Privacy Policy

1. Who we are

The data controller is Incentv Technologies Inc., 14th Floor, 555 Burrard St, Vancouver, BC V7X 1M8, Canada. For any privacy-related question or to exercise your rights, contact us at privacy@capy.sc. Our Privacy Officer is responsible for our privacy program and can be reached at the same address.

2. Personal data we collect

We collect the following categories of personal data:

• Account data: email address, authentication identifiers, and, where applicable, name and organization.
• Billing data: billing address, tax identifiers, and payment details. Card numbers are collected and stored by our payment processor (Stripe); we do not receive or store full card numbers.
• Service usage data: API requests, feature interactions, and audit logs.
• Device and technical data: IP address, browser type, operating system, device identifiers, referring URLs, and pages viewed.
• Website analytics data: events, session replays, and user-journey information collected via Amplitude and PostHog when you browse our website. We do not run these analytics or session-replay technologies inside the product itself.
• Communications: emails you send us and support requests.

We do not intentionally collect special category data (e.g., health, biometrics, political opinions) and ask that you not submit it.

Data minimization and privacy by default. We collect only the personal data we need to provide and secure the Service. Where collection or processing is optional, it is turned off by default and enabled only by your explicit choice. The secret values you store with Capy are encrypted before they leave your device and remain encrypted within the Service; we do not receive or retain your secret values in plaintext.

3. How and why we use your data (legal bases)

Under the EU/UK GDPR we rely on the following legal bases:

• Contract (Art. 6(1)(b)): to create and operate your account, authenticate you, process payments, and deliver the Service.
• Legitimate interests (Art. 6(1)(f)): to secure the Service, prevent fraud and abuse, maintain audit logs, troubleshoot, improve the Service, and conduct analytics. You may object at any time.
• Consent (Art. 6(1)(a)): for non-essential cookies and similar technologies and for optional marketing communications. You may withdraw consent at any time.
• Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, and other applicable laws.

Consent and marketing.Where we rely on consent — for example, your cookie choices on our website — we obtain and honor it before the relevant processing. We do not send marketing emails to Service account holders. If we offer optional marketing communications (for example, to people who sign up through our website), we will send them only with your separate, express opt-in; such consent is optional, is never a condition of using the Service, and you can withdraw it at any time. We do not sell your personal information and do not share it for cross-context behavioral advertising.

4. Cookies and similar technologies

We use a small number of cookies and browser storage mechanisms. Strictly necessary cookies are required to authenticate you and secure your session and do not require consent. Analytics technologies (Amplitude, PostHog) on our website help us understand how the website is used; we do not use them inside the product. A banner on the site lets you accept or reject non-essential cookies; your choice is stored locally in your browser. You can change your choice at any time by clearing your browser storage for capy.sc, which will redisplay the banner.

5. Service providers, subprocessors, and international transfers

We share personal data with the following processors and subprocessors, who act only on our documented instructions:

• Amazon Web Services, Inc.— cloud infrastructure and encrypted storage for the Service.
• WorkOS, Inc.— authentication and identity management.
• Vercel Inc.— website hosting and content delivery.
• Stripe, Inc.— payment processing.
• Resend Inc.— transactional email delivery.
• Amplitude, Inc.— website analytics and session replay.
• PostHog Inc.— website analytics.

We enter into data processing agreements with our subprocessors that require them to implement appropriate technical and organizational measures and to handle personal data in line with this policy and our security and confidentiality requirements. We maintain a current list of subprocessors and will notify customers of any intended additions or replacements of subprocessors that process personal data, giving you an opportunity to object before the change takes effect. We do not otherwise disclose your personal data to third parties except where required by law; where we receive a legally binding request to disclose personal data, we will notify you unless we are prohibited from doing so, and we maintain records of such disclosures.

Because Capy operates from Canada and uses U.S.-based processors, your data may be transferred to and processed in Canada, the United States, and other countries. Where data is transferred out of the EEA or UK, we rely on adequacy decisions (e.g., the Canadian adequacy decision and the EU-U.S. Data Privacy Framework where applicable) or on Standard Contractual Clauses together with supplementary measures.

6. Data retention and disposal

We retain personal data for as long as your account is active, as necessary to provide the Service, and as required to comply with our legal obligations, resolve disputes, and enforce our agreements. Authentication identifiers such as your email are retained for the life of your account. Billing records are retained for the period required by tax and accounting law (typically six to seven years). Audit logs are retained for security and compliance purposes. When you delete your account or we no longer need your personal data, we delete or de-identify it from our production systems within a reasonable period, instruct our subprocessors to do the same, and retain only what we are required or permitted by law to keep. Backup copies containing deleted data age out on our standard backup cycle.

7. Your privacy rights

Depending on where you live, you may have the right to:

• access the personal data we hold about you;
• request correction, deletion, or restriction of your personal data;
• object to processing based on our legitimate interests, including profiling, and to the processing of your personal data for direct marketing;
• port your personal data to another controller in a structured, machine-readable format;
• withdraw your consent at any time;
• lodge a complaint with a supervisory authority (in the EEA, your local Data Protection Authority; in the UK, the Information Commissioner’s Office; in Canada, the Office of the Privacy Commissioner).

California residents have additional rights under the CCPA/CPRA, including the right to know what personal information we collect, request deletion or correction, opt out of any sale or sharing of personal information (we do not sell personal information and do not share it for cross-context behavioral advertising), limit the use of sensitive personal information, and not be discriminated against for exercising these rights. Brazilian residents have equivalent rights under the LGPD.

How to exercise your rights.You can manage your billing details through our billing provider’s customer portal, linked from the product. To access a copy of your personal data, or to correct, delete, port, restrict, or object to the processing of it, email privacy@capy.sc and we will handle your request. We will confirm receipt of your request and respond within the timeframes required by applicable law (generally within 30 to 45 days, with an extension where permitted). To protect your data, we take reasonable steps to verify your identity before acting on a request; if you use an authorized agent, we may ask the agent for proof of authorization and may confirm the request directly with you. If we cannot verify your identity or an agent’s authorization, we will let you know and may decline the request. We keep a record of the privacy requests we receive and how we responded. There is no charge to exercise your rights, and we will not discriminate against you for doing so.

8. Data accuracy and your responsibilities

We take reasonable steps to keep the personal data we hold accurate and up to date for the purposes for which it is used. You can help by keeping your account information current and by correcting it in your account settings or by contacting us. If you tell us that personal data is inaccurate or incomplete, we will correct or update it without undue delay.

9. Security

We implement technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit and at rest, end-to-end encryption of the secret values you store (so that they are never available to us in plaintext), access controls based on least privilege and need-to-know, audit logging, continuous security monitoring, vendor due diligence, and a documented information security program that is reviewed regularly. No method of transmission or storage is entirely secure, and we cannot guarantee absolute security.

10. Personal data breaches

We maintain procedures to detect, investigate, and respond to personal data breaches, and we document the facts, effects, and remedial actions for any breach. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the affected individuals and the relevant supervisory authorities within the timeframes required by applicable law, and we will notify affected customers in accordance with our agreements.

11. Children

The Service is available to users of all ages. We do not knowingly target children with advertising and do not knowingly process special category data relating to children. If you are under the age of 16 (or the applicable age of digital consent in your jurisdiction), please ensure a parent or legal guardian is aware of your use of the Service and has consented on your behalf where required. Parents or guardians who believe their child has provided us with personal data without appropriate consent may contact privacy@capy.sc to request deletion.

12. Automated decision-making

We do not use your personal data to make decisions that produce legal or similarly significant effects about you by solely automated means.

13. How we monitor, enforce, and review this policy

Our Privacy Officer is responsible for our privacy program and for monitoring compliance with this policy. We review this Privacy Policy at least annually, and whenever our practices change, to confirm it remains accurate and suitable. The “Last updated” date above reflects the most recent review. If we intend to use personal data for new purposes not described here, we will update this policy and, where required, obtain your consent or provide notice before doing so.

14. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will revise the “Last updated” date at the top and, where required, notify you by email or through the Service.

15. Contact

Incentv Technologies Inc.
14th Floor, 555 Burrard St, Vancouver, BC V7X 1M8, Canada
Email: privacy@capy.sc