ClimateRiskCheck ClimateRiskCheck
Methodology Early Access Get started

Privacy Policy

Last updated: May 2026

What We Collect

When you create an account, we collect:

  • Your email address (used as your account identifier)

When you submit a property address to generate a report, we additionally collect:

  • The address you submit
  • Report generation timestamp

When you use the bulk lookup feature, we additionally collect:

  • All property addresses included in the uploaded CSV file
  • Per-address geocode confidence, risk scores, and report output fields
  • A job identifier and processing timestamps

If you are a pilot programme participant and respond to a feedback survey, we additionally collect:

  • Your survey responses (whether the results would have changed your underwriting decision, an optional 1–5 rating, and optional free-text comments)
  • Response timestamp

We do not collect personal information about property owners or occupants.

How We Use It

We use the submitted address solely to:

  1. Geocode the property and run the climate risk assessment
  2. Generate and store the report (PDF + input parameters + data versions used) for 2 years so you can retrieve it for audit and compliance purposes

For bulk lookups, we additionally use the submitted addresses to process all rows in the uploaded CSV and produce a downloadable ZIP containing individual PDFs and a CSV summary. Bulk job data (addresses, per-row results, and the ZIP file) is retained for a short window only — see Retention and Deletion below.

What We Do Not Do

  • We do not sell, share, or disclose addresses or reports to any third party
  • We do not use submitted addresses to train models or improve algorithms
  • We do not retain individual report data beyond the 2-year audit window, after which reports and associated inputs are permanently deleted. Bulk job data is retained for a much shorter window (48 hours or less — see Retention and Deletion)
  • We do not link property addresses to individual borrowers or applicants

Data Storage and Residency

All data is stored and processed exclusively on AWS infrastructure in the ca-central-1 region (Montreal, Quebec, Canada). Data does not leave Canada.

The ca-central-1 region is a full AWS region with three Availability Zones, providing the resilience and auditability required by OSFI Guideline B-10 (Outsourcing) for federally regulated financial institutions. Lenders subject to OSFI oversight can confirm Canadian data residency at any time upon request.

Third-Party Services and Cross-Border Data Transfers

We use the following third-party services, some of which process data on infrastructure located outside Canada. In each case, only the minimum data necessary is transmitted, and we have taken reasonable steps to ensure comparable privacy protection as required under PIPEDA and Quebec Law 25.

Google Maps Geocoding API

Property addresses submitted for assessment are geocoded using the Google Maps Geocoding API, operated by Google LLC (United States). The address is transmitted solely to resolve a geographic coordinate and is not retained by Google beyond the scope of the API request, per Google's API terms of service.

Resend (Email Delivery)

Account registration emails (containing your API key) are delivered via Resend (Resend Inc., United States). The only personal information transmitted to Resend is your email address. No property addresses, report data, or financial information are processed by Resend. Resend's privacy policy is available at resend.com/legal/privacy-policy.

Stripe (Payment Processing)

Credit purchases are processed by Stripe (Stripe Inc., United States). Payment card data is handled entirely by Stripe and never touches our servers. We transmit your account email to Stripe solely to associate a credit purchase with your account. Stripe's privacy policy is available at stripe.com/en-ca/privacy.

Users who require all data processing to remain within Canada should contact us to discuss alternative arrangements.

Quebec Law 25 Compliance

Our compute and storage infrastructure is physically located in Quebec (AWS ca-central-1, Montreal). As a result, our data processing is subject to Quebec Law 25 (An Act to modernize legislative provisions as regards the protection of personal information) in addition to federal PIPEDA.

In accordance with Law 25:

  • A Privacy Impact Assessment (PIA) has been conducted covering cross-border transfers of personal information to the following US-based processors: Google LLC (geocoding), Resend Inc. (email delivery), and Stripe Inc. (payment processing). The PIA confirms that each transfer is limited to the minimum data necessary, is protected by TLS encryption in transit, and that each processor maintains privacy practices comparable to Quebec Law 25 requirements.
  • We collect the minimum personal information necessary for the service.
  • Personal information is retained only as long as necessary for the purpose for which it was collected, consistent with the Law 25 data minimization principle. Individual report data is retained for 2 years (audit window); bulk lookup data — including uploaded addresses and per-row results — is retained for 48 hours or less and then permanently deleted.

PIPEDA Compliance

We handle personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA). Key commitments:

  • Accountability: We are responsible for all personal information under our control.
  • Limiting collection: We collect only the address and account identifier necessary to deliver the service.
  • Limiting use: Data is used exclusively for report generation and audit retention.
  • Safeguards: TLS 1.2+ in transit; AWS SSE-S3 encryption at rest.
  • Individual access: Account holders may request access to or deletion of their data at any time.

Retention and Deletion

Individual reports: Reports (PDF, input parameters, and data versions used) are retained for 2 years from the date of generation, consistent with typical mortgage file retention requirements.

Bulk lookup jobs: Bulk job data — including the uploaded addresses, per-row results, and the downloadable ZIP file — is retained for a short window only:

  • Jobs that are validated but never submitted for processing are deleted after 24 hours.
  • Completed or failed jobs (including all row data and the ZIP file on S3) are deleted after 48 hours from completion. The presigned download URL also expires at 48 hours.

After expiry, all bulk addresses, row-level results, and the ZIP are permanently deleted from both our database and S3 storage. Individual PDF reports within a bulk job are governed by the 2-year individual report retention policy.

Pilot feedback responses: Survey responses submitted via the feedback form are retained indefinitely for product improvement purposes. They contain no property addresses or financial data. You may request deletion of your feedback response at any time.

You may request deletion of any report, bulk job, or feedback response at any time by contacting us at the email address below. Deletion requests are processed within 30 days.

Security

All data in transit is encrypted via TLS 1.2+. All data at rest is encrypted using AWS S3 server-side encryption (SSE-S3). Access to stored reports is restricted to the account that generated them.

Contact

For privacy-related questions, deletion requests, or to inquire about Canadian-hosted arrangements, contact us at: hello@climateriskcheck.ca

Built on Canadian open government data  ·  AWS ca-central-1  ·  Canadian data residency
Privacy Policy Terms of Service Methodology