DealerJet — Privacy Policy
Effective Date: June 11, 2026 Last Updated: July 11, 2026
1. Introduction
This Privacy Policy describes how DealerJet, a business registered in the Province of Ontario, Canada ("DealerJet," "we," "us," or "our"), collects, uses, discloses, stores, and protects personal information about you (the "Customer" or "you") when you use our software service (the "Service"), including the web dashboard at dealerjet.ca, the DealerJet Chrome extension, and related backend APIs.
DealerJet is committed to protecting your privacy and complying with the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal Canadian privacy law that governs how private-sector organizations handle personal information in the course of commercial activity, as well as applicable provincial privacy laws and regulations where they apply.
This policy supplements, and is incorporated into, our Terms of Service.
2. Who We Are and How to Contact Us
For questions about this policy, your information, or to exercise any of the rights described in Section 11 below, contact our Privacy Officer:
DealerJet — Privacy Officer info@dealerjet.ca 1576 Richmond Street, Unit 12, London, Ontario, N6G 2M6 Canada
We will respond to all valid privacy inquiries within thirty (30) days as required by PIPEDA.
3. Information We Collect
3.1 Information You Provide Directly
When you create an account or use the Service, you may provide:
- Account information: name, email address, business name, business phone, business address, dealership type, province of operation, dealer registration number(s).
- Authentication credentials: password (stored as an argon2id hash, the OWASP-recommended algorithm; we never see your plaintext password) and DealerJet session cookies. The Service does not store Facebook account credentials; the Chrome extension operates within your authenticated Facebook session in your own browser, and we never retain your Facebook password or any Facebook OAuth token.
- Facebook account identifier: when you post a vehicle to Facebook Marketplace through the Chrome extension, we store the numeric Facebook account ID and the public display name of the Facebook profile used to post, and associate them with your DealerJet user account. We collect this only to (a) attribute each listing to the team member who posted it, and (b) enforce our terms against account sharing (each DealerJet seat is tied to one Facebook posting account). We do not access your Facebook friends, messages, timeline, or any other Facebook data — only the account identifier of the profile actively used for posting. You can change or clear this binding at any time from your account settings.
- Payment information: billing name and address. Full credit card numbers are collected and stored by Stripe, our payment processor; we receive only a tokenized reference and the last 4 digits of the card for display.
- Settings data: dealership branding, the dealership's sales contact name and phone, each team member's own optional sales contact name and phone (shown in the listings that member posts), warranty pitch text, financing pitch text, compliance footer text, posting preferences.
- Vehicle history documents: Carfax reports, safety inspection reports, and similar PDF documents you upload and attach to specific vehicles in your inventory. These files are stored alongside the corresponding vehicle record and are not shared outside DealerJet.
- Customer support communications: any email or message you send us.
3.2 Information Collected Automatically
When you use the Service, we automatically collect:
- Usage data: pages viewed, features used, button clicks, scrape activity, posting activity, error events.
- Security and account event logs: a record of significant account events — logins (success and failure), password changes, email changes, Facebook account binding and swap events, plan changes, billing events. Each entry includes timestamp, action type, IP address, user agent, and event metadata. Retained as described in Section 9 to support security review, fraud investigation, account recovery, and PIPEDA compliance.
- Device and connection data: IP address, user agent (browser
- OS version), screen resolution, time zone, language preference.
- Cookies and similar technologies: see Section 10.
3.3 Information from Third-Party Sources
To provide the Service, we retrieve data from third-party platforms on your behalf:
- AutoTrader.ca: your published vehicle listings (year, make, model, trim, mileage, photos, descriptions, accident/Carfax flags, pricing, dealer page contact info), and the public dealership metadata (name, location, phone, website) shown on the dealer's public AT page.
- CarGurus.ca / CarGurus.com (not offered at launch; may be added later): the same categories of public listing data from your CarGurus dealer page, if and when that integration is offered and you choose to use it.
- NHTSA vPIC (US National Highway Traffic Safety Administration): publicly available vehicle specification data decoded from VIN numbers (free and public — no PII flows here).
