Privacy Policy
Last updated: April 12, 2026
1. Who we are
CanPermits ("we", "our", "the Service") is a Canadian-operated web application that aggregates and republishes publicly available building permit data from municipalities across Canada. We are operated as an independent service and are not affiliated with any municipality. The Service is available only to users who are at least 18 years old. We do not knowingly collect personal information from anyone under 18.
2. Data we collect
Account & billing information
When you subscribe, we collect your email address and process payment through Stripe. We do not store your credit card number. Stripe handles all payment data under their own privacy policy.
Saved searches & alert preferences
If you save a search, we store the filter criteria (keywords, municipality, project type, date range, value range) and your email address in order to send you permit alerts.
Usage data
We log standard web server access logs (IP address, user agent, pages visited, timestamps). These are used for debugging and abuse prevention and are not sold or shared.
Error reports
When the Service encounters an error, we collect technical information (URL, browser type, IP address, stack trace) via Sentry to diagnose and fix bugs. Error reports may incidentally contain your email address if you were logged in at the time.
Removal & support correspondence
If you email us at removals@,
privacy@, or
[email protected],
we retain the email address you wrote from and the contents of your message in order to
process and respond to your request.
Permit data
The permit records displayed on this site are sourced from municipal open data portals. They are public records and not private to you.
3. How we use your data
- To manage your subscription and grant access to paid features (alerts, watchlists, and saved-search digests on Basic and up; Toronto territory monitoring on Premium and up)
- To send permit alert emails based on your saved searches
- To process billing and handle subscription changes via Stripe
- To detect and prevent abuse of the Service
- To respond to support, removal, and privacy-related correspondence
We do not sell your personal data to third parties. We send only transactional emails related to your account, billing, and the alerts you have explicitly subscribed to. We do not send marketing emails or newsletters without separate opt-in consent.
4. Third-party services
| Service | Purpose | Data shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Email, payment details | United States |
| Resend | Transactional email (permit alerts) | Email address, permit data in alert body | United States |
| Sentry | Error monitoring & debugging | IP address, browser info, error context (may include email if logged in) | United States |
| OVHcloud | Web hosting & database | All data stored by the Service (account, subscriptions, permits, logs) | Canada (Beauharnois, QC) |
| Cloudflare | DNS, CDN, TLS termination & inbound email routing | IP address, request metadata, inbound email headers & bodies | Global (edge network) |
5. Data location & cross-border transfers
The Service is operated from Canada. Our primary hosting infrastructure (including the application server, the PostgreSQL database that stores all account, subscription, saved search, and permit data, and our scheduled data-collection jobs) runs on OVHcloud servers located in Beauharnois, Quebec, Canada. Personal information you provide is stored in Canada and subject to Canadian privacy law, including PIPEDA.
Some of the third-party processors listed in Section 4 are based outside Canada: Stripe, Resend, and Sentry process data on servers located in the United States, and Cloudflare operates a global edge network that may temporarily process request metadata and inbound email in the nearest available region. By using the Service, you acknowledge that limited personal information (for example, your email address when you receive an alert, or your IP address when you visit the site) may be transferred to, stored in, and processed in these jurisdictions and may be subject to access by foreign law-enforcement and government authorities under applicable local law. We rely on the contractual and security commitments of these providers to safeguard your data, but these protections may differ from those available under Canadian law.
6. Cookies & sessions
We use a signed session cookie (sub_session)
to remember your subscription status after checkout. This cookie contains only your email address (signed and encoded)
and expires after 90 days. We also set a first-party analytics cookie (_cp_vid)
containing a random identifier (UUID) that lets us distinguish new visitors from returning ones.
This cookie contains no personal information and expires after one year.
We do not use Google Analytics, Facebook Pixel, or any third-party advertising trackers.
We use a self-hosted, cookieless analytics tool (Umami) to understand how the site is used. This tool does not set cookies, does not collect personal information, and does not share data with third parties. Analytics data is stored on our own servers and is used solely to improve the product.
7. Data retention
- Subscription records are retained while your account is active and for 12 months after cancellation for billing dispute purposes.
- Saved searches and alert preferences are retained until you delete them or request deletion.
- Anonymous visitor analytics data is retained for 12 months, then deleted.
- Server access logs are retained for 30 days.
- Sentry error reports are retained for 90 days.
- Support, removal, and privacy correspondence is retained for 12 months after the matter is resolved.
- Stripe is required by law to retain payment and tax records for up to 7 years; this is outside our control and governed by Stripe's privacy policy.
8. Your rights under PIPEDA
Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to:
- Access the personal information we hold about you
- Correct any inaccurate or incomplete information
- Delete your account and associated personal data
- Withdraw consent for non-essential processing at any time (subject to legal or contractual restrictions)
- Receive a copy of the personal information we hold about you in a portable format
To exercise any of these rights, email [email protected]. To delete your account, use the subject line "Delete my account" from the address associated with your subscription. We will respond within 30 days.
If you believe we have not handled your personal information appropriately, you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC).
9. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to active subscribers by email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
10. Contact
For privacy questions or data deletion requests, contact us at: [email protected]