Privacy Policy

Our privacy policy and how we use your data

Last updated: May 7, 2026

At CondoAide ("we", "our" or "us"), we are committed to protecting the privacy of our users. This privacy policy explains how we collect, use, disclose and protect your personal information when you use our condo management platform. This policy is governed by Quebec's Law 25 (Act respecting the protection of personal information in the private sector) and by the Personal Information Protection and Electronic Documents Act (PIPEDA) for users residing elsewhere in Canada.

1. Information We Collect

We collect the following types of information:

  • Account information: name, email address, phone number and postal address during registration
  • Condo information: information about your syndicate, buildings, units and equipment
  • Usage data: information about your use of the platform, pages viewed and features used
  • Subscription payment information: to pay your CondoAide subscription, we collect either credit card information (Visa, Mastercard, American Express), or banking details (institution number, transit number, account number) if you choose pre-authorized debit (PAD/ACSS Debit). This information is processed directly by our payment provider Stripe (PCI DSS Level 1 certified, the highest level). CondoAide never stores your raw card or bank account numbers — only a secure token that does not allow reconstruction of the original number. Important note: PAD via Stripe is used exclusively for paying the syndicate's subscription to CondoAide. Collection of co-owner contributions by syndicates (when that feature is enabled) is handled by a separate system and a different sub-processor, and will be addressed in a separate update to this policy at launch.
  • PAD mandate for the subscription: if you pay your subscription by PAD, we retain the mandate metadata (Stripe SetupIntent and Mandate identifiers, authorization date, status, revocation events). The signed mandate document itself is retained by Stripe on our behalf, in accordance with Payments Canada Rule H1 (7-year retention after the mandate ends).
  • Subscription transaction history: amounts, dates, statuses (successful, failed, returned), failure reasons where applicable — for billing and accounting compliance
  • Communications: messages exchanged through our support service
  • Uploaded documents: any documents you upload to the Service (registers, attestations, reports, photos, etc.)

2. Use of Information

We use your information to:

  • Provide and improve our condo management services
  • Process your payments and manage your subscription
  • Send you important communications about your account
  • Inform you of updates and new features (with the option to unsubscribe from non-essential communications)
  • Ensure compliance with Bill 16, the regulation adopted under decree 991-2025, and other applicable regulations
  • Respond to your support requests
  • Detect and prevent fraud, abuse, and violations of our Terms of Service

3. Sharing of Information

We do not sell your personal information. We share certain information with the following sub-processors, who act on our behalf and are bound by a data processing agreement:

  • Supabase Database hosting and file storage. Categories: all application data. Location: Canada (ca-central-1 region).
  • Vercel Web application hosting. Categories: application traffic, no permanent storage. Location: United States and Canada (multiple regions).
  • Stripe Subscription payment processing only (credit cards + PAD/ACSS Debit bank withdrawals from the syndicate to CondoAide). Categories: payer name, email, billing address, payment method, subscription transaction history. Location: Canada and United States.
  • Brevo Transactional and marketing emails. Categories: email addresses, email content. Location: European Union.
  • Anthropic AI assistant (opt-in features only). Categories: user requests on opt-in AI features. Location: United States.
  • OpenAI AI assistant (opt-in features, fallback). Categories: user requests on opt-in AI features. Location: United States.
  • This list is updated when we add or remove a sub-processor. Significant changes will be communicated through this policy and by email.
  • Members of your syndicate: depending on the permissions configured in your account, certain information may be visible to other members of your syndicate (for example, your name and payment status may be visible to administrators and the treasurer).
  • Legal authorities: we may disclose your personal information if required by law, by court order, or to protect our rights, your safety, or that of others.

4. Data Security

We take the security of your data seriously:

  • Encryption in transit: TLS 1.3 between your browser and our servers
  • Encryption at rest: AES-256 on the database, backups and stored files
  • Passwords: hashed with bcrypt (never stored in plain text, never reversible)
  • Authentication tokens: cryptographically signed with HMAC-SHA256 for integrity
  • Authentication: secure authentication with two-factor authentication options
  • Hosted in Quebec: application served by Vercel (Montreal / yul1 region); database and stored files on Supabase (ca-central-1 / Montreal region). Your condo association data is not transferred outside Canada in normal operation of the Service. Exceptions (subscription payments, opt-in AI features) are described in section 9.
  • Access controls: strict role-based permissions, logging of all sensitive actions
  • Backups in Quebec: Supabase backups with point-in-time recovery (7 days) and daily snapshots; additional backups kept at two distinct Quebec providers (Montreal and Beauharnois), 30-day retention, with automated weekly restore verification
  • Tokenization: bank and credit card information is never stored in plain text on our servers — it is tokenized by Stripe (PCI DSS Level 1 certified)
  • Certified sub-processors: Supabase and Vercel are SOC 2 Type 2 certified; Stripe is SOC 2 Type 2 and PCI DSS Level 1 certified
  • We commit to an annual third-party penetration test ("pentest") starting in late 2026.

