Warranty Window

Privacy Policy

Last updated: April 20, 2026.

Warranty Window ("we", "us") handles two kinds of personal information: dealership user information (the people who sign in and use the CRM) and end-customer information (records about dealership customers uploaded by the dealership for retention outreach). This Policy describes how we collect, use, and protect both, consistent with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

1. Information we collect

Dealership users: name, email address, role, assigned stores, login activity, and any profile fields voluntarily provided.

End customers (uploaded by the dealership): name, contact information, vehicle identifiers (VIN, make/model), warranty status fields, odometer readings, sale dates, dealership-entered notes and outreach logs.

2. How we use it

We use dealership user information to authenticate users, enforce per-store access, and provide support. We use end-customer information solely to deliver the Service to the uploading dealership — classification, outreach surfacing, activity logging, and conversion tracking. We do not use end-customer information to market directly to end customers.

3. Lawful basis and consent

End-customer information is uploaded by the dealership under a business relationship already established between the dealership and the customer (e.g., a prior vehicle sale). The dealership remains the controller of that information and is responsible for ensuring CASL and PIPEDA compliance in any outreach conducted through the Service.

4. Where your data lives

All data is stored in a Supabase Postgres project hosted in the Canada Central region. Row-Level Security enforces per-dealership isolation — no dealership’s data is visible to another dealership, and F&I managers see only the stores they are assigned to.

5. Subprocessors

We rely on a small, named list of subprocessors:

  • Supabase — Postgres hosting, authentication, and row-level security (Canada Central region).
  • Vercel — static and serverless hosting of the CRM and marketing site.
  • Resend — transactional email delivery (demo-booking confirmations, password reset).

The current list is provided on request and will be updated if it changes materially.

6. Retention

Dealership user records are retained for the life of the account and deleted within ninety (90) days of termination. End-customer records uploaded by the dealership are retained until the dealership terminates the Service, at which point we provide a CSV export and delete within ninety (90) days.

7. Your rights

Individuals may request access to, correction of, or deletion of their personal information. Requests from end customers should be directed to the dealership that uploaded the information; we will support the dealership in fulfilling them. Requests from dealership users may be sent to george@warrantywindow.com.

8. Security

Data in transit is protected by TLS. Data at rest is encrypted by Supabase’s default-encrypted storage. Authentication uses email-and-password with Supabase-managed hashing. Row-Level Security ensures no dealership can query another dealership’s records. We do not export bulk customer data to our own systems for analytics.

9. Changes

We will revise this Policy as the Service evolves. Material changes will be announced by email to dealership owners at least thirty (30) days before taking effect.

10. Contact

Privacy questions: george@warrantywindow.com.

This Policy is a plain-English draft intended for early dealer engagements. A formal, lawyer-reviewed version will be published before the Service moves past the initial ten-dealership cohort.