Who we are
Markup ("Markup," "we," "our," or "us") operates the website at getmarkup.ca and the Markup software-as-a-service platform (the "Service"). Markup is a sole proprietorship registered in Canada.
This Privacy Policy describes how we collect, use, and disclose personal information in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.
Accountability
Markup's designated Privacy Officer is responsible for compliance with this policy. You can reach them at privacy@getmarkup.ca.
What personal information we collect
We collect only the information necessary to provide the Service:
Account information: name, email address, business name, trade type, province, and HST/GST registration number.
Usage data: pages visited, features used, and actions taken within the platform (via server-side logs and first-party analytics).
Business data you enter: quotes, invoices, client names, job descriptions, payment records, and subcontractor information including T5018-related data.
Payment information: billing address and last four digits of your card. Full card numbers are processed by our payment processor (Stripe) and are never stored on our servers.
Communications: emails, support requests, and feedback you send us.
How we collect information
We collect information directly from you when you create an account or use the Service.
Automatically through server logs, cookies, and similar technologies when you visit getmarkup.ca.
From third-party authentication providers if you sign in via a magic link or OAuth.
We use cookies for session management, preference storage, and first-party product analytics (described below). We do not use advertising trackers, and we do not sell advertising or your personal information.
IP addresses and server logs
When you use the Service, our hosting provider (Vercel) and database provider (Supabase) automatically record your IP address, user agent, request method, and timestamp on each request. We use these logs to detect abuse, debug platform issues, and meet our security obligations.
Outside the audit log described below, we do not associate IP addresses with user-identifying data inside our application database. Server logs are retained by our processors for up to 30 days under their standard retention policies, then deleted.
For PIPEDA accountability purposes (Principle 4.1), we maintain a server-side audit log of sensitive account actions: data exports, password changes, account-deletion requests and cancellations, profile edits to legal identifiers (HST/GST registration number, business email), sudo-mode re-authentication, and Stripe subscription cancellations. Each audit log entry includes your user ID, the IP address, user agent, and timestamp of the request. This log exists so we can investigate a security incident or substantiate a right-of-access response. To preserve this accountability trail, audit log entries are retained for our compliance obligations and may persist, with your account identifiers removed, after your account is deleted.
We disclose IP addresses only when compelled by a valid Canadian court order or legitimate regulatory request, or when necessary to investigate suspected fraud or platform abuse.
Why we collect and use your information
We use personal information to: provide, operate, and improve the Service; send transaction-related emails (quotes sent, invoices, payment confirmations); send CRA deadline reminders you have opted into; respond to support requests; detect and prevent fraud or abuse; and meet our legal obligations (e.g., tax and accounting records).
We will not use your personal information for purposes other than those identified above without your consent, unless required by law.
Product analytics
We use PostHog, a product-analytics service acting as our data processor, to understand how the Service is used so we can improve it. PostHog records a small set of explicit product events (for example: account signup, onboarding completion, and creating or sending a quote or invoice) together with the page you are viewing.
We deliberately limit what is sent. Events are associated with your opaque account identifier only. We do not send your name, email address, HST/GST number, client details, or any business document content to PostHog. Automatic event capture is turned off, so only the specific events described above are collected.
PostHog uses cookies and similar browser storage to measure usage within and across sessions. This data is processed by PostHog Cloud and may be stored outside Canada under contractual protections consistent with PIPEDA. We do not use this information for advertising, and we do not sell it.
Who we share information with
We do not sell, rent, or trade personal information. We share it only with:
Service providers acting as data processors under contractual obligation: Supabase (database and authentication), Stripe (payments), Brevo (transactional and reminder emails), Vercel (hosting), DeepSeek (AI quote suggestions), and PostHog (product analytics). Each is bound to process data only as directed by us.
Cross-border processing: DeepSeek is operated from the People's Republic of China. When you use the AI quote builder, the job description you submit is transmitted to DeepSeek for processing in the PRC. We send only the text of the job description and your past line-item prices; we do not transmit client names, addresses, or other identifying contact information to the AI. PRC data-processing laws differ from PIPEDA, and we disclose this transfer explicitly so you can make an informed decision about using the AI quote builder. If you would prefer to compose quotes manually instead, that option is always available.
Legal authorities when required by a court order, law, or legitimate regulatory request.
Successor entities in the event of a sale of substantially all assets of the sole proprietorship, provided the successor maintains equivalent privacy protections.
Where data is stored
Your data is stored in Canada and the United States on servers operated by our service providers. When data is transferred outside Canada, we ensure adequate protections are in place through contractual clauses consistent with PIPEDA requirements.
How long we keep your information
We keep your account and business data for as long as your account is open. When you request deletion, we permanently delete all of your data after a 7-day grace period (during which you can cancel the request). We do not keep a copy.
The CRA requires construction businesses to keep their financial records for seven (7) years. Because we do not retain a copy after deletion, we prompt you to download a complete export of your data before your account is deleted and ask you to confirm you have done so. After deletion, keeping those records to meet your CRA obligations is your responsibility.
You can also request deletion or export at any time by contacting privacy@getmarkup.ca.
Your rights
Under PIPEDA, you have the right to: know what personal information we hold about you; challenge the accuracy and completeness of your information, and have it corrected; withdraw consent (where consent is the legal basis), subject to legal and contractual restrictions; request deletion of data we are not required to retain; and file a complaint with the Office of the Privacy Commissioner of Canada.
To download a copy of every record we hold for your account at any time, sign in and use the "Export my data" button on your Profile page. The export is delivered as a JSON file and includes your business profile, clients, projects, quotes, invoices, payments, expenses, subcontractors, and suppliers. It excludes records held by third-party processors (Stripe, Brevo) and platform server logs (Vercel, Supabase). To request those, contact us at the address below.
To exercise any other right, email privacy@getmarkup.ca. We will respond within 30 days.
Security
We use industry-standard technical and organizational measures including TLS encryption in transit, encrypted storage at rest, access controls, and regular security reviews. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.
Changes to this policy
We will notify registered users by email at least 30 days before making material changes to this policy. The effective date at the top of this page reflects the most recent revision.
Contact us
privacy@getmarkup.ca