Legal

Privacy Policy

Last updated: March 28, 2026 · Effective: March 28, 2026

This Privacy Policy describes how GapWatch (gapwatch.io) ("GapWatch," "we," "us," or "our") collects, uses, discloses, and protects personal information in connection with the GapWatch platform and website (the "Service").

We are committed to complying with the Personal Information Protection and Electronic Documents Act (PIPEDA), An Act respecting the protection of personal information in the private sector (Quebec Law 25 / Bill 64), and all other applicable Canadian privacy legislation.

1. Identity and Contact of the Person Responsible for Personal Information

The person responsible for the protection of personal information is the founder and CEO of GapWatch. You may contact them at any time:

2. Personal Information We Collect

We collect personal information in the following categories:

a) Information you provide directly

  • Account registration: email address, name, and password
  • Billing information: processed by our payment processor (Creem); we do not store full card numbers
  • Communications: messages you send to our support team
  • Waitlist: email address, first name, and optional referral code

b) Information collected automatically

  • Log data: IP address, browser type, pages visited, and timestamps
  • Device information: operating system and screen resolution
  • Usage data: features used, subscription tier, and session duration
  • Cookies and similar technologies (see Section 8)

c) Information from third parties

  • Authentication providers (if you sign in via a third-party OAuth provider)
  • Payment confirmation data from Creem (customer ID, subscription status)

3. Purposes for Collecting Personal Information

We collect and use personal information only for the following identified purposes:

  • To create and manage your GapWatch account
  • To provide and improve the Service, including personalized features
  • To process subscription payments and send receipts
  • To send transactional emails (account confirmations, billing alerts, password resets)
  • To send the weekly editorial digest and alerts, if you have opted in
  • To respond to your support requests
  • To detect, investigate, and prevent fraud or abuse
  • To comply with legal obligations
  • To analyze aggregate usage patterns and improve our platform

We will not use your personal information for any purpose other than those listed above without first obtaining your consent, except as required or permitted by law.

4. Legal Basis and Consent

We rely on your consent and the necessity of contract performance as the basis for processing your personal information. By creating an account or using the Service, you consent to the collection, use, and disclosure of your personal information as described in this Policy.

You may withdraw your consent at any time by contacting us at privacy@gapwatch.io or by deleting your account. Withdrawal of consent may limit your ability to use the Service.

5. Disclosure of Personal Information to Third Parties

We share your personal information only with the following categories of third parties, strictly for the purposes described above:

Supabase (database and authentication)

Stores your account credentials and subscription data. Servers are located in the United States. Privacy Policy

Creem (payment processing)

Processes subscription payments. We transmit your email and subscription details. Privacy Policy

Resend (transactional email)

Sends account and digest emails on our behalf. Your email address is transmitted to Resend. Privacy Policy

Vercel (hosting and infrastructure)

Hosts the GapWatch application. Log data including IP addresses may be processed by Vercel. Servers may be located in the United States or other jurisdictions. Privacy Policy

We do not sell, rent, or trade your personal information to any third party for marketing purposes.

We may disclose your personal information if required by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect our rights or prevent harm.

6. Communication of Personal Information Outside Québec

As described in Section 5, your personal information may be communicated to service providers located outside Québec, including in the United States. Before communicating your information outside Québec, we conduct a privacy impact assessment and ensure that the information will receive equivalent protection through contractual means, in accordance with Quebec Law 25.

By using the Service, you acknowledge and consent to the transfer of your personal information to these jurisdictions.

7. Retention and Destruction of Personal Information

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law:

  • Account data is retained for the duration of your account and for up to 2 years after account deletion, for legal and audit purposes
  • Billing records are retained for 7 years as required by tax law
  • Server logs are retained for up to 90 days
  • Waitlist data is retained until you unsubscribe or request deletion

When personal information is no longer required, we securely destroy or anonymize it.

8. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

  • Essential cookies: Required for authentication and session management. Cannot be disabled without losing access to your account.
  • Analytics cookies: Used to understand how visitors use the Service (PostHog). Data is aggregated and anonymized where possible.

You may control cookies through your browser settings. Note that disabling essential cookies will impair the functionality of the Service.

9. Your Rights

Under PIPEDA and Quebec Law 25, you have the following rights with respect to your personal information:

  • Right of access: You may request a copy of the personal information we hold about you
  • Right to rectification: You may request correction of inaccurate or incomplete information
  • Right to withdrawal of consent: You may withdraw your consent to certain uses of your information
  • Right to erasure (right to be forgotten): You may request deletion of your personal information, subject to legal retention obligations
  • Right to data portability: You may request your personal information in a structured, machine-readable format
  • Right to de-indexation: Where applicable, you may request that hyperlinks to information about you be de-indexed

To exercise any of these rights, contact us at privacy@gapwatch.io. We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.

10. Security

We implement reasonable technical and organizational security measures to protect your personal information against unauthorized access, disclosure, alteration, or destruction. These include encrypted data transmission (TLS/HTTPS), hashed passwords, and role-based access controls.

No method of transmission over the internet is 100% secure. If you believe your personal information has been compromised, please contact us immediately at privacy@gapwatch.io.

11. Minors

The Service is not directed to individuals under the age of 14. We do not knowingly collect personal information from children under 14. If you believe a child under 14 has provided us with personal information, please contact us at privacy@gapwatch.io and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a prominent notice on the Service at least 15 days before the changes take effect. Your continued use of the Service after the effective date constitutes your acceptance of the updated Policy.

13. Complaints

If you have a complaint about our privacy practices, please contact our privacy officer first at privacy@gapwatch.io. If you are not satisfied with our response, you may file a complaint with:

  • Commission d'accès à l'information du Québec (CAI)cai.gouv.qc.ca
  • Office of the Privacy Commissioner of Canada (OPC)priv.gc.ca

14. Contact Us

For any questions about this Privacy Policy or our privacy practices: