Privacy Policy

Last updated: April 8, 2026

Vista Sign (“we”, “us”) respects your privacy and is committed to protecting your personal information. This Privacy Policy explains what we collect, how we use it, and your rights under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws.

1. Information we collect

Account information. Name, email address, company name (optional), and a hashed password when you sign up with email. For OAuth signups via Google or GitHub, we receive your name, email, and profile image from the provider.

Usage data. API requests you make, addresses you score, projects you create, saved locations, and timestamps. We use this to enforce plan quotas, show you your usage history, and improve the Service.

Billing information. Payment details are handled by Stripe, our payment processor. We do not store your credit card number. We keep your Stripe customer ID, subscription status, and billing period dates in our database.

Technical data. IP address, browser user agent, and request timestamps in our server logs (retained for 30 days for security and debugging).

2. How we use your information

  • To provide and operate the Service (scoring, reports, projects);
  • To authenticate you and secure your account;
  • To process payments and manage subscriptions via Stripe;
  • To enforce usage quotas and rate limits;
  • To send transactional emails (receipts, password resets, security notices);
  • To respond to support requests;
  • To improve accuracy of scoring and fix bugs;
  • To comply with legal obligations.

We do not sell your personal information to third parties. We do not use your scoring history or project data to train AI models.

3. Legal basis

We process your personal information on the basis of: (a) the contract between you and us (to deliver the Service you signed up for); (b) your consent (for marketing emails, which you may unsubscribe from at any time); (c) our legitimate interests (to secure the Service and prevent abuse); and (d) legal obligations (to comply with tax and accounting laws).

4. Third-party service providers

We use the following processors to operate the Service. Each has access only to the data necessary to perform its function:

  • Stripe — payment processing. See Stripe’s privacy policy.
  • Neon (PostgreSQL) — database hosting. Data is stored in AWS US East.
  • Vercel — application hosting and CDN.
  • Google / GitHub — OAuth identity providers (if you use them to sign in).
  • Anthropic — AI model provider for the natural language query feature. We send your query text (not your account details) to Anthropic. Anthropic does not train on API inputs by default.
  • OpenStreetMap Nominatim — geocoding. We send the address you type. Nominatim is a free public service; see their usage policy.

5. Data retention

  • Account data: retained while your account is active and for 30 days after deletion (for fraud prevention and billing reconciliation).
  • Server logs: 30 days, then automatically purged.
  • Billing records: 7 years (required by Canadian tax law).
  • Usage history and projects: retained for the life of your account.

6. Your rights under PIPEDA

You have the right to:

  • Access the personal information we hold about you;
  • Correct inaccurate information (most fields are editable from your settings page);
  • Withdraw consent and delete your account at any time from the settings page;
  • File a complaint with the Office of the Privacy Commissioner of Canada if you believe we have mishandled your data.

To exercise any of these rights, email privacy@vistasign.ca.

7. Data security

We use industry-standard practices to protect your data: encrypted connections (TLS), password hashing (bcrypt), OAuth for federated login, hashed API keys, and regular security updates. No method of transmission or storage is 100% secure; we cannot guarantee absolute security but we do take it seriously.

8. Data transfers

Your data is stored on servers operated by our hosting providers in the United States. By using the Service, you consent to the transfer of your information to the U.S., where privacy laws may differ from those in Canada. We rely on our providers’ security safeguards and contractual commitments.

9. Cookies

We use essential cookies for authentication (the session token set by NextAuth) and security. We do not use tracking cookies for advertising. Future updates may add analytics cookies, which we will disclose here and which you will be able to opt out of.

10. Children

The Service is not directed to children under 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us information, please email us and we will delete it.

11. Changes to this policy

We may update this Privacy Policy periodically. Material changes will be announced via email or a prominent in-product notice. Your continued use after the effective date of the updated policy constitutes acceptance.

12. Contact

Questions or concerns about your privacy? Reach us at privacy@vistasign.ca.


This document is a template provided as a starting point. Before accepting paying customers, review this Privacy Policy with a lawyer licensed in your jurisdiction and ensure it accurately describes your actual data handling practices.