Privacy Policy

Effective date: 2026-06-04

This Privacy Policy describes how HACCPlan (“we”, “our”, “us”) collects, uses, discloses, and protects personal information. HACCPlan is operated by Andrew Langevin, a Canadian small business based in Brantford, Ontario, Canada.

This policy is governed by Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec’s Law 25 (where applicable), and applicable provincial privacy laws. For California residents, supplemental rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) are described in Section 11.

1. Who we are and how to contact us

Operator: Andrew Langevin (sole proprietor)
Business address: Brantford, Ontario, Canada
Privacy contact: privacy@haccplan.com
General contact: support@haccplan.com

Andrew is the Privacy Officer for the purposes of PIPEDA. You may direct any privacy questions, access requests, or complaints to the privacy email above. We respond within 30 days as required by PIPEDA.

2. The information we collect

We collect only the information needed to deliver the HACCPlan service. We do not sell personal information.

Account information. Email address, full name, password (stored as a hash, never plaintext), the company you create or join, your role (Owner / Manager / Operator / Viewer), the employee code you self-assign, and your account creation timestamp.

Workspace and compliance data. Information you enter into HACCPlan as part of operating your food-safety program: company profile (legal name, addresses, CFIA licence number, FDA registration), facility details, employee records, supplier names and contacts, product specifications, recipe ingredients, batch and shipment records, monitoring readings, deviations, sanitation logs, training records, and any uploaded files (Certificates of Analysis, photographs, scanned documents).

Customer-relationship data. Names and contact details of your suppliers, customers, and consultants that you enter into HACCPlan. This data belongs to you (your workspace owns it). We process it on your behalf as a service provider.

Usage data. When you use HACCPlan, we automatically collect: pages visited, features used, approximate geographic region (derived from IP address — we do not store the IP), browser type and version, device type, screen size, error events (sent to our error-tracking service Sentry), and session duration.

Cookies and similar. A session cookie set by our authentication provider (Supabase) so you stay logged in. A short-lived workspace-cache cookie. No third-party advertising or tracking cookies. No Google Analytics. No Facebook pixel.

3. How we use your information

We use your information only to:

  • Deliver the HACCPlan service (account creation, login, records storage, file uploads, document generation, AI document scanning).
  • Maintain food-safety traceability records as required by your regulator (CFIA, FDA, others).
  • Respond to support requests.
  • Send transactional emails (signup confirmation, password reset, billing receipts).
  • Detect and prevent security incidents (failed login alerts, abuse).
  • Improve the service (aggregate, anonymized usage patterns only).
  • Comply with our legal obligations.

We do not use your information for advertising. We do not profile you. We do not sell, rent, or trade your information.

4. Legal basis (PIPEDA fair information principles)

Our processing is grounded in PIPEDA’s ten fair information principles: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance.

You consent to our processing by signing up. You may withdraw consent at any time by closing your account (Section 9), subject to legal retention obligations on certain food-safety records (Section 6).

5. Who we share information with

We share information only with the following categories of third parties, each bound by data-processing terms:

  • Supabase (database + authentication provider). Hosts your account credentials and workspace data. Data residency: AWS US-East. See supabase.com/privacy.
  • Vercel (hosting provider). Serves the HACCPlan app. Processes request metadata in the course of serving pages. See vercel.com/legal/privacy-policy.
  • Sender.net (transactional email). Delivers signup, password reset, and similar emails. See sender.net/privacy.
  • Anthropic (AI processing). When you use the document scan feature, the file is sent to Anthropic for analysis. Anthropic does not retain content for training. See anthropic.com/legal/privacy.
  • Sentry (error tracking). Receives error reports including the URL where the error occurred and a stack trace. Personally identifying fields are scrubbed before sending.
  • Stripe (payment processor, when billing ships). Receives billing information directly from you when you subscribe; we never see card details. See stripe.com/privacy.

We do not share data with advertisers or marketers. We do not transfer your data outside of these processors except as required by law (e.g., a valid court order).

6. How long we keep your information

Account data: for the lifetime of your account, plus 90 days after closure for fraud-prevention purposes.

Workspace and compliance records: for the lifetime of your workspace. After you close the workspace, food-safety records are retained for an additional 2 years to satisfy CFIA’s record-retention requirement under the Safe Food for Canadians Regulations §90, and FDA’s under 21 CFR §117.330(d). After this period, records are permanently deleted from active systems within 30 days, and from backups within 60 days.

Usage data and logs: 90 days. Error reports (Sentry): 30 days. Backups: 30 rolling days.

You can request earlier deletion of personal data not subject to the 2-year retention by contacting privacy@haccplan.com. We will honour the request within 30 days unless an overriding legal obligation prevents it.

7. Security

We protect your information with:

  • TLS 1.2+ encryption in transit (HTTPS only).
  • Encryption at rest for the database (managed by Supabase / AWS).
  • Strict Row-Level Security (RLS) policies — your workspace’s data is technically inaccessible to other workspaces, including via the application’s own service code.
  • Password hashing using industry-standard algorithms (bcrypt via Supabase Auth).
  • Multi-factor authentication available on request (contact support@haccplan.com).
  • Audit logs for material changes.

Despite reasonable safeguards, no system is perfectly secure. In the event of a breach creating a real risk of significant harm, we will notify the Office of the Privacy Commissioner of Canada and affected individuals as soon as feasible and within the time required by PIPEDA.

8. Your rights

Under PIPEDA you have the right to:

  • Access the personal information we hold about you.
  • Correct information that is inaccurate.
  • Withdraw consent (subject to legal retention obligations).
  • Challenge our compliance by contacting privacy@haccplan.com or, if unsatisfied, the Office of the Privacy Commissioner of Canada.

We respond to access and correction requests within 30 days. We do not charge a fee for routine requests.

9. Closing your account

You may close your account at any time by emailing privacy@haccplan.com. Within 24 hours we will:

  1. Disable login.
  2. Hide your data from active interfaces.
  3. Begin the 2-year retention timer on food-safety records (see Section 6).
  4. Delete all non-retained personal data within 30 days.

A workspace Owner who closes a workspace ends access for all members of that workspace.

10. Children's data

HACCPlan is a business-use product. We do not knowingly collect data from anyone under 16. If you believe a minor has created an account, please email privacy@haccplan.com and we will close the account and delete the data.

11. California residents (CCPA + CPRA supplemental rights)

If you are a California resident, you have the following additional rights under CCPA / CPRA:

  • Right to know. What personal information we have collected, sources, purposes, and categories of third parties we share with. The complete list is in Sections 2 and 5 above.
  • Right to delete. Subject to the food-safety retention obligation in Section 6.
  • Right to correct. As described in Section 8.
  • Right to opt out of sale or sharing. We do not sell or share your personal information for cross-context behavioural advertising — there is nothing to opt out of.
  • Right to limit use of sensitive personal information. We do not collect categories of sensitive personal information beyond what is necessary to deliver the service.
  • Right to non-discrimination. We will not retaliate against you for exercising any of these rights.

To exercise any right, email privacy@haccplan.com with “California rights request” in the subject line. We respond within 45 days.

12. Cross-border data transfers

HACCPlan is operated from Canada. Our hosting and database providers (Supabase / AWS) host data in the United States. By using the service, you acknowledge that your information will be processed in the United States, which may have different privacy protections than your home jurisdiction. We rely on industry-standard contractual safeguards (Standard Contractual Clauses, where applicable) with our processors.

If you are located in the EU/UK, please contact us before signing up to confirm we can accommodate your jurisdiction’s requirements.

13. Changes to this policy

We may update this policy. Material changes will be communicated via email to all account holders at least 30 days before they take effect. The “Effective date” at the top will be updated. Continued use of HACCPlan after the effective date constitutes acceptance.

14. Contact

Privacy questions, access requests, or complaints:

Email: privacy@haccplan.com
Mail: Andrew Langevin, Brantford, Ontario, Canada

If you are unsatisfied with our response, you may contact the Office of the Privacy Commissioner of Canada.

See also: Terms of Service.