Privacy Policy

1. Who We Are

Shovel Radar ("we", "us", "our") is a B2B commercial intelligence service operated from Calgary, Alberta, Canada. We provide weekly permit, business-licence, and procurement intelligence Reports to contractors, trade businesses, brokers, lenders, and specialty vendors operating across 382 Canadian cities in every province and 3 territories. Our website is shovelradar.com.

For privacy-related inquiries, contact us at: matthew@shovelradar.com

Cette politique est également disponible en français : Politique de confidentialité (français)

2. Scope — PIPEDA, Alberta PIPA, BC PIPA, and Québec Law 25

This policy is governed by Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and the substantially-similar provincial regimes for organizations operating in Alberta (Personal Information Protection Act, PIPA), British Columbia (Personal Information Protection Act, BC PIPA), and Québec (Act respecting the protection of personal information in the private sector, as amended by Law 25). By submitting information through our website or engaging our services, you consent to the collection, use, and disclosure of your personal information as described in this policy.

Subscribers and prospects located in Québec may submit privacy requests in French and will be responded to in French.

3. Information We Collect

We collect personal information only for legitimate business purposes. The categories we collect are:

• Contact information: your name, company name, email address, and phone number, submitted via our website contact form or our product matcher. Form submissions are handled by a Vercel-hosted serverless function we operate and emailed directly to us — no third-party form processor stores your data.
• Matcher answers: your business type, deal size, and lead-freshness selections from the homepage product matcher (used to recommend products and pre-fill the contact form). These are submitted with your contact request.
• Billing information: payment details collected and processed by Stripe, Inc. We do not store credit card numbers on our servers. Stripe provides us a customer ID, your billing email, and subscription metadata.
• Subscription state: if you subscribe, we maintain a secure record on our servers of your customer ID, email, company name, subscribed products, plan tier, subscription start date, and last delivery timestamp. This is the operational data needed to deliver your reports.
• Delivery and email logs: we maintain per-row delivery records (which lead rows have been shipped to which customer) and per-email send records (which weekly delivery emails went out and whether they succeeded). These logs prevent duplicate deliveries and protect against grab-and-leave abuse — see Section 13 of our Terms.
• Account fingerprint: a one-way SHA-1 hash of (email + company name + phone + address) is stored alongside your subscription. Used solely to detect duplicate accounts created to bypass the first-delivery date floor or sample policy. The fingerprint cannot be reversed to recover the underlying inputs.
• Usage data: pages visited, time on site, and general location (city/country) collected via Google Analytics (anonymized IP).
• Communications: emails, messages, or notes you send us in the course of a business relationship.

We do not knowingly collect personal information from individuals under 18 years of age. Our services are directed exclusively at business professionals.

4. How We Use Your Information

We use the information we collect to:

• Respond to your inquiries and schedule demonstrations.
• Deliver subscribed intelligence reports to your email address, watermarked with your company name and customer ID for licence attribution (see Terms Section 7).
• Process payments and manage your subscription via Stripe.
• Send service-related communications (file delivery, billing notifications, product updates, onboarding emails on day 1, day 7, and day 28 of new subscriptions).
• Maintain operational records (subscription state, delivery log, email log) required to deliver the service correctly and to enforce the anti-abuse provisions of the Terms.
• Detect duplicate accounts via fingerprint comparison (Section 6.3 of the Terms).
• Improve our website and service through aggregated, anonymized analytics.
• Comply with applicable laws and regulations.

We do not use your personal information for automated decision-making or profiling beyond the duplicate-account detection described above. We do not sell your information to third parties.

5. Legal Basis for Processing

We process your personal information on the basis of your consent (given when you submit our contact form or purchase a subscription) and the performance of a contract (delivering the subscription service you have paid for). You may withdraw consent at any time by contacting us at matthew@shovelradar.com, though withdrawal may affect our ability to deliver the service.

6. Data Sharing and Third Parties

We do not sell, rent, or trade your personal information. We share it only with the following trusted service providers, solely to deliver our service:

All providers are required to handle data in accordance with applicable privacy laws. Cross-border transfers to the United States are made under contractual safeguards consistent with PIPEDA Schedule 1 Principle 7.

