Privacy Policy — MindSyte

1. The short version

MindSyte is a safety, maintenance, and compliance platform for businesses. We collect the data your company gives us so the app can work. We don't sell your data. We don't use it to train AI models. We store it on Google Firebase Cloud servers located in Canada. You can request a copy or deletion at any time by emailing privacy@mindsyte.ca.

Plain English principle: Your company's data belongs to your company. We're just the software that helps you organize it.

2. Who we are

MindSyte is operated by ProtocolOne, a Canadian company based in Montréal, Quebec. The "data controller" for the personal information you give us is ProtocolOne. You can reach us at privacy@mindsyte.ca.

3. What we collect

Information you give us directly

Account information: name, email address, phone number, employee ID, company name, role
Content you create: incident reports, maintenance requests, safety audits, chemical inventory entries, internal messages, documents you upload, photos attached to records
Communications: support emails, demo requests, feedback you send us

Information collected automatically

Usage data: which features you use, when you sign in, how long sessions last
Device information: phone model, OS version, app version (used to debug crashes)
Push notification tokens: required to send you notifications

Information we do NOT collect

We do not collect your location continuously in the background
We do not access your contacts, photos, or files outside what you explicitly share with the app
We do not track you across other websites or apps
We do not collect biometric data

4. How we use your data

We use the data you and your company provide to:

Operate the MindSyte service — let you sign in, save your work, send notifications, etc.
Provide AI-powered safety insights based on YOUR company's data (we do not use your data to train models that benefit other customers)
Send service-related emails (welcome, password reset, security alerts)
Provide customer support when you contact us
Diagnose bugs and crashes (using anonymized error data)
Comply with legal obligations (e.g., responding to lawful subpoenas)

5. How we share your data

We share your data only in these specific cases:

Within your company: data added by one employee is visible to other authorized employees in your company, based on their role and permissions
Service providers: we use Google Firebase (Google Cloud Platform) to host data, Apple/Google Push Notification Services for notifications, and Web3Forms for contact form delivery
Legal requirements: we will disclose data if required by law (court order, subpoena, etc.) but will challenge requests we believe are overbroad
Business transfers: if MindSyte is sold or merged with another company, your data may transfer — you'll be notified before that happens

We never sell your data to third parties. We never share it with advertisers. We never use it to train external AI models.

6. Where your data lives

Your data is stored on Google Firebase Cloud servers in the Montréal, Canada (northamerica-northeast1) region. Data is encrypted in transit (HTTPS/TLS) and at rest (Firebase default encryption).

If you access MindSyte from outside Canada, your data is still hosted in Canada and subject to Canadian privacy law.

7. How long we keep your data

Active accounts: we keep your data for as long as your company maintains an active MindSyte subscription
After account deletion: data is deleted from our active systems within 30 days; encrypted backups may retain data for up to 90 days before being permanently purged
Legal hold: some data may be retained longer if required by law (e.g., financial records for tax purposes)

8. Your rights

Depending on your location, you have the right to:

Access — request a copy of the personal data we hold about you
Correct — fix inaccurate or outdated information
Delete — ask us to delete your personal data (subject to legal retention requirements)
Export — receive your data in a portable format (JSON or CSV)
Object — opt out of specific processing activities (like marketing emails)
Withdraw consent — for any processing based on consent

To exercise any of these rights, email privacy@mindsyte.ca. We'll respond within 30 days.

9. Children

MindSyte is a B2B workplace safety platform. It is not intended for use by children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

10. Security

We implement industry-standard security measures:

All data in transit is encrypted with TLS 1.2+
All data at rest is encrypted by Firebase
Role-based access controls limit who can see what within your company
Authentication is handled by Firebase Authentication (Google's identity platform)
We do not store your password in plain text — only secure hashes

No system is 100% secure. If you discover a vulnerability, please report it to security@mindsyte.ca.

11. Changes to this policy

We may update this privacy policy from time to time. Material changes will be announced via email and a notice in the app at least 30 days before taking effect. The "Last updated" date at the top of this page shows the most recent change.

12. Contact us

Privacy questions, requests, or complaints:

Email: privacy@mindsyte.ca
Mail: ProtocolOne, Privacy Office, Montréal, Quebec, Canada

If you're not satisfied with our response, you have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or your local data protection authority.