Privacy Policy
Last updated: March 19, 2026
1. INTRODUCTION
SwiftMEP Inc. ("SwiftMEP," "we," "us," or "our"), a corporation incorporated under the laws of the Province of [YOUR PROVINCE], provides an automated, AI-augmented takeoff service for the Mechanical, Electrical, Plumbing, and Fire Protection trades (the "Service").
We are committed to protecting the proprietary nature of your construction drawings and the privacy of your business data. This Privacy Policy (the "Policy") explains how we collect, use, disclose, and safeguard your information when you use Swiftmep.ca (the "Website") and our Service.
This Policy is incorporated by reference into our Terms of Service. Capitalized terms used but not defined herein have the meanings assigned to them in the Terms of Service.
By accessing or using the Service, you consent to the data practices described in this Policy. If you do not agree with any provision herein, you must immediately cease all use of the Service.
2. DEFINITIONS
For purposes of this Policy:
- "Personal Information" means information about an identifiable individual, as defined under applicable privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA).
- "Project Data" means construction drawings, blueprints, specifications, and other documents you upload to the Service for analysis.
- "Usage Data" means technical information collected automatically about your interaction with the Service.
- "User" means any individual or entity using the Service.
3. THE DATA WE COLLECT
3.1 Information You Provide
| Category | Data Collected | Purpose |
|---|---|---|
| Account Information | Name, email address, company name, phone number, billing address | Account creation, authentication, communication, invoicing |
| Project Data | PDF files, construction drawings, blueprints, specifications, design notes | Service delivery — performing quantity takeoffs |
| Communication Data | Support tickets, email correspondence, feedback | Customer support, service improvement |
| Payment Data | Processed entirely by Stripe, Inc. | Transaction processing |
We do not store credit card numbers, CVV codes, or bank account information. All payment data is handled directly by Stripe, a PCI-DSS Level 1 compliant payment processor.
3.2 Information Collected Automatically
| Category | Data Collected | Purpose |
|---|---|---|
| Technical Data | IP address, browser type and version, operating system, device type | Security monitoring, fraud prevention |
| Usage Data | Pages visited, features used, time spent, click patterns | Service optimization, user experience improvement |
| Cookies | Session cookies, preference cookies, essential cookies | Authentication, functionality, security |
3.3 Cookies & Tracking Technologies
We use the following types of cookies:
| Type | Purpose | Duration | Opt-Out |
|---|---|---|---|
| Essential Cookies | Authentication, security, core functionality | Session | Required for service |
| Preference Cookies | Remember user settings | 1 year | Browser settings |
| Analytics Cookies | Anonymous usage analysis (Google Analytics) | 26 months | Browser settings / GA opt-out |
You may control cookies through your browser settings. Disabling essential cookies may prevent the Service from functioning properly.
4. HOW WE USE YOUR INFORMATION
4.1 Primary Uses
We use your information for the following purposes:
| Purpose | Legal Basis (for GDPR/EU) |
|---|---|
| To provide, operate, and maintain the Service | Contract performance |
| To process and complete takeoff requests | Contract performance |
| To communicate with you about your account | Contract performance |
| To send service-related notifications | Legitimate interest |
| To respond to support inquiries | Contract performance |
| To monitor and analyze usage patterns | Legitimate interest |
| To detect, prevent, and address technical issues | Legitimate interest |
| To comply with legal obligations | Legal obligation |
4.2 Artificial Intelligence & Machine Learning
CRITICAL: HOW WE USE YOUR DATA FOR AI
4.2.1 Service Delivery (Real-Time Processing)
When you upload Project Data, our systems process your drawings in real-time using Google Vertex AI to generate your takeoff. This processing is transient and occurs only for the duration necessary to complete your requested job.
4.2.2 The "No-Training" Guarantee
Under our enterprise configuration with Google Vertex AI:
- Your raw Project Data and proprietary blueprints are expressly excluded from any training datasets.
- Google is contractually prohibited from using your content to improve its foundation models or any global AI systems.
- This is a binding commitment under our Data Processing Addendum (DPA) with Google Cloud.
4.2.3 Anonymized, De-Identified Data for Model Improvement
To improve our internal algorithms, we may retain de-identified, geometry-only data derived from your Project Data AFTER your 30-day retention period. This means:
| Removed | Retained |
|---|---|
| Your name, email, company | Duct connection patterns |
| Project names and addresses | Typical equipment spacing |
| Firm names from title blocks | Common symbol placements |
| Handwritten identifiers | Standard industry patterns |
| Any metadata linking data to you | Aggregated, statistical data |
This data can never be traced back to you, your firm, or your specific projects. It exists only as mathematical patterns to help the system recognize standard industry configurations.
