Privacy Policy
Effective date: April 28, 2026
Evalystar Inc. ("Evalystar", "we", "our", or "us") is committed to protecting the privacy of the personal information you entrust to us. This Privacy Policy explains what personal information we collect, how we use and disclose it, and what rights you have in relation to it. It applies to all personal information collected through our website at evalystar.com and our vendor accountability platform (collectively, the "Service"). By using our Service, you acknowledge that you have read and understood this policy.
1. About Evalystar and Our Accountability
Evalystar Inc. is a Canadian B2B SaaS company registered in Alberta and Ontario, Canada. We build a vendor accountability platform for facility managers in schools, hospitals, corporations, and home care organizations. We are the "data controller" for personal information collected through our website and the "data processor" for personal information our customers upload or generate inside the platform.
We have designated a Privacy Officer who is accountable for our compliance with this policy and with applicable Canadian privacy legislation, including the federal Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5, and Alberta's Personal Information Protection Act (PIPA), S.A. 2003, c. P-6.5. To reach our Privacy Officer, write to legal@evalystar.com.
2. Information We Collect
We collect only the personal information necessary to provide and improve our Service. The categories of information we collect are as follows.
Personal contact information. When you sign up or contact us, we collect your name, work email address, phone number, and job title. This information is used to create your account, communicate with you, and provide support.
Account and authentication data. We collect usernames, securely hashed passwords (we never store passwords in plain text), login timestamps, and session tokens. This data is necessary to authenticate you and protect your account from unauthorized access.
Billing and payment data. We collect your billing address and company name for invoicing purposes. Payment card details are collected and processed directly by our payment processor (currently Stripe, Inc.) and are never stored on Evalystar servers. We receive only a tokenized reference and the last four digits of your card for display purposes.
Usage and analytics data. As you use the Service, we automatically collect information about your interactions, including features used, clickstreams, session duration, in-app events, error logs, device type, browser version, operating system, and IP address. This data helps us understand how the product is used, diagnose technical issues, and prioritize improvements.
Third-party integration data. Customers may connect Evalystar to other tools such as CRM systems, calendars, or email providers. Any data exchanged through those integrations is treated as customer data: we process it on your behalf, do not use it for our own commercial purposes, and handle it subject to our Data Processing Agreement.
3. How We Use Your Information
We use personal information only for the purposes identified at the time of collection or for purposes a reasonable person would consider appropriate given the circumstances. Our primary purposes are:
- Providing, operating, and improving the Service
- Creating and managing your account
- Processing transactions and sending related notices such as invoices and receipts
- Responding to support requests, questions, and feedback
- Sending service announcements and security notices (these are non-promotional and cannot be opted out of while you hold an active account)
- Sending marketing communications about Evalystar products and features, where you have provided express or implied consent as described in Section 7
- Conducting internal analytics to understand usage patterns and improve the product
- Detecting, investigating, and preventing fraudulent, unauthorized, or illegal activity
- Complying with legal obligations
We will not use your personal information for any new purpose that is materially different from those listed above without first obtaining your consent or as otherwise permitted by applicable law.
4. Legal Basis for Processing
Under PIPEDA and Alberta PIPA, we rely on your consent as the primary legal basis for collecting and using your personal information. Where you provide your information to create an account, purchase a subscription, or contact us, you are providing consent to us processing that information for the purposes described in this policy.
In limited circumstances, we also rely on legitimate business interests as a basis for processing where obtaining consent would be impractical and where your privacy interests do not override ours. This applies principally to security monitoring, fraud prevention, internal analytics that use anonymized or aggregated data, and maintaining service integrity. We apply a careful balancing test before relying on legitimate interest as a basis, and we will not rely on it for any purpose that is likely to cause you harm or that you would find objectionable.
You have the right to withdraw your consent to processing at any time by contacting us at legal@evalystar.com. Please be aware that withdrawing consent may affect our ability to provide some or all of the Service to you. We will advise you of the consequences before acting on a withdrawal request.
