CARDAPS Privacy Policy

We rely on your consent to collect, use, retain, and share your Personal Information. This Privacy Policy outlines your options, where available, to refuse or withdraw your consent. You agree to this Privacy Policy when you: - Use our website at cardaps.ca and any associated applications (the "Platform"); - Create an account or register as a dealer; - Submit a vehicle for valuation, scoring, or lead generation; - Subscribe to any CARDAPS service or plan; - Otherwise interact with us. This Privacy Policy applies: - When you begin a relationship with us; - During the course of our relationship; and - For a period of time after the end of our relationship. We do not collect Personal Information from individuals under the age of 14 without a parent's express and verified consent. Users must be the age of majority in their province to create an account.

We may collect the following Personal Information depending on how you use our Platform: Account Information: - Name, email address, phone number; - Password (stored encrypted, never in plain text); - Business name and dealer license number (for dealer accounts); - Province and postal code. - Subscription tier and status (used to determine whether advertising is displayed on your account). Vehicle Information: - Vehicle Identification Number (VIN); - Year, make, model, trim, style; - Kilometers, condition details (paint, bodywork, accident history); - Valuation estimates and scoring data. Seller Lead Information (when you submit a vehicle for dealer offers): - Your name, phone number, email, and postal code; - Vehicle details and condition assessment; - Consent records and submission timestamps. Transaction Information: - Subscription plan, payment method (processed by Stripe; we do not store full card numbers); - Credit purchases, lookup history; - Billing address. Automated Information: - IP address, browser type, device type; - Pages visited, time spent, interaction patterns; - Cookies and similar technologies (see Section 5); - For free-tier visitors who consent to advertising: identifiers used by Google AdSense, Meta Pixel, and Google Ads to deliver and measure ads (see Section 5 for details).

We use your Personal Information to deliver and manage our products and services. Specifically, we use it to: - Provide vehicle valuations, scoring, and market intelligence; - Share Seller Leads with Participating Dealers in your area (only when you submit a Seller Lead and consent to be contacted); - Process subscriptions, payments, and credit purchases via Stripe; - Authenticate your account and maintain security; - Send transactional communications (account confirmations, password resets, subscription updates); - Improve our algorithms, scoring models, and Platform features; - Generate anonymized and aggregated analytics for market research; - Display advertising on free-tier visits to users who consent to advertising cookies, and ensure no advertising is shown to paid subscribers (see Section 5); - Measure the effectiveness of any Cardaps advertising we run on Google Search, the Google Display Network, Facebook, and Instagram (only when free-tier users consent to advertising cookies); - Comply with applicable legal requirements, including tax and regulatory obligations; - Contact you by email regarding your account or services. Marketing emails are sent only with your express opt-in consent. We will never sell, rent, or trade your Personal Information to third parties for their marketing purposes.

When you submit a vehicle through our Seller Lead Program (via the Price Estimator), the following additional data handling applies: What we share with Participating Dealers: - Your name, phone number, email address, and postal code; - Vehicle details: VIN, year, make, model, trim, kilometers; - Condition assessment: paint, bodywork, accident history; - CARDAPS valuation estimate. This information is shared only with licensed Participating Dealers in your geographic area, and only when you have provided express consent by checking the required consent checkbox and agreeing to the Seller Lead Program Terms. Participating Dealers are independently owned businesses. They are not owned by, operated by, or affiliated with CARDAPS. Once your information is shared with a Participating Dealer, their use of your information is governed by their own privacy policies. You may withdraw consent for dealer contact at any time by emailing privacy@cardaps.ca. Note that withdrawing consent will not affect information already shared with dealers who have received your lead. Seller Lead data is retained for 24 months, then anonymized or deleted. Consent records are retained for 36 months for compliance purposes.