7. Data About Third Parties in Our Reports

Our intelligence Reports contain information about businesses, permit holders, and licence holders sourced from publicly available open-data datasets across Canada. The data relates predominantly to commercial entities, not private individuals. Where the data incidentally includes a named contact, it has been sourced from public records. We do not use this data to build personal profiles and we do not share it beyond the subscribing client. The licence terms of each source are listed in the READ ME tab of every Excel workbook we deliver.

Municipal — 382 cities, including:

• Alberta: City of Calgary, City of Edmonton, City of Lethbridge, City of Red Deer, City of Airdrie, City of Medicine Hat, City of Grande Prairie, City of St. Albert, City of Camrose.
• British Columbia: City of Vancouver, Surrey, Burnaby, Richmond, Saanich, Victoria, Coquitlam, Kelowna, Nanaimo, Kamloops, Chilliwack, Abbotsford, Langley.
• Ontario: City of Toronto, City of Ottawa, City of Mississauga, City of Brampton, plus 31 additional Ontario municipalities.
• Québec: Ville de Montréal, Laval, Gatineau, Longueuil, Québec, Sherbrooke, Lévis, Trois-Rivières, Saguenay, plus 5 others (via Données Québec).
• Atlantic: Halifax Regional Municipality, Cape Breton Regional Municipality, City of Fredericton, City of Moncton, City of Saint John, City of Charlottetown, City of St. John's.
• Prairies: City of Winnipeg, City of Saskatoon, City of Regina, City of Brandon.
• Territories: City of Yellowknife, City of Whitehorse.

Per-municipal coverage: building permits, business licences, development permits, property assessments, inspection outcomes, trade permits, tenancy changes, land-use redesignations, 311 service requests, BIA boundaries, heritage properties, lobbyist registries (where published). Full per-city list at shovelradar.com/cities/.

Provincial:

• Alberta: Alberta Health Services (AHS) public inspection portal, Alberta Gaming Liquor & Cannabis (AGLC) licensee directories, Alberta Energy Regulator (AER) well-licence data.
• Ontario: Open Data Ontario, MERX provincial solicitations, ACT (Alcohol & Gaming) licensee data, public health unit inspection portals.
• Québec: Données Québec catalog, Régie des alcools, des courses et des jeux (RACJ) licensee directories.
• British Columbia: BC Data Catalogue, public health inspection portals.
• Atlantic + Prairies: provincial open-data portals where published (NS, NB, PE, NL, MB, SK).

Federal:

• open.canada.ca (CKAN) — Government of Canada open-data portal.
• CanadaBuys, MERX, APC — federal procurement awards and solicitations.
• Statistics Canada (StatCan) — aggregate demographic / labour / industry statistics.
• CMHC — housing market data.
• CRA T3010 — public charity disclosures.

Contact enrichment (commercial only):

• Google Places API — business phone numbers, names, and addresses. Subject to the Google Maps Platform Terms of Service. We do not redistribute Google-authored editorial content.
• Google Gemini API — large-language-model service used to extract structured fields (services offered, when-to-call signal, decision-maker hints) from publicly accessible web pages. We do not send subscriber personal information to the Gemini API; only public business-record content.
• DuckDuckGo HTML search — public web search results scraped to discover Facebook / Instagram URLs associated with business entities (used solely for cross-reference enrichment).
• Apollo.io — public B2B contact directory used for decision-maker lookup (job title, work email) on commercial entities only, where Apollo's terms permit.

8. Data Retention

We retain your personal information for as long as your subscription is active and for a period of 24 months thereafter, to comply with legal and tax obligations. Specific retention periods:

• Subscription state (customers.csv): retained while subscription is active; archived for 24 months after cancellation.
• Delivery log (which rows shipped to which customer): retained for 24 months from delivery date, then anonymized (customer_id stripped, row hashes retained for our internal deduplication).
• Email send log: retained for 24 months for support and billing-dispute purposes.
• Account fingerprint (SHA-1 hash): retained for 36 months to detect repeat-offender duplicate accounts even after deletion of the originating record.
• Anonymized analytics (Google Analytics): may be retained indefinitely.

You may request deletion of your personal information at any time (see Section 10). Deletion of subscription state will end your service.

