[ LEGAL ]
Privacy Policy
Last updated: 2026-05-25
Effective date: 2025-01-17
Version: v1.1
1. Who We Are
1361513 BC LTD. ("OPS," "we," "us") provides job management software for specialized trade businesses. This Privacy Policy describes how we collect, use, and protect personal information through opsapp.co and our iOS and Android applications (the "Service").
We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, Quebec Law 25 (Act Respecting the Protection of Personal Information in the Private Sector) and Canada's Anti-Spam Legislation (CASL).
Privacy Officer: Jack S. — info@opsapp.co
2. What Information We Collect
2.1 Account and Company Information
When you register an account or set up your company in OPS, we collect:
- First name, last name, email address, phone number
- Company name, industry type, crew size
- Company code (6-character unique identifier)
- Your role (Admin, Office Crew, or Field Crew)
2.2 Professional Contacts (Your Clients)
When you enter your business clients into OPS, we store on your behalf:
- Client company names, contact names, phone numbers, email addresses
- Job site addresses and GPS coordinates
- Project and task notes and descriptions
- Estimates, invoices, and payment records related to your clients
Important: This data belongs to you. We process it as a service provider under your direction. Your clients are not our customers and have no account with OPS.
2.3 Job and Operational Data
Data generated through the normal use of the Service:
- Projects, tasks, task status updates, calendar events
- Job site photos (stored on AWS S3)
- Turn-by-turn navigation routes and GPS data used during active navigation sessions
- Crew assignments and scheduling data
2.4 Financial Data
For customers using the OPS web application financial features:
- Pipeline/CRM opportunity records
- Estimate and invoice records (line items, amounts, dates)
- Payment records (date, amount, method, reference number — not card data)
- Products and services catalog
We do not store credit card or bank account numbers. All payment card data is handled exclusively by Stripe, Inc. We only receive confirmation of payment and a Stripe payment reference ID.
2.5 Authentication Data
When you sign in via Google or Apple, we receive a unique identifier and your name and email address from that provider. We do not receive your Google or Apple password. Email/password accounts are managed through Firebase Authentication.
A 4-digit PIN is stored locally on your device in the device Keychain and is never transmitted to our servers.
2.6 Usage and Analytics Data
We collect usage data through Firebase Analytics, including:
- App screens visited and features used
- Session duration and frequency
- Device type, operating system version, and language
- Crash reports and performance data
This data is used to improve the Service and is associated with an anonymous device identifier, not your name or email.
2.7 Client Portal Access
If your business clients access the Client Portal (to view estimates, approve quotes, or pay invoices), we collect their email address and issue a time-limited magic link session token. No password is created. Portal sessions expire after 30 days.
2.8 QuickBooks Integration (Optional)
If you choose to connect your QuickBooks Online account to OPS, we access your QuickBooks account via Intuit's OAuth 2.0 API solely to provide the accounting sync feature you have authorized. Specifically:
Data OPS sends to QuickBooks on your behalf:
- Invoice records (invoice number, line items, amounts, due dates, client name)
- Payment records (amount, date, payment method, reference number)
Data OPS receives from QuickBooks:
- OAuth access token and refresh token (to maintain the authorized connection)
- Your QuickBooks company ID (Realm ID), used to route sync requests to the correct account
What we do not do:
- We do not access QuickBooks data beyond what is necessary to perform the sync you authorize
- We do not share QuickBooks data with any third party other than as required to provide the Service
- We do not use your QuickBooks data for advertising, profiling, or any purpose unrelated to the sync
Revoking access: You may disconnect your QuickBooks account at any time from OPS Account Settings. You may also revoke OPS's access directly from your Intuit account at myapps.intuit.com. Disconnecting removes OPS's OAuth tokens and stops all future sync activity. It does not delete data already synced into QuickBooks.
2.9 SPEC Engagement Data
If you purchase a SPEC engagement, we collect additional categories of data necessary to design, build, and deliver Custom Modules inside your OPS instance.