- Facebook: when you authorize the Chrome extension, it operates within your authenticated Facebook session in your browser. We do not store Facebook account credentials. We only use your session to pre-fill listing forms when you initiate a "Post to Facebook" action.
We do not collect information about end consumers (the buyers who message your Facebook listings). Buyer messages flow directly between you and the consumer through Facebook Messenger; DealerJet does not access or store these messages.
3.4 Sensitive Personal Information
We do not knowingly collect sensitive categories of personal information (health, sexual orientation, religious or political beliefs, ethnic origin, etc.) and we ask that you not provide them.
4. How We Use Your Information
We use your personal information for the following purposes, each of which is supported by a recognized legal basis under PIPEDA (consent, performance of contract, or legitimate business purposes):
| Purpose | Examples |
|---|---|
| Provide the Service | Authenticate logins, render your dashboard, run inventory scrapes you initiate, generate marketplace descriptions, populate Facebook posting forms |
| Bill and process payments | Charge subscription fees, send invoices, handle refunds, manage billing disputes |
| Communicate with you | Send transactional emails (welcome, payment receipts, password resets, Service notices), respond to support requests |
| Improve the Service | Analyze usage patterns, identify and fix bugs, build new features |
| Security and abuse prevention | Detect and respond to unauthorized access, account sharing, fraudulent activity, and Service abuse |
| Compliance with law | Respond to lawful subpoenas, court orders, regulatory requests, or PIPEDA access requests |
We will not use your information for materially new purposes without your consent.
5. Marketing Communications
We may send you product update emails, feature announcements, or promotional offers about DealerJet. These communications comply with Canada's Anti-Spam Legislation (CASL):
- We obtain your express consent (typically when you sign up).
- Every marketing email includes an unsubscribe link.
- We honour unsubscribe requests within ten (10) business days.
- We identify the sender and provide contact information in every message.
You may opt out of marketing emails at any time. Operational and legally-required communications (such as billing notices, security alerts, or Terms updates) cannot be opted out of while you maintain an active account.
6. How We Share Information
We do not sell, rent, or trade your personal information. We share it only in the limited circumstances described below.
6.1 Service Providers (Sub-Processors)
We rely on the following third parties to operate the Service. Each is contractually bound to use your information only as needed to provide their service to us:
| Provider | Purpose | Location of Data |
|---|---|---|
| Stripe | Payment processing (card collection via Stripe Checkout, ongoing billing via the Stripe Customer Portal) | United States; Stripe is PCI-DSS certified |
| Render | Application hosting and database (Postgres) | United States |
| Cloudflare | DNS resolution for dealerjet.ca, content delivery (CDN), web application firewall, and Cloudflare Email Routing (the inbound email service that forwards mail sent to @dealerjet.ca addresses to our support inbox) | Global edge network |
| Resend | Outbound transactional email delivery (signup verification, password reset, account-event notifications) | United States |
| Sentry (planned) | Error monitoring and crash reporting | United States |
| Plausible Analytics (planned) | Privacy-focused web analytics, no cookies, no PII | European Union |
This list is current as of the Last Updated date. We may add or change providers in the future and will update this policy accordingly.
6.2 Third-Party Platforms You Authorize
When you choose to post a listing to Facebook Marketplace using the Chrome extension, the listing data (vehicle details, photos, description) flows from our backend, through your browser, to Facebook. Facebook becomes the controller of that data once posted. Facebook's privacy practices are governed by Facebook's own policy, not ours.
6.3 Legal and Safety Disclosures
We may disclose your information when we have a good-faith belief that disclosure is necessary to:
- Comply with a lawful subpoena, court order, or governmental request.
- Enforce our Terms of Service.
- Protect the rights, property, or safety of DealerJet, our users, or the public.
- Investigate fraud, security issues, or abuse.
We will notify you of any legal request for your data unless prohibited from doing so by law.
6.4 Business Transfers
If DealerJet undergoes a merger, acquisition, financing, or sale of all or part of its business, your information may be transferred to the acquiring entity, subject to the protections of this policy. We will notify you of any such transfer and your options.
