Privacy Policy

This Privacy Policy describes how IRCC Vault (“we,” “us,” or “our”) collects, uses, discloses, stores, and protects personal information when you visit https://www.irccvault.com, create an account, use our tools, purchase a membership, contact support, or otherwise interact with IRCC Vault (the “Service”).

We are committed to handling personal information responsibly and in line with applicable Canadian privacy law, including the Personal Information Protection and Electronic Documents Act (PIPEDA), where it applies to our activities.

By using the Service, you acknowledge that you have read this Privacy Policy. If you do not agree, please do not use the Service. Our Terms of Use govern your use of the Service and incorporate this policy by reference.

For the purposes of this policy, the organization responsible for personal information processed through the Service is IRCC Vault, operating the website at irccvault.com.

Privacy inquiries: privacy@irccvault.com
General contact: contact@irccvault.com or the contact form.

This policy applies to personal information we collect through the Service. It does not apply to:

• Third-party websites, government portals (including official IRCC or provincial immigration sites), or services you access via links from our site — those have their own policies.
• Payment card details entered on Stripe-hosted checkout pages, which are processed under Stripe’s privacy policy and PCI standards (we receive limited billing metadata, not full card numbers).
• Information you choose to publish in public forums or social media about IRCC Vault without using our account system.

4.1 Information you provide directly

• Account registration: name, email address, and password (stored in hashed form — we do not store plaintext passwords).
• Profile and application data: information you enter in tools such as the PR Application Tracker, eligibility / CRS-style calculators, NOC Finder queries, Job Duties Analyzer and Generator inputs, Reference Letter Generator inputs, and related saved or prefill data linked to your account.
• Consultant messaging (Elite): messages, attachments metadata, and contact details you send through in-app consultant channels.
• Contact and support: name, email, subject, and message content submitted via our contact form or support email.
• Password reset: email address used to issue reset links (via our email provider).
• Marketing preferences: if you opt in or out of promotional communications where offered.

4.2 Information collected automatically

• Usage and device data: pages viewed, features used, approximate timestamps, browser type, operating system, referring URL, and similar technical logs generated by our hosting and application infrastructure.
• Analytics: when enabled, we may use services such as Google Analytics and Microsoft Clarity to understand aggregate usage (e.g., page views, session duration, interaction patterns). These tools may use cookies or similar technologies as described in Section 9.
• Session and authentication: session tokens and cookies required to keep you signed in and secure the Service.
• Performance monitoring: we may use hosting or application performance tools (e.g., Vercel analytics) to measure reliability and speed.

4.3 Payment and subscription information

Paid memberships (Navigator, Elite) are processed by Stripe. We receive information such as Stripe customer ID, subscription status, plan tier, billing period dates, cancellation flags, and limited payment metadata — not your full payment card number. Stripe’s handling of card data is governed by Stripe’s policies.

4.4 AI and third-party processing of your inputs

Certain features send the text you submit (job descriptions, duty lists, letter prompts, NOC search context, etc.) to AI providers (e.g., OpenAI) to generate outputs. That content may include personal or employer-related information if you include it in your prompts. See Section 6 for how we share data with processors.

We use personal information to:

• Create, authenticate, and manage your account and subscription tier.
• Provide, operate, maintain, and improve the Service and its features.
• Generate AI-assisted outputs you request (NOC suggestions, duty analysis, letters, etc.).
• Store tracker timelines, eligibility prefill, and other workspace data you choose to save.
• Process payments, send receipts, and manage billing lifecycle (renewals, cancellations).
• Respond to contact requests, consultant messages, and support inquiries.
• Send transactional emails (welcome, password reset, subscription confirmations, consultant notification emails where applicable).
• Send marketing or product emails only where permitted by law and your preferences (e.g., discount campaigns to eligible free accounts where configured).
• Monitor security, prevent fraud and abuse, and enforce our Terms of Use.
• Comply with legal obligations and respond to lawful requests.
• Produce aggregated, de-identified statistics (e.g., signup trends) that do not identify you.