Cookies and similar technologies help Cardaps operate the Platform, remember your preferences, understand how visitors use our services, and (for free-tier users) deliver advertising that supports the free version of Cardaps. We use three categories of cookies, each with different rules around your consent: - Essential cookies, which the Platform cannot function without; - Analytics cookies, which help us understand and improve the Platform; and - Advertising cookies, which are only used for free-tier visitors and never on accounts with an active paid subscription. You can review and change your choices at any time through our cookie preferences (link in the page footer) or through your browser settings. Withdrawing consent is straightforward and does not affect your access to the Platform. Essential cookies (no consent required): These cookies are necessary for the Platform to function and cannot be disabled. They include: - Session management and authentication; - Language preference (English/French); - Subscription tier identification (used to determine whether advertising is displayed); - Security and fraud prevention. Because these cookies are strictly necessary to provide the service you requested, your consent is not required under applicable privacy laws. Analytics cookies (consent required): With your consent, we use Google Analytics 4 to understand how visitors interact with the Platform. This helps us: - Identify which features are most useful; - Diagnose performance issues and bugs; - Improve the Platform over time. Google Analytics processes data on our behalf as a data processor; we have configured it with IP anonymization and without ad personalization signals. Aggregated analytics data does not identify individual users. You can decline analytics cookies through our cookie preferences without affecting your access to the Platform. To learn more about how Google handles this data, see Google's privacy policy at policies.google.com/privacy and Google's cookies policy at policies.google.com/technologies/cookies. Advertising cookies (free-tier users only, consent required): We support the free version of Cardaps in part through advertising. If you visit Cardaps without an active paid subscription and consent to advertising cookies, we work with three advertising partners who help us display and measure ads: - Google AdSense - displays third-party ads on Cardaps pages; - Meta (Facebook) Pixel - helps us measure the effectiveness of any Cardaps advertising we run on Facebook and Instagram, and may show you Cardaps ads on those platforms; - Google Ads - helps us measure the effectiveness of any Cardaps advertising we run through Google Search and the Google Display Network. When advertising cookies are active, these partners receive the following information about your visit: - Your IP address (which approximates your general location); - Your device and browser type, screen size, and operating system; - The pages you visit on Cardaps and the time spent on each; - The website you came from before reaching Cardaps; - For Meta and Google: a unique identifier that allows them to recognize your browser across other sites where their tools are installed. By default, these partners use this information to show you personalized ads on Cardaps and elsewhere - meaning ads matched to your inferred interests, not just the page you are currently viewing. You can opt down to non-personalized ads at any time through our cookie preferences; you will still see ads, but they will be based only on the content of the page you are viewing. Cardaps never shares your name, email address, phone number, payment details, or any vehicle history report data with our advertising partners. Advertising cookies are not set on any account with an active paid subscription, regardless of consent settings. You can withdraw consent at any time through our cookie preferences. For technical details on how each partner uses this data: - Google AdSense and Google Ads: policies.google.com/technologies/partner-sites - Meta Pixel: www.facebook.com/privacy/policy Subscription tiers and advertising: The privacy distinctions described above are not just preferences - they are commitments that Cardaps enforces automatically based on your subscription status. Paid subscribers (Starter, Pro, and Enterprise plans) do not have advertising cookies set on their accounts under any circumstances, even if they consent to them in error. This applies once your subscription is active and continues for the full duration of any active subscription. If your subscription ends or lapses, advertising cookies may resume on your account only after you separately consent to them through our cookie preferences. Managing your cookie preferences: You have two ways to control cookies on Cardaps: 1. Cookie preferences (recommended): Use the "Cookie preferences" link in the page footer to review your current choices, accept or decline each category, and withdraw consent at any time. Your choices take effect immediately. 2. Browser settings: Most browsers let you block, delete, or notify you about cookies through their privacy settings. Browser-level controls apply to all websites, not just Cardaps. Note that blocking essential cookies will prevent the Platform from functioning. Withdrawing consent does not delete data that was collected before you withdrew - but no further data will be collected through the affected cookies after you withdraw. To request deletion of data already collected, see Section 9 (Your Rights). If you never make a choice, we default to the minimum needed to operate the Platform: essential cookies only. Analytics and advertising cookies require an affirmative consent action.