7. Where Your Information Is Stored (International Transfers)
Some of our service providers (Stripe, Render, Resend, others) operate primarily in the United States. As a result, your personal information may be processed in or transferred to the United States.
We acknowledge that:
- Once your data is in another country, it is subject to that country's laws, including possible access by foreign government authorities under those laws.
- We use providers that maintain industry-standard security and, where possible, contractual safeguards (e.g., Standard Contractual Clauses or equivalent) to protect transferred data.
- You consent to these international transfers by using the Service.
If you are uncomfortable with international transfers, do not use the Service.
8. How We Protect Your Information
We use commercially reasonable administrative, technical, and physical safeguards to protect personal information against unauthorized access, disclosure, alteration, or destruction:
- Encryption in transit: all communication between your browser and our servers uses TLS (HTTPS).
- Encryption at rest: databases and backups are encrypted using AES-256 or equivalent.
- Access controls: access to production systems is limited to the operator and is protected by multi-factor authentication.
- Password storage: passwords are hashed using argon2id (the OWASP-recommended password hashing algorithm as of 2024); we never store plaintext passwords.
- Logging and monitoring: access to systems is logged; unusual activity is investigated.
- Vendor due diligence: sub-processors are reviewed for security posture before integration.
No system is perfectly secure. If you become aware of a security incident affecting your account, contact our Privacy Officer immediately.
8.1 Support Staff Access to Your Account
To help you when you request support, DealerJet support staff may need to access your account and view your data as you see it. When this happens:
- Access is limited to authorized DealerJet staff and is used only to diagnose and resolve the issue you have raised or a system problem affecting your account.
- Every staff access session is recorded in an audit log with the staff member's identity, the account accessed, and the time.
- Support sessions are read-only by default; a staff member must take a deliberate, separately-logged step to make any change on your behalf, and staff can never change your billing or delete your account through this support access.
- While a support session is active, a clear indicator is present in the account, and the session automatically expires after a short period.
You may ask us for a record of any staff access to your account at any time by contacting our Privacy Officer.
8.2 Data Breach Notification and Recordkeeping
In the event of a security breach involving your personal information, we assess whether it creates a real risk of significant harm (RROSH), the standard under PIPEDA. If it does, we will:
- Notify affected individuals as soon as feasible, describing the breach, the information involved, the steps we have taken, and what you can do to protect yourself.
- Report the breach to the Office of the Privacy Commissioner of Canada (OPC) as required by PIPEDA's mandatory breach notification rules, and notify any other organization or government institution that could reduce the risk of harm.
As required by PIPEDA, we maintain a record of every breach of security safeguards — whether or not it meets the RROSH threshold — and retain those records for at least 24 months. The OPC may request access to these records. Our internal breach-response procedure is documented separately for our operations team.
9. How Long We Keep Your Information
We keep your personal information only as long as necessary for the purposes for which it was collected, or as required by law:
| Data Type | Retention |
|---|---|
| Account and Customer Data | Duration of subscription + 90 days after cancellation, then deleted unless legal hold applies |
| Billing records | Seven (7) years after transaction (Canadian tax law) |
| Security and account event logs (audit logs) | Retained for at least one (1) year for security review, fraud investigation, account recovery, and PIPEDA compliance. Longer retention may apply where ongoing investigation, legal hold, or law enforcement preservation requests require it. |
| Server logs and error reports (application/access logs) | 90 days |
| Marketing email opt-out lists | Indefinitely (to ensure we honour your opt-out) |
| Backup snapshots | Up to 35 days after deletion in primary store |
You may request earlier deletion as described in Section 11.
10. Cookies and Similar Technologies
Our full Cookie Policy lists every cookie the Service sets and why. The short version: we only use strictly necessary cookies (login session, security tokens) — no advertising cookies, no cross-site tracking, no third-party analytics cookies. Because every cookie we set is essential to providing the Service you signed in to, no cookie-consent banner is required under PIPEDA or Quebec Law 25; if we ever introduce non-essential cookies, we will ask for your consent first.
