-party generative artificial intelligence providers for the purpose of training their models.
CarFix does not collect precise device GPS coordinates without your permission.
CarFix does not knowingly collect personal information from individuals under the age of 18 (see Section 17).

7. Service providers and what data they receive

We rely on the third-party service providers (subprocessors) listed below to operate the Platform. Each provider is engaged under a written agreement that restricts its use of personal information to the services we engage it to perform and requires appropriate safeguards. The description against each provider is the category of personal information that reaches it in the normal course of operations.

Supabase (Supabase Inc.). Primary database and file storage, Canadian region. Receives and stores all structured Platform data, including account records, vehicle data, quote and appointment records, private messages, review content, and uploaded files.
Vercel (Vercel Inc.). Application hosting and global edge network. Processes inbound HTTPS requests, request logs (including IP address and user-agent), performance telemetry, and build artifacts. User content is served from Vercel's edge without persistent storage on Vercel beyond standard request logs.
Stripe (Stripe Payments Canada, Ltd. and its affiliates). Subscription billing for Shops only. Receives the Shop owner's name, email address, billing postal code, and card details entered at checkout, and returns a transaction identifier and outcome. Stripe is not engaged for Customer-to-Shop payments, and no payments between Customers and Shops pass through Stripe.
Resend (Resend, Inc.). Transactional email delivery. Receives the recipient's email address and the subject and body of each outgoing email we send on your behalf.
Twilio (Twilio Inc.). SMS delivery for appointment reminders, status updates, and security codes. Receives the recipient's phone number and the text of each message. Twilio does not receive account identifiers or contact directories.
Upstash (Upstash, Inc.). Rate-limiting and short-lived key-value storage. Receives non-identifying keys derived from IP address or user ID and numeric counters. Does not receive message content, account details, or vehicle data.
Sentry (Functional Software, Inc., d.b.a. Sentry). Technical error monitoring used for security and reliability. Receives stack traces, exception messages, request paths, HTTP status codes, and a limited set of request metadata. Personal identifiers, request bodies, and user-submitted field values are scrubbed before transmission through our Sentry configuration. We use Sentry because it is necessary to detect and fix faults in the Platform; it is not used for analytics or advertising.
Anthropic (Anthropic PBC). Claude API, used for the in-app support assistant and for the optional “improve my description” tool. Receives only the text that you enter into the relevant feature, together with a short system prompt. It does not receive your account identifiers, your vehicle history, your private messages with Shops, or your billing information. Our commercial agreement with Anthropic prohibits use of this content for training Anthropic's models, and enrols our API traffic in zero-retention handling where eligible.
Google (Google LLC). Google Business Profile integration for Elite-tier Shops that opt in. Applies only to Shops that connect their Google Business Profile; receives OAuth tokens and the review content the Shop elects to import or respond to. No Customer personal information is sent to Google.
NHTSA (U.S. National Highway Traffic Safety Administration). Public recall-lookup API. Receives the VIN of a vehicle when a recall check is requested for it. NHTSA does not receive Customer identifiers.

We may also disclose personal information to professional advisers (such as lawyers and auditors), and to regulators, law-enforcement authorities, or courts, where required by law, pursuant to valid legal process, or to establish, exercise, or defend legal claims.

8. When CarFix staff can access your data

Access to personal information by INU Technologies personnel is limited to what is reasonably necessary for an authorized business purpose. Access is role-based and logged. Staff may access the categories of information in Section 3, including private service-coordination content (quote descriptions, photos, and in-app messages) and vehicle information, only in the following situations:

When responding to a support ticket or enquiry you have submitted, and only to the extent necessary to answer it.
When investigating a report of abuse, harassment, fraud, safety risk, or a breach of our Terms of Service, and only to the extent necessary for that investigation.
When reviewing a Shop application or an audit flag related to Shop verification.
When operating, debugging, or repairing the Platform, in which case personal identifiers are minimized or pseudonymized where possible.
When responding to a lawful request from a regulator, law-enforcement authority, or court, after a reasonableness check.
When establishing, exercising, or defending a legal claim that involves your use of the Platform.

Staff access to these categories is subject to access controls and is recorded in an internal audit log. We do not allow staff to browse private messages, vehicle information, or quote content for curiosity, marketing, or any purpose outside the situations listed above.

9. Storage location and cross-border processing

Our primary application database and Customer file storage are hosted in Canada. Some service providers listed in Section 7 are based outside Canada or operate global infrastructure, and may process limited personal information outside Canada in the course of providing their service. In particular:

Vercel's edge network and CDN may route requests through points of presence outside Canada.
Stripe may process subscription-billing data in the United States and in other jurisdictions where its infrastructure operates.
Resend, Twilio, Sentry, Upstash, Anthropic, and Google may operate from, or route traffic through, the United States or other jurisdictions.
NHTSA recall queries are sent to servers operated by the United States government.

