Privacy Policy

Last updated: February 18, 2026

1. Introduction

PRCV Tech Inc. ("PRCV Tech," "we," "us," or "our") is a corporation incorporated under the federal laws of Canada with its principal place of business in Ontario, Canada. We operate the GigaTime mobile application (available on iOS and Android) and the gigatime.io website (collectively, the "Services"). This includes any forms, surveys, or data collection tools hosted on or linked from our Services (such as waitlist signups, contact forms, and feedback surveys).

GigaTime is a business management platform designed primarily for tradespeople, contractors, and business professionals. The Services are intended for business and professional use, including time tracking, invoicing, expense management, client management, job scheduling, and document storage.

This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Services. We are committed to protecting your privacy in accordance with:

The Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable Canadian provincial privacy laws
The California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA")
The General Data Protection Regulation ("GDPR"), where applicable to users in the European Economic Area

We collect only the personal information necessary to provide and improve the Services. We do not sell your personal information, and we do not use advertising trackers, analytics SDKs, or cross-app tracking technologies.

By using our Services, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use our Services.

2. Information We Collect

2.1 Information You Provide Directly

Website Inquiries and Waitlist:

Email address (when you join our waitlist or submit a contact form on gigatime.io)
Name and message content (when you submit a contact form)
Any information you voluntarily provide through feedback surveys or forms linked from our Services (e.g., Google Forms)

Account Information:

Full name
Email address
Phone number (optional)
Profile photo (optional)
Password (stored securely by our authentication provider; we never store passwords in plain text)
Multi-factor authentication (MFA) credentials, if you enable MFA (TOTP secrets and backup codes, stored encrypted)

Business Information:

Business/organization name
Business address, city, province/state, country, and postal code
Business phone number and email
Business website (optional)
Tax identification number (optional)
Industry type and organization size
Organization logo (optional)
Currency preference and tax settings

Client Information (your customers):

Client name and contact person name
Email addresses and phone numbers
Billing and shipping addresses
Website (optional)
Tax ID and tax exemption status (optional)
Notes you add about your clients

Financial Information:

Invoice details (amounts, dates, line items, payment terms, tax calculations)
Expense records (amounts, dates, vendors, categories, receipt images, approval status)
Payment records (amounts, methods, dates, reference numbers, processing fees)
Service catalog items (descriptions, rates, categories)
Subscription and billing information (plan tier, billing email; payment card details are handled directly by Stripe and are never stored on our servers)

Time and Shift Data:

Clock-in and clock-out times
Shift schedules, durations, and break times
Job assignments and service records
Hourly rates and shift-level cost breakdowns

Documents and Files:

Receipt images and scanned documents
Business documents (contracts, licenses, certifications, tax forms, insurance documents)
File metadata (name, size, file type, upload date)

Team and Invitation Data:

When you invite team members: their email address and assigned role
Invitation tokens (automatically generated, expire after 72 hours)

2.2 Information Collected Automatically

Device and Usage Information:

Device type, operating system, and version
App version
Crash reports and error logs (collected via Sentry without personally identifiable information — sendDefaultPii is disabled)
General app interaction patterns (e.g., features used, screens visited)

Location Information:

If you enable location permissions, we collect your geographic coordinates (latitude, longitude, and accuracy) only when you clock in or clock out of shifts, for geofencing purposes
Location data is collected only when the app is in active use — we do not track your location in the background
Location data is classified as Sensitive Personal Information under the CPRA
You can disable location permissions at any time in your device settings

Security and Audit Information:

On security-sensitive actions (such as login, password changes, account deletion, and consent updates), we log your IP address and user agent (browser/device identifier) as part of our audit trail
Jailbreak/root detection status is checked on app launch; if detected, a security event is logged to our servers (including platform and detected indicators)

Push Notification Tokens:

If you enable push notifications, we store a device token issued by our push notification provider (Expo) to deliver notifications to your device
This token is a random identifier and does not contain personal information

Calendar Access:

If you grant calendar permissions, we read and write calendar events related to your service bookings and job scheduling
We do not access unrelated calendar data

Microphone Access:

Our app requests microphone permission for planned future features (e.g., voice notes)
This permission is not currently used. No audio data is collected or transmitted. We will update this Privacy Policy before activating any microphone-based features

2.3 Information We Do NOT Collect

We do not access your contacts, call logs, or text messages
We do not record audio or video (camera access is used solely for capturing receipt and document images)
We do not use advertising trackers, analytics SDKs, or tracking pixels
We do not sell or share your personal information with data brokers or advertisers
We do not engage in cross-app or cross-site tracking
We do not store your payment card numbers, bank account details, or other payment credentials (these are handled exclusively by Stripe)

3. How We Use Your Information

We use your information for the following purposes:

To Provide and Operate the Services:

Create and manage your account and organization
Process time tracking, invoicing, expense management, and payment recording
Store and organize your business documents
Deliver push notifications you have opted into (e.g., shift reminders, invoice updates)
Send transactional emails (e.g., invoice delivery, account verification, password resets, data export notifications, team invitations)
Process team invitations and manage user roles within your organization

To Process Payments:

Manage your subscription billing through Stripe, our payment processor
Maintain records of subscription events, plan changes, and billing history
Process Stripe webhook events to keep your subscription status current

To Improve and Maintain the Services:

Monitor app stability through crash reporting (Sentry)
Identify and fix bugs and performance issues
Develop new features based on aggregate usage patterns
Create anonymized, aggregated, or de-identified data derived from your use of the Services for product improvement, industry research, and benchmarking purposes (this data cannot be used to identify you)

To Ensure Security:

Detect and prevent fraud, unauthorized access, and abuse
Maintain audit logs of security-sensitive actions (e.g., login, password changes, role changes, data exports, account deletion)
Perform device security checks (e.g., jailbreak/root detection)
Rate-limit authentication requests to prevent brute-force attacks

To Comply with Legal Obligations:

Retain financial records as required by the Canada Revenue Agency (CRA) and applicable tax authorities
Respond to lawful requests from government authorities
Enforce our Terms of Service

To Communicate with You:

Respond to your support requests and contact form inquiries
Notify you about product availability if you joined our waitlist
Send service-related announcements (e.g., maintenance notices, policy updates, security alerts)
Send marketing communications only if you have explicitly opted in (you can opt out at any time)

4. How We Share Your Information

We do not sell, rent, or trade your personal information. We do not share your personal information for cross-context behavioral advertising. We share your information only in the following limited circumstances:

4.1 Service Providers

We use trusted third-party service providers to operate our Services. These providers process your information only as necessary to provide services to us and are contractually required to protect your information:

Provider	Purpose	Data Shared	Location
Supabase	Authentication, database hosting, file storage	Account credentials (hashed passwords handled by Supabase), all business data, uploaded files	United States (AWS)
Stripe	Subscription billing and payment processing	Billing email, payment amounts, subscription status, Stripe customer ID	United States
Sentry	Crash reporting and error monitoring	Crash stack traces, device info (PII collection disabled)	United States
Expo (EAS)	Push notification delivery, OTA app updates	Device push token, notification content	United States
Resend	Transactional email delivery	Recipient email, name, email body content	United States
Vercel	Backend API hosting	HTTP request/response metadata	United States / Global CDN
Hostinger	Website hosting (gigatime.io)	HTTP server logs (IP address, browser type, pages visited)	Global (Lithuania-based)
Google (Google Forms)	Optional feedback surveys	Survey responses you voluntarily submit	United States
Upstash	Rate limiting for authentication	User ID strings as rate-limit keys	United States

4.2 At Your Direction

When you send an invoice to a client by email, the client receives invoice details (amounts, line items, your business information)
When you invite a team member, they receive an invitation email with your organization name
When you export your data, a download link is delivered to your email address

4.3 Legal Requirements

We may disclose your information if required to do so by law, or if we believe in good faith that such action is necessary to:

Comply with a legal obligation, court order, or lawful government request
Protect and defend our rights or property
Prevent fraud or investigate potential violations of our Terms of Service
Protect the personal safety of users or the public

4.4 Business Transfers

If PRCV Tech Inc. is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice within the Services before your information is transferred and becomes subject to a different privacy policy.

5. Data Storage, Transfers, and Security

5.1 Where Your Data Is Stored

Your data is primarily stored on servers located in the United States, operated by our service providers (Supabase for database and file storage, Vercel for API hosting). Our website hosting provider (Hostinger) operates globally from infrastructure based in Lithuania and other locations.

5.2 Cross-Border Data Transfers

Because our service providers are located outside of Canada, your personal information is transferred to and processed in the United States and potentially other jurisdictions. By using our Services, you acknowledge and consent to this transfer.

Important: When your personal information is stored or processed outside of Canada, it may be accessible to law enforcement and government authorities in those jurisdictions under their local laws. We take steps to ensure that our service providers maintain safeguards consistent with PIPEDA requirements, including through contractual obligations requiring them to protect your information to a standard comparable to Canadian privacy law.

For users in the European Economic Area, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for data transfers outside the EEA. See Section 10 for details.