The specific cookies the Service sets in your browser are:
| Cookie | Purpose | Type | Lifetime |
|---|---|---|---|
dj_session |
Authentication session — identifies your logged-in account | Strictly necessary | 90 days idle, 365 days absolute maximum |
dj_csrf |
Cross-Site Request Forgery defense (double-submit token) | Strictly necessary | Browser session |
dj_imper |
Marker indicating an ongoing, audit-logged support-staff impersonation session (used only when our support staff assist with your account; displays a clear banner) | Strictly necessary | 30 minutes |
The DealerJet Chrome extension uses chrome.storage.local and
chrome.storage.session to maintain extension state on your
device only; this data is not transmitted to our servers except
when you initiate an action that requires it.
We do not use third-party advertising cookies and do not participate in cross-site advertising tracking.
You can disable cookies in your browser settings, but doing so will impair your ability to use the Service.
11. Your Rights
Under PIPEDA, you have the following rights with respect to your personal information. Depending on your province of residence, you may have additional rights under provincial privacy law.
11.1 Right to Access
You may request a copy of the personal information we hold about you. We will respond within thirty (30) days at no cost (unless the request is unreasonable, in which case we may charge a reasonable fee with prior notice).
11.2 Right to Correct
If you believe information we hold is inaccurate, you may request correction. You can update most account fields directly via the Settings page; for other data, contact our Privacy Officer.
11.3 Right to Delete (Withdraw Consent)
You may withdraw consent for our use of your personal information at any time, subject to legal or contractual restrictions. In practice, this means closing your account and requesting deletion; note that some data must be retained per the schedule in Section 9 (e.g., billing records for tax purposes).
11.4 Right to Data Portability
You may request an export of your Customer Data in a structured, machine-readable format (JSON or CSV — your choice at the time of request). We will respond within thirty (30) days.
11.5 Right to Complain
If you believe we have not handled your information appropriately, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada:
Office of the Privacy Commissioner of Canada 30 Victoria Street Gatineau, Quebec K1A 1H3 Toll-free: 1-800-282-1376 https://www.priv.gc.ca
We encourage you to contact us first so we can attempt to resolve the issue directly.
11.6 How to Exercise Your Rights
Contact our Privacy Officer at the address in Section 2. We may need to verify your identity before fulfilling certain requests (typically, a recent login from your account email or a brief identity-verification exchange).
12. Children's Privacy
The Service is intended for licensed motor vehicle dealers and is not directed to children. We do not knowingly collect personal information from individuals under 18. If you believe a minor has provided us information, contact our Privacy Officer and we will delete it.
13. Automated Decision-Making and AI
Marketplace descriptions are generated by our own software from your vehicle data and saved settings. No external AI service receives your data today. If we add AI-powered features in the future, we will name the provider in the sub-processor table above and update this policy first. Either way, this is assistive automation, not autonomous decision-making: every generated description is presented to you for review before posting, and you retain full control over what is published.
We do not use automated decision-making for any decisions that materially affect your legal rights (such as account approval, pricing eligibility, or termination).
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date and, if changes are material, notify you by email and/or via the Service at least fourteen (14) days before the change takes effect.
If a change requires fresh consent under PIPEDA (e.g., a new purpose for using your data), we will obtain that consent explicitly before applying the change to you.
15. Provincial Variations
Some Canadian provinces have privacy legislation that overlaps with or supplements PIPEDA:
- Quebec: Loi sur la protection des renseignements personnels dans le secteur privé (Quebec's private sector privacy law, recently amended by Law 25 / Bill 64). If you are a Quebec resident or your dealership operates in Quebec, additional rights and obligations may apply, including expanded data subject rights and mandatory privacy impact assessments for certain activities.
- British Columbia and Alberta: PIPA (Personal Information Protection Act), which applies to provincially-regulated organizations in those provinces.
- Other provinces: PIPEDA generally applies.
This policy is intended to comply with PIPEDA as the federal baseline. Where provincial law grants greater rights, those greater rights apply.
16. Contact
For all privacy-related inquiries, complaints, or requests:
DealerJet — Privacy Officer info@dealerjet.ca 1576 Richmond Street, Unit 12, London, Ontario, N6G 2M6 Canada
For general support: info@dealerjet.ca