Where personal information is transferred outside Canada, it may become subject to the laws of the foreign jurisdiction, including laws permitting access by foreign courts, law-enforcement authorities, and national-security agencies. We require our service providers to protect personal information at a comparable standard through contract, and we conduct a privacy-impact assessment before engaging a new provider that will handle personal information outside Quebec, as required under Quebec Law 25 (section 17). You may contact our Privacy Officer for more details about a particular transfer.

10. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information against loss, theft, and unauthorized access, disclosure, copying, use, or modification. These include: encryption in transit (TLS); encryption at rest for our primary database; salted-hash password storage; role-based access controls; separate environments for development, staging, and production; security logging and monitoring; rate limiting; application-layer input validation; and periodic review of access rights, dependencies, and security configurations. No method of electronic storage or transmission is perfectly secure, and while we use commercially reasonable means, we cannot guarantee absolute security.

11. Retention

We keep personal information only for as long as reasonably necessary for the purposes for which it was collected, for legal or regulatory obligations, or for the establishment, exercise, or defence of legal claims. Our retention periods by category are, at the date of this Policy, approximately:

Account records. For as long as your account is open, plus thirty (30) days after you request deletion, after which personal identifiers are removed or irreversibly anonymized.
Vehicle and garage data (including VIN). While the vehicle is in your garage. If you remove a vehicle, we retain it for up to twelve (12) months for fraud prevention and dispute support, unless a longer period is required by law. On account deletion, vehicle data is handled on the same schedule as account records.
Quote requests and appointments. Twenty-four (24) months from the date of the quote or the appointment, for service continuity, warranty support, and dispute resolution.
In-app messages and chat transcripts. Twenty-four (24) months from the last message in a thread.
Photos attached to a quote or appointment. While the related quote or appointment is retained, plus twelve (12) months.
Reviews. While the reviewing account exists and the Shop remains on the Platform. Removed reviews are retained in an internal archive for up to twelve (12) months in case of appeal.
Subscription-billing records (Shops). Seven (7) years, consistent with the Canada Revenue Agency's general books-and-records retention requirement.
Security, audit, and abuse-prevention logs. Twelve (12) months, with shorter retention for verbose debug logs.
Marketing-consent records. For the period you are opted in, and for three (3) years after withdrawal of consent, to demonstrate compliance with CASL.
Privacy-incident and breach register. At least twenty-four (24) months, as required by the Breach of Security Safeguards Regulations (SOR/2018-64).

After the applicable retention period, we delete personal information or irreversibly anonymize it. In some cases, such as legal holds or active investigations, a longer retention period may apply.

12. Marketing communications and CASL

CASL requires consent before most commercial electronic messages may be sent to a Canadian recipient. We treat marketing email, marketing SMS, and marketing push notifications as subject to CASL. We request your consent separately from acceptance of the Terms of Service, through an unchecked opt-in box or equivalent affirmative action. We keep a record of the date, method, and scope of your consent.

You may withdraw marketing consent at any time by: using the unsubscribe link in an email; replying STOP to an SMS; turning off push notifications in your device or account settings; or emailing privacy@carfix.to. Withdrawal takes effect within ten (10) business days, which is the maximum period permitted by CASL. Service-related communications (receipts, reminders, security alerts, policy updates, and warranty or recall notifications for vehicles you have added to your garage) are not marketing and are not subject to CASL consent.

13. Your rights

Under PIPEDA, Quebec Law 25, and other applicable provincial privacy legislation, you have the rights set out below. Each right is subject to the conditions, exceptions, and limits imposed by the applicable legislation.

Access. You may ask us for a copy of the personal information we hold about you, together with a description of how it is used and to whom it has been disclosed, subject to limits under PIPEDA section 9 (for example, information subject to legal privilege or that would reveal personal information about another individual).
Correction. You may ask us to correct information that is inaccurate, incomplete, or out of date.
Withdrawal of consent. You may withdraw consent to the collection, use, or disclosure of personal information, subject to reasonable notice and to legal or contractual restrictions. Withdrawing consent may prevent us from providing some or all of the Platform to you.
Deletion. You may ask us to delete personal information, subject to the retention periods in Section 11, legal obligations that require us to keep it, and interests that legitimately outweigh the request (such as active dispute resolution or a legal hold).
Portability (Quebec Law 25). Where technically feasible and legally required, you may ask us to provide, in a structured and commonly used technological format, the computerized personal information you have given us.
De-indexing and cessation of dissemination (Quebec Law 25, section 28.1). Where the conditions set out in that section are met, you may ask us to stop disseminating your personal information or to de-index a hyperlink that is causing serious injury to your reputation or privacy.
Automated decision-making (Quebec Law 25, section 12.1). Where a decision that affects you is made based exclusively on automated processing of your personal information, you may ask to be informed of the information used, the reasons and principal factors that led to the decision, and the right to have the decision reviewed by a human. At the date of this Policy, CarFix does not make exclusively automated decisions that produce legal or significant effects on users.
Objection to marketing. You may object to the use of your personal information for marketing at any time, using the channels described in Section 12.

