Privacy Policy

This Privacy Policy explains how QuickFlip Recon(“we”, “us”) collects, uses, and protects personal information when you use the QuickFlip Recon web application and related services. We operate in Canada and are committed to handling your data in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), British Columbia's Personal Information Protection Act (PIPA), and where applicable, the California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR).

Who this policy covers

This policy covers personal information collected through the QuickFlip Recon application, marketing website, and communications with us. There are three categories of people whose data may appear in QuickFlip Recon:

• Customers — the dealerships and their employees who sign up for and use QuickFlip Recon.
• End customers— the vehicle-buying public whose contact info may appear in customer-facing PDFs produced by dealerships using QuickFlip. These individuals are customers of the dealership, not of QuickFlip directly; the dealership is the “data controller” and QuickFlip acts as a “data processor”.
• Website visitors — people who browse quickfliprecon.com without signing up.

What we collect

Account information

• Email address and name of the person creating an account
• The dealership or dealer group name you enter
• Encrypted password and multi-factor authentication secret
• Access role assigned by your dealer-group admin

Billing information

All payment card details are collected and stored by Stripe, our payment processor — never by us. We store only the Stripe customer ID, subscription ID, plan, status, and renewal date, which we use to manage your subscription.

Inventory data you upload

• Vehicle information (VIN, make, model, year, mileage, options, pricing, etc.)
• Photos you upload
• PDFs you upload (e.g. CarFax, service reports)
• Recon workflow records (tasks, status, notes)
• Any free-text fields you fill in

Automatic technical data

• IP address (used for abuse prevention and regional defaults only)
• Browser user agent
• Application logs tied to your session (when errors or actions occur)
• No cookie-based ad tracking. We don't run Google Analytics, Facebook pixels, or similar.

How we use your information

• To operate the Service — store your inventory, authenticate sign-ins, render the UI.
• To send transactional emails (account verification, password reset, billing receipts, urgent account notices).
• To process subscription payments via Stripe.
• To respond to your support requests.
• To detect, prevent, and respond to abuse, fraud, and security incidents.
• To comply with legal obligations (tax reporting, lawful requests from government agencies in the jurisdictions where we operate).

We do not sell personal information.We do not share your inventory data or your customers' personal information with third parties except the subprocessors listed on our subprocessor page.

Where your data lives

Your data is stored on infrastructure operated by our subprocessors:

• Supabase (Postgres, Auth, file storage) — AWS US-East region.
• Vercel (web hosting and serverless functions) — US regions.
• Stripe(payments) — US; Canadian customer data is subject to Stripe Canada's practices.
• Resend (transactional email) — US regions.

By using the Service, you consent to your data being transferred to and stored in the United States. Each of these providers maintains industry- standard security practices including encryption at rest and in transit.

Security

We take security seriously. A detailed overview of the measures we take is on our Security page, but in brief:

• All traffic is encrypted with HTTPS (TLS 1.2+).
• Data at rest in Supabase is encrypted with AES-256.
• Database access is gated by Postgres row-level security policies.
• Multi-factor authentication (TOTP) is required on every account.
• Passwords are hashed using bcrypt via Supabase Auth.

Your rights

Depending on where you live, you may have rights including:

• Access — ask us what personal information we hold about you.
• Correction — ask us to correct inaccurate information.
• Deletion — ask us to delete your information (subject to our legal obligation to keep records for tax and billing purposes).
• Portability — ask us to export your data in a machine- readable format.
• Opt out of sale— we don't sell data, so this is automatic.
• Withdraw consent — cancel your subscription to stop data processing.

To exercise any of these rights, email privacy@quickfliprecon.com. We respond within 30 days.

Retention

We retain your personal information for as long as your account is active, plus a 30-day grace period after cancellation (so you can reactivate without data loss). After that, active-production data is deleted. Backups are rotated continuously; deleted data ages out of backups within 90 days. Billing and tax records may be retained up to 7 years to satisfy Canadian record-keeping obligations.

Cookies

We use essential cookies and equivalent browser storage (session cookies, auth tokens) to keep you logged in and remember your 2FA preferences. We don't use tracking cookies, advertising cookies, or third-party analytics cookies on the application side.

Children

QuickFlip Recon is a B2B product for automotive dealerships. We don't knowingly collect information from anyone under 16. If you believe we have, email privacy@quickfliprecon.comand we'll delete it.

Changes to this policy

We'll update this policy as the product and the law evolve. Material changes are announced by email and in-app at least 14 days before they take effect.

Contact

Privacy questions or requests: privacy@quickfliprecon.com
General contact: hello@quickfliprecon.com

If you feel we haven't addressed a privacy concern, you can contact the Office of the Privacy Commissioner of Canada (priv.gc.ca) or the BC Office of the Information and Privacy Commissioner (oipc.bc.ca).