We may disclose your Personal Information to: Service Providers: - Stripe (payment processing) - governed by Stripe's privacy policy; - Supabase (database hosting) - data stored in Canada/US; - Email service providers (transactional emails only); - Google LLC (Google AdSense, Google Ads, Google Analytics 4) - processes data on our behalf for advertising and analytics, only for users who consent to the relevant cookies; - Meta Platforms, Inc. (Facebook Pixel) - processes data on our behalf for advertising, only for free-tier users who consent to advertising cookies. Participating Dealers: - Only when you submit a Seller Lead and provide express consent; - Limited to the information described in Section 4. Legal Requirements: - If required by law, court order, or regulatory authority; - To protect our legal rights or the safety of our users; - To investigate fraud or security incidents. Corporate Transactions: - If CARDAPS is involved in a merger, acquisition, or sale of assets, your Personal Information may be transferred to the acquiring entity. We will notify you and provide options before any such transfer. International Data Transfers: Some service providers process data outside Canada. Specifically: - Stripe and Supabase may process data in the United States; - Google operates globally and may process data in any country where it operates; - Meta processes data primarily in the United States. These transfers are governed by data processing agreements and applicable safeguards. See Section 10 for Quebec-specific provisions on cross-border data. We do not disclose Personal Information to: - Data brokers; - Any party for marketing purposes without your express consent. Our advertising partners (Google and Meta) receive limited data as described in Section 5 to display and measure ads on our behalf - this does not constitute selling, renting, or trading your information.

We implement industry-standard security measures to protect your Personal Information: - All data transmitted between your browser and our servers is encrypted using TLS/SSL; - Passwords are hashed using bcrypt (never stored in plain text); - Payment information is processed by Stripe (PCI DSS Level 1 compliant) and never touches our servers; - Database access is restricted by row-level security policies; - Employee access to Personal Information is limited to those who require it; - We conduct regular security reviews of our infrastructure. No system is 100% secure. While we take reasonable precautions, we cannot guarantee absolute security of your data. If we become aware of a security breach affecting your Personal Information, we will notify you and the appropriate regulatory authorities as required by law.

We retain your Personal Information only as long as necessary for the purposes described in this policy: - Active accounts: Information retained while your account is active; - Deleted accounts: Personal information deleted within 90 days of account deletion, except as required by law; - Seller Leads: Retained for 24 months, then anonymized or deleted; - Consent records: Retained for 36 months for CASL/Law 25 compliance; - Transaction records: Retained for 7 years as required by tax law; - Anonymized data: May be retained indefinitely for analytics and research. When we no longer need your Personal Information, we securely destroy, delete, or anonymize it.

You have the following rights regarding your Personal Information: Right of Access: You may request a copy of the Personal Information we hold about you. Right to Correction: You may request correction of inaccurate or incomplete information. Right to Deletion: You may request deletion of your Personal Information, subject to legal retention requirements (e.g., tax records). Right to Withdraw Consent: You may withdraw consent at any time for: - Marketing communications - click the unsubscribe link in any email, or contact us; - Advertising cookies - use our cookie preferences (link in page footer) to decline or revoke consent; - Analytics cookies - use our cookie preferences (link in page footer) to decline or revoke consent; - Seller Lead Program dealer contact - email privacy@cardaps.ca (note: information already shared with dealers will remain with them). Withdrawing consent for non-essential cookies does not affect your access to the Platform. Withdrawing consent for marketing communications may affect your ability to receive certain updates. Right to Data Portability: You may request your Personal Information in a structured, commonly used format (e.g., CSV, JSON). Right to Opt Out of Ad Personalization: If you are a free-tier user and you have consented to advertising cookies, you may opt out of personalized ads through our cookie preferences. You will still see advertising, but it will be based only on the content of the page you are viewing rather than your inferred interests. Paid subscribers do not see advertising and therefore this right does not apply. Right to File a Complaint: You may file a complaint with: - The Office of the Privacy Commissioner of Canada (priv.gc.ca); - The Commission d'acces a l'information du Quebec (cai.gouv.qc.ca) for Quebec residents. To exercise any of these rights, contact: privacy@cardaps.ca We will respond to access and deletion requests within 30 days.