9. Cookies and Tracking

We use the following cookies / browser storage. None are used for advertising or cross-site tracking; all are functional or first-party analytics with IP anonymization.

• portal_session (HttpOnly, Secure, SameSite=Strict) — set by /api/v1/auth_verify after magic-link sign-in. JWT proving you are a paying subscriber. Lifetime 24 hours; refreshed on sign-in.
• sr_city_slug (localStorage) — your selected city from the header picker. Lets us swap "Calgary" copy for your city across the site without a server round-trip.
• sr_ref (localStorage, 30-day TTL) — referral attribution if you arrived via ?ref=... link.
• sr_ab_buckets_v1 (localStorage) — your assigned variant per active A/B experiment. Used to keep your experience consistent across page loads.
• sr_roadmap_votes (localStorage) — your votes on the public roadmap. Stays in your browser only; we tally weekly via aggregate event counts, never per-visitor.
• sr_geocode_cache_v1 (localStorage) — cached map coordinates from your interactions with the public permit map. Reduces redundant Nominatim lookups.
• PostHog cookies / localStorage (if our PostHog key is configured) — first-party analytics for pageviews + funnel measurement. Autocapture is OFF; we only fire explicit events. IP anonymization is ON; session recording is DISABLED. PostHog's policy: posthog.com/privacy. You can opt out at any time by clearing localStorage for this domain or by emailing us; we will server-side opt your distinct_id out.

By using our website you consent to the above. If you would like Shovel Radar to forget your client-side state, clear cookies + localStorage for shovelradar.com in your browser.

10. Your Rights

Under PIPEDA, Alberta PIPA, and Québec Law 25, you have the right to:

• Request access to the personal information we hold about you.
• Request correction of inaccurate or incomplete information.
• Withdraw consent and request deletion of your personal information.
• File a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.
• Québec residents: file a complaint with the Commission d'accès à l'information (CAI) at cai.gouv.qc.ca. You may also request that our Privacy Officer provide a technology-impact assessment if your information is used in an automated decision-making process.

To exercise any of these rights, email us at matthew@shovelradar.com, or use the self-serve data-deletion endpoint at POST /api/v1/data_deletion. We will respond within 30 days.

10b. Subscriber Portal Endpoints & Stored Data

If you are a paying subscriber, the following portal endpoints process and store data on your behalf in Vercel KV (a key-value store hosted in Canada Central or US East per Vercel's regional config). Each item lists what's stored + how to remove it.

• /api/v1/portal_state — reads your customer record + recent deliveries. No writes.
• /api/v1/portal_action — records subscription actions (pause / resume / cancel / change cadence). Stored in your customer record + audit log. Cancellation exit-reason + save-offer response are logged for retention analytics.
• /api/v1/portal_download — streams your weekly Excel files. We log timestamp + filename per download in state/portal_download_log.csv for usage attribution; no row-level content is logged.
• /api/v1/portal_seats — stores additional sign-in emails you authorize for your subscription. Stored in customer:<owner_email> + reverse-index at seat:<teammate_email>. Removing a seat deletes both keys.
• /api/v1/portal_searches — stores filters you register for saved-search alerts. Stored at saved_searches:<customer_id>. Deleting a search removes it from storage immediately.
• /api/v1/portal_pins — stores permits you bookmark. Stored at pinned_permits:<customer_id>. Unpinning removes the entry immediately.
• /api/v1/portal_feedback — captures optional ratings + comments. Persisted via SMTP to the operator inbox; not stored in our database.

Sending {action: "all"} to /api/v1/data_deletion requests deletion of all of the above (subject to the 6-year financial-record retention required by the Income Tax Act for Stripe transaction records, which we cannot delete and instead anonymize).

11. Security

We implement reasonable administrative and technical safeguards to protect your personal information against unauthorized access, disclosure, or misuse. All data in transit is encrypted via TLS. Payments are handled entirely by Stripe and are PCI-DSS compliant — we never see or store your full payment card details.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by updating the "Last updated" date at the top of this page and, where appropriate, by direct notification to active subscribers. Your continued use of the service after a change constitutes acceptance of the revised policy.

13. Contact