Depending on context, we rely on one or more of the following:

• Contract: processing necessary to provide the Service you signed up for or purchased.
• Consent: where required — e.g., optional marketing, non-essential cookies where applicable, or explicit agreement at registration.
• Legitimate interests: securing the Service, improving features, and communicating about your account, balanced against your rights.
• Legal obligation: retaining certain records or responding to valid legal process.

You may withdraw consent for optional processing where withdrawal does not affect core Service delivery. Withdrawing consent for essential processing may require closing your account.

We do not sell your personal information. We share information only as described below with service providers who process data on our behalf under contractual safeguards:

• Hosting and infrastructure (e.g., Vercel) — application delivery, logs, and edge functions.
• Database (e.g., Supabase / PostgreSQL) — account and application data storage.
• Payments (Stripe) — subscription checkout, customer portal, webhooks.
• Email (e.g., Resend) — transactional and campaign email delivery.
• AI (e.g., OpenAI) — processing prompts you submit to AI-powered tools.
• Analytics (e.g., Google Analytics, Microsoft Clarity) — when enabled, aggregate usage measurement.

We may also disclose information:

• To professional advisors (lawyers, accountants) under confidentiality obligations.
• In connection with a merger, acquisition, or asset sale, with notice where required by law.
• When required by law, court order, or government request, or to protect rights, safety, and security of users and the public.

Our service providers may process or store information in Canada, the United States, or other countries where they operate. Those countries may have different privacy laws than your province or country of residence.

Where personal information is transferred outside Canada, we take steps reasonably appropriate to require comparable protection through contractual commitments with processors, consistent with applicable law.

We use cookies and similar technologies for:

• Strictly necessary: authentication, session management, security, and load balancing — required for the Service to function.
• Analytics and performance: understanding how visitors use the site (when analytics scripts are loaded). You may limit tracking via browser settings, ad blockers, or vendor opt-out tools (e.g., Google Analytics opt-out browser add-on).

Most browsers let you refuse or delete cookies. Blocking necessary cookies may prevent sign-in or certain features from working.

We retain personal information only as long as reasonably necessary for the purposes above:

• Account data: for the life of your account and a reasonable period after deletion for backups, disputes, or legal compliance.
• Consultant and contact messages: as needed for support history and operational requirements unless you request earlier deletion where feasible.
• Billing records: as required for tax, accounting, and payment dispute resolution (often several years).
• Server logs: typically rolling retention per hosting provider defaults unless longer retention is needed for security investigations.

We may retain anonymized or aggregated data that no longer identifies you without a defined end date.

We implement administrative, technical, and organizational measures appropriate to the nature of the data we hold, including password hashing, HTTPS encryption in transit, access controls on production systems, and use of reputable infrastructure providers.

No method of transmission or storage is 100% secure. You are responsible for maintaining the confidentiality of your password and for activity under your account. Notify us promptly at privacy@irccvault.com if you suspect unauthorized access.

Subject to applicable law, you may have the right to:

• Access personal information we hold about you.
• Request correction of inaccurate information.
• Request deletion of your account and associated data, subject to legal retention needs.
• Withdraw consent for optional processing where consent is the legal basis.
• Challenge compliance with PIPEDA by contacting us, and if unresolved, the Office of the Privacy Commissioner of Canada.

To exercise these rights, email privacy@irccvault.com from the email address associated with your account. We may need to verify your identity before responding.

You can update much of your workspace data directly in the Service. Subscription management and cancellation are available through Stripe’s customer portal where enabled.

The Service is intended for adults managing their own immigration documentation or related professional use. We do not knowingly collect personal information from children under 16. If you believe a child has provided us information, contact us and we will take steps to delete it.

We may update this Privacy Policy from time to time. We will post the revised version on this page and update the “Last updated” date. Material changes may be communicated by email or in-app notice where appropriate.

Continued use after changes take effect constitutes acceptance of the updated policy.

Questions about this Privacy Policy or our privacy practices: privacy@irccvault.com. General support: Contact form.