Privacy Policy

Apertur ("we", "us", or "our") operates the Apertur service, accessible at apertur.ca and via our API. This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our services. By accessing or using Apertur, you agree to this policy. If you do not agree, please discontinue use of the service.

We collect the following categories of information:

Account Data: When you register, we collect your name, email address, password (stored as a bcrypt hash), and mobile phone number. Your mobile phone number is required and verified via SMS during registration. It is used for account identification and security purposes, including verifying your identity, preventing duplicate accounts, and enabling secure account recovery. If you provide a mailing address, it is stored as part of your profile.

Usage Data: We log API requests, session creation events, image delivery attempts, webhook call outcomes, and dashboard activity. These logs include timestamps, IP addresses, HTTP status codes, and request metadata.

Payment Data: Billing is handled by Stripe, Inc. We do not store your full credit card numbers. We store your Stripe customer ID and subscription identifiers to manage your billing relationship. Stripe's privacy policy governs data processed on their platform.

Email Logs: We retain records of transactional emails (account confirmation, webhook failure notifications, billing receipts) for up to 12 months for deliverability and support purposes.

Login Records: We record the IP address, user agent, and timestamp of each successful and failed login for security auditing purposes. These records are retained for 3 months.

Cookies: We use session-only cookies for authentication. We do not use tracking cookies or third-party advertising cookies.

We use the information we collect to: (a) provide, operate, and maintain the Apertur service; (b) process payments and manage subscriptions; (c) send transactional communications such as account confirmations, password resets, and billing receipts; (d) detect, investigate, and prevent fraudulent transactions, abuse, and other illegal activities; (e) analyze usage trends to improve our service; (f) comply with applicable legal obligations; (g) respond to your support requests; and (h) verify your identity via SMS during registration and for ongoing account security.

For users in the European Economic Area, the United Kingdom, and Switzerland, we process personal data under the following legal bases:

Contract Performance: Processing necessary to provide the service you have contracted for, including account management, API access, and billing.

Legitimate Interests: Processing for fraud prevention, security monitoring, service improvement, and abuse detection, where our interests are not overridden by your rights.

Legal Obligation: Processing required to comply with applicable laws, such as retaining billing records.

Consent: Where we rely on consent (e.g., optional marketing communications), you may withdraw consent at any time by contacting us.

Apertur complies with Quebec's Act respecting the protection of personal information in the private sector, as amended by Law 25.

Privacy Officer: We have designated a Privacy Officer responsible for the protection of personal information. You may contact our Privacy Officer at privacy@apertur.ca.

Consent: We collect personal information only with your knowledge and consent, except where otherwise permitted by law. You may withdraw consent subject to legal or contractual restrictions and reasonable notice.

Purpose Limitation: Personal information is collected for specific, explicit purposes described in this policy and is not used for incompatible purposes without your consent.

Security Incident Notification: In the event of a confidentiality incident involving your personal information that presents a risk of serious injury, we will notify the Commission d'accès à l'information du Québec and affected individuals as required by law.

Privacy Impact Assessments: We conduct privacy impact assessments for any new technology or system that processes personal information.

Apertur complies with Canada's PIPEDA and its 10 fair information principles:

1. Accountability — We are responsible for all personal information under our control and have designated a Privacy Officer. 2. Identifying Purposes — We identify the purposes for collecting personal information before or at the time of collection. 3. Consent — We obtain knowledge and consent for the collection, use, or disclosure of personal information. 4. Limiting Collection — We collect only information necessary for identified purposes. 5. Limiting Use, Disclosure, and Retention — Personal information is not used or disclosed for purposes other than those for which it was collected, and is retained only as long as necessary. 6. Accuracy — Personal information is as accurate, complete, and up-to-date as necessary. 7. Safeguards — We protect personal information with security safeguards appropriate to its sensitivity. 8. Openness — We make our policies and practices readily available. 9. Individual Access — Upon request, we will inform individuals of the existence, use, and disclosure of their personal information and give access to that information. 10. Challenging Compliance — Individuals may address a challenge concerning compliance with these principles to our Privacy Officer.

Depending on your jurisdiction, you may have the following rights regarding your personal information:

Access: You may request a copy of the personal information we hold about you.

Rectification: You may request that we correct inaccurate or incomplete personal information.

Erasure: You may request deletion of your personal information, subject to our legal obligations to retain certain records.

Data Portability: You may request your personal information in a structured, machine-readable format.

Objection: You may object to processing based on legitimate interests.

Restriction: You may request that we restrict processing of your personal information in certain circumstances.

To exercise these rights, contact us at privacy@apertur.ca. We will respond within 30 days.

If you are a California resident, you have the following rights under the CCPA:

Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which personal information was collected, the business purpose for collecting personal information, and the categories of third parties with whom we share personal information.

Right to Delete: You have the right to request deletion of personal information we have collected about you, subject to certain exceptions.

Right to Opt-Out: We do not sell personal information. You therefore have no need to opt out of any sale.

Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a request, contact us at privacy@apertur.ca. We will verify your identity before processing your request.

We retain personal information for the following periods:

Account Data: Retained while your account is active. Upon account deletion, your data is scheduled for permanent deletion after a 30-day grace period. Accounts that are inactive for 6 consecutive months may be automatically deactivated and subsequently deleted.

Upload Session Data: Upload sessions and associated metadata are retained per the configuration of your project. Images are not stored by Apertur — they are delivered directly to your configured endpoint.

Email Logs: Records of transactional emails are retained for 12 months.

Login Records: Login history (IP address, user agent, timestamp) is retained for 3 months.

Billing Records: Invoice and payment records are retained for 7 years as required by applicable tax laws.

Apertur is operated from Canada. Your data may be stored and processed in Canada. Our payment processor, Stripe, Inc., is based in the United States and may process your billing information there. Stripe complies with applicable data protection laws including Standard Contractual Clauses for EU data transfers. By using Apertur, you consent to your information being transferred to and processed in these jurisdictions.

Apertur is not directed to individuals under the age of 16. We do not knowingly collect personal information from anyone under 16. If you believe we have inadvertently collected information from a minor, please contact us immediately at privacy@apertur.ca and we will delete it promptly.

We use session cookies to maintain your authenticated session on the dashboard. These cookies are deleted when you close your browser or log out. We do not use persistent tracking cookies, analytics cookies, or third-party advertising cookies. If you disable cookies, you will not be able to use the authenticated portions of the service.

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice on our website. The date at the top of this policy indicates when it was last updated. Your continued use of the service after any changes constitutes your acceptance of the updated policy.

For privacy-related inquiries, to exercise your rights, or to reach our Privacy Officer, please contact us at:

Apertur Privacy Officer Email: privacy@apertur.ca