5.3 How We Protect Your Data

We implement industry-standard security measures, including:

Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
Encryption at rest: Data stored in our database and file storage is encrypted at rest by our infrastructure providers
Secure authentication: Token-based authentication (JWT) with support for multi-factor authentication (MFA)
Access controls: Role-based access controls within the application; multi-tenant data isolation ensures each organization can only access its own data
Audit logging: Security-sensitive actions are logged with timestamps, IP addresses, and user agent information (over 47 distinct action types tracked)
File validation: Uploaded files are validated for type (magic byte detection) and size to prevent malicious uploads
Rate limiting: Authentication endpoints are rate-limited to prevent brute-force attacks
Credential isolation: Payment card data is handled exclusively by Stripe (PCI DSS compliant) and never touches our servers

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially reasonable means to protect your information, we cannot guarantee absolute security. If you discover a security vulnerability, please report it to info@gigatime.io.

6. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, or as required by law. Specific retention periods are as follows:

Data Category	Retention Period
Account data	Retained while active. Anonymized upon account deletion.
Business data	Retained while active. Soft-deleted upon account deletion.
Financial records	7 years after creation (CRA requirement). Anonymized upon account deletion.
Financial documents	7 years alongside related financial records.
Personal documents	Permanently deleted upon account deletion.
Audit logs	Up to 24 months (configurable), then purged.
Notifications	Permanently deleted upon account deletion.
Crash reports (Sentry)	Per Sentry retention policy (typically 90 days).
Team invitations	Expire after 72 hours. Deleted upon account deletion.
Server logs	Per provider policies (typically 30–90 days).
Data exports	Download link valid 24 hours; file deleted after 7 days.

7. Cookies and Local Storage

7.1 Mobile Application

The GigaTime mobile application does not use cookies. We use secure local device storage to maintain your login session and app preferences. This local storage is essential for the app to function and cannot be disabled.

7.2 Website (gigatime.io)

Our website at gigatime.io is primarily a static marketing and subscription management site. It may use:

Essential cookies: Required for website functionality (e.g., session management for subscription pages, security tokens). These cannot be disabled.

We do not use analytics cookies, advertising cookies, or tracking pixels on gigatime.io. You can manage cookies through your browser settings at any time.

8. Your Privacy Rights (Canada — PIPEDA)

Under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Canadian provincial privacy laws, you have the following rights:

8.1 Right to Access

You have the right to request access to the personal information we hold about you. You can view most of your information directly within the app under Settings.

8.2 Right to Correction

You have the right to request correction of inaccurate or incomplete personal information. You can update most information directly within the app, or contact us for assistance.

8.3 Right to Data Export (Portability)

You can export a complete copy of your data at any time:

In the app: Settings → Privacy → Export My Data
Formats available: JSON or CSV
You will receive a secure download link via email, valid for 24 hours
Data exports include your full account, business, client, financial, and audit data
Data exports are rate-limited to one per week

8.4 Right to Account Deletion

You can delete your account at any time:

In the app: Settings → Account → Delete Account
On the web: At gigatime.io/delete-account
By email: Contact info@gigatime.io

Before deletion, you will see a preview of exactly what will be deleted and what will be retained. Upon deletion:

Your personal information (name, email, phone, avatar, MFA credentials) is anonymized
Your authentication identity is permanently deleted
Your uploaded personal files are permanently deleted from file storage
Your notifications, dashboard preferences, and team invitations are permanently deleted
Financial records are retained for 7 years with anonymized personal information, as required by Canadian tax law (CRA)

8.5 Right to Withdraw Consent

You can withdraw consent for optional data processing at any time:

Marketing communications: Unsubscribe via the link in any marketing email, or toggle off in Settings → Privacy → Consent Preferences
Analytics and crash reporting: Toggle off in Settings → Privacy → Consent Preferences
Push notifications: Disable in your device's notification settings
Location access: Revoke in your device's location permissions
Camera and photo access: Revoke in your device's app permissions
Calendar access: Revoke in your device's calendar permissions

Consequences of withdrawing consent: If you withdraw consent for core services (e.g., by deleting your account), you will no longer be able to use the Services. Withdrawing consent for optional features will not affect your ability to use the core Services. Withdrawal of consent does not affect the lawfulness of processing performed before withdrawal.

8.6 Right to Complain

If you believe we have not handled your personal information appropriately, you may:

Contact our Privacy Officer at info@gigatime.io — we will investigate and respond within 30 days
File a complaint with the Office of the Privacy Commissioner of Canada: www.priv.gc.ca · 1-800-282-1376

9. Your Privacy Rights (California — CCPA/CPRA)

This section applies to residents of California and supplements the rest of this Privacy Policy with disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA").