5. Data Sharing and Sub-Processors
We do not sell your personal information. We do not trade, rent, or share personal information with third parties for their own marketing purposes. We disclose personal information only in the following circumstances.
Service providers and sub-processors. We engage trusted third-party companies to help us operate and deliver the Service. These include cloud infrastructure providers, payment processors, analytics tools, customer support platforms, and email delivery services. Each sub-processor is contractually bound to process personal information only on our documented instructions, to implement security measures equivalent to those described in this policy, and to refrain from using the data for any purpose other than delivering the contracted service. A current list of our sub-processors is available upon request by writing to legal@evalystar.com.
Legal and regulatory disclosure. We may disclose personal information when required to do so by law, court order, regulatory authority, or government agency, or when we reasonably believe disclosure is necessary to protect the rights, property, or safety of Evalystar, our customers, or the public.
Business transfers. In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, personal information may be transferred to the successor entity. We will notify affected users by email and post a notice on our website before personal information is transferred and becomes subject to a materially different privacy policy.
6. Data Retention
We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law.
Account data (contact information, profile data, and settings) is retained for the duration of your active subscription and for 90 days following the termination or expiry of that subscription. During the 90-day grace period you may export your data or request its deletion. After that period, your account data is permanently deleted from our production systems.
Billing records, including invoices and transaction logs, are retained for seven years following the date of the transaction in compliance with Canadian tax law requirements under the Income Tax Act and the Excise Tax Act.
Usage and analytics data is retained in identifiable form for up to 24 months, after which it is aggregated and anonymized. Anonymized data is no longer personal information and may be retained indefinitely for statistical and product improvement purposes.
You may request deletion of your personal information at any time. We will process deletion requests within 30 days, subject to any legal obligation to retain certain data longer or where retention is necessary for an ongoing dispute or regulatory investigation.
7. Marketing Communications and CASL
Canada's Anti-Spam Legislation (CASL), S.C. 2010, c. 23, governs any commercial electronic messages we send to Canadian recipients. We will send you marketing emails, newsletters, or product announcements only where you have provided express consent at sign-up or through a preference centre, or where we have implied consent because you are an existing customer and the message relates to products or services similar to those you have previously purchased from us.
You may withdraw consent to marketing communications at any time by clicking the unsubscribe link included in every marketing email, by updating your notification preferences in your account settings, or by writing to legal@evalystar.com. We will honor unsubscribe requests within 10 business days. Withdrawing consent to marketing communications does not affect our ability to send you transactional and service messages related to your account.
8. Cookies and Tracking Technologies
Our website and platform use cookies and similar tracking technologies. Strictly necessary cookies are required for the Service to function and cannot be disabled. Analytics cookies help us understand how visitors interact with the site and are set only with your consent. You can manage your cookie preferences using the cookie preference centre accessible from the "Cookies" link in our footer.
We do not use third-party advertising cookies or participate in cross-site behavioral advertising networks.
9. Security
We implement technical and organizational measures designed to protect your personal information against unauthorized access, disclosure, alteration, and destruction. Our measures include encryption of data in transit using TLS 1.2 or higher, encryption of data at rest using AES-256, strict role-based access controls that limit internal access to personal information on a need-to-know basis, and regular third-party security audits and vulnerability assessments.
In the event of a privacy breach that creates a real risk of significant harm to individuals, we will notify affected customers and the Office of the Privacy Commissioner of Canada (OPC) as required under PIPEDA's mandatory breach of security safeguards rules (Breach of Security Safeguards Regulations, SOR/2018-64). We will provide notification without unreasonable delay and within 72 hours of becoming aware of the breach to the extent practicable. We will also maintain an internal breach register as required by law.
While we work diligently to protect your information, no security system is perfect. We encourage you to use a strong, unique password for your Evalystar account and to notify us immediately at legal@evalystar.com if you suspect any unauthorized activity.