Intake responses. When you complete the SPEC intake form at /spec/intake/[token], we store your answers as structured form data in our database. The intake covers business basics (company name, legal entity type, years operating, primary trade, secondary trades, service area), team composition (size, roles, seasonal vs year-round), revenue band (optional), average job size, current tools you use, your workflow narrative from lead to invoice, top pain points, your 90-day success picture, and regulated-workflow attestations. The intake form is the foundation of the discovery work and the Scope Document.
File uploads. The intake form allows you to upload existing process documents — screenshots, PDFs, sample invoices, photos of your current paper workflows, or anything else that helps OPS understand how your business operates today. Files are stored in a Supabase Storage bucket named spec-intake under a folder keyed to your engagement record. Maximum size 25 MB per file. Accepted file types are limited by an allow-list (common document, image, and spreadsheet formats). Files are scoped to your engagement and are not shared with other customers.
Scope Document content. The Scope Document drafted during discovery and counter-signed at scope sign-off is stored as structured content tied to your engagement record, with a content hash for integrity verification. Each revision is preserved as a versioned record so prior versions remain available to you on request.
Satisfaction survey responses. After the midpoint demo and the delivery walkthrough, we may invite you to rate each feature on a 1-to-5 scale and to add free-text comments. The ratings and comments are stored against your engagement and identified to you. They are non-binding feedback under the SPEC Engagement Terms of Service.
Communications log. OPS logs the substantive communications associated with each engagement — outbound emails, inbound replies, scheduled and held call summaries, and links to walkthrough recordings. This log forms part of the evidence chain in any Stripe dispute and is retained alongside the engagement record.
Stripe billing data. When you complete the SPEC checkout flow, Stripe collects your name, email, phone, billing address (line 1, line 2, city, province, postal code, country), and any GST/HST number you choose to provide. Stripe stores your payment card data; we do not. We receive from Stripe a customer identifier, a payment intent identifier, the billing address recorded at checkout, your consent state for our terms of service, and (where applicable) the GST/HST number you entered. We use the billing address to enforce our Canadian (excluding Quebec) eligibility rules; see the SPEC Engagement Terms of Service for details.
Attribution data. When you arrive on the SPEC marketing page from an advertising source, we store first-touch attribution data on a 30-day cookie set on your browser. The cookie holds the campaign parameters in the URL (utm_source, utm_medium, utm_campaign, utm_content, utm_term, Google Click ID gclid, Meta Click ID fbclid), the landing URL, and the time of first touch. The cookie is SameSite=Lax and is not shared with third parties from the browser. At deposit time, the cookie values are written into your engagement record as the attribution context for that engagement.
Owner-approval and acceptance events. For SPEC engagements where the buyer is not the OPS account holder, we record the account holder's electronic approval — including the IP address, user agent, signature method, and a content hash of the version of the SPEC Engagement Terms of Service they reviewed — as a binding acceptance event. Each substantive acceptance step in the engagement lifecycle (terms of service acceptance, scope sign-off, midpoint acceptance, delivery acceptance, change order acceptance) is recorded as a separate acceptance event with the same fields.
We collect the SPEC engagement data above to perform the SPEC engagement under contract with you (PIPEDA lawful basis: necessary for performance of a contract). We use the data for the limited purposes described in § 3 below.
3. How We Use Your Information
| Purpose | Legal basis (PIPEDA) |
|---|---|
| Providing the Service (account management, job scheduling, billing) | Contract performance |
| Processing subscription payments via Stripe | Contract performance |
| Sending transactional emails (receipts, payment confirmations, service alerts) | Contract performance |
| Improving the Service (analytics, crash reports, product development) | Legitimate interest |
| Sending product update emails and feature announcements | Implied consent (existing customers within 2 years — CASL) |
| Sending marketing or promotional emails | Express consent only |
| Syncing invoice and payment data to your connected QuickBooks account | Consent (you explicitly connect the integration) |
| Responding to support requests | Legitimate interest |
| Complying with legal obligations | Legal obligation |
| Delivering a SPEC engagement: discovery, scope drafting, build, midpoint demo, walkthrough, support window, retainer support | Contract performance |
| Processing SPEC milestone payments and refunds via Stripe | Contract performance |
| Sending operational SPEC emails (deposit confirmations, owner approvals, intake reminders, invoices, refund confirmations, dispute notices, support-window notices) | Contract performance |
| Sending commercial SPEC emails (Retainer offers, referral program promotions, SPEC marketing follow-ups) | Express or implied CASL consent, as applicable |
| Enforcing eligibility rules — including the Canada-excluding-Quebec geographic restriction and the regulated-workflow exclusions | Legitimate interest; legal obligation |
| Measuring SPEC ad-campaign performance through conversion tracking to Meta and Google | Legitimate interest; consent where required by applicable law |
| Detecting fraud and misuse of the SPEC pipeline — including chargeback fraud, self-referral attempts, and Quebec-misrepresentation cases | Legitimate interest |
| Preserving an evidence chain for Stripe disputes and refund decisions | Legitimate interest |
We do not sell your personal information to third parties. We do not use your business client data for any purpose other than providing the Service to you.
We do not sell SPEC engagement data, and we do not use intake content, scope content, communications, or satisfaction ratings for advertising targeting. Conversion tracking sends only hashed identifiers (email, phone) and aggregate event signals (deposit click, deposit completed, intake submitted, discovery booked) to Meta and Google; the raw intake content, scope content, and communications never leave OPS infrastructure or its DPA-covered subprocessors.
4. Third-Party Processors
We share data with the following service providers to operate the Service. Each is bound by contractual data protection obligations.
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Stripe, Inc. | Subscription billing and client invoice payments; for SPEC engagements: milestone payments and invoices, Stripe Tax for GST/HST/PST, Stripe Connect for referral payouts (Phase 2), Stripe Tax IDs for customer-supplied GST/HST numbers | Customer name, email, phone, billing address, GST/HST number, transaction history, terms-of-service consent state | USA |
| Bubble Group, Inc. (Bubble.io) | Backend database — operational data | Employee data, client contacts, projects, tasks, calendar | USA |
| Supabase, Inc. | Database — financial and CRM data; for SPEC: SPEC engagement records, intake responses, scope documents, satisfaction ratings, communications log, acceptance events, and the spec-intake Storage bucket for file uploads | Pipeline, estimates, invoices, payment records, all SPEC engagement data described in § 2.9 | USA |
| Amazon Web Services (AWS S3) | Photo and file storage | Job photos you upload | USA |
| Google LLC (Firebase) | Authentication and usage analytics | Email, auth tokens, anonymous usage data | USA |
| Apple Inc. | Sign-In with Apple authentication | Name, email (first sign-in only) | USA |
| Intuit Inc. (QuickBooks) | Accounting sync (if enabled by you) — OPS sends invoice and payment data to your QuickBooks account; Intuit provides OAuth tokens to authenticate the connection | Invoice records, payment records, OAuth credentials | USA |
| Sage Group plc | Accounting sync (if enabled by you) | Invoice and payment data you authorize | UK/USA |
| Twilio, Inc. (SendGrid) | Transactional and commercial SPEC emails (deposit confirmations, owner approvals, intake reminders, milestone invoices, refund confirmations, retainer offers, referral promotions) | Customer email address, name, engagement reference, message content | USA |
| Vercel, Inc. | Hosting of the SPEC marketing page (/spec), the OPS-Web product surface, and the SPEC server routes that handle checkout creation, owner-approval, refund-request submission, and cron-driven nudges. Edge cache for the OPS Board public read | Request metadata, IP addresses, customer-provided form data in transit | USA, with global edge cache |
| Meta Platforms, Inc. (Meta Conversions API) | Server-side conversion tracking for SPEC ad campaigns on Facebook and Instagram | Hashed email address, hashed phone number, event metadata (event name, value, currency, deduplication ID), browser cookies fbp and fbc | USA |
| Google LLC (Google Ads Enhanced Conversions) | Server-side conversion tracking for SPEC ad campaigns on Google Search and YouTube | Hashed email address, hashed phone number, Google Click ID (gclid), event metadata | USA |
| Cal.com, Inc. | Scheduling discovery sessions and delivery walkthroughs for SPEC engagements | Customer name, email, optional phone, scheduled session metadata, time-zone preference | USA/EU depending on Cal.com instance |
Note on QuickBooks: When you connect your QuickBooks account, Intuit acts as both a data recipient (receiving invoice/payment records from OPS) and an authentication provider (issuing OAuth tokens). OPS's use of QuickBooks API data is governed by the Intuit Developer Terms of Service. You can review and revoke OPS's access at any time at myapps.intuit.com.