To exercise any of these rights, contact our Privacy Officer using the details in Section 18. We will acknowledge your request promptly and will respond within thirty (30) days, or within a shorter period where required by law. We may ask for information necessary to confirm your identity before processing your request. Exercising any of these rights is free of charge unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act, and we will tell you the reason.

14. Use of artificial intelligence

The Platform uses artificial intelligence in two user-facing features: a Claude-powered support assistant, and an optional tool that rewrites a Customer's description of a repair issue for clarity before it is sent to a Shop. For these features, only the text you enter into the feature, together with a short system prompt, is sent to Anthropic PBC's Claude API under a commercial agreement that prohibits use of the content for training Anthropic's models and that, where eligible, enrols our API traffic in zero-retention handling. Outputs from these features are informational only and do not replace professional advice; they are not used to make significant-effect automated decisions about you.

We do not sell, licence, or otherwise make your personal information available to third-party providers of generative AI for the purpose of training their models. We may use aggregated or de-identified information derived from Platform activity (which does not identify you individually) to improve the Platform's own features, such as search relevance, fraud detection, and service-quality measurement.

15. Breach notification

Where a breach of security safeguards creates a real risk of significant harm to an individual, we will notify the Office of the Privacy Commissioner of Canada and the affected individuals as soon as feasible, as required by PIPEDA and the Breach of Security Safeguards Regulations (SOR/2018-64). Where Quebec Law 25 applies to the incident, we will also notify the Commission d'accès à l'information du Québec (“CAI”). Where a provincial privacy statute imposes additional or different notification obligations (for example, in Alberta under the Personal Information Protection Act), we will comply with those obligations as well. We maintain an internal register of confidentiality incidents and breaches of security safeguards for at least twenty-four (24) months, and we will provide a copy of that register to the OPC or CAI on request.

16. Complaints process

If you have a concern about how your personal information has been handled, please raise it with our Privacy Officer first so that we have an opportunity to investigate and respond. The process is as follows:

How to submit. Email privacy@carfix.to or write to the address in Section 18. Please describe the concern as specifically as you can, including the account email or other identifier we can use to find the relevant records, the dates or time period in question, and what outcome you would like.
Acknowledgement. We will acknowledge receipt within five (5) business days.
Investigation and response. We will investigate the concern and provide a written response within thirty (30) days of the initial complaint, or within a shorter period where required by law. If the matter is complex and we need longer, we will tell you the reason and give you a revised timeline.
Outcome. Our written response will state the outcome, the reasons for our decision, any remedial action we are taking, and your right to escalate to a regulator.
Escalation. If you are not satisfied with our response, you may file a complaint with:
- the Office of the Privacy Commissioner of Canada (priv.gc.ca);
- if you are resident in Quebec, the Commission d'accès à l'information du Québec (cai.gouv.qc.ca);
- the Office of the Information and Privacy Commissioner in Alberta or British Columbia, where applicable to your circumstances; or
- the Canadian Radio-television and Telecommunications Commission (crtc.gc.ca) for complaints relating to CASL.

17. Children

The Platform is not directed to, and is not intended for use by, individuals under the age of 18, or the age of majority in the user's province or territory if higher. We do not knowingly collect personal information from a person we know to be a minor. If you believe we hold information about a minor, please contact our Privacy Officer and we will take appropriate steps to remove it.

18. Contact and changes to this Policy

If you have a question about this Policy, wish to exercise a right described in Section 13, or wish to file a complaint, please contact:

Privacy Officer
INU Technologies Inc. (operating as CarFix)
33 Alyssum Court
Richmond Hill, Ontario L4E 4M7
Canada
Email: privacy@carfix.to

We may update this Policy from time to time. If we make a material change, we will notify you by email, in-app notice, or a prominent notice on the Platform at least thirty (30) days before the change takes effect, unless a shorter period is required to address a legal or security risk. The effective date at the top of this Policy indicates when it was last updated. Earlier versions of this Policy are available from the Privacy Officer on request.