Draft for review. This document is a template and must be reviewed and approved by qualified legal counsel before Edinergy relies on it in production.

Privacy Policy

Last updated: July 2, 2026

1. Who we are

Edinergy ("Edinergy", "we", "us") is an AI-assisted building energy-audit platform operated by [Legal Entity Name], based in the Province of Quebec, Canada. We provide our services to organizations and their authorized users in Canada and the United States.

This policy explains what personal information we collect, how we use and share it, how long we keep it, and the rights you have under Quebec's Law 25 (Act respecting the protection of personal information in the private sector) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

2. Information we collect

We collect the following categories of information:

  • Account information — name, email address, organization name, role, and authentication data used to create and secure your account.
  • Building and energy data — information about the buildings you audit, including addresses, physical characteristics, equipment, and energy consumption records you enter or import.
  • Uploaded documents — utility bills and supporting files you upload. These documents may contain personal information such as account holder names, service addresses, and account numbers.
  • Usage and device information — limited technical data (pages viewed, actions taken, approximate location derived from IP) collected only where you have consented to analytics cookies.
  • Billing information — handled by our payment processor; we do not store full card numbers.

3. How we use your information

  • To provide, operate, and secure the Edinergy platform.
  • To process the documents and data you submit and generate audit outputs.
  • To communicate with you about your account, security, and service changes.
  • To process payments and manage subscriptions.
  • To improve reliability and, where you consent, to understand product usage.
  • To comply with legal obligations and enforce our Terms of Service.

4. AI processing of your documents

Edinergy uses large language models to extract information from, and reason about, the documents and data you submit. To do this, relevant content — which may include personal information contained in utility bills — is sent to Anthropic, which processes it on our behalf as a service provider (processor) solely to return results to us. We apply redaction and data-minimization measures where practicable. Content processed through the platform is not used to train third-party foundation models.

5. Service providers and subprocessors

We rely on the following service providers to operate Edinergy. Each processes personal information only as needed to provide their service to us and under contractual confidentiality and security obligations. Some may process or store data in the United States.

  • Supabase — database, authentication, and file storage.
  • Google Cloud Platform (GCP) — application hosting and compute.
  • Anthropic — large language model processing of submitted content.
  • Stripe — payment processing and subscription billing.
  • Resend — transactional email delivery.
  • Inngest — background job and workflow processing.
  • Upstash — rate limiting and caching.
  • PostHog — product analytics (only with your consent).
  • Sentry — error monitoring and diagnostics.

Because some providers are located in the United States, your personal information may be transferred outside Quebec and Canada. We take reasonable steps to ensure it receives an equivalent level of protection, as required by Law 25.

6. Retention

We keep personal information only as long as necessary for the purposes above or as required by law. In particular:

  • Uploaded utility bills and extracted audit records: retained for up to 7 years as part of the professional audit trail.
  • AI input payloads: retained for up to 90 days, then purged.
  • Account and contact information: retained until you request deletion, subject to legal retention requirements.
  • Analytics data: retained according to our analytics provider settings and your consent.

7. Cookies and analytics

We use essential cookies that are strictly necessary to sign you in and keep the platform secure; these are always active. We use analytics cookies (PostHog) only after you accept them through our cookie banner. If you decline, analytics are never initialized. You can change your choice at any time by clearing the analytics-consent preference stored in your browser.

8. Your rights

Subject to legal limits, you have the right to access, rectify, and delete your personal information, to withdraw consent, and to receive a portable copy of the data you provided. Account holders can export their data and request account deletion directly from Settings → Privacy in the app.

Because organization audit data belongs to the organization and is subject to retention obligations, deletion requests are reviewed and completed manually in accordance with our retention schedule and applicable law.

9. Privacy officer and complaints

As required by Law 25, we have designated a person responsible for the protection of personal information. You may contact them with questions, access or deletion requests, or complaints:

  • Privacy Officer: [Name / Title]
  • Email: [privacy@your-domain.example]
  • Mailing address: [Operator mailing address, Quebec, Canada]

If you are not satisfied with our response, you may file a complaint with the Commission d'accès à l'information du Québec (CAI) or the Office of the Privacy Commissioner of Canada (OPC).

10. Security

We protect personal information with technical and organizational safeguards, including encryption in transit, access controls with tenant isolation, least-privilege permissions, and monitoring. No system is perfectly secure, but we work to protect your information against unauthorized access, loss, or misuse.

11. Breach notification

If a confidentiality incident involving your personal information presents a risk of serious injury, we will notify affected individuals and the relevant authorities (including the CAI and/or OPC) without undue delay, and maintain a register of incidents, as required by Law 25 and PIPEDA.

12. Changes to this policy

We may update this policy from time to time. We will post the updated version here and revise the "Last updated" date above. Material changes will be communicated through the platform.