4.2.4 Opt-Out Right
If you do NOT want your data used for AI training purposes even in de-identified form:
- Email privacy@swiftmep.ca within seven (7) days of your first upload
- Include "AI TRAINING OPT-OUT" in the subject line
- Provide your account email and/or company name
We will honor your request and ensure your data is excluded from all training pipelines.
5. DATA SHARING & DISCLOSURE
5.1 Service Providers
We share information with trusted third-party service providers who help us operate our business:
| Provider | Purpose | Data Shared | Safeguards |
|---|---|---|---|
| Google Cloud (Vertex AI) | AI processing of Project Data | Drawings during analysis | Enterprise DPA, no training clause |
| Google Cloud Storage | Secure file storage | Uploaded plans, outputs | Encryption, access controls |
| Stripe | Payment processing | Payment confirmation (no card data) | PCI-DSS Level 1 |
| Supabase | Database hosting | Account data, metadata | Row-level security, encryption |
| Google Analytics | Anonymous usage analytics | Anonymized usage data | IP anonymization |
| Resend | Transactional emails | Email address | Confidentiality agreement |
All service providers are bound by:
- Written data processing agreements;
- Confidentiality obligations;
- Restrictions on using your data for their own purposes;
- Compliance with applicable privacy laws.
5.2 We Do NOT
- Sell your Personal Information
- Share your Project Data with third parties (except as necessary to provide the Service)
- Use your plans for any purpose except your requested takeoff
- Rent, trade, or exchange your data
- Provide your data to advertisers or marketing platforms
5.3 Legal Requirements
We may disclose information if required by law, including:
- In response to a valid court order, subpoena, or government request;
- To comply with applicable laws and regulations;
- To enforce our Terms of Service;
- To protect our rights, property, or safety, or the rights, property, or safety of others;
- To investigate and defend against third-party claims.
5.4 Business Transfers
If SwiftMEP is involved in a merger, acquisition, financing, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will notify you via email and prominent notice on our Website at least thirty (30) days before your information becomes subject to a different privacy policy.
6. DATA RETENTION & THE "30-DAY PURGE"
SwiftMEP minimizes data risk through a strict, automated retention policy:
6.1 Retention Periods
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Uploaded Plans (Project Data) | 30 days after upload | AUTOMATIC, permanent, irreversible |
| Generated Takeoff Outputs | 30 days after generation | AUTOMATIC deletion with plans |
| Account Data | While account active + 90 days | Manual deletion on request |
| Payment Records | 7 years (legal requirement) | Stripe retains, we keep transaction IDs |
| Usage Analytics | 26 months (Google Analytics max) | Rolling deletion |
| Email Communications | Until unsubscribe | Immediate opt-out |
| De-identified Training Data | Perpetual (see Section 4.2.3) | Not linked to you |
6.2 The "30-Day Purge" Explained
Automatic Deletion: All uploaded plans and generated outputs are permanently deleted from our active Google Cloud Storage buckets thirty (30) days after upload or generation via automated lifecycle rules.
Non-Recoverable: Once deleted, data cannot be recovered by SwiftMEP staff or any User. No exceptions.
Ephemeral Processing: Local temporary files created during AI analysis are wiped from our environment immediately upon completion of each API call.
6.3 Your Responsibility
It is your sole responsibility to download and preserve all desired outputs within this thirty (30) day retention window. SwiftMEP assumes no liability for data loss resulting from failure to download within the retention period.
6.4 Early Deletion
You may request early deletion of your files at any time by contacting support@swiftmep.ca. Such requests will be processed within five (5) business days.
7. DATA SECURITY
7.1 Security Measures
We implement industry-standard "Defense-in-Depth" security:
| Layer | Measure |
|---|---|
| Encryption in Transit | TLS 1.3 for all data transmitted between your device and our servers |
| Encryption at Rest | AES-256 encryption for all stored data |
| Access Controls | Strict role-based access control (RBAC) with least-privilege principles |
| Authentication | JWT tokens, Supabase Row-Level Security (RLS) |
| Multi-Factor Authentication | Available for all user accounts (recommended) |
| Monitoring | 24/7 intrusion detection and automated threat response |
| Audit Logs | Comprehensive logging of all access to production systems |
| Penetration Testing | Regular third-party security assessments |
| Data Isolation | Strict tenant isolation ensures no cross-user data access |
7.2 Multi-Tenancy & Isolation
We use Supabase Row-Level Security (RLS) and JWT authentication to ensure:
- Your plans and results are strictly isolated from all other users;
- Unauthorized access is blocked at the database level;
- Even our employees cannot access your data without explicit, audited authorization.
