InvestatechBack to login →

Investatech Platform — Privacy Policy

Last updated: April 20, 2026

This Privacy Policy explains how Investatech Inc. (“Investatech”, “we”, “us”) collects, uses, and protects personal information in connection with the multi-tenant SaaS platform at rcicapp.ca(formerly app.investatech.com). It applies to both our tenant customers (“Tenants”) and to the end-clients whose bookings, payments, or agreements pass through the Platform. Use of the Platform is governed by our Terms of Service.

1. Our Role

When a Tenant uses the Platform to provide services to their own clients, the Tenant is the controllerof their clients’ personal information and Investatech is a service provider(or processor under applicable law). Our handling of end-client data is governed by the Tenant’s own privacy notice. When the information in question is about the Tenant’s own account (email, password, business profile), Investatech is the controller.

2. Information We Collect

  • Account information. Tenant email, password (hashed), business name, slug, timezone, currency, phone, address, website, logo, theme, and — if applicable — the regulated-consultant details (RCIC name, registration number, scope, languages) the Tenant chooses to store.
  • Booking + invoice data. Client name, email, phone, notes, service selection, time slot, payment status, discount usage, additional-attendee details, and reference numbers. This is data the Tenant or their client submits through the Platform.
  • Agreement snapshots.Text the client accepts (CICC or custom) and the timestamp of acceptance, retained as an audit record on the Tenant’s behalf.
  • Attachments. Files (PDFs / images) a client uploads during an agreement flow are stored transiently in our private Supabase Storage bucket, emailed to both parties, and deleted from our storage after delivery. The email is the record of record.
  • Payment metadata.We never see or store full card numbers. Stripe processes payments directly on the Tenant’s connected Stripe account; we retain only payment identifiers (intent IDs, status, amounts, refund history) needed to reconcile with the booking / invoice.
  • Technical telemetry. Server logs (timestamps, request paths, status codes, IP address, user-agent), error traces, and aggregate analytics. We keep these for operational and security purposes.

3. How We Use Information

  • To provide the Platform’s features to Tenants and their clients.
  • To send transactional email (signup confirmation, password reset, booking confirmations, cancellations, reschedules, invoices, signed agreements, payment receipts).
  • To detect, prevent, and respond to fraud, abuse, and security incidents — including rate-limiting and reCAPTCHA.
  • To comply with legal obligations.
  • To improve the Platform: we may analyze aggregate, de-identified usage patterns. We do not sell personal information and we do not use your content to train AI models.

4. Third-Party Services We Share With

We only share personal information with third parties that are necessary to deliver the Platform and only for the purposes below. Each provider has its own privacy policy governing its processing.

  • Supabase (hosting, Postgres database, authentication, object storage).
  • Stripe / Stripe Connect (payment processing, identity verification of connected accounts).
  • Google (Google Calendar for scheduling sync, Google OAuth for sign-in to Calendar, and — when the Tenant enables the add-on — Google Gemini for AI features and Google Translate for client-page translation).
  • Our SMTP provider (Siteground, for sending transactional email from info@investatech.com).
  • Vercel (application hosting and CDN).
  • Google reCAPTCHA (bot protection on signup, password-reset, and booking-submission forms). When a form you submit is protected by reCAPTCHA, Google may collect device and browsing data subject to Google’s Privacy Policy and Terms of Service. Use of the Platform constitutes your acceptance of those terms for that purpose.

5. International Transfers

The providers listed above may process information in the United States or other countries outside Canada. Where required, we rely on standard contractual clauses or equivalent safeguards offered by each provider. By using the Platform you acknowledge this cross-border processing.

6. Data Retention

  • Active accounts: we keep account, booking, invoice, and agreement data for as long as the Tenant has an active account.
  • After account deletion: we retain data for up to 90 days to allow reactivation, then it may be permanently deleted (see Terms §14).
  • Agreement attachments: kept only long enough to be emailed, then deleted from our storage.
  • Server logs: typically 30–90 days, longer if required for a security investigation or by law.

7. Your Rights

Under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws in Canada, you may:

  • request access to your personal information we hold;
  • ask us to correct inaccurate information;
  • request deletion of your account and associated data (as a Tenant, you can do this from Settings → Delete Account; as an end-client, please contact your Tenant first, since they control your information);
  • withdraw consent for optional processing (e.g. by disabling the AI add-on);
  • lodge a complaint with the Office of the Privacy Commissioner of Canada.

To exercise any of these rights, email us at info@investatech.com. We will respond within 30 days.

8. Security

We use industry-standard measures to protect personal information: encrypted transport (TLS), encrypted storage at the database and object-storage layer, row-level security tenant isolation, hashed passwords, short-lived signed URLs for file uploads, secret-key-protected webhooks, and least-privilege service-role access. No system is perfectly secure; if we learn of a material breach affecting your data we will notify you in accordance with applicable law.

9. Cookies

We use strictly necessary cookies to keep you signed in (via Supabase’s auth session cookies) and to remember your language preference (investatech_locale). When you tick “Remember this device for 30 days” after entering the email sign-in code, we also set aninvestatech_device_trust HttpOnly cookie that lets you skip the code on the same browser for 30 days. Acookie_consent_v1cookie records your choices from the cookie banner so we don’t keep asking. We do not use advertising or cross-site tracking cookies on the Platform. Third-party scripts (Stripe Checkout, Google Calendar OAuth, Google reCAPTCHA) may set their own cookies when you interact with them. For the full list see our Cookie Policy.

10. Children

The Platform is not directed at children under 16. Tenants are responsible for ensuring they have lawful authority to collect information about any end-client who is a minor.

11. AI Features

If a Tenant enables the optional AI add-on, content they choose to send to Google Gemini is transmitted to Google and handled under Google’s paid API terms. Those terms, at the time of publication, state that paid API inputs and outputs are not used to train Google’s models. Google may change those terms; we will surface material changes we become aware of, and the Tenant can disable the add-on at any time. Investatech does not use your content to train AI models.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If a change is material we will notify Tenants by email or dashboard banner at least 30 days before it takes effect.

13. Contact

Questions or requests: info@investatech.com — Investatech Inc., Toronto, Ontario, Canada.