Privacy Policy

Popsicle Inc. ("Popsicle," "we," "us," or "our") respects your privacy and is committed to protecting the personal information you share with us. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Popsicle platform and related services. This policy is designed to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applies to all users of the Service, including account holders, team members, and staff whose information is processed through the platform. Please read this policy carefully. By using the Service, you consent to the practices described herein.

1 Information We Collect

We collect information that you provide directly to us when you register for an account, configure your profile, or use the Service. This includes your name, email address, phone number, company name, business address, role, and billing information including credit card details. Credit card information is processed by our payment provider and is not stored on our servers.

We also collect information about the staff and contractors you manage through the platform, including their names, phone numbers, roles, hourly rates, and work history. You are responsible for ensuring you have obtained proper consent from these individuals before uploading their personal information to the Service.

Automatically collected information includes log data (IP address, browser type, pages visited, time stamps), device information, and usage analytics. We use this data to monitor and improve the Service, detect security threats, and troubleshoot technical issues.

2 How We Use Your Information

We use the information we collect to provide, operate, and maintain the Service — including creating and managing your account, processing transactions, sending SMS notifications on your behalf, and generating reports and reconciliation data. We also use your information to communicate with you about the Service, including account updates, security alerts, and support responses.

Usage data and analytics help us understand how the Service is being used so we can improve features, optimize performance, and prioritize development efforts. We may also use aggregated, non-personally identifiable data for analytical purposes, such as identifying usage trends across the platform.

We do not sell your personal information. We do not use your operational data to build marketing profiles or advertising audiences. We do not share your data between tenant accounts. Your data is used solely for the purposes described in this policy.

3 Information Sharing & Disclosure

We share your information only with service providers who assist us in operating the platform — specifically, our hosting provider (Canadian data centres), our SMS delivery provider (ClickSend), and our payment processor (for credit card handling). Each provider is contractually obligated to protect your data and use it only for the purposes we specify.

We may disclose your information if required to do so by law, in response to a valid legal request (such as a court order or subpoena), or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email of any such change in ownership and the choices available to you regarding your information.

4 Data Security

We implement industry-standard security measures to protect your information, including AES-256 encryption at rest, TLS 1.3 encryption in transit, bcrypt password hashing, role-based access control, and tenant-isolated data architecture. Our infrastructure is hosted in SOC 2 Type II certified Canadian data centres with continuous monitoring for unauthorized access and security threats.

While we strive to use commercially acceptable means to protect your information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to maintaining the highest practicable standards and responding promptly to any security incident.

5 Data Retention

We retain your personal information and account data for as long as your account is active or as needed to provide you the Service. Upon account termination, we retain your data for a period of 30 days to allow for data export requests, after which all data is permanently and irreversibly deleted from our systems, including backups.

We may retain certain information for longer periods as required by law, for dispute resolution, or to enforce our agreements. When data is retained beyond the standard period, it is subject to the same security and privacy protections described in this policy.

6 Your Rights & Choices

Under PIPEDA and applicable provincial privacy laws, you have the right to access your personal information, request corrections to inaccurate or incomplete data, withdraw consent for data processing (subject to legal and contractual restrictions), and request deletion of your personal information. You may exercise these rights by contacting us at privacy@popsicle.app.

You may export all of your data at any time through the Service's built-in export features, including staff records, event histories, and reconciliation reports. Data exports are provided in standard formats (CSV, PDF) at no additional cost.

We will respond to access, correction, or deletion requests within 30 days. We may require verification of your identity before fulfilling a request. There is no fee for making a request, unless the request is manifestly unfounded or excessive.

7 SMS Communications

Popsicle sends SMS messages on your behalf to staff and contractors for operational purposes, including shift reminders, check-in and check-out links, schedule updates, and event notifications. These messages are initiated by you or your team through the Service and are not promotional in nature. Phone numbers used for SMS delivery are stored securely and are not shared with third parties for marketing purposes.

You are responsible for ensuring that you have obtained proper consent from individuals before sending them SMS messages through the Service. Popsicle is not liable for any failure to obtain such consent. All SMS communications are logged within the platform for audit purposes and may be reviewed by authorized account administrators.

8 Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the new policy on our website and sending an email to the address associated with your account at least 30 days before the changes take effect. We encourage you to review this Privacy Policy periodically for any updates.

Continued use of the Service after changes become effective constitutes acceptance of the revised policy. If you do not agree with the changes, you must discontinue use of the Service and request deletion of your account and data.