1. Introduction
XitPlan Inc. ("XitPlan", "we", "us", or "our") is a corporation incorporated under the laws of the Province of Ontario, Canada, with its principal office in Toronto, Ontario. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard personal information when you visit our website at xitplan.ca, sign a Website Services Agreement, pay for any of our services, or use the Missed Call Capture service.
We comply with the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. Where applicable to non-Canadian customers, we apply equivalent protections under the U.S. E-SIGN Act and, for European visitors, under the EU General Data Protection Regulation (GDPR).
By using our services, you consent to the collection, use, and disclosure of your information as described in this policy.
2. Information We Collect
The categories of personal information we collect depend on which surface you use.
Website visitors
- Approximate location: we read the Cloudflare-supplied country code from your IP address (via the /api/geo Cloudflare Pages Function) so we can display prices in the right currency. The IP address itself is not stored on this path
- Browser and device: user-agent, screen size, page URL, referrer, and similar technical metadata for analytics and abuse prevention
- Local storage: we cache the live pricing payload in your browser's localStorage for 24 hours so subsequent page loads are instant. We do not place tracking cookies for advertising
Lead and contact form submissions
- Name, email address, phone number (if provided), business name, and any free-text message you include
- Source page (e.g. /websites, /missed-call-capture, /chat) so we know which service you asked about
Website Services signing flow
When you sign a Website Services Agreement at /websites/agreement/<tier>, we capture a binding legal record. This includes:
- Typed signature name (the legal name you typed as your signature)
- Plan tier, currency, and monthly fee as displayed at the moment of signing
- Contract version and a SHA-256 hash of the rendered contract text so we can prove the exact wording you saw
- IP address, user-agent string, and timestamp at the moment of signing, for legal proof of the signature under E-SIGN, PIPEDA, and the Ontario Electronic Commerce Act, 2000
- The signed PDF, generated client-side from the contract text and your typed signature, stored privately in our Supabase storage bucket and accessible only via short-lived signed URLs we issue to you
Stripe Checkout payment
When you pay for any service, Stripe collects the information needed to process the payment. Stripe is the payment processor; XitPlan never sees your full card number. Stripe shares back to us:
- Your email address
- The "Full name" you entered in the Stripe custom field
- The "Business name" you entered in the Stripe custom field, if any
- Your billing country and postal address, where Stripe collects them for tax purposes
- The Stripe customer ID, subscription ID, and session ID for billing recordkeeping
We use the Stripe Checkout Session metadata to link the payment back to your signed agreement and update the agreement record to "paid" once Stripe confirms the transaction. Stripe's own privacy practices govern card-data handling; see stripe.com/privacy.
Project brief (Website Services)
- The URL of your existing website, if you have one (so we can lift services, photos, and existing copy)
- Free-text brand notes (preferences, colors, fonts, sites you like, things to avoid)
- An optional logo file you upload
- The agreement ID linking the brief back to your signed agreement
Missed Call Capture
- Caller information: caller name, phone number, reason for calling, and preferred callback time, as captured by the AI assistant
- Call metadata: call duration, timestamps, and routing identifiers
- Configuration: your custom AI greeting, business name, notification email addresses, and email template preferences
- Recordings and transcripts: short call audio and AI transcript, retained for the purposes described below
Important: callers to your business interact with our AI assistant. As a Missed Call Capture customer, you are the data controller for the lead information your callers provide and you are responsible for any local disclosure or consent obligations applicable to call recording in your jurisdiction. XitPlan acts as your data processor for caller data.
Account and support communications
- Email correspondence with us
- Notes and tickets created during onboarding, support, or billing conversations
3. How We Use Your Information
We use the information we collect only to:
- Deliver, operate, and maintain the services you signed up for
- Display the right pricing and currency on the website
- Generate, store, and serve back your signed agreement PDF
- Process payments via Stripe and reconcile them to your account
- Build, host, and update your website (Website Services)
- Handle calls and capture lead information on your behalf (Missed Call Capture)
- Send service-related email (lead notifications, billing receipts, project updates, security or privacy notices)
- Provide support and troubleshoot issues
- Detect and prevent abuse, fraud, chargebacks, and security incidents
- Comply with our legal, accounting, and tax obligations
- Enforce our Terms of Service and any signed Agreement
We do not use your information for behavioral advertising, do not sell or rent your personal information, and do not share it with third parties for their own marketing.
4. Third-Party Service Providers
We rely on a small set of third parties to operate the platform. We share only the minimum information needed for each provider to perform its function, and each is bound by its own published privacy and security commitments.
- Stripe (payment processing, customer billing, subscription management)
- Cloudflare (hosting on Cloudflare Pages, CDN, DDoS protection, geographic IP detection for currency)
- Supabase (database, authentication, file storage for signed PDFs and project assets, edge function runtime)
- Resend (transactional email delivery for lead notifications, agreement confirmations, founder alerts)
- Telephony provider (voice routing, call ingestion, SMS delivery for Growth and Premium tiers)
- AI assistant providers (one or more of OpenAI, Anthropic, or similar) for the natural language understanding that powers the Missed Call Capture service
- Analytics for first-party page-view counts, sources, and aggregate usage. We do not deploy third-party advertising trackers
Some of these providers process data outside Canada, including in the United States and the European Union. Where data is transferred across borders, we rely on each provider's contractual safeguards (Standard Contractual Clauses, Data Processing Agreements, cross-border transfer mechanisms approved under PIPEDA, GDPR, or equivalent).
