Privacy notice

We collect the minimum personal information needed to operate the service, and let you export or delete everything yourself at any time.

What we collect

Account: email, display name, hashed password (or OAuth provider ID).
Inventory data you create: items, photos, values, shipping tags, sale settings.
In-app audit events (invitations, member changes, deletions, exports) timestamped to your account.
Payment metadata (if you purchase a report pass): handled by Stripe; we store only the Stripe IDs.

How we use it

Provide the inventory, sharing, export, and report features you request.
Detect abuse and protect the service.
Improve the product through aggregated, non-identifying analytics.

We do not sell personal information. AI item suggestion routes through Lovable AI Gateway to Google and OpenAI under their standard API terms, which prohibit training on API inputs by default; we do not separately log or retain prompt content.

Where it lives

The current public preview runs on the underlying platform's default region (EU today). The forthcoming GAC Edition is designed to run in Canadian regions before any Protected B pilot is loaded. See /security for the full residency, encryption, and sub-processor list.

Your rights (PIPEDA)

Access — download your full inventory and audit log as CSV from inside the app.
Correction — edit any item or profile field directly.
Deletion — delete your account from My Account; all inventories you own and their photos are permanently removed.
Withdraw consent — sign out and request deletion at any time.

Data retention

Active accounts: kept while the account exists. When you delete your account, your inventories, items, photos, invitations, and audit rows are removed immediately. Stripe retains payment records per their own policy and applicable Canadian tax law.

Breach notification

In the event of a breach of security safeguards involving personal information that creates a real risk of significant harm, we will notify affected account holders and the Office of the Privacy Commissioner of Canada without unreasonable delay, in accordance with PIPEDA and the Breach of Security Safeguards Regulations. Notifications include the nature of the breach, the information affected, and the steps you can take to reduce risk.

Official languages

Service is available in English and French at parity. The interface, transactional emails, and public-facing pages (privacy, security, compliance, pricing, vendor) are maintained in both official languages.

Children

PostingPal is not directed to children under 13 and we do not knowingly collect their data.

Changes

We will post material changes here and notify account holders by email.

Contact

A dedicated privacy contact address will be published here before any Protected B pilot. In the meantime, please reach the project owner on WhatsApp the project owner (WhatsApp only, no phone calls). You may also contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.

Last updated May 15, 2026.