Log In Sign Up
Last modified: January 5, 2026

Privacy Policy

At Mechmate, we take your privacy seriously. Please read this Privacy Policy carefully to understand how we handle your personal data.

By using or accessing our Services in any way, you acknowledge that you accept the practices and policies described below, and you hereby consent to our collection, use, and sharing of your information as described in this Privacy Policy.

Please remember that your use of Mechmate’s Services is at all times subject to our Terms of Use. Any terms we use in this Policy without defining them have the definitions given to them in the Terms of Use.

Accessibility: If you have a disability or special needs, you may access this privacy policy in an alternative format by contacting us at [email protected].

What this policy covers

This Privacy Policy describes how we handle the personal data we collect when you access or use our Services.

Definition - Personal Data: Any information that identifies or relates to a particular individual, also including information referred to as “personal information” or “personally identifiable information” under applicable data protection laws, rules, or regulations.

What this Policy does NOT cover: This Privacy Policy does not cover the practices of companies that we do not own or control, or individuals that we do not employ or manage.

1. Introduction

Mechmate is an all-in-one management software for service, repair, and maintenance businesses. This Privacy Policy explains how we collect, use, store, and protect your personal information.

2. Who we are

Mechmate is a SaaS (Software as a Service) platform that enables service, repair, and maintenance businesses to manage their daily operations, including:

  • Customer and equipment management
  • Work order creation and tracking
  • Invoicing and payments
  • Online appointment scheduling
  • Inventory management
  • Time and task tracking

3. Information we collect

Reference period: This section details the categories of personal data we collect and have collected over the past 12 months, in compliance with the transparency requirements of data protection laws (CCPA, PIPEDA, Loi 25).

3.1 For businesses (our direct customers)

Account information:

  • Company name and registration information
  • Names and contact information of users (owners, technicians, staff)
  • Email address and phone number
  • Business address
  • Account preferences and settings

Payment information:

  • Billing information
  • Payment methods (processed and stored by Stripe)
  • Transaction and subscription history

Usage data:

  • Pages visited and features used
  • Actions performed in the application
  • Diagnostic and performance data
  • Technical logs and errors

3.2 For end customers of businesses (data processed on behalf of our customers)

Contact information:

  • First and last name
  • Phone number
  • Email address
  • Physical address
  • Company name (for corporate customers)

Equipment information:

  • Type, make, model, and year
  • Serial or identification number
  • Usage metrics (mileage, hours of use, etc.)
  • Maintenance and repair history
  • Equipment photos
  • Digital maintenance logbook

Service information:

  • Appointment history
  • Work orders and services performed
  • Parts installed and products used
  • Technician notes and diagnostics
  • Estimates and invoices
  • Payment history

Communications:

  • Email and SMS history
  • Conversation notes
  • Shared documents and photos

3.3 Information collected automatically

Technical data:

  • IP address
  • Browser type and version
  • Operating system
  • Device identifiers
  • Cookies and similar technologies data
  • Login and activity logs

3.4 Sources of personal data collection

We collect your personal data from the following sources:

You (directly):

  • Information you provide to us directly:
    • When creating your account or using our services
  • In forms, free text fields, questionnaire responses
  • When you send us an email or contact us
  • Through in-app interactions (creating customers, invoices, etc.)
  • Information collected automatically during use:
    • Via cookies and similar technologies (see section 10)
  • Approximate location if you use a browser with geolocation enabled
  • Telemetry data if you install our applications (desktop, mobile)
  • Information about your sessions and activity in the application

Third parties (indirectly):

  • Analytics providers: PostHog analyzes how you interact with our services
  • Support providers: To provide you with technical assistance
  • Payment providers: Stripe for transaction information
  • Authentication providers: If you use SSO or third-party login (future)

4. How we use your information

4.1 Providing and improving our services

  • Creating and managing your account
  • Processing transactions and payments
  • Providing technical and customer support
  • Improving our features and developing new ones
  • Personalizing your experience

4.2 Communications

SMS (Transactional messages only):