7.3 Incident Response
In the event of a data breach affecting your Personal Information:
- We will notify affected users within seventy-two (72) hours of confirmation;
- We will provide details of what was exposed, to the extent known;
- We will take immediate corrective action to contain and remediate;
- We will offer guidance to protect yourself, if applicable.
7.4 No Absolute Security
While we implement industry-leading security measures, no system is 100% secure. You acknowledge and accept that:
- We cannot guarantee against all breaches, intrusions, or unauthorized access;
- You assume some residual risk inherent in any cloud-based service;
- We are not liable for breaches despite our reasonable security measures, subject to applicable law.
8. INTERNATIONAL DATA TRANSFERS
8.1 Storage Locations
Your data is primarily processed and stored in:
- Primary: Google Cloud data centers in Montreal, Canada and Toronto, Canada
- Secondary: Limited, secured backup locations in the United States (when necessary for redundancy)
8.2 Cross-Border Transfers
Where data must transit across borders (e.g., for processing or redundancy), we rely on:
| Mechanism | Description |
|---|---|
| Adequacy Decisions | Where recipient country has adequate privacy protections |
| Standard Contractual Clauses (SCCs) | EU-approved model clauses for data transfers |
| Binding Corporate Rules | For internal transfers within corporate group |
| Data Processing Agreements | Contractual commitments from all sub-processors |
8.3 PIPEDA Compliance
As a Canadian entity, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). All data handling, including international transfers, maintains PIPEDA-level protection through the mechanisms above.
8.4 Your Consent
By using the Service, you consent to the transfer of your information to Canada and, where necessary, the United States, for the purposes described in this Policy.
9. YOUR RIGHTS & CHOICES
9.1 All Users
Regardless of your location, you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Right to Access | Request a copy of your Personal Information | Email privacy@swiftmep.ca |
| Right to Correction | Correct inaccurate or incomplete information | Update account settings or email |
| Right to Deletion | Request deletion of your account and data | Email privacy@swiftmep.ca |
| Right to Portability | Receive data in machine-readable format | Download during retention or email |
9.2 Marketing Communications
You may opt out of marketing emails at any time:
- Click the "unsubscribe" link in any marketing email;
- Update your preferences in account settings;
- Email privacy@swiftmep.ca with "OPT-OUT" in the subject line.
Service-related communications (account notifications, password resets, payment confirmations) cannot be opted out of as they are necessary for Service delivery.
9.3 Cookie Controls
Most browsers allow you to control cookies through settings. Disabling essential cookies may affect functionality.
9.4 Do Not Track
We currently do not respond to "Do Not Track" signals, as no uniform standard exists.
10. CALIFORNIA RESIDENT RIGHTS (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:
10.1 Right to Know
You may request, up to twice in a 12-month period, the following information about Personal Information collected, used, disclosed, or sold in the preceding 12 months:
- Categories and specific pieces of Personal Information collected;
- Categories of sources;
- Business purpose for collection;
- Categories of third parties with whom we share.
10.2 Right to Delete
You may request deletion of your Personal Information, subject to certain exceptions (e.g., to complete transactions, detect security incidents, comply with legal obligations).
10.3 Right to Opt-Out
We do NOT sell Personal Information, so no opt-out is necessary. We do not and will not sell your data.
10.4 Right to Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights.
10.5 Authorized Agent
You may designate an authorized agent to make requests on your behalf. We will require proof of authorization.
To Exercise CCPA Rights: Email privacy@swiftmep.ca with "CCPA REQUEST" in the subject line. We will verify your identity.