For residents of Quebec, the following additional provisions apply: Language: In accordance with the Charter of the French Language (Bill 96), this Privacy Policy is available in both French and English. In the event of any discrepancy between the English and French versions, the French version shall prevail for Quebec residents. Privacy Officer: CARDAPS has designated a Privacy Officer responsible for ensuring compliance with Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25 / Bill 64). The Privacy Officer can be reached at privacy@cardaps.ca. Privacy Impact Assessments: We conduct privacy impact assessments before implementing new features or services that involve the collection of Personal Information, as required by Law 25. Incident Response: In the event of a confidentiality incident (data breach) that presents a risk of serious injury, we will: - Notify the Commission d'acces a l'information du Quebec; - Notify affected individuals; - Take measures to reduce the risk of harm. Automated Decision-Making: We use automated systems in two ways that may affect you: 1. Vehicle scoring and valuation: Our algorithms produce scores, valuations, and risk assessments based on vehicle data. We will inform you when a decision affecting you was made by automated means, and you may request a review of the decision by a human. 2. Ad personalization (free-tier users who consent to advertising cookies): Google and Meta use automated systems to select which ads to show you based on your inferred interests. You have the right to opt out of personalized advertising through our cookie preferences while continuing to receive non-personalized ads. See Section 9 (Right to Opt Out of Ad Personalization). You may request a copy of the criteria used in any automated decision affecting you by contacting privacy@cardaps.ca. Cross-Border Transfers: Several of our service providers process data outside Quebec, including outside Canada: - Stripe (payment processing) - United States; - Supabase (database hosting) - United States or Canada depending on infrastructure region; - Google LLC (AdSense, Ads, Analytics) - United States and other countries where Google operates; - Meta Platforms, Inc. (Facebook Pixel) - United States. Before transferring Personal Information outside Quebec, Cardaps assesses whether the receiving jurisdiction provides adequate privacy protection. We rely on contractual data processing agreements with each provider that include obligations equivalent to those required by Law 25. You may request information about specific cross-border transfers affecting your data by contacting privacy@cardaps.ca.

We comply with Canada's Anti-Spam Legislation (CASL). We will only send you commercial electronic messages (marketing emails) if you have provided express opt-in consent. Transactional messages (account confirmations, password resets, subscription updates, Seller Lead notifications) are exempt from CASL consent requirements as they relate directly to a service you have requested. Every marketing email includes: - Clear identification of CARDAPS as the sender; - Our contact information; - A functional unsubscribe mechanism. We honor unsubscribe requests within 10 business days.

The Platform may contain links to third-party websites and services, including: - Carfax Canada (carfax.ca) - ClearVin (clearvin.com) - Government databases (NHTSA, Transport Canada, SAAQ) - Stripe payment portal We do not control these third-party services and are not responsible for their privacy practices. We encourage you to read their privacy policies before providing any Personal Information.

The Platform is not directed at children under the age of 14. We do not knowingly collect Personal Information from children under 14. If we learn that we have collected information from a child under 14 without parental consent, we will delete it promptly. Users must be the age of majority in their province of residence to create an account or submit a Seller Lead.

We may update this Privacy Policy from time to time. When we make material changes, we will: - Update the "Last Updated" date at the top of this page; - Post a notice on the Platform; - Send an email notification to registered users if the changes materially affect how we handle Personal Information. Your continued use of the Platform after changes are posted constitutes your acceptance of the updated policy.

If you have questions about this Privacