Effective date: April 9, 2026 | Last updated: April 9, 2026
OperantOS ("we," "us," or "our") operates an AI-powered business automation platform with three products: CloseBot (automated follow-up for trades businesses), LedgerPilot (bookkeeping automation), and FixFlow (maintenance request triage and dispatch). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our platform (the "Service").
OperantOS is operated from the Province of Ontario, Canada. We comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Canada's Anti-Spam Legislation (CASL).
1. Data We Collect
a) Account Information
- Full name, email address, phone number
- Company name, business type, and workspace details
- Billing address (payment card details are handled exclusively by Stripe — we never see or store your full card number)
b) Business Data You Provide
- CloseBot: Estimate data, customer contact lists, follow-up message templates, and communication history
- LedgerPilot: Transaction data, receipts, invoices, and accounting records synced from QBO or Xero
- FixFlow: Maintenance requests, property/unit data, vendor contact information, and dispatch records
c) Communication Content
- SMS messages, email follow-ups, and chase messages sent through CloseBot and FixFlow on your behalf
- Delivery status, open rates, and response data for sent communications
d) Usage Analytics
- Feature usage patterns, login frequency, and Product activity
- Device type, browser type, IP address, and general location (country/region level)
- Page views, session duration, and interaction events within the dashboard
2. How We Use Your Data
- Provide the Service: Process your data to deliver CloseBot follow-ups, LedgerPilot bookkeeping, and FixFlow dispatch as you configure them
- Improve our Products: Analyze usage patterns to fix bugs, improve features, and develop new capabilities
- Generate anonymized benchmarks: Create industry benchmarks (e.g., average close rates by trade, common expense categories) from aggregated, anonymized data that cannot be traced to any individual user or business
- Send transactional emails: Account confirmations, billing receipts, subscription changes, security alerts, and service notifications
- Prevent fraud and abuse: Detect and investigate suspicious activity, spam, and Terms of Service violations
- Comply with legal obligations: Respond to lawful requests, maintain tax records, and meet regulatory requirements
3. Data We Do Not Collect
We want to be clear about what we do not do:
- No bank credentials: LedgerPilot connects to QBO and Xero via OAuth only. We never ask for or store your banking login credentials.
- No credit card storage: All payment card data is processed and stored exclusively by Stripe. We do not have access to your full card number, CVV, or expiry date.
- No unnecessary End Customer data: We only process End Customer data (names, phone numbers, email addresses) to the extent necessary to deliver the communications and services you have configured. We do not build profiles of your End Customers for our own purposes.
- No AI training on your data: Your inputs and outputs are not used to train AI models by OperantOS or our AI providers.
4. Third-Party Data Sharing
We share data with the following third-party service providers, each necessary for the operation of the Service. We do not sell your data to anyone.
| Provider | Purpose | Data Shared |
|---|
| Anthropic (Claude) | AI processing for all Products | Text inputs for AI generation (not used for training) |
| Twilio | SMS delivery (CloseBot, FixFlow) | Recipient phone numbers, message content |
| Resend | Transactional email delivery | Recipient email addresses, email content |
| Stripe | Payment processing | Billing name, email, payment method tokens |
| QuickBooks Online | Accounting sync (LedgerPilot) | Transaction data, chart of accounts (via OAuth) |
| Xero | Accounting sync (LedgerPilot) | Transaction data, chart of accounts (via OAuth) |
| Supabase | Database hosting and authentication | All platform data (encrypted at rest) |
Each provider is contractually obligated to protect your data. We will notify you of material changes to this list. We will never sell, rent, or trade your data to third parties.
5. PIPEDA Compliance
As a Canadian company, we comply with the ten fair information principles under PIPEDA:
- Accountability: We are responsible for all personal information under our control. Our team is trained on privacy obligations, and [email protected] serves as our privacy contact.
- Identifying Purposes: We identify the purpose for collecting personal information at or before the time of collection, as described in this Policy.
- Consent: We obtain meaningful consent for the collection, use, and disclosure of personal information. You can withdraw consent at any time, subject to legal or contractual restrictions.
- Limiting Collection: We only collect information that is necessary for the purposes we have identified. We do not collect data beyond what is needed to provide the Service.
- Limiting Use, Disclosure, and Retention: We use and disclose personal information only for the purposes for which it was collected, and we retain it only as long as necessary to fulfill those purposes.
- Accuracy: We keep personal information as accurate, complete, and up-to-date as necessary. You can update your information through your dashboard or by contacting us.
- Safeguards: We protect personal information with security safeguards appropriate to the sensitivity of the data, including encryption in transit (TLS 1.2+) and at rest (AES-256), row-level security, and access controls.
- Openness: This Privacy Policy makes our practices readily available. We will answer questions about our privacy practices upon request.
- Individual Access: Upon request, we will inform you of the existence, use, and disclosure of your personal information and provide access to it.
- Challenging Compliance: You may challenge our compliance with PIPEDA by contacting us at [email protected] or by filing a complaint with the Office of the Privacy Commissioner of Canada.
6. Data Retention
| Data Category | Retention Period |
|---|
| Active account data (profile, business info, configurations) | Retained while your account is active |
| Closed account data | 30 days after account closure, then permanently deleted |
| Billing receipts and tax records | 7 years (CRA requirement for tax records) |
| Communication logs (SMS/email sent via CloseBot/FixFlow) | Retained while account is active, deleted 30 days after closure |
| Usage analytics | 24 months, then aggregated and anonymized |
| Anonymized benchmarks | Retained indefinitely (cannot be traced to any individual or business) |
7. Your Rights
You have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information, subject to legal retention requirements (e.g., 7-year CRA requirement for billing records)
- Data Export: Export your data in a machine-readable format directly from your Settings page, or by emailing [email protected]
- Withdraw Consent: Withdraw your consent to data processing at any time, with the understanding that this may limit your ability to use certain features
- Challenge Compliance: File a complaint with us or with the Office of the Privacy Commissioner of Canada if you believe we are not complying with PIPEDA
To exercise any right, email [email protected] with the subject line "Privacy Rights Request." We will respond within 30 days.
8. Cookies
We use only essential session cookies required to keep you logged in and maintain your session state. Specifically:
- A Supabase authentication session cookie (required for login)
- No analytics cookies
- No advertising or tracking pixels
- No third-party cookies
For full details, see our Cookie Policy.
9. Children
The Service is designed for business use and is not intended for individuals under 18 years of age. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected information from a minor, we will delete it promptly. If you believe a minor has provided us with personal information, please contact us at [email protected].
10. Data Security
We protect your data with industry-standard security measures, including:
- Encryption in transit (TLS 1.2 or higher)
- Encryption at rest (AES-256)
- Row-level security ensuring workspace data isolation
- Access controls limiting employee access on a need-to-know basis
- Regular security monitoring and assessments
No method of electronic transmission or storage is 100% secure. While we take reasonable measures, we cannot guarantee absolute security.
11. Data Breach Notification
In the event of a data breach that poses a real risk of significant harm, we will:
- Notify the Office of the Privacy Commissioner of Canada as required under PIPEDA's Breach of Security Safeguards Regulations
- Notify affected individuals without unreasonable delay
- Provide details about the nature of the breach, likely consequences, and steps taken to address it
12. CASL Compliance
We comply with Canada's Anti-Spam Legislation (CASL). We only send you commercial electronic messages with your express or implied consent. All marketing emails include a clear unsubscribe mechanism, and we honor opt-out requests within 10 business days. Transactional messages related to your account or subscription are exempt from CASL consent requirements.
13. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice by email and by posting the updated policy. Your continued use after changes take effect constitutes acceptance.
14. Contact
For privacy questions, data rights requests, or complaints:
- Email: [email protected]
- Subject Line: "Privacy Inquiry" or "Privacy Rights Request"
- Address: Ontario, Canada
If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.