Quebec Law 25 compliant assessment of data processing practices
This assessment concludes that Sergio presents a low overall privacy risk due to limited collection of basic, non-sensitive personal information, strong technical and organizational safeguards, and contractual protections for all cross-border transfers.
Only basic personal information necessary for field service operations is collected
No sensitive personal information (health, financial, biometric) is collected
All cross-border transfers protected by Data Processing Agreements
Technical safeguards meet or exceed industry standards
Privacy-by-design principles embedded in platform
Softphone (VoIP/SMS via Telnyx) adds telecommunications data processing with appropriate safeguards
AI features (Claude by Anthropic) process queries, images, and voice commands (Sergio Skipper) with no data used for AI training
Contact info, billing address, payment method (via Stripe)
Retention: Active + 7 years
Name, email, role, GPS location (opt-in only)
Retention: Active + 1 year | GPS: 24 hours
Name, contact info, service address, property details
Retention: Active + 7 years
Provisioned phone numbers, call detail records, SMS metadata, voice recordings (opt-in)
Retention: CDRs/SMS 2 years | Voice recordings 90 days (configurable)
Support bot queries, Glass Expert images, photo moderation images, Sergio Skipper voice commands. AI data is NOT used for training models.
Retention: Queries 90 days | Images per job retention | AI logs 12 months
Before/after job photos, photo metadata (timestamp, GPS), property exterior photos, receipt images
Retention: Active + 7 years | Encrypted AES-256 at rest
Internal team chat messages sent within the platform. Messages are visible to all members of your company account. Employers/administrators can view all team chat messages.
Retention: Active + 1 year
Android device identifier (ANDROID_ID, unique per app per device) collected for security audit logging including authentication events, biometric changes, and security violation detection. Not used for advertising or cross-app tracking.
Retention: Security audit logs 2 years
| Processor | Service | Location | DPA |
|---|---|---|---|
| Supabase | Database, Auth, Storage | Canada (Montreal) | |
| Stripe | Payments | United States | |
| QuickBooks (Intuit) | Accounting Integration | United States | |
| Mapbox | Mapping | United States | |
| Resend | United States | ||
| Telnyx | VoIP/SMS | United States | |
| Anthropic | AI Inference | United States | |
| Cloudflare | CDN/Security | Global | |
| Nylas | Email/Calendar Integration | United States | |
| Google Firebase | Push Notifications | United States | |
| Zapier | Workflow Automation | United States | |
| Plaid | Banking Data | United States | |
| Wave | Accounting | United States | |
| Sentry (Functional Technology, Inc.) | Error Monitoring, Session Replay | United States | |
| hCaptcha (Intuition Machines) | Bot Protection | United States |
DPA Signed|DPA Pending
| Category | Risk Level | Justification |
|---|---|---|
| Data Sensitivity | LOW | Basic contact and service information only |
| Data Volume | LOW-MEDIUM | SMB customer base, limited records per business |
| Cross-Border Transfers | MEDIUM | US-based sub-processors with signed DPAs |
| Security Controls | LOW | Comprehensive technical and organizational measures |
| Overall Privacy Risk | LOW | Proportionate safeguards in place |
Get the complete Privacy Impact Assessment document for your records or legal review.
View & Print Full DocumentOpens in new tab. Use Print to Save as PDF.