For Meta and Google conversion tracking, we hash email and phone with SHA-256 before sending. Raw identifiers are not transmitted to the advertising platforms. We use this data solely to optimize SPEC ad campaigns; we do not allow Meta or Google to use the data for retargeting beyond the campaigns we run.
We will update this list when we add or replace SPEC-specific subprocessors. Notice is given 30 days in advance to active engagements by email and through the in-app notification rail, except where the change is non-material (for example, a sub-subprocessor change within an existing processor's stack that does not change the data-handling category).
Cross-border transfers: Your data may be processed in the United States. We rely on contractual safeguards with each processor. For Quebec residents, we conduct Privacy Impact Assessments before transferring personal data to US-based processors as required by Quebec Law 25.
5. Location Data
Certain features require device location:
- Job site navigation: GPS is used during active navigation to provide turn-by-turn directions. This is initiated by the user and does not persist after the navigation session ends.
- Background location: The app may use background location while navigation is actively running and the app is backgrounded. This stops when navigation is ended.
- Job site coordinates: Addresses and coordinates you enter for projects are stored as part of your project records.
We do not track employee location continuously or outside of navigation sessions. If you use OPS to manage field crew, you are responsible for informing your employees about location use in compliance with applicable employment and privacy laws in your jurisdiction.
6. Your Rights
Under PIPEDA and applicable provincial privacy laws, you have the right to:
- Access — Request a copy of the personal information we hold about you
- Correction — Request correction of inaccurate or incomplete information
- Withdrawal of consent — Withdraw consent for uses based on consent (note: this may affect your ability to use the Service)
- Deletion — Request deletion of your personal information (see Section 8)
- Complaint — File a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca
Quebec residents additionally have the right to:
- Data portability — Receive your data in a structured, commonly used format
- De-indexing — Request removal from automated indexes where applicable
- Disclosure of automated decisions — Learn when automated processing affects you
To exercise any of these rights, contact us at info@opsapp.co. We will respond within 30 days.
7. Data Security
We implement appropriate technical and organizational measures to protect your personal information, including:
- Encrypted data transmission (TLS/HTTPS)
- Encryption at rest for database records
- Row-Level Security (RLS) policies ensuring each company's data is isolated
- Access controls limiting staff access to customer data
- Stripe handles all payment card data under PCI-DSS compliance — we never receive raw card numbers
In the event of a data breach that poses a real risk of significant harm, we will notify the Office of the Privacy Commissioner of Canada and affected individuals as required by PIPEDA. Where required by Quebec Law 25, the Commission d'acces a l'information (CAI) will be notified within 72 hours.
