Privacy policy

1. Who we are

“bookyoo” designates the quote and invoice service operated by Quintin conseil numérique inc., a company incorporated in Québec, Canada. Address: 800, rue du Square-Victoria, bureau 2624, Montréal (Québec) H3C 0B4, Canada. Data Protection Officer (DPO): privacy@bookyoo.io.

2. What data we collect

Account data

• Email address (required — used as identifier)
• First and last name (optional, provided at creation)
• Preferred language (FR or EN, detected by default)
• Microsoft, Google, or Magic Link authentication identifier (depending on your login choice)

Your company data (“tenant”)

• Legal name, address, logo, tax numbers
• Quotes, invoices, clients, catalogued services you create
• Time tracking: time entries if you use this feature
• Customization settings (colors, conditions, etc.)

Technical data

• Connection IP address (anonymized after 30 days)
• Browser type, operating system
• Pages visited in the app, dates and times (audit logs)
• Technical session cookies only (no advertising, no third-party analytics)

3. Why we use it

Your data is used only to:

• Operate the service (display your quotes, generate PDFs, etc.)
• Authenticate you securely
• Send you emails essential to the service (quote sent confirmation, payment alerts, trial-end notifications)
• Detect and block fraud or abuse of the service
• Improve the product (anonymous aggregates: number of active users, no individual tracking)
• Respond to your support requests

We NEVER use your data to: serve targeted advertising, sell your address to third parties, train AI models, profile your business activity.

4. Where it's stored

All your data is hosted in Canada, in AWS region ca-central-1 (Montréal). It is never transferred outside Canada without your explicit consent.

• Database: AWS RDS Postgres, encrypted at rest (AES-256)
• Backups: automatic daily, retained 7 days, encrypted
• In transit: all exchanges between your browser and bookyoo are encrypted via TLS 1.3
• Multi-tenant isolation: each company's data is isolated by PostgreSQL Row-Level Security — it is technically impossible for another tenant to see your data

5. Who we share it with

Your data is shared only with the following subprocessors, each bound by a data protection agreement:

• Amazon Web Services (AWS Canada): infrastructure hosting (RDS, ECS, S3). ca-central-1 region only. AWS policy.
• Microsoft Azure (Entra ID): authentication if you log in with Microsoft. Data limited to name + email.
• Google Cloud (OAuth): authentication if you log in with Google. Data limited to name + email.
• Stripe (coming soon): subscription payment management. No card data transits through our servers.

We never share your data with third parties for commercial or marketing purposes. No reselling. No data brokers.

6. How long we keep it

• While your account is active: indefinitely (you need it)
• After account closure: 90 days in a recoverable trash, then full deletion
• Backups: 7 days maximum
• Technical audit logs: 12 months
• Financial data (paid invoices): 6 years (Canadian tax obligation)

7. Your rights

Regardless of your location, you have the following rights over your data:

• Right of access: obtain a copy of all data we hold about you
• Right to rectification: correct inaccurate information
• Right to erasure (“right to be forgotten”): request deletion of your account and your data
• Right to portability: export all your data in a standard format (JSON / CSV) — already available in the app via Settings → Exports
• Right to object: refuse certain processing (such as marketing emails — already refused by default with us)
• Right to restriction: request that we temporarily stop processing your data

Specific to Law 25 (Québec residents)

Pursuant to Law 25, you may file a complaint with the Commission d'accès à l'information du Québec (CAI) if you believe your rights have not been respected.

To exercise any of these rights, write to privacy@bookyoo.io. We reply within 30 days maximum (15 days for urgent requests under GDPR).

8. Cookies and trackers

bookyoo uses only essential technical cookies required for the service to work:

• Session cookie (keeps you logged in) — deleted at logout
• Language cookie (remembers FR or EN) — duration 1 year
• Currency / region display cookie (landing) — duration 1 year, localStorage

We do not set any advertising or third-party analytics cookies (Google Analytics, Facebook Pixel, etc.). No consent banner to click — we don't track you.

9. Contact us

For any question about this policy or to exercise your rights:

• Data Protection Officer: privacy@bookyoo.io
• Postal address: Quintin conseil numérique inc. · 800, rue du Square-Victoria, bureau 2624, Montréal (Québec) H3C 0B4, Canada

Changes to this policy: for material changes, we'll notify you by email at least 30 days before implementation. The update date at the top of this page is always current.