5. Disclosure of Information
We do not sell or rent your personal information. We may disclose it only in the following circumstances:
- With your consent, when you have given us explicit permission
- To service providers listed in section 4, under contractual obligations to protect your data
- To enforce a contract, including providing your signed Agreement, audit trail, payment record, and proof of delivery to a card issuer in the event of a chargeback or dispute
- To comply with law, including in response to a subpoena, court order, search warrant, or other valid legal process
- To protect rights, property, or safety of XitPlan, our customers, or the public, including investigating fraud or abuse
- In a business transfer, where your information may be transferred as part of a merger, acquisition, sale of assets, or financing. We will notify you and require the acquirer to honor this Privacy Policy
6. Data Retention
We retain your information only as long as we need it.
- Active account data (Website Services and Missed Call Capture): retained while your account is active and as needed to deliver the services
- Signed Website Services Agreements and their audit trails (IP, user-agent, timestamp, contract version hash, signed PDF): retained for at least 7 years after the agreement ends, in accordance with Canadian recordkeeping and statute-of-limitations requirements for binding contracts
- Caller and lead data (Missed Call Capture): retained for 90 days from capture, then deleted, unless you ask us to delete it sooner. Call recordings (where applicable) follow the same window
- Project brief content and uploaded assets: retained while you are an active customer, then for an additional 12 months after termination so we can answer follow-up questions or restore service if you return. After that, deleted unless legal obligations require longer retention
- Billing and payment records: retained for 7 years in accordance with Canadian tax, accounting, and audit requirements
- Email and support correspondence: retained for 3 years
- On account closure: personal data outside the categories above is deleted within 30 days of cancellation
7. Your Privacy Rights
Under PIPEDA (and equivalent provincial or international laws where they apply to you), you have the right to:
- Access: request a copy of the personal information we hold about you
- Correction: request correction of inaccurate or incomplete information
- Deletion: request deletion of your personal data, subject to the legal retention requirements in section 6
- Withdrawal of consent: withdraw your consent for ongoing data processing at any time, subject to legal or contractual restrictions (e.g. we cannot delete a binding signed agreement during its retention window)
- Data portability: request a copy of your data in a portable format (CSV or JSON)
- Opt out of any non-transactional marketing communications at any time. Transactional and service-related emails (lead notifications, billing receipts, security notices) cannot be opted out of while you are a customer
- Complain to the Office of the Privacy Commissioner of Canada or your provincial regulator if you believe we have not handled your information appropriately
To exercise any of these rights, email [email protected] with the subject "Privacy Request". We will verify your identity and respond within 30 days.
8. Data Security
We apply industry-standard security measures, including:
- TLS encryption for all data in transit
- Encryption at rest for stored data (Supabase Postgres, Supabase Storage, Stripe records)
- Role-based access controls limiting data access to the founder and authorized team members on a need-to-know basis
- Row-level security policies on the database, denying public read or write to sensitive tables (signed agreements, customer billing records, captured leads)
- Short-lived signed URLs for any private file (e.g. signed contract PDFs) instead of public links
- Secrets and API keys held only in Supabase secret storage and GitHub Actions secret storage, never in source code
- Regular dependency updates, automated build checks, and code review on production changes
No system is perfectly secure. If we ever experience a breach affecting your personal information, we will notify you and the relevant privacy regulator without unreasonable delay, in line with PIPEDA's mandatory breach notification rules.
9. Cookies and Local Storage
We use the following client-side storage on xitplan.ca:
- localStorage: caches the live pricing response and your detected currency for 24 hours so the pricing page loads instantly. Cleared by clearing your browser storage
- sessionStorage: stores a short reference to your most recent signed agreement so the thank-you page can offer the PDF download link. Cleared automatically when you close the tab
- Functional cookies: we use only functional cookies needed for the site to work (e.g. preserving language preference). We do not deploy third-party advertising or cross-site tracking cookies
10. AI and Automated Processing
The Missed Call Capture service uses third-party AI assistants (e.g. OpenAI, Anthropic) to understand callers and capture lead details. AI processing is automated; XitPlan staff do not listen to calls in real time, but we may review individual calls for quality, debugging, abuse investigation, or compliance. Lead summaries are generated by the AI and may occasionally contain errors; you remain responsible for verifying lead details before acting on them.
We do not allow third-party AI providers to use your data to train their public models; we configure our integrations with the no-training options each provider offers.
11. Children's Privacy
Our services are aimed at businesses and are not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, contact us and we will delete it.
12. International Visitors
XitPlan is based in Toronto, Ontario, Canada and primarily serves customers in Canada and the United States. If you visit or use our services from outside North America, you understand that your information will be transferred to and stored in Canada and the United States, where data protection laws may differ from those in your country. By using our services, you consent to this transfer.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the updated policy on this page with a revised "Last updated" date. For material changes, we will provide at least 30 days' notice by email to active customers before the new policy takes effect. Continued use of our services after the effective date constitutes acceptance.
14. Contact Us
For privacy questions, requests, or complaints, contact our Privacy Officer:
- Email: [email protected] with the subject "Privacy Request"
- Company: XitPlan Inc., Toronto, Ontario, Canada
If we are unable to resolve your concern, you may contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.