Related: Privacy · Terms · DPA

Flarepoint — Privacy Policy

Operator: Flarepoint Marketing Ltd. ("Flarepoint", "we", "us", "our") — a British Columbia company (incorporation no. BC1502750), 1301–125 Milross Avenue, Vancouver, BC V6A 0A1, Canada. Effective date: May 31, 2026 Applies to: the Flarepoint website (flarepoint.ca), the Flarepoint application, and all related features and modules (together, the "Service").

Flarepoint provides operating software for marinas and boatyards. We take privacy seriously and built the Service to be Canadian-first, with personal information hosted in Canada and access tightly controlled. This Policy explains what personal information we handle, why, how we protect it, and the choices and rights you have.

This Policy is governed by Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and British Columbia's Personal Information Protection Act (BC PIPA).

1. Who this Policy is for

This Policy covers:

  • Marina and boatyard customers ("Customers") who subscribe to and operate the Service, and their staff users (managers, receptionists, accounting, housekeeping, agents).
  • Boat owners and their representatives ("Owners") whose information is entered into, or who use, the Service through their marina.
  • Website visitors and people who contact us or start a trial.

2. Our role: when we are a "controller" and when we are a "service provider"

Flarepoint plays two different privacy roles, and it matters which one applies:

  • As a service provider (processor) to our Customers. When a marina uses the Service to manage its Owners, vessels, contracts, placements, audits, incidents and (as modules become available) invoices and payments, the marina is the organization responsible for that personal information. Flarepoint processes it on the marina's behalf and on its instructions, only to provide and support the Service. If you are an Owner and want to access, correct, or delete information your marina holds about you, please contact your marina first; we will assist the marina as needed.
  • As the organization responsible (controller). For Customer account and staff-user data, billing and subscription data, website-visitor data, support communications, and our own security and product analytics, Flarepoint is the responsible organization and this Policy governs directly.

A separate Data Processing Addendum (DPA) governs our service-provider obligations to Customers and forms part of the agreement between us.

3. Information we collect

We collect only what we need to run the Service. Depending on your role and the modules in use, this may include:

3.1 Information provided to us

  • Account & staff data: name, work email, phone, role, marina/organization, login credentials (passwords are stored only as salted hashes), and (where enabled) multi-factor authentication details.
  • Owner & vessel records: Owner names and contact details, billing/representative details, vessel details, slip/berth assignments, contracts, and placements — typically entered by the marina or imported from the marina's existing files (e.g., spreadsheets, rent-rolls).
  • Compliance & document data: insurance certificates, signed documents/agreements, identification provided for check-in, and related expiry dates.
  • Operational data: check-in/check-out records and vessel movement events, dock-audit results, photos captured during audits or incidents (which may incidentally include people or property), housekeeping and inspection records, and incidents.
  • Communications: messages you send us, support requests, and notification preferences.
  • Payment & billing data (current and future modules): subscription billing information, and — when the Payments module is enabled — payment-method and transaction information needed to process payments via our payment processors. We do not store full card numbers; these are handled by our PCI-compliant processors.

3.2 Information collected automatically

  • Usage & device data: log data, IP address, browser/device type, pages and features used, timestamps, and diagnostic/error data, used to operate, secure, and improve the Service.
  • Cookies and similar technologies: see §9.

3.3 Information from third parties

  • Authentication providers: if you sign in with Google, we receive basic profile information (name, email) needed to create or match your account.
  • Future integrations: if a Customer connects a third-party system (e.g., a channel manager or accounting tool), we may receive related data under that Customer's instructions.

We do not intentionally collect sensitive information beyond what the Service requires, and we ask Customers not to upload special-category data that is not needed to operate their marina.

4. How we use personal information

We use personal information to:

  • provide, operate, secure, and maintain the Service and its features;
  • authenticate users and enforce role-based access;
  • generate the Compliance Health signal and surface insurance/contract/audit status (an operational aid — see Terms of Service for its limits);
  • create and send documents, receipts, reminders, and notifications by email and (where enabled) SMS;
  • process subscriptions and, when enabled, invoices and payments;
  • provide customer support and respond to requests;
  • monitor, detect, and prevent fraud, abuse, and security incidents, and keep audit logs;
  • send you service and account messages, and — with consent and an unsubscribe option, as required by Canada's Anti-Spam Legislation (CASL) — our own marketing communications;
  • comply with legal obligations; and
  • understand usage and improve the Service (using aggregated or de-identified data wherever possible).

Automated processing. The Compliance Health signal and similar features process data automatically to surface possible issues. They are decision-support tools, not solely-automated decisions producing legal or similarly significant effects about an individual; operators review and decide. See the Terms of Service for their limits.

We rely on consent (including consent obtained by the marina from its Owners), the performance of our contract with you, our legitimate business interests in operating and securing the Service, and legal requirements, as appropriate under PIPEDA and BC PIPA.

5. Artificial intelligence (the AI Copilot)

The Service includes an AI assistant ("Copilot") that lets users ask questions and request actions in plain language. We designed it to be privacy-protective:

  • Most requests never reach an AI model. Common questions are answered deterministically from your own data, without sending anything to a third-party AI provider.
  • Data minimization. When a request does use an AI model, we are designed to send only the minimum necessary, structured context and to avoid sending personal information to the model; the model proposes actions through a restricted, server-validated set of tools rather than receiving free access to your data.
  • Limiting provider use. We do not use your data to train our own models, and we select AI processing options intended to limit our provider's use of your content. Provider practices and terms can change; we will update this Policy and, where appropriate, notify Customers if they change materially.
  • Provider. Our current AI provider is DeepSeek, accessed through a provider interface we may change over time. Where an AI provider operates outside Canada, our de-identification approach is intended to avoid transferring personal information across borders (see §8).
  • Human oversight. AI outputs may be incomplete or inaccurate and are not professional, legal, financial, or insurance advice. Any action the Copilot proposes is shown for confirmation before it is applied, and operators remain responsible for decisions.

6. Disclosure of personal information

We do not sell personal information. We disclose it only as follows:

  • To service providers (sub-processors) who help us run the Service, under contracts that limit their use to providing services to us. Current and anticipated categories include: cloud hosting and database (Supabase, Canadian region), transactional email (Resend), SMS (Twilio), document/PDF generation (PDFShift), AI processing (DeepSeek), and — for the Payments module — payment processing (e.g., Stripe and Canadian payment rails such as Interac and pre-authorized debit). We maintain a current list of sub-processors and will provide it on request.
  • Between a Customer and its own authorized users, according to roles and permissions the Customer configures.
  • To comply with law, lawful requests, or to protect rights, safety, and security.
  • In a business transfer (merger, acquisition, financing, or sale of assets), subject to confidentiality and this Policy.

7. Tenant isolation & access

The Service is multi-tenant. Each organization's data is logically isolated, and access is enforced by row-level security and role-based permissions so that one marina cannot access another marina's data. Staff access is scoped to the user's role and, where relevant, to specific marinas or docks. Privileged and document access is logged.

8. Where your information is stored (data residency & cross-border)

Personal information processed through the Service is hosted in Canada. Some service providers may process limited data (such as message delivery metadata, or de-identified AI queries) outside Canada; where this occurs, the information becomes subject to the laws of the jurisdiction in which it is processed, and we use contractual and technical safeguards to protect it. As described in §5, our AI design is intended to avoid sending personal information to AI providers that operate outside Canada. You may contact us for more detail about where specific categories of information are processed.

9. Cookies & analytics

The website and application use a small number of cookies and similar technologies that are necessary to keep you signed in, remember preferences, and keep the Service secure, plus limited analytics to understand and improve usage. We aim to minimize non-essential tracking. Where required, we will request consent for non-essential cookies, and you can control cookies through your browser settings.

10. How we protect personal information

We use administrative, technical, and physical safeguards appropriate to the sensitivity of the information, including: encryption in transit and at rest, default-deny access controls and tenant isolation, hashed passwords, optional/role-mandatory multi-factor authentication, signed and logged access to private documents, least-privilege access for our team, and security monitoring and audit logging. No method of transmission or storage is perfectly secure, but we work to protect your information and to respond promptly to issues.

Breach notification. If a breach of security safeguards creates a real risk of significant harm, we will notify affected individuals and the Office of the Privacy Commissioner of Canada (and assist Customers with their own notification obligations) as required by law, and keep records of breaches as required.

11. How long we keep information

We keep personal information for as long as needed to provide the Service, maintain the Customer's records, comply with legal, tax, audit, and security obligations, and resolve disputes. When information is no longer needed, we delete or de-identify it. Customers can export and, subject to legal retention requirements, request deletion of their data (see §12 and the Terms of Service for post-termination handling).

12. Your rights & choices

Subject to PIPEDA, BC PIPA, and any limitations in law, you may:

  • access the personal information we hold about you and ask how it is used and disclosed;
  • correct inaccurate or incomplete information;
  • withdraw consent (this may limit or end your ability to use the Service);
  • request deletion or export of your information; and
  • complain to us, and to the Office of the Privacy Commissioner of Canada or the BC Office of the Information and Privacy Commissioner.

If you are an Owner: information about you is usually held by your marina as the responsible organization. Please direct access, correction, and deletion requests to your marina; we will help the marina respond. For information for which Flarepoint is the responsible organization, contact us directly using §15.

We will verify your identity before acting on a request and respond within the timeframes required by law.

13. Children

The Service is intended for businesses and is not directed to children. We do not knowingly collect personal information from children. If you believe a child's information has been provided to us, contact us and we will take appropriate steps.

14. Third-party links

The website and Service may link to third-party sites or services we do not control. Their privacy practices are governed by their own policies; we encourage you to review them.

15. Changes to this Policy

We may update this Policy as the Service and our modules evolve (for example, when Payments, e-signature, booking, or boatyard modules launch). We will post the updated Policy with a new effective date and, for material changes, take reasonable steps to notify Customers.

16. Contact us

Flarepoint Marketing Ltd. — Privacy Officer Email: hello@flarepoint.ca Mailing address: 1301–125 Milross Avenue, Vancouver, BC V6A 0A1, Canada BC incorporation no. BC1502750 · Business no. 710316159BC0001

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada (priv.gc.ca) or the Office of the Information and Privacy Commissioner for British Columbia (oipc.bc.ca).