1. Introduction
This Privacy Policy explains how GCS collects, uses, discloses, retains, and safeguards personal information and business information in connection with setup review, subscriptions, client workspaces, customer intake records, support, security, and billing. It is PIPEDA-aware but remains a draft requiring lawyer review.
2. Scope
This policy applies to visitors, account owners, client users, setup-review submitters, and customer information handled inside a client workspace. It does not replace a client business's own privacy obligations to its customers, employees, contractors, or prospects.
3. Accountability
GCS is responsible for personal information under its control and uses reasonable administrative, technical, and operational safeguards. Where GCS handles customer data for a client business, the client remains responsible for its customer relationship, lawful collection, consent where required, and accurate instructions.
4. What personal information GCS collects
GCS may collect account owner information, business profile information, client user names and emails, customer intake information, inquiry or request details, billing and subscription metadata, authentication and security logs, email delivery logs, support communications, and cookies or analytics information if those features are used.
5. How GCS collects information
Information may be collected directly from setup review forms, client portal users, account activation flows, customer intake forms, support messages, billing events from Stripe, security logs, provider events, browser cookies, and records imported or entered by an authorized client representative.
6. Purposes of collection and use
GCS uses information to create and operate client workspaces, prepare owner-review workflows, maintain customer request records, process subscriptions, provide support, secure accounts, send transactional account notices, troubleshoot provider issues, maintain audit records, and improve operational reliability.
7. Canadian consent and reasonable purposes
In Canadian plain language, GCS collects and uses information for purposes a reasonable person would consider appropriate for providing the service, operating a business account, securing access, processing payment, and preparing workflows requested by the client. Express or implied consent may apply depending on context and final legal review.
8. Customer data handled for client businesses
Customer data inside a workspace is generally supplied by or on behalf of the client business. GCS processes that data to provide the service, prepare follow-up records, organize owner-review tasks, and support the client. The client should maintain its own privacy notices and consent practices for customers.
9. Payment processing through Stripe
Stripe handles payment collection and card processing. GCS does not store card numbers or card security codes. GCS may store billing contact details, selected license tier, Stripe customer IDs, checkout session IDs, subscription IDs, price IDs, payment status, and billing event metadata.
10. Email automation data and activation codes
GCS may process email addresses, activation links, activation codes, message drafts, delivery records, unsubscribe or suppression status where configured, and account-notification logs. Customer-facing commercial drafts remain subject to client review and applicable consent and unsubscribe requirements.
11. Two-factor authentication and security data
If security features are enabled, GCS may process authentication events, hashed passwords, two-factor setup records, recovery-code status, login timestamps, IP addresses, user-agent details, session metadata, and security incident notes. These records help protect accounts and investigate suspicious activity.
12. Call, intake, and voice data if enabled later
If call intake, voicemail, transcription, or voice-provider features are later enabled, GCS may process caller details, timestamps, call notes, transcripts, recordings, routing metadata, and provider logs. Recording notices, consent, retention, and telecom-provider terms require separate legal and configuration review.
13. Service providers and subprocessors
GCS may use providers for hosting, database storage, payment processing, email, security, logging, analytics, customer support, and voice services if enabled. Provider lists, subprocessors, cross-border terms, and contractual privacy commitments should be finalized in lawyer-reviewed commercial documents.
14. Cross-border processing and hosting
Information may be processed or stored outside the province or country where the client or customer is located. Cross-border processing can make information subject to lawful access by courts, governments, or regulators in other jurisdictions. Clients should review cross-border needs with counsel.
15. Retention
GCS retains records as needed to provide the service, maintain billing and tax records, preserve security logs, support account recovery, resolve disputes, comply with law, and maintain business operations. Retention periods may differ by record type and should be finalized in production policy.
16. Safeguards
GCS uses reasonable safeguards such as account scoping, role-based access concepts, session controls, CSRF protection, hashed passwords, optional or required two-factor authentication, recovery controls, logging, and provider security measures. No system, provider, or transmission method is perfectly secure.
17. Access and correction requests
Clients may request access to or correction of their account information by contacting GCS support. Requests involving customer data may need to be handled by the responsible client business unless GCS is legally required or contractually authorized to respond directly.
18. Withdrawal of consent
A person may withdraw consent where consent is the applicable basis, subject to legal, contractual, billing, security, or operational limits. Withdrawal may affect account access, service delivery, customer workflow records, support, security monitoring, or the ability to maintain required business records.
19. Cookies and tracking
GCS may use essential cookies for authentication, sessions, CSRF protection, security, preferences, and operational diagnostics. Analytics or tracking tools, if used, should be disclosed in the Cookie and Tracking Notice and configured consistently with final privacy review.
20. Children and minors
GCS is designed for business use and is not directed to children or minors. Clients should not intentionally submit personal information about minors unless it is necessary for a lawful business purpose, appropriately consented to, and suitable for the service.
21. Breach and security incident handling
GCS will use reasonable efforts to investigate suspected security incidents affecting information under its control. Notification, timing, content, regulatory reporting, and cooperation commitments require final legal review and may depend on the nature of the incident and applicable law.
22. Contact
Privacy questions, access requests, correction requests, and security concerns may be sent to [email protected] or the configured GCS support email shown on this page. The final policy should identify any required privacy officer or legal notice details.
23. Lawyer-review notice
This Privacy Policy is a serious draft for review and does not guarantee PIPEDA compliance or compliance with any other privacy law. Draft for review. Not legal advice. Lawyer review required before full commercial reliance.
Support
For questions about these terms, your data, or your account, contact [email protected].