  • Verification codes: Confirming the phone number when booking an appointment via the widget
  • Type: Transactional messages only (NOT marketing)
  • Frequency: A single SMS per appointment booking attempt
  • Rates: Standard messaging and data rates may apply depending on your mobile plan

Emails:

  • Appointment notifications and reminders
  • Invoices and receipts
  • Service confirmations
  • Important system updates
  • Customer support
  • New features (if you have opted in)

4.3 Compliance and security

  • Detecting and preventing fraud
  • Complying with our legal obligations
  • Enforcing our terms of use
  • Protecting the rights and safety of our users
  • Resolving disputes

4.4 Analysis and improvement

  • Analyzing platform usage
  • Understanding trends and preferences
  • Measuring the effectiveness of our services
  • Conducting research and analysis

4.5 Transparency commitment

We commit to NOT:

  • Collecting new categories of personal data without informing you
  • Using collected personal data for purposes that are materially different, unrelated, or incompatible with the purposes described above

If we need to modify our collection or use practices, we will inform you in advance and obtain your consent if required by law.

We process your personal data on the basis of:

  • Performance of a contract: To provide the services you have requested
  • Legitimate interest: To improve our services, ensure security, and prevent fraud
  • Consent: For marketing communications (optional)
  • Legal obligations: To comply with applicable laws (taxation, accounting, etc.)

6. Information sharing

6.1 We NEVER sell your personal data

Firm commitment: We never sell or rent your personal data to third parties, regardless of the circumstances. Your information is not a product to be commercialized.

6.2 Sharing with trusted third parties

Essential service providers:

  • Stripe: Payment processing and billing
  • Brevo (Sendinblue): Sending transactional emails and SMS
  • PostHog: Usage analytics (anonymized data)
  • Sentry: Error tracking and performance
  • Hosting services: Secure data storage

All of these partners:

  • Are contractually required to protect your information
  • May only use your data according to our instructions
  • Comply with industry security standards

6.3 Important note regarding business customer data

The information of business customers (names, equipment, histories, etc.) belongs to the businesses. Mechmate acts as a data processor on behalf of the business. The business is the data controller for this data.

If you are a customer of a business using Mechmate and have questions about your data, you should contact the business directly.

We may disclose your information if required by law, a court order, or legal proceedings.

6.5 Business transfer

In the event of a merger, acquisition, asset sale, or other similar transaction in which a third party assumes control of our business (in whole or in part), your personal information may be transferred to that third party.

Our commitment:

  • We will make reasonable efforts to notify you BEFORE your information becomes subject to different privacy and security policies
  • You will have the option to delete your account before the transfer if you wish
  • The new owner will be required to honor the commitments of this policy until a new policy is adopted

6.6 Aggregated, de-identified, or anonymized data

We may create aggregated, de-identified, or anonymized data from the personal data we collect, including by removing information that enables the identification of a particular user.

Use of this data:

  • Analyzing platform usage trends
  • Improving our services and developing new features
  • Conducting research and market analysis
  • Promoting our business and publishing statistics

Guarantee: We will never share this data in a way that could personally identify you. This anonymized data may be retained indefinitely and shared with third parties for legitimate business purposes.

7. Data security

We take security very seriously and implement robust protective measures:

Technical measures:

  • SSL/TLS encryption for all communications
  • Encryption of sensitive data at rest
  • Secure authentication with JWT
  • Multi-tenant isolation (each business has its own isolated data)
  • Automatic daily backups
  • Regular security testing

Organizational measures:

  • Limited access to personal data (principle of least privilege)
  • Staff training on data protection
  • Strict security policies
  • Access monitoring and logging
  • Incident response plan

Infrastructure:

  • Hosted at OVH Canada (Beauharnois, Quebec)
  • Tier III+ certified datacenter, ISO 27001, ISO 14001
  • Redundancy and high availability
  • 24/7 monitoring
  • DDoS protection included

Important: No system is 100% secure. We are committed to doing our best to protect your data, but we cannot guarantee absolute security. No method of data transmission over the Internet or data storage is completely secure.

Your responsibility in security:

You must also contribute to protecting your data by:

  • Choosing a strong and unique password: Use a combination of uppercase and lowercase letters, numbers, and symbols
  • Never sharing your password: Mechmate will NEVER ask for your password by email or phone
  • Limiting access to your device: Lock your computer or mobile device when not in use
  • Protecting your browser: Keep your browser up to date with the latest security patches
  • Logging out after use: Especially on shared or public devices
  • Enabling two-factor authentication (2FA): If available in your account

If you believe your account has been compromised, contact us immediately at [email protected].

7.1 Privacy incident notification

In the event of a privacy incident presenting a risk of serious harm to affected individuals, we commit to:

  • Notifying affected individuals as soon as possible
  • Informing the Office of the Privacy Commissioner of Canada (and other competent authorities depending on your jurisdiction)
  • Taking immediate action to limit damages and prevent future incidents
  • Documenting the incident in accordance with our legal obligations

You will be informed by email or any other appropriate means of communication if your data is affected by an incident.

8. Data retention

8.1 Retention periods

Active business data:

  • Retained as long as the account is active
  • Includes all operational data (customers, equipment, invoices, etc.)

After account closure:

  • Data deleted within 90 days of the request
  • Option to export data before deletion
  • Certain data may be retained for legal obligations (invoices: 7 years)

Billing and accounting data:

  • Retained for 7 years for tax compliance
  • Even after account closure

Logs and analytics data:

  • Generally retained for 2 years
  • Anonymized data may be retained indefinitely

8.2 Automatic deletion

Certain data is automatically deleted:

  • SMS verification codes: 5 minutes
  • Expired sessions: 30 days
  • Temporary logs: according to retention policy

9. Your data rights

Depending on your location (GDPR in Europe, PIPEDA in Canada, etc.), you have the following rights:

9.1 Available rights

Right of access:

  • Obtain a copy of your personal data
  • Know how we use your data

Right of rectification:

  • Correct inaccurate or incomplete information
  • Update your information

Right to erasure (“right to be forgotten”):

  • Request the deletion of your data
  • Subject to our legal obligations

Right to data portability:

  • Receive your data in a structured and commonly used format
  • Transfer your data to another service

Right to object:

  • Object to the processing of your data in certain cases
  • Unsubscribe from marketing communications

Right to restriction:

  • Request the restriction of processing in certain situations

9.2 How to exercise your rights

For businesses (our direct customers):

  • Log in to your account to modify your information
  • Contact us at [email protected]
  • Use the export option in account settings

For end customers of businesses:

  • Contact the business where you are a customer directly
  • The business is responsible for your data
  • If the business does not respond, contact us at [email protected]

Response time: We commit to responding within 30 days.

10. Cookies and similar technologies

The Services use cookies and similar technologies such as pixel tags, web beacons, clear GIFs, and JavaScript (collectively, “Cookies”) to enable our servers to recognize your web browser, tell us how and when you visit and use our Services, analyze trends, learn more about our user base, and operate and improve our Services.

What is a cookie? Cookies are small data files — usually text files — placed on your computer, tablet, phone, or similar device when you use that device to access our Services.

10.1 Types of cookies used

We use the following types of cookies:

1. Essential cookies (required) Essential cookies are required to provide you with the features or services you have requested.

Examples:

  • Maintaining your user session
  • Authentication and security (JWT tokens)
  • Basic preferences necessary for operation
  • CSRF attack protection

Important note: Disabling these cookies will make certain features and services unavailable. You will not be able to log in to your account without these cookies.

2. Functional cookies Functional cookies are used to record your choices and settings regarding our Services, maintain your preferences over time, and recognize you when you return to our Services.

Examples:

  • Remembering your preferred language
  • User interface preferences (theme, layout)
  • Notification preferences
  • Recently viewed pages for quick navigation

Management: These cookies enhance your experience but are not strictly necessary. You can disable them in the settings.

3. Analytics and performance cookies (optional - consent required) Analytics cookies allow us to understand how visitors use our Services. They collect information about the number of visitors, pages viewed, and time spent on the site.

Services used:

  • PostHog: Usage and behavior analytics
  • Data collected: pages visited, interactions, time spent, user journey
  • Objective: Improving our Services and measuring the effectiveness of our features

Anonymized data: These cookies collect anonymized or pseudonymized data that does not directly identify you.

Consent:

  • You can accept or decline these cookies on your first visit
  • Withdrawal of consent: You can withdraw your consent at any time in your Mechmate account settings
  • Declining will not affect your use of the main features

Local storage and other technologies: We also use browser local storage (localStorage, sessionStorage) for:

  • Interface preferences
  • Temporary cache to improve performance
  • Application state (non-sensitive data)

10.2 Do Not Track (DNT)

Important: Due to our use of cookies for the proper functioning of the Services, we do not currently support “Do Not Track” requests sent by your browser.

However, you have full control over analytics cookies through your Mechmate account settings.

How to manage your cookie preferences:

You can decide whether or not to accept cookies through your internet browser settings. Most browsers have an option to disable the cookie functionality, which will prevent your browser from accepting new cookies, and (depending on the sophistication of your browsing software) allow you to decide whether to accept each new cookie in various ways.

Instructions by browser:

  • Chrome: Settings > Privacy and security > Cookies
  • Firefox: Preferences > Privacy & Security > Cookies
  • Safari: Preferences > Privacy > Cookies
  • Edge: Settings > Privacy > Cookies

Managing cookies in Mechmate:

  • Log in to your account
  • Go to Settings > Privacy
  • Manage your analytics cookie preferences

Deleting existing cookies: You can also delete all cookies already present on your device. If you do this, you may need to manually adjust some preferences each time you visit our website and some Services and features may not function properly.

To learn more: To explore the cookie settings available to you, look for the “preferences” or “options” section in your browser’s menu. For more information about cookies, including how to manage and delete them, visit www.allaboutcookies.org.

11. Protection of minors

Mechmate is a professional tool intended for businesses. We do not knowingly collect information from children under the age of 13 (16 in the EU).

If you believe we have collected information from a minor, contact us immediately at [email protected].

12. Data location and transfers

12.1 Primary data storage

All your primary data (customers, equipment, invoices, work orders, etc.) is stored exclusively in Canada, at the OVH datacenter in Beauharnois, Quebec.

Benefits:

  • Full compliance with Canadian laws (PIPEDA)
  • Your data remains in Canada
  • Protection under Canadian privacy laws
  • Clear and stable jurisdiction

12.2 Limited transfers to third parties

Certain third-party services may process data outside of Canada:

Brevo (SMS and emails):

  • Servers in France/European Union
  • GDPR compliant and ISO 27001 certified
  • Used solely for sending transactional SMS/emails
  • Minimal data transmitted (phone number, email, name)

Stripe (Payments):

  • Servers in the United States
  • PCI DSS Level 1 certified (the most stringent standard)
  • Payment information only
  • We never store credit card numbers

PostHog and Sentry (Analytics and errors):

  • Anonymized or pseudonymized technical data
  • No sensitive customer data

12.3 For European Union residents

If you are in the EU and your data is transferred outside the EU, we ensure an adequate level of protection through:

  • EU standard contractual clauses with our partners
  • Recognized certifications (ISO 27001, SOC 2, PCI DSS)
  • Appropriate security safeguards
  • Compliance with GDPR data protection principles

13. Location data

We do not actively collect precise geolocation data. We may infer an approximate location from your IP address to:

  • Display content in your language
  • Comply with local laws
  • Prevent fraud

Our service may contain links to other websites. We are not responsible for the privacy practices of these sites. We encourage you to read their privacy policies.

15. Changes to this policy

We may modify this privacy policy from time to time to reflect:

  • Changes in our practices
  • New features
  • Legal or regulatory developments

Notification of changes

Minor changes:

  • Update of the “Last updated” date
  • In-app notification

Significant changes:

  • Email notification (30 days in advance)
  • Consent request if required
  • Option to close your account if you disagree

Your continued use after modifications constitutes your acceptance of the modified policy.

16. Jurisdiction-specific information

16.1 Canada (PIPEDA)

Canadian residents have specific rights under the Personal Information Protection and Electronic Documents Act (PIPEDA).

To file a complaint: Office of the Privacy Commissioner of Canada (www.priv.gc.ca)

16.2 European Union (GDPR)

EU residents have extensive rights under the General Data Protection Regulation (GDPR).

Legal basis for processing: See section 5

Data Protection Officer: [email protected]

Right to file a complaint: Data protection authority of your country

16.3 California (CCPA/CPRA)

California residents have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

Your rights:

  • Right to know: What personal information is collected, used, shared, or sold
  • Right to delete: Request the deletion of your personal information
  • Right to opt out of sale: Object to the sale of your personal information
  • Right to non-discrimination: Not be discriminated against for exercising your CCPA rights

Important - Clarification on “sale”:

Mechmate does not sell your personal data in the traditional sense of the term (we do not exchange it for money with third parties).

However, under the CCPA’s broad definition of “sale,” certain data sharing may be considered a “sale”:

  • Analytics services (PostHog): Sharing usage data with our analytics provider could be considered a “sale” under the CCPA
  • Error tracking services (Sentry): Sharing technical data for debugging

Your control: If you are a California resident and wish to opt out of this data sharing, you can:

  1. Disable analytics cookies in your account settings
  2. Contact us at [email protected] with the subject line “California Do Not Sell Request”
  3. Provide your name and the email address associated with your account

Contact to exercise your CCPA rights: [email protected]

16.4 Quebec (Loi 25)

Quebec residents benefit from enhanced protections under the Act to modernize legislative provisions as regards the protection of personal information (Loi 25), in effect since September 2023.

We comply with all Loi 25 requirements, including:

  • Appointment of a person in charge of the protection of personal information (see section 17)
  • Implementation of appropriate security measures
  • Mandatory notification in the event of a privacy incident
  • Privacy impact assessments (PIA) for sensitive projects
  • Limitation of data collection to necessary information
  • Transparency in the processing of personal information
  • Privacy incident management with appropriate documentation

Right to file a complaint: Commission d’acces a l’information du Quebec (CAI): www.cai.gouv.qc.ca

16.5 Nevada

If you are a Nevada resident, you have the right to opt out of the sale of certain personal data to third parties who intend to license or sell it.

Important: As stated in this policy, Mechmate does not sell your personal data in the traditional sense.

To exercise your Nevada right: If you still wish to exercise this right as a precaution, you can contact us at:

  • Email: [email protected]
  • Subject: “Nevada Do Not Sell Request”
  • Information to provide: Your name and the email address associated with your account

17. Contact information

Person in charge of the protection of personal information

In accordance with Quebec’s Loi 25 and best practices in privacy protection, we have designated a person in charge of the protection of personal information.

Person in charge: The founder of Mechmate Email: [email protected]

The person in charge is responsible for:

  • Overseeing compliance with data protection laws
  • Responding to your questions and requests regarding your personal data
  • Managing privacy incidents
  • Coordinating with data protection authorities

For any questions about this policy or your personal data:

Email: [email protected]

General email: [email protected]

Website: https://mechmate.io

Mailing address:

Mechmate

Quebec, Canada

Technical support:

Response time: We commit to responding within 2 business days for urgent requests and 30 days for data requests.

Appendix: Technical details for developers and auditors

Service providers and subprocessors

  • OVH Primary hosting, Canada (Beauharnois, QC) Tier III+, ISO 27001, ISO 14001
  • Stripe Payments, USA PCI DSS Level 1
  • Brevo Emails/SMS, France/EU ISO 27001
  • PostHog Analytics, USA/EU SOC 2
  • Sentry Error tracking, USA SOC 2
  • MinIO File storage, Self-hosted (VPS Canada) N/A

Technical security measures

  • Encryption in transit: TLS 1.3
  • Encryption at rest: AES-256
  • Authentication: JWT with refresh tokens
  • Sessions: 30-day expiration, revocation possible
  • API: Rate limiting, Zod validation
  • Database: Prisma ORM, parameterized queries
  • Isolation: Multi-tenant with strict account-level separation

Log retention

  • Application logs: 90 days
  • Security logs: 1 year
  • Audit logs: 7 years (financial transactions)
  • Error logs: 90 days
© 2026 Mechmate. Made in Quebec, Canada