11. EU/UK RESIDENT RIGHTS (GDPR)
If you are located in the European Union or United Kingdom, the General Data Protection Regulation (GDPR) provides you with additional protections:
11.1 Legal Bases for Processing
| Purpose | Legal Basis |
|---|---|
| Service delivery | Contract performance (GDPR Art. 6(1)(b)) |
| Account management | Contract performance (GDPR Art. 6(1)(b)) |
| Legal compliance | Legal obligation (GDPR Art. 6(1)(c)) |
| Security monitoring | Legitimate interest (GDPR Art. 6(1)(f)) |
| Service improvement | Legitimate interest (GDPR Art. 6(1)(f)) |
| Marketing | Consent (GDPR Art. 6(1)(a)) |
11.2 Your GDPR Rights
| Right | Description |
|---|---|
| Right of Access | Obtain confirmation of whether we process your data and access to it |
| Right to Rectification | Correct inaccurate personal data |
| Right to Erasure ("Right to be Forgotten") | Request deletion under certain circumstances |
| Right to Restriction | Restrict processing under certain circumstances |
| Right to Data Portability | Receive data in structured, commonly used format |
| Right to Object | Object to processing based on legitimate interests |
| Right to Withdraw Consent | Withdraw consent at any time (where processing is based on consent) |
11.3 Data Protection Officer
Contact our Data Protection Officer:
- Email: dpo@swiftmep.ca
- Subject: "GDPR REQUEST"
11.4 Supervisory Authority
You have the right to lodge a complaint with your local data protection authority:
- UK: Information Commissioner's Office (ICO)
- EU: Your member state's supervisory authority
12. CHILDREN'S PRIVACY
Our Service is not intended for individuals under the age of eighteen (18). We do not knowingly collect Personal Information from minors. If we discover we have collected data from a minor without verified parental consent, we will delete it immediately. If you believe we might have information from or about a minor, please contact us at privacy@swiftmep.ca.
13. THIRD-PARTY LINKS
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices or content of such third parties. We encourage you to read the privacy policies of every website you visit.
14. CHANGES TO THIS POLICY
14.1 Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.
14.2 Notification of Material Changes
Material changes will be communicated via:
- Email notification to the address associated with your account at least thirty (30) days in advance;
- Prominent notice on our Website;
- In-app notification upon login.
14.3 What Constitutes a Material Change
Material changes include, but are not limited to:
- New uses of Personal Information;
- New sharing with third parties;
- Changes to retention periods;
- Changes to the "No-Training" guarantee.
14.4 Acceptance of Changes
Your continued use of the Service after the effective date of any changes constitutes acceptance of the revised Privacy Policy. If you do not agree to any modification, you must cease using the Service immediately.
15. DATA PROTECTION OFFICER & CONTACT INFORMATION
15.1 General Privacy Inquiries
SwiftMEP Inc.
[YOUR FULL BUSINESS ADDRESS]
[YOUR CITY, YOUR PROVINCE, POSTAL CODE]
Canada
Email: privacy@swiftmep.ca
Response Time: Within thirty (30) days as required by PIPEDA (typically 2-5 business days)
15.2 Data Protection Officer (DPO)
For GDPR, CCPA, or escalated privacy matters:
- Email: dpo@swiftmep.ca
- Subject: "PRIVACY ESCALATION"
15.3 Legal Requests
For subpoenas, court orders, or legal process:
- Email: legal@swiftmep.ca
- Subject: "LEGAL PROCESS"
15.4 AI Training Opt-Out
- Email: privacy@swiftmep.ca
- Subject: "AI TRAINING OPT-OUT"
16. CONSENT & ACKNOWLEDGMENT
BY USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTAND THIS PRIVACY POLICY AND CONSENT TO THE COLLECTION, USE, AND DISCLOSURE OF YOUR INFORMATION AS DESCRIBED HEREIN.
You specifically acknowledge and agree to:
- The collection and processing of Project Data as necessary to provide the Service;
- The "No-Training" guarantee protecting your raw Project Data;
- The use of de-identified, aggregated data for model improvement (with opt-out right);
- The 30-day retention period and automatic deletion thereafter;
- The transfer of your data to Canada and, where necessary, the United States;
- The limitations of liability and disclaimers set forth herein.
17. DEFINITIONS (FOR CLARITY)
| Term | Definition |
|---|---|
| Personal Information | Information about an identifiable individual |
| Project Data | Construction drawings, blueprints, specifications uploaded to the Service |
| De-identified Data | Data from which all identifiers have been removed and which cannot be re-identified |
| Processing | Any operation performed on data, including collection, storage, use, disclosure |
| Service | SwiftMEP's AI-augmented takeoff platform |
18. GOVERNING LAW
This Privacy Policy is governed by the laws of the Province of [YOUR PROVINCE] and the federal laws of Canada applicable therein, without regard to conflict of laws principles, subject to any mandatory provisions of applicable privacy laws (e.g., GDPR, CCPA).
19. SEVERABILITY
If any provision of this Privacy Policy is found to be invalid or unenforceable by a court of competent jurisdiction, such provision shall be severed, and the remaining provisions shall remain in full force and effect.
20. CONTACT SUMMARY
| Purpose | Contact | Subject Line |
|---|---|---|
| General Privacy | privacy@swiftmep.ca | [Your question] |
© 2026 SwiftMEP. All Rights Reserved.