9.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information (as defined by the CCPA):

CCPA Category	Examples We Collect	Business Purpose
A. Identifiers	Name, email, phone, IP address, account ID, push token	Account management, security
B. Customer records	Name, address, phone, billing email, financial info	Service delivery, billing
C. Protected classifications	None collected	—
D. Commercial information	Subscription plan, billing history, invoices created	Billing, subscription management
E. Biometric information	None collected	—
F. Internet/network activity	App interaction data, crash reports, device info	App stability, bug fixes
G. Geolocation data	Precise GPS at clock-in/clock-out	Geofencing for time tracking
H. Sensory data	Receipt/document photos you capture	Expense and document management
I. Professional/employment info	Job assignments, hourly rates, shift records	Time tracking, invoicing
J. Education information	None collected	—
K. Inferences	None drawn	—

9.2 Sensitive Personal Information

Under the CPRA, we collect: account log-in credentials (email + password, MFA credentials) for authentication, and precise geolocation (GPS at clock-in/clock-out) for time tracking. We use Sensitive Personal Information only for the purposes necessary to provide the Services.

9.3 Your California Privacy Rights

Right to Know: Request what personal information we collect, use, and share about you
Right to Delete: Request deletion of your personal information (subject to legal retention requirements)
Right to Correct: Request correction of inaccurate personal information
Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising
Right to Limit Use of Sensitive Personal Information: Our use is already limited to purposes necessary to provide the Services
Right to Non-Discrimination: We will not discriminate against you for exercising your rights

9.4 How to Exercise Your Rights

Email: info@gigatime.io
Web form: gigatime.io/privacy-request
In the app: Settings → Privacy

We will verify your identity and respond within 45 days (extendable to 90 days with notice). You may designate an authorized agent to submit a request on your behalf.

9.5 Do Not Sell or Share My Personal Information

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We honor Global Privacy Control (GPC) signals.

9.6 Financial Incentive Notice

We offer a Free Tier with limited features alongside paid Subscription plans. The Free Tier is not conditioned on providing additional personal information. All tiers collect the same categories of personal information. The difference in pricing reflects access to additional features — not the value of your personal information.

9.7 California "Shine the Light" (Cal. Civ. Code § 1798.83)

We do not disclose personal information to third parties for their direct marketing purposes.

10. Your Privacy Rights (European Economic Area — GDPR)

This section applies to users located in the European Economic Area ("EEA"), the United Kingdom, or Switzerland.

10.1 Data Controller

PRCV Tech Inc.
23 Willoughby Way
Halton Hills ON L7G6C4
Email: info@gigatime.io

10.2 Legal Bases for Processing

Legal Basis	Processing Activities
Performance of a contract	Account creation, service delivery, billing, data export, account deletion
Consent	Marketing, analytics/crash reporting, location data, calendar access
Legitimate interests	Security monitoring, fraud prevention, audit logging, product improvement
Legal obligation	Tax record retention (7 years), responding to government requests

10.3 Your GDPR Rights

In addition to the rights in Section 8, EEA users have:

Right to Data Portability: Request your data in a structured, machine-readable format (JSON or CSV)
Right to Restrict Processing: Request restriction in certain circumstances
Right to Object: Object to processing based on legitimate interests
Right to Lodge a Complaint: With a supervisory authority in your EEA member state (edpb.europa.eu)
Right Not to Be Subject to Automated Decision-Making: We do not make solely automated decisions that produce legal effects

10.4 International Data Transfers

Your data is transferred to and stored in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission. Our service providers maintain their own data protection agreements incorporating SCCs or equivalent safeguards.

10.5 Data Processing Agreements

We have entered into data processing agreements with our sub-processors that require them to process personal information only on our instructions and to implement appropriate security measures.

11. Children's Privacy

GigaTime is a business management application designed for tradespeople and business professionals. You must be at least 16 years of age to create an account and use the Services. If you are between 16 and 18, you should review this Privacy Policy with a parent or guardian.

We do not knowingly collect personal information from children under 16. If we become aware that we have, we will delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us at info@gigatime.io.

12. Third-Party Links and Services

Our Services may contain links to third-party websites or services (e.g., the Stripe-hosted subscription management page, Google Forms surveys). We are not responsible for the privacy practices of these third parties.

Your use of Stripe for subscription billing is subject to Stripe's own Privacy Policy and Terms of Service.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make changes:

We will update the "Last Updated" date at the top of this policy
For material changes, we will notify you via email or in-app notice at least 30 days before changes take effect
Your continued use after changes take effect constitutes acceptance
If you do not agree, you may delete your account

14. Privacy Officer and Contact Information

PRCV Tech Inc. has designated a Privacy Officer responsible for our compliance with this Privacy Policy and applicable privacy laws.

For any questions, concerns, or requests regarding your privacy:

PRCV Tech Inc.

Attn: Privacy Officer

Email: info@gigatime.io

Web: gigatime.io/privacy-request

23 Willoughby Way
Halton Hills ON L7G6C4

We will respond to all privacy-related inquiries within 30 days (PIPEDA). For CCPA/CPRA requests, we will respond within 45 days (extendable to 90 days with notice).