Investatech Platform — Privacy Policy
Last updated: May 14, 2026
This Privacy Policy explains how Investatech Inc. (“Investatech”, “we”, “us”) collects, uses, and protects personal information in connection with the multi-tenant SaaS platform at rcicapp.ca (formerly app.investatech.com). It applies to both our tenant customers (“Tenants”) and to the end-clients whose bookings, payments, or agreements pass through the Platform. Use of the Platform is governed by our Terms of Service.
1. Our Role
When a Tenant uses the Platform to provide services to their own clients, the Tenant is the controller of their clients’ personal information and Investatech is a service provider (or processor under applicable law). Our handling of end-client data is governed by the Tenant’s own privacy notice. When the information in question is about the Tenant’s own account (email, password, business profile), Investatech is the controller.
2. Information We Collect
- Account information. Tenant email, password (hashed), business name, slug, timezone, currency, phone, address, website, logo, theme, and — if applicable — the regulated-consultant details (RCIC name, registration number, scope, languages) the Tenant chooses to store.
- Booking + invoice data. Client name, email, phone, notes, service selection, time slot, payment status, discount usage, additional-attendee details, and reference numbers. This is data the Tenant or their client submits through the Platform.
- Agreement snapshots. Text the client accepts (CICC or custom) and the timestamp of acceptance, retained as an audit record on the Tenant’s behalf.
- Attachments. Files (PDFs / images) a client uploads during an agreement flow are stored transiently in our private Supabase Storage bucket, emailed to both parties, and deleted from our storage after delivery. The email is the record of record.
- Transfer Room files. Files uploaded by the Tenant or by a client through the Transfer Room module (Premium subscribers) are encrypted under the Tenant’s per-tenant data key (DEK) and stored in our private Supabase Storage bucket for a limited window. See §6 for the retention timings. We never deliver Transfer Room files as email attachments — notifications carry only a link to the portal.
- Transfer Room portal access data. For each client portal session we hold: the participant email address (lookup key), the one-time 6-digit code hash, the verification timestamp, an HMAC-signed session cookie, and the IP address + user-agent of the authenticating device (for the audit log). The portal session expires after 30 minutes of inactivity.
- Payment metadata. We never see or store full card numbers. Stripe processes payments directly on the Tenant’s connected Stripe account; we retain only payment identifiers (intent IDs, status, amounts, refund history) needed to reconcile with the booking / invoice.
- Technical telemetry. Server logs (timestamps, request paths, status codes, IP address, user-agent), error traces, and aggregate analytics. We keep these for operational and security purposes.
3. How We Use Information
- To provide the Platform’s features to Tenants and their clients.
- To send transactional email (signup confirmation, password reset, booking confirmations, cancellations, reschedules, invoices, signed agreements, payment receipts).
- To detect, prevent, and respond to fraud, abuse, and security incidents — including rate-limiting and reCAPTCHA.
- To comply with legal obligations.
- To improve the Platform: we may analyze aggregate, de-identified usage patterns. We do not sell personal information and we do not use your content to train AI models.
4. Third-Party Services We Share With
We only share personal information with third parties that are necessary to deliver the Platform and only for the purposes below. Each provider has its own privacy policy governing its processing.
- Supabase (hosting, Postgres database, authentication, object storage).
- Stripe / Stripe Connect (payment processing, identity verification of connected accounts).
- Google (Google Calendar for scheduling sync, Google OAuth for sign-in to Calendar, Google Drive — when the Tenant connects Drive from the Transfer Room module on the Premium tier, to copy received files into a folder the Tenant controls, and — when the Tenant uses AI features available with the Premium tier — Google Gemini for document analysis and drafting assistance, and Google Translate for client-page translation).
- Anthropic (Claude API for Service Agreement drafting assistance, used when the Tenant uses AI features available with the Premium tier).
- Our SMTP provider (Siteground, for sending transactional email from info@investatech.com).
- Vercel (application hosting and CDN).
- Google reCAPTCHA (bot protection on signup, password-reset, and booking-submission forms). When a form you submit is protected by reCAPTCHA, Google may collect device and browsing data subject to Google’s Privacy Policy and Terms of Service. Use of the Platform constitutes your acceptance of those terms for that purpose.
5. International Transfers
The providers listed above may process information in the United States or other countries outside Canada. Where required, we rely on standard contractual clauses or equivalent safeguards offered by each provider. By using the Platform you acknowledge this cross-border processing.
6. Data Retention
- Active accounts: we keep account, booking, invoice, and agreement data for as long as the Tenant has an active account.
- After account deletion: we retain data for up to 90 days to allow reactivation, then it may be permanently deleted (see Terms §14).
- Agreement attachments: kept only long enough to be emailed, then deleted from our storage.
- Transfer Room files: short-by-design. Each transfer expires after the Tenant-configured window (14 days default, 1–30 days). Once a recipient downloads a file, its bytes are purged within 72 hours. Once a file is copied to the Tenant’s connected Google Drive, its bytes are purged within 24 hours. Files in revoked transfers are purged within 72 hours after revocation.
- Transfer Room audit log: the append-only event log (who activated a room, sent a transfer, viewed it, downloaded it, revoked it) is retained for the life of the Tenant’s account because Tenants may need to reconstruct the chain of custody for their professional records. IP addresses in the audit log are redacted to a /24 (IPv4) or /64 (IPv6) before storage.