5. Data Retention

We retain your information as long as your account is active or as required by law. Specific retention periods:

  • General account data 90 days after account closure, unless otherwise required by law.
  • Condo documents (registers, log book, attestations) According to the periods prescribed by Bill 16 and the Civil Code of Quebec.
  • PAD mandate for subscription payment (metadata held by us; signed document retained by Stripe on our behalf) 7 years after the mandate ends, in accordance with Payments Canada Rule H1.
  • Subscription transaction data (payments to CondoAide) 7 years for tax, accounting and regulatory compliance purposes.
  • Audit logs (sensitive actions) 7 years for compliance purposes.
  • Support communications 3 years after the last interaction.
  • After the periods above, data is permanently deleted from our production systems. Copies may persist in backups for an additional period (up to 30 days) before rotation and destruction.

6. Your Rights

In accordance with Quebec's Law 25, PIPEDA, and applicable laws, you have the right to:

  • Access your personal information
  • Correct inaccurate or incomplete information
  • Request deletion of your data (subject to our legal retention obligations, for example PAD mandates retained for 7 years)
  • Withdraw your consent to certain processing (opt-in AI features can be disabled at any time)
  • Receive your data in a structured and portable format (JSON or CSV export)
  • Object to processing (notably marketing communications)
  • De-automate: refuse a decision based solely on automated processing (Law 25 art. 12.1)
  • Revoke your PAD mandate for the subscription at any time, free of charge, in accordance with Payments Canada Rule H1
  • File a complaint with the Commission d'accès à l'information du Québec (cai.gouv.qc.ca) or the Office of the Privacy Commissioner of Canada (priv.gc.ca) for users outside Quebec
  • To exercise any of these rights, contact our Person Responsible for the Protection of Personal Information (see section 7).

7. Person Responsible for the Protection of Personal Information

In accordance with Article 3.1 of Law 25, CondoAide has designated a Person Responsible for the Protection of Personal Information. This person is your point of contact for any question relating to the processing of your personal information, to exercise your rights, or to report a concern.

  • Name: Nicolae Racovita
  • Title: President of CondoAide and Person Responsible for the Protection of Personal Information
  • Email: privacy@condoaide.ca
  • Postal address: 4143 chemin Ste-Angélique, Saint-Lazare (Quebec) J7T 2N5, Canada

8. Privacy Incident Notification

In accordance with Law 25, in the event of a privacy incident presenting a risk that serious harm will be caused to a person concerned, we commit to:

  • Inform the Commission d'accès à l'information du Québec within reasonable timeframes. Our internal target is to notify within 72 hours of incident confirmation.
  • Inform affected individuals without undue delay, by email or any other appropriate means.
  • Document each incident in an internal register, including the nature, causes, corrective measures and lessons learned.
  • Take necessary measures to limit the harm and prevent recurrence.
  • Cooperate fully with personal information protection authorities in case of investigation.

9. International Data Transfers

Some of our sub-processors process personal information outside Quebec or Canada (see the list in section 3). For transfers outside Canada:

  • We assess the adequacy of protections offered in the destination jurisdiction
  • We put in place appropriate contractual protections with each sub-processor (Data Processing Agreements)
  • We limit transfers to what is necessary for the provision of the Service
  • For AI features (Anthropic, OpenAI), requests are only sent if you explicitly enable the relevant opt-in features
  • If you have questions about a specific transfer or wish to object to a particular processing activity, contact privacy@condoaide.ca.

10. Cookies and Similar Technologies

For more information on the use of cookies and similar technologies, please see our Cookie Policy.

11. Information Concerning Children

The Service is not intended for persons under 14 years of age. We do not knowingly collect personal information from children. If you believe a child has provided personal information to CondoAide, contact privacy@condoaide.ca so that we can proceed with deletion.

12. Changes

We may modify this policy from time to time. We will notify you of material changes by email or through the platform. The last update date is indicated at the top of this page. Continued use of the Service after a modification constitutes your acceptance of the updated version.

13. Contact Us

For any questions about this policy or to exercise your rights:

Person Responsible for the Protection of Personal Information: privacy@condoaide.ca

General support: support@condoaide.ca

Postal address: CondoAide, 4143 chemin Ste-Angélique, Saint-Lazare (Quebec) J7T 2N5, Canada

Appendix — Change History

Version history of this policy:

  • Version 1.0 — February 1, 2025 Initial version.
  • Version 1.1 — May 7, 2026 Added PAD/ACSS Debit payment method; public designation of the Person Responsible for the Protection of Personal Information; expansion of the sub-processor list; addition of the privacy incident notification section; addition of the international data transfers section; addition of PIPEDA and Office of the Privacy Commissioner of Canada references.