Privacy Policy

1. Introduction

Patchy Home Services Inc. ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our marketplace platform and visit our website. This policy applies to all users, including customers (homeowners) and service providers (contractors/Patchymen).

We operate in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. By using our platform, you consent to the data practices described in this policy.

2. Information We Collect

Personal Information

We may collect personal information that you voluntarily provide to us when you:

• Create an account and sign in (via email OTP or Google authentication)
• Create service orders or submit bids
• Upload photos, documents, or other files
• Communicate through the in-app chat or support system
• Submit reviews and ratings
• Subscribe to our newsletter
• Contact us via phone, email, or our website

This information may include: name, email address, phone number, address, payment information, and service preferences.

Payment Information

When you make a payment, you enter your card details directly on Stripe's secure checkout page. Patchy does not receive, store, or process your full card number. If you choose to save a card to your account, we store only a non-sensitive reference issued by Stripe (Stripe customer ID, payment method ID, card brand, last four digits, expiration month/year, card funding type, and saved-card status). The card itself is held by Stripe and can be detached from Stripe and from Patchy at any time from your profile.

Contractor (Patchyman) Information

If you register as a Patchyman, we additionally collect:

• Professional profile information (bio, specialization, work areas)
• Verification and licensing documentation
• Stripe Connect payout account identifier and capability status (account ID, payouts/transfers/card-payments capability flags, onboarding completion timestamp). Patchymen onboard their Stripe account directly with Stripe; identity, banking, and tax details collected during Stripe's onboarding flow are stored by Stripe, not by Patchy.
• Work completion photos uploaded for completed orders
• Platform rules acceptance records

Google User Data

Google User Data: When you authenticate using Google, we collect Google user data including your name, email address, and profile picture (as provided by you through your Google account). For detailed information about how we collect, use, store, and share Google user data, please see Section 7 below.

User-Generated Content

We collect and store content you create on the platform, including:

• Chat messages: In-app messages between customers and contractors are stored to facilitate order communication
• File uploads: Photos (JPEG, PNG, GIF, WebP) and PDF documents uploaded with orders are stored in cloud storage
• Reviews and ratings: Customer reviews including quality, communication, punctuality, cleanliness, and appearance ratings
• Work photos: Completion photos uploaded by Patchymen, which may be displayed publicly in their portfolio

Automatically Collected Information

When you visit our website, we may automatically collect certain information about your device and usage, including:

• IP address and browser type
• Pages visited and time spent on our site
• Referring website information
• Device and operating system information
• Session interaction data (see Session Replay in Section 8)

3. How We Use Your Information

We use the information we collect to:

• Operate and maintain the marketplace platform
• Connect customers with contractors and facilitate orders
• Process payments and manage financial transactions
• Enable in-app communication between users
• Send transactional emails (order confirmations, bid notifications, payment links)
• Send newsletters and promotional materials (with your consent)
• Respond to inquiries and provide customer support
• Display contractor profiles, portfolios, reviews, and ratings
• Analyze usage patterns to improve our platform and services
• Measure advertising campaign effectiveness
• Comply with legal obligations and protect our rights

We limit our use of all data, including Google user data, to providing or improving user-facing features of our application. For detailed information about how we specifically use Google user data, please see Section 7 below.

4. Information Sharing and Disclosure

We do not sell, trade, or otherwise transfer your personal information to third parties without your consent, except in the following circumstances:

• Service providers who assist us in operating our business (listed in Section 5)
• Legal requirements or to protect our rights and safety
• Business transfers (mergers, acquisitions, asset sales)
• With your explicit consent

Between Platform Users: When a Customer accepts a Patchyman's bid, certain information is shared between the parties to facilitate the service, including names, order details, and in-app chat messages.

We do not sell Google user data to third parties. We do not transfer or disclose your Google user information to third parties for purposes other than providing or improving our application's functionality. For detailed information about how we share Google user data, please see Section 7 below.

5. Service Providers

We use the following third-party service providers to operate our platform. These providers process data on our behalf and are contractually obligated to use it solely for providing services to us:

• Stripe: Payment processing, saved-card storage, and connected-account onboarding. When you make a payment through the platform, your card details are entered directly on Stripe's secure checkout page; Patchy does not handle full card numbers. When you save a card to your account, Stripe stores the card and provides Patchy with non-sensitive references for future off-session charges. Patchymen connect Stripe Connect payout accounts (Express configuration) to receive marketplace payouts; Stripe collects the identity, banking, and tax information required by financial regulations directly from the Patchyman. Stripe's privacy policy governs their use of payment, saved-card, and connected-account data.
• Resend: Transactional email delivery. We share your email address with Resend to send order confirmations, bid notifications, payment links, and newsletters. We may also create a contact record in Resend for newsletter management.
• Telegram: Customer support. When you use our support chat, your messages and basic contact information (name, email) may be forwarded to our support team via Telegram for faster response times.
• Supabase: Database infrastructure and cloud storage. Your data, including uploaded files, is stored securely on Supabase's infrastructure.
• Vercel: Website hosting and deployment. Vercel hosts our web application and may collect anonymous performance analytics.

6. Data Security

We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit using secure protocols (HTTPS/TLS)
• Storage of payment instrument data exclusively with Stripe; Patchy retains only non-sensitive references (such as card brand and last four digits) needed to display the saved card
• Row-level security policies on our database to restrict data access
• Secure authentication using one-time passwords (OTP) or OAuth
• Limited access to personal data on a need-to-know basis

However, no method of transmission over the internet or electronic storage is 100% secure.

7. Third-Party Authentication and Google User Data

We offer the option to sign in to our services using third-party authentication providers, including Google. This section specifically addresses how we access, use, store, and share Google user data.

Google User Data We Collect

When you choose to authenticate through Google, we collect the following Google user data that you have provided to us:

• Your name (as provided in your Google account)
• Your email address (as provided in your Google account)
• Your profile picture (if available and shared by you)

We do not collect, access, or store your Google password or any other sensitive authentication credentials. We only receive the basic profile information that you authorize Google to share with us during the authentication process.

How We Use Google User Data

We use the Google user data we collect solely for the following purposes:

• To provide you with access to our platform and enable you to create orders or submit bids
• To create and manage your user account on our platform
• To communicate with you about your orders and our services
• To improve the functionality and user experience of our application
• To provide customer support and respond to your inquiries

We do not use Google user data for: targeted advertising, selling to data brokers, providing to information resellers, determining credit-worthiness, lending purposes, user advertisements, personalized advertisements, retargeted advertisements, interest-based advertisements, creating databases, or training AI models. We limit our use of Google user data strictly to providing and improving user-facing features of our application.

How We Share, Transfer, or Disclose Google User Data

We do not sell, trade, or otherwise transfer your Google user data to third parties. We may share Google user data only in the following limited circumstances:

• Service Providers: We may share Google user data with trusted service providers who assist us in operating our business, such as payment processors and email delivery services. These service providers are contractually obligated to use the data solely for the purpose of providing services to us and are prohibited from using it for any other purpose, including advertising or data reselling.
• Legal Requirements: We may disclose Google user data if required by law, court order, or governmental regulation, or to protect our rights, property, or safety, or that of our users or others.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, Google user data may be transferred as part of the transaction, but only to the extent necessary and subject to the same privacy protections.

We do not transfer Google user data to third parties for: targeted advertising, selling to data brokers, providing to information resellers, determining credit-worthiness, lending purposes, user advertisements, personalized advertisements, retargeted advertisements, or interest-based advertisements. Any sharing of Google user data is limited to providing or improving our application's functionality.

How We Protect Google User Data

We implement appropriate technical and organizational security measures to protect your Google user data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit using secure protocols (HTTPS/TLS)
• Secure storage of data with access controls and authentication
• Regular security assessments and updates to our systems
• Limited access to Google user data on a need-to-know basis
• Security procedures and protocols to maintain the confidentiality of your data

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Google user data, we cannot guarantee absolute security.

Data Retention and Deletion of Google User Data

We retain your Google user data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Specifically:

• We store your Google user data for the length of time needed to provide you with our services and maintain your account
• When the data retention period expires or when you request deletion, we will delete or destroy your Google user data
• Some data may be retained for longer periods if required by law or for legitimate business purposes (such as resolving disputes)

You may request deletion of your Google user data at any time by:

• Sending an email to info@patchy.ca with the subject line "Google User Data Deletion Request"
• Including your full name and email address associated with your account
• Revoking our access through your Google account settings at myaccount.google.com/permissions

We will process your deletion request within 30 days and confirm the deletion in writing. Please note that some data may be retained for legal or regulatory purposes, and we will inform you of any such retention.

Your Control Over Google User Data

You have control over your Google user data:

• You can revoke our access to your Google account at any time through your Google account settings
• You can request access to, correction of, or deletion of your Google user data by contacting us
• You can choose not to use Google authentication and instead sign in with an email-based one-time password (OTP)

Your use of Google authentication is also governed by Google's Privacy Policy, available at policies.google.com/privacy.

8. Cookies, Tracking Technologies, and Session Replay

Our website uses cookies and similar tracking technologies to enhance your browsing experience, analyze site traffic, and understand where our visitors are coming from. Cookies are small text files that are placed on your device when you visit a website. They help us understand how you use our site and improve your experience.

Session Replay

We use Amplitude Session Replay to record and replay your interactions with our website. This includes mouse movements, clicks, scrolls, and page navigation. Session replays help us understand how users interact with our platform so we can identify and fix usability issues. Session replays do not capture passwords, payment card numbers, or other sensitive form fields. You can opt out of session replay by disabling analytical cookies.

Server-Side Tracking

In addition to client-side cookies and pixels, we use server-side tracking to measure advertising effectiveness:

• Facebook Conversions API (CAPI): We send conversion event data (such as order completions) from our servers directly to Facebook/Meta to measure ad campaign performance. This data may include hashed identifiers and event details.
• Reddit Conversion API: We send conversion event data from our servers to Reddit to measure ad campaign performance on the Reddit platform.

Server-side tracking operates independently of browser cookies and cannot be blocked by browser cookie settings. To opt out of server-side tracking, please contact us at info@patchy.ca.

Types of Cookies

We use the following types of cookies:

• Essential Cookies: These cookies are necessary for the website to function properly. They enable basic functions like page navigation and access to secure areas of the website.
• Analytical Cookies: These cookies help us understand how visitors interact with our website by collecting and reporting information anonymously. This includes session replay data.
• Marketing Cookies: These cookies are used to track visitors across websites to display relevant advertisements.

You can control cookies through your browser settings. However, disabling cookies may affect the functionality of our website.

Cookies We Use

The following table lists the cookies we use on our website:

Third-Party Services

We use the following third-party services that may set cookies on your device:

• Google Tag Manager: We use Google Tag Manager to manage and deploy marketing and analytics tags on our website. Google Tag Manager is a tag management system that allows us to control how tags are loaded and fired, which helps us manage our analytics and marketing tools more efficiently. Google Tag Manager may set cookies to manage tag loading and prevent duplicate tag firing. For more information, please visit Google's Privacy Policy and Google's Cookie Policy.
• Google Analytics: We use Google Analytics to understand how visitors interact with our website. This service uses cookies to collect information about your browsing behavior, including pages visited, time spent on pages, and user interactions. Google Analytics helps us analyze website traffic and improve our services. For more information, please visit Google's Privacy Policy and Google's Cookie Policy.
• Amplitude Analytics: We use Amplitude Analytics to understand how visitors interact with our website. This service uses cookies to collect information about your browsing behavior, including pages visited, time spent on pages, and user interactions. Amplitude also provides session replay functionality, which records your screen interactions (mouse movements, clicks, scrolls) to help us improve our website experience. Session replays do not capture sensitive form inputs such as passwords or payment details. For more information, please visit Amplitude's Privacy Policy.
• Meta Pixel (Facebook Pixel) and Conversions API: We use Meta Pixel (client-side) and Meta Conversions API (server-side) to measure the effectiveness of our advertising campaigns and to deliver personalized ads on Facebook and Instagram. The client-side pixel uses cookies to track conversions and create custom audiences. The server-side Conversions API sends event data directly from our servers to Meta for more accurate conversion measurement. For more information, please visit Meta's Privacy Policy.
• Reddit Pixel and Conversion API: We use Reddit Pixel (client-side) and Reddit Conversion API (server-side) to measure the effectiveness of our advertising campaigns on Reddit and to deliver relevant ads to users. The pixel uses cookies to track page visits and conversions, while the Conversion API sends event data server-to-server. For more information, please visit Reddit's Privacy Policy.
• Vercel Analytics: We use Vercel Analytics to analyze website performance and user behavior. This service collects anonymous usage data to help us improve our website. For more information, please visit Vercel's Privacy Policy.
• Stripe: Stripe sets cookies on its checkout and setup-intent pages to support fraud prevention and session continuity. These cookies are set on Stripe's domain when you are redirected to a Stripe-hosted page. For more information, please visit Stripe's Privacy Policy and Stripe's Cookie Policy.

Managing Your Cookie Preferences

You can manage your cookie preferences in several ways:

• Use the cookie consent banner that appears when you first visit our website to accept cookies
• Adjust your browser settings to block or delete cookies. Most browsers allow you to refuse cookies or alert you when cookies are being sent. However, if you disable cookies, some features of our website may not function properly
• For more information on cookies, including how to see what cookies have been set on your device and how to manage and delete them, please visit www.aboutcookies.org
• To opt out of server-side tracking (Facebook CAPI, Reddit Conversion API), contact us at info@patchy.ca

Please note that disabling cookies may impact your experience on our website, as some features may not function properly without cookies.

9. Your Rights and Choices

Under PIPEDA and applicable provincial privacy legislation, you have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your personal information
• Withdrawal of consent: Withdraw your consent for the collection, use, or disclosure of your personal information
• Opt-out: Unsubscribe from marketing communications
• Data portability: Request your data in a portable format
• Complaint: File a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated

To exercise these rights, please contact us using the information provided below. We will respond to your request within 30 days.

Requesting Data Deletion

If you wish to request the deletion of your personal data, you can do so by:

• Sending an email to info@patchy.ca with the subject line "Data Deletion Request"
• Including your full name and email address associated with your account
• Specifying which data you would like deleted

We will process your deletion request within 30 days and confirm the deletion in writing. Please note that some data may be retained for legal or regulatory purposes, and we will inform you of any such retention.

10. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements.

We store your personal information for a period of time that is consistent with our business purposes. We will retain your personal information for the length of time needed to fulfill the purposes outlined in this privacy policy unless a longer retention period is required or permitted by law.

When the data retention period expires for a given type of data, we will delete or destroy it using secure methods. For specific information about Google user data retention and deletion, please see Section 7 above.

You may request deletion of your data at any time by contacting us at info@patchy.ca. We will process deletion requests within 30 days, subject to any legal or regulatory requirements that may require us to retain certain information for longer periods.

11. Data Breach Notification

In the event of a breach of security safeguards involving your personal information that creates a real risk of significant harm, we will:

• Report the breach to the Office of the Privacy Commissioner of Canada as required by PIPEDA
• Notify affected individuals as soon as feasible, describing the nature of the breach, the information involved, and steps we are taking to reduce the risk of harm
• Maintain records of all breaches of security safeguards, regardless of whether they meet the threshold for notification

12. Children's Privacy

Our services are not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will take steps to delete it.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.

14. Service Areas

This Privacy Policy applies to all users of our platform. We currently operate in the following areas:

15. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

You may also contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca if you have concerns about how we handle your personal information.