- Server logs: typically 30–90 days, longer if required for a security investigation or by law.
7. Your Rights
Under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws in Canada, you may:
- request access to your personal information we hold;
- ask us to correct inaccurate information;
- request deletion of your account and associated data (as a Tenant, you can do this from Settings → Delete Account; as an end-client, please contact your Tenant first, since they control your information);
- withdraw consent for optional processing (e.g. by declining the AI features on a given document or cancelling your Premium subscription);
- lodge a complaint with the Office of the Privacy Commissioner of Canada.
To exercise any of these rights, email us at info@investatech.com. We will respond within 30 days.
8. Security
We use industry-standard measures to protect personal information: encrypted transport (TLS), encrypted storage at the database and object-storage layer, row-level security tenant isolation, hashed passwords, short-lived signed URLs for file uploads, secret-key-protected webhooks, and least-privilege service-role access. No system is perfectly secure; if we learn of a material breach affecting your data we will notify you in accordance with applicable law.
9. Cookies
Every cookie the Platform sets is strictly necessary to deliver the service you signed up for. We do not use advertising or cross-site tracking cookies on the Platform, which is why rcicapp.ca does not show a cookie banner — there is nothing on this domain you would need to consent to or reject.
The cookies the Platform sets:
- Authentication. Supabase sets HttpOnly session cookies (sb-*-auth-token) so you stay signed in across page loads.
- Idle session timeout. iv_session_activity is an HttpOnly, HMAC-signed cookie that records the last time you interacted with the dashboard. After 20 minutes of inactivity the Platform forces a sign-out for your security; this cookie is how the server enforces that limit.
- Device trust. When you tick “Remember this device for 30 days” after entering the email sign-in code, we set investatech_device_trust (HttpOnly) so you can skip the code on the same browser for 30 days.
- Language preference. investatech_locale remembers whether you chose English or French in the dashboard.
- Dashboard theme. investatech_theme remembers your Light / Colourful / Dark Lite choice (one of three known values, no personal data).
- Referral attribution. If you arrived from another tenant’s referral link, iv_ref records the referral code for up to 60 days so we can credit the referrer if you subscribe. The cookie carries the referral code only, no personal data.
- Superadmin impersonation banner. impersonator_email (HttpOnly) is set only when an Investatech operator is actively impersonating a tenant account for support and is cleared the moment impersonation ends. It exists so a visible banner makes clear who is signed in.
- Consent record. The cookie_consent_v1 cookie (set by the marketing site at investatech.com) records your choices from the marketing-site cookie banner. The Platform itself does not write to this cookie.
Third-party scripts (Stripe Checkout, Google Calendar OAuth, Google reCAPTCHA) may set their own cookies when you interact with them. For the full cross-domain list see our Cookie Policy.
10. Children
The Platform is not directed at children under 16. Tenants are responsible for ensuring they have lawful authority to collect information about any end-client who is a minor.
11. AI Features
If a Tenant uses AI features available with the Premium tier, content they choose to send to Google Gemini (document analysis, drafting assistance, client-page translation) or to Anthropic Claude (Service Agreement assistance) is transmitted to the relevant provider and handled under that provider’s terms for paid API usage. Those terms, at the time of publication, state that paid API inputs and outputs are not used to train the provider’s models. Providers may change those terms; we will surface material changes we become aware of, and the Tenant can decline the AI features on any document or cancel the Premium subscription at any time. Investatech does not use your content to train AI models.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If a change is material we will notify Tenants by email or dashboard banner at least 30 days before it takes effect.
13. Email Communications and Consent (CASL)
We send tenants three categories of email. Different consent rules apply to each category under Canada’s Anti-Spam Legislation (CASL).
Transactional and account-related email. Signup confirmation, login one-time codes, password resets, billing receipts, booking notifications, signed-agreement deliveries, account suspension or closure notices, and similar messages required for the service to function. These are not Commercial Electronic Messages under CASL and we send them regardless of marketing consent. You cannot opt out of these while your account remains active.
Service alerts. Bug fixes that affect your account, security incidents, scheduled maintenance, and mandatory product changes. Default ON when you create your account; you may opt out via your notification preferences page. We reserve the right to send a service alert regardless of opt-out status when the message is materially important to your account security or data integrity.
Product updates and marketing. Feature announcements, training-session promotions, referral campaigns, and other Commercial Electronic Messages. Default OFF; we send these only when you have given express consent at signup or via your notification preferences page. Every such email carries an unsubscribe link that takes effect immediately.
Withdrawing consent. You may withdraw consent for service alerts or product updates at any time from Dashboard → Settings → Notifications, or by clicking the unsubscribe link in the footer of any such email. We honour unsubscribe requests immediately and keep a record of the change date, source, and IP address for our CASL compliance records.
Tenant-to-client emails. When the platform sends an email from your firm to your client (booking confirmation, signed agreement, written consultation answer, transfer-room notification, and so on), you are the CASL-responsible sender. We are the carrier. You collected the client’s consent when they interacted with you; the unsubscribe mechanism in those emails reaches you, not Investatech.
Sender of record. Investatech Inc., Toronto, Ontario, Canada. Email info@investatech.com for any consent question or to request a copy of your consent record.
14. Contact
Questions or requests: info@investatech.com — Investatech Inc., Toronto, Ontario, Canada.