8. Data Retention
| Data type | Retention |
|---|---|
| Active account data | Retained for the life of your subscription |
| Deleted projects/clients (soft delete) | Retained 90 days then purged |
| Account data after cancellation | Retained 30 days after cancellation, then deleted |
| Firebase Analytics data | Up to 14 months (per Google's retention settings) |
| Stripe payment records | Retained as required by Stripe and financial record-keeping law |
| Portal session tokens | Expire after 7 days (unused) or 30 days (active) |
| QuickBooks OAuth tokens | Retained while integration is connected; deleted within 24 hours of disconnection |
| SPEC engagement record (project, scope versions, milestone payments, acceptance events, refund records) | 7 years from the date of engagement close, then deleted. Retention is anchored on the Canada Revenue Agency 6-year minimum for tax and accounting records, with a one-year buffer for dispute resolution. |
SPEC intake responses and file uploads in the spec-intake Storage bucket | Retained for the active life of the engagement plus 7 years from engagement close. Intake responses are part of the evidence chain for any chargeback or refund dispute, and are treated as engagement records for retention purposes. |
| Scope Document content (all versions, including superseded versions) | 7 years from engagement close, same as engagement records. |
| SPEC communications log (emails sent, replies received, call summaries, walkthrough recording URLs) | 7 years from engagement close, same as engagement records. |
| Satisfaction survey ratings and comments | Identifiable form for 2 years, then anonymized into aggregate metrics. Anonymized aggregates may be retained indefinitely. |
| Attribution data (UTM, gclid, fbclid, landing URL, first-touch timestamp) | Stored on the engagement record for 7 years; deleted on engagement-record deletion. |
| SPEC ad-campaign conversion-tracking outbox (retried sends to Meta and Google) | 30 days after the event was successfully transmitted or permanently failed. |
| SPEC blocked-buyer records (for Quebec-misrepresentation and other ToS-breach cases) | 7 years from the date of blocking, then deleted. Used solely to prevent re-purchase under a different account by the same individual or entity. |
You may request deletion of your account data at any time by contacting info@opsapp.co. After deletion, we may retain anonymized, aggregated data that cannot identify you.
Where retention is required by law (Canadian tax and accounting record-retention rules, in particular), we are obligated to retain the records for the legally required period regardless of your deletion request; we will tell you when this applies to a specific category of data.
After deletion, we may retain anonymized aggregate metrics that cannot be re-identified to you — for example, conversion rates by ad source, average time from deposit to walkthrough, refund rates by package tier — for the indefinite purpose of improving the SPEC service.
9. Cookies
The OPS web application uses cookies and similar technologies for:
- Essential cookies: Session management, authentication state
- Analytics cookies: Firebase/Google Analytics (anonymous usage data)
We do not use advertising or tracking cookies for third-party ad targeting.
10. Children
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child under 16, we will delete it promptly.
11. Communications
Transactional emails (subscription receipts, payment confirmations, service alerts, password resets) are sent as part of your contract with us and do not require separate consent.
Product update emails (new features, release notes) are sent to existing customers under implied CASL consent and include an unsubscribe link.
Marketing emails (promotions, referral offers) will only be sent with your express consent (an opt-in box you actively check — never pre-ticked). You may withdraw consent at any time using the unsubscribe link in any email.
All commercial emails include:
- Our company name and physical address (1361513 BC LTD., 303-1121 Oscar Street, Victoria BC V8V2X3)
- A functional unsubscribe link (processed within 10 business days)
For SPEC engagements specifically, you receive two categories of email:
- Operational/transactional messages — deposit receipts, owner-approval requests and decisions, intake reminders, scope-sign-off confirmations, milestone invoices, refund confirmations, Stripe dispute notices, support-window notices, and Custom Module status alerts. These messages are required to complete the SPEC contract and are not subject to CASL consent requirements. You receive them regardless of marketing preferences.
- Commercial messages — Retainer offers around the close of the support window, SPEC referral-program promotions, and SPEC marketing follow-ups. Each commercial message identifies OPS as sender, includes our mailing address (303-1121 Oscar Street, Victoria BC V8V2X3), provides a functional unsubscribe link processed within 10 business days, and states the consent basis (express or implied under the existing-business-relationship two-year window).
The SPEC referral program is link-based. We do not send commercial messages on your behalf to your referrals. Messages to referred prospects start only after the referred party submits a form, starts checkout, or otherwise expressly opts in to OPS communications.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 30 days before the new policy takes effect. Continued use of the Service after the effective date constitutes acceptance.
The current version of this policy is always available at opsapp.co/privacy.
13. Contact
Privacy Officer: Jack S. Email: info@opsapp.co Mail: 1361513 BC LTD., 303-1121 Oscar Street, Victoria BC V8V2X3
To make a privacy request, file a complaint, or ask questions about this policy, contact us at info@opsapp.co. If you are not satisfied with our response, you may contact:
- Office of the Privacy Commissioner of Canada: 1-800-282-1376 | priv.gc.ca
- Commission d'acces a l'information (Quebec): 1-888-528-7741 | cai.quebec.ca