PermitIndex

Last updated: 2026-06-29

Privacy Policy

PermitIndex (“we,” “us,” or “our”) operates permitindex.ca. This policy explains what personal information we collect, why we collect it, and your rights under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

This policy will be reviewed by a Canadian privacy/IP lawyer before the public launch of PermitIndex (Phase 3). Until that review is complete, treat this as a working draft.

1. What we collect

A. Your account information

  • Email address — used to create your account and deliver alert digests. Required.
  • Consent record — timestamp, IP address, and exact wording of the opt-in consent you gave when creating an alert. Required for CASL compliance.
  • Saved searches — the trade × area × value filters you configure. Stored to run your daily alerts.
  • Subscription status — your plan (Free / Pro / Business) and billing status, managed by our payment processor.

B. Permit data (not personal information about you)

We display Toronto Building Permit records from the City of Toronto Open Data portal. This data consists of property addresses, estimated construction values, work types, and dates. We do not store or display any contractor or owner names — v1 intentionally excludes those fields because they are ~95% blank in the source data and raise different privacy considerations.

C. Technical logs

Standard server access logs (IP, user-agent, timestamp) for security and debugging. Retained for 30 days. We never log magic-link tokens or session JWTs.

2. Why we collect it

  • To operate the service — auth (magic-link sign-in), storing your saved searches, running the daily alert engine, and gating features to your plan.
  • To send you the daily digest — only if you have expressly opted in and created a saved search. This is the core product feature.
  • To process payment — billing is handled by our payment processor (Stripe or LemonSqueezy); we do not store card numbers.
  • To comply with CASL — we log consent so we can demonstrate it on demand.

3. Who we share it with

  • Supabase — database and authentication provider (servers in the USA; Supabase is SOC 2 Type II certified).
  • Resend — transactional email provider for the daily digest.
  • Stripe or LemonSqueezy — payment processor. They handle card data; we handle only the resulting subscription status.
  • Vercel — hosting provider (Next.js app).
  • Google — geocoding API for converting permit addresses to lat/long (addresses only, no account data sent).

We do not sell, rent, or trade your personal information. We do not share it with advertisers.

4. Retention

We retain your account data (email, consent record, saved searches) for as long as your account is active. If you delete your account, we delete your profile, saved searches, alert history, and consent record within 30 days. Some data may be retained longer in encrypted backups for up to 90 days, after which it is purged.

5. Your rights

Under PIPEDA, you have the right to:

  • Access — request a copy of the personal information we hold about you.
  • Correction — ask us to correct inaccurate information.
  • Deletion — delete your account from your account settings page, which removes your personal information. You may also email us to request deletion.
  • Withdraw consent — unsubscribe from alert emails at any time using the link in any digest email or from your account alerts page. Withdrawal stops future sends within one business day.

6. Security

We use HTTPS for all traffic, database-level Row-Level Security (Supabase RLS) so that each user can only read their own data, and server-side enforcement of all data access gates. Payment data never touches our servers. We use standard security headers (HSTS, Content-Security-Policy, X-Content-Type-Options).

If we become aware of a security breach that poses a real risk of significant harm to you, we will notify the Office of the Privacy Commissioner of Canada and affected individuals as required by PIPEDA.

7. Permit data and PIPEDA

Toronto Building Permit records are public data published by the City of Toronto under the Open Government Licence – Toronto. By design, v1 stores and displays only property addresses, permit values, work types, and dates — no individual names. We operate a takedown process (see our data sources page) for anyone who believes a specific address should be suppressed. Our privacy posture on this data has been reviewed against PIPEDA's publicly-available-information exception and the Globe24h.com (2017 FC 114) precedent. Consult privacy@permitindex.ca with any concern about a specific record.

8. Contact

Privacy questions, access requests, correction requests, or complaints:

Privacy Officer, PermitIndex
privacy@permitindex.ca

9. Changes

We will update this policy before the public launch following the lawyer review (Phase 3). Material changes will be emailed to account holders before they take effect.

Contains information licensed under the Open Government Licence – Toronto.