Privacy Policy
Effective date: April 21, 2026
1. Introduction
ClimaInsight ("we", "us", or "our") respects your privacy. This Privacy Policy describes the personal information we collect when you use our climate physical risk assessment service (the "Service"), how we use and share it, and the rights you have over it. This policy is written with reference to Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA") and comparable provincial privacy laws.
2. Information We Collect
Account information (when you register): email address, first and last name, company, and a securely hashed password.
Assessment inputs: Canadian postal codes, street addresses (Pro tier only), user-provided property identifiers, and financial metrics if you choose to supply them.
Payment information: handled entirely by our payment processor, Stripe. We do not see or store your full card details; we retain only the Stripe customer and subscription identifiers necessary to manage your account.
Usage analytics: pages visited, assessments run, hazard types selected, approximate geographic region, browser type, and IP address. We use these to understand how the Service is used and to prevent abuse.
Communications: if you contact us via the contact form or email, we retain your message and contact details to respond.
3. How We Use Your Information
- Deliver and operate the Service — geocoding, running risk assessments, generating AI commentary, producing reports.
- Maintain your account, authenticate you, and support password resets.
- Send transactional emails (e.g. verification, password reset, billing receipts).
- Enforce usage limits, detect abuse (such as scraping or circumvention), and maintain platform security.
- Improve the Service — analyse aggregate usage patterns, debug errors, refine models.
- Comply with legal, tax, and regulatory obligations.
4. Sub-Processors and Third Parties
We rely on the following trusted sub-processors to operate the Service. Some of these process data outside Canada (principally in the United States). By using the Service you consent to this transfer, subject to contractual protections with each provider.
| Provider | Purpose | Data processed |
|---|---|---|
| Amazon Web Services (AWS) | Hosting, storage, secrets management | All application data |
| Stripe | Payment processing for Pro subscriptions | Name, email, billing details, card data |
| Mapbox | Address-level geocoding (Pro tier) | Property addresses you submit |
| Google (Gemini) / Anthropic (Claude) | AI-generated risk commentary | Hazard scores and location names; no personal identifiers |
| Google Analytics | Aggregate site analytics | IP address, page views, device type |
| SMTP email provider | Transactional email delivery | Email address, message body |
We do not sell your personal information, and we do not share it with third parties for their independent marketing.
5. AI Commentary
When the Service generates AI commentary, it transmits the hazard scores, location names, and portfolio summary to the configured AI provider (Google Gemini or Anthropic Claude). We do not send your name, email, password, account identifiers, or any payment data to these providers. AI providers process this data under their respective enterprise-grade agreements, which prohibit use of the submission for training their base models.
6. Cookies and Sessions
We use a session cookie to keep you signed in. We use Google Analytics cookies for aggregate usage measurement. We do not use cookies for cross-site advertising or profiling. You can disable cookies in your browser settings; some features (such as sign-in) will not work without them.
7. Data Retention
We retain account and assessment data for as long as your account is active. You may request deletion of your account at any time by contacting us; we will delete your personal information within 30 days of the request, except where we are legally required to retain it (for example, billing records are kept for up to 7 years to meet Canada Revenue Agency requirements).
8. Your Privacy Rights (PIPEDA)
Subject to applicable law, you have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Delete your account and associated personal data.
- Withdraw consent to future processing (this may limit your ability to use the Service).
- Port your assessment data in a portable format.
- Complain to the Office of the Privacy Commissioner of Canada if you believe your rights have been violated (priv.gc.ca).
To exercise any of these rights, use the contact form on our homepage at climainsight.ca/#contact. We may need to verify your identity before responding.
9. Security
We protect your information with industry-standard measures: HTTPS/TLS for all traffic, hashed passwords (using Werkzeug/bcrypt-equivalent algorithms), environment-isolated secrets managed via AWS Secrets Manager, access controls, and regular dependency patching. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.
10. Data Location
Our primary application data is hosted in AWS infrastructure configured for Canadian operation. Certain sub-processors listed above (Stripe, Mapbox, Google, Anthropic) may process data in the United States or other jurisdictions under their own security and privacy commitments.
11. Children
The Service is intended for business users and is not directed to anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated effective date. For material changes affecting registered users, we will also notify you by email.
13. Contact
To make a privacy-related request or ask a question about this policy, use the contact form on our homepage at climainsight.ca/#contact.