10. Your Rights and How to Exercise Them
Under PIPEDA and Alberta PIPA, you have the following rights in relation to your personal information held by Evalystar.
- Right of access. You may request a copy of the personal information we hold about you and information about how it is used and disclosed.
- Right of correction. If you believe any personal information we hold about you is inaccurate or incomplete, you may request that we correct it.
- Right to withdraw consent. As described in Section 4, you may withdraw consent to our processing of your personal information at any time, subject to legal and contractual restrictions.
- Right to challenge compliance. You may challenge our privacy practices and lodge a complaint with us or with the applicable supervisory authority.
To exercise any of these rights, submit a written request to legal@evalystar.com. We will acknowledge receipt within five business days and provide a substantive response within 30 days. In limited cases where a request requires additional time to fulfill, we will notify you of the extended timeline and the reasons for it.
You may also file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca. Alberta residents may additionally contact the Office of the Information and Privacy Commissioner of Alberta at www.oipc.ab.ca.
11. Children's Privacy
The Evalystar Service is directed exclusively at businesses and the professionals who manage them. It is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from minors. If we learn that we have inadvertently collected personal information from a minor, we will delete it promptly. If you believe a minor has provided personal information to us, please notify us at legal@evalystar.com.
12. International Data Transfers
Evalystar is a Canadian company and your personal information is stored on servers located in Canada. Certain sub-processors (for example, cloud infrastructure and analytics providers) may process data in other jurisdictions, including the United States. Where personal information is transferred outside Canada, we take steps to ensure it receives equivalent protection, including through contractual safeguards with sub-processors.
13. Notice for California Residents (CCPA / CPRA) — Future Markets
This section will apply to California residents once Evalystar begins operating commercially in the United States. It does not apply at this time.
When active, California residents will have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA): the right to know what personal information is collected, used, shared, or sold; the right to delete personal information held by us; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information; and the right not to receive discriminatory treatment for exercising any CCPA/CPRA right.
Evalystar does not sell personal information, and will not do so upon US market entry. To submit a request, California residents will be able to contact us at legal@evalystar.com.
14. Notice for EEA, UK, and Swiss Residents (GDPR) — Future Markets
This section will apply when Evalystar processes personal data of residents of the European Economic Area, the United Kingdom, or Switzerland. It does not apply at this time.
When active, our lawful bases for processing under GDPR Article 6 will include: performance of a contract (Article 6(1)(b)) for processing necessary to provide the Service; compliance with a legal obligation (Article 6(1)(c)) for regulatory requirements; and legitimate interests (Article 6(1)(f)) for security monitoring, fraud prevention, and product analytics, where those interests are not overridden by your rights and interests.
Residents of the EEA, UK, and Switzerland will have the following rights: access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and the right to object to processing based on legitimate interests. You will also have the right to lodge a complaint with your local data protection supervisory authority.
For international transfers of personal data from the EEA, UK, or Switzerland, we will rely on Standard Contractual Clauses (SCCs) as adopted by the European Commission (or UK-approved equivalents) as the transfer mechanism, unless an alternative adequacy decision or approved safeguard applies.
Upon Evalystar's entry into EU markets, we will designate a Data Protection Officer (DPO) and update this policy with their contact details. Until then, privacy inquiries may be directed to legal@evalystar.com.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make a material change, we will post the revised policy on this page, update the "Last updated" date at the bottom, and send you an email notification if the change materially affects how we handle your personal information. Your continued use of the Service after the effective date of any update constitutes acceptance of the revised policy.
16. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or our handling of your personal information, please contact our Privacy Officer:
Evalystar Inc. — Privacy Officer
Email: legal@evalystar.com
Website: evalystar.com
We will acknowledge your inquiry within five business days and make every reasonable effort to resolve your concern promptly and fairly.
Last updated: April 28, 2026