Privacy Policy

Last updated: June 12, 2026

MécanoFlow ("we", "us", "our") is a shop management platform built for independent auto repair shops in Canada. We take your privacy seriously. This policy explains what personal information we collect, why we collect it, how we use it, and what rights you have over it.

This policy applies to shop owners and staff who use MécanoFlow, as well as their customers whose information is stored in the platform.

1. What Information We Collect

Shop owners and staff:

  • Name, email address, and password (for your account)
  • Shop name, address, phone number, and province
  • Payment information (processed by Stripe; we do not store card numbers)

Customers of shops using MécanoFlow:

  • Name, phone number, and email address
  • Vehicle information (year, make, model, VIN, mileage)
  • Service history, estimates, invoices, and repair notes
  • Photos uploaded during inspections or bookings
  • SMS and email communication records
  • Consent records (when and how consent was given)

Automatically collected:

  • IP address and browser user-agent (for security logging; automatically purged after 90 days)
  • Usage data and feature interactions (aggregated, not sold)

2. How We Use Your Information

  • Service delivery: Creating estimates, work orders, invoices, and managing appointments.
  • Communication: Sending appointment reminders, estimate approvals, invoice links, and service updates via SMS and email.
  • AI processing: Generating repair estimates, customer-friendly summaries, and repair guidance using AI models. Vehicle and service data is sent to our AI provider for processing but is not used to train their models.
  • Security and compliance: Audit logging, fraud prevention, and maintaining the integrity of the platform.
  • Improvement: Understanding how features are used to improve the product.

3. SMS and Email Communications

MécanoFlow sends two types of messages on behalf of shops:

Transactional messages (service-related):

  • Appointment confirmations and reminders
  • Estimate approval requests
  • Work order status updates
  • Invoice and payment links

These are sent when a customer has given SMS consent during booking or estimate approval.

Marketing messages (promotional):

  • Seasonal promotions
  • Referral program invitations
  • Review requests

These are only sent to customers who have explicitly opted in to marketing communications.

How to opt out:

  • Reply STOP to any SMS message to immediately unsubscribe from all messages
  • Contact the shop directly to update your communication preferences
  • Shop staff can update your preferences in MécanoFlow at any time

4. Data Retention

  • Customer and vehicle data: Retained for as long as the shop account is active and for 12 months after account closure.
  • Audit logs: Retained indefinitely for compliance, but IP addresses and user-agent strings are automatically stripped after 90 days.
  • Communication records: Retained for 24 months for dispute resolution and compliance.
  • Account data: Deleted within 30 days of a verified deletion request.

5. Subprocessors and International Transfers

We use the following service providers ("subprocessors") to operate MécanoFlow. Some are located in, or store data in, the United States — meaning your information may be processed outside Canada and be subject to the laws of those jurisdictions:

Provider          Purpose                                                Data location
Vercel            Application hosting                                    United States
Supabase (AWS)    Database and authentication                            United States
Twilio            SMS delivery                                           United States
SendGrid          Email delivery                                         United States
Stripe            Payment processing (we never store card numbers)       United States
OpenAI            AI estimate generation (not used to train models)      United States

We use contractual safeguards with each subprocessor to require protection comparable to Canadian privacy law. Each provider has its own privacy policy.

5a. Cookies

MécanoFlow uses only essential cookies: authentication session cookies (to keep you signed in) and a language preference. We do not use advertising or cross-site tracking cookies, and we do not sell personal information.

6. Your Rights

Under Canadian privacy law (PIPEDA), you have the right to:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Ask us to correct inaccurate or incomplete information.
  • Deletion: Request that we delete your personal information, subject to legal retention requirements.
  • Withdraw consent: Opt out of marketing communications at any time. Note that withdrawing consent for transactional messages may affect our ability to provide service updates.

For customer data held by a specific shop, please contact the shop directly. They are the data controller for their customer records.

7. PIPEDA and CASL Compliance

We follow the ten fair information principles of PIPEDA (Personal Information Protection and Electronic Documents Act):

  1. Accountability — a designated privacy officer is responsible for compliance (see Contact below).
  2. Identifying purposes — we state why we collect information at or before collection.
  3. Consent — we collect, use, and disclose personal information only with consent, except where law permits.
  4. Limiting collection — we collect only what the Service needs to function.
  5. Limiting use, disclosure, retention — information is used only for stated purposes and retained per Section 4.
  6. Accuracy — you can correct your information at any time in the app.
  7. Safeguards — see Security (Section 8).
  8. Openness — this policy describes our practices in plain language.
  9. Individual access — you may request a copy of your information (Section 6).
  10. Challenging compliance — complaints can be raised with us and with the Office of the Privacy Commissioner of Canada.

CASL (Canadian Anti-Spam Legislation) — All commercial electronic messages include sender identification and an unsubscribe mechanism. Marketing messages require express consent. Transactional messages (appointment reminders, service updates) are sent under implied consent from the existing business relationship. Replying STOP to any SMS unsubscribes immediately.

7a. Quebec Residents — Law 25

For shops and customers in Quebec, we comply with the Act respecting the protection of personal information in the private sector as amended by Law 25:

  • Consent — consent requests are presented separately, in clear and simple language, in French where required.
  • Right to erasure and de-indexing — you may request deletion of your personal information; verified requests are honoured within 30 days, subject to legal retention duties.
  • Data portability — you may request your personal information in a structured, commonly used technological format (we provide CSV exports).
  • Confidentiality incidents — we maintain an incident register and will notify affected individuals and the Commission d'accès à l'information (CAI) of any incident presenting a risk of serious injury.
  • Person in charge of protection of personal information — reachable at privacy@mecanoflow.ca (see Contact below).

8. Security

  • All data is encrypted in transit (TLS) and at rest
  • Authentication is handled by Supabase Auth with bcrypt password hashing
  • Row-level security policies restrict data access to authorized shop members
  • Audit logs track all significant actions for security monitoring
  • Sensitive data (passwords, tokens, API keys) is never logged

9. Contact Us

For privacy questions, data access requests, or concerns:

MécanoFlow Privacy

Email: privacy@mecanoflow.ca

Ottawa, Ontario, Canada

We will respond to all privacy requests within 30 days.

10. Changes to This Policy

We may update this privacy policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top of this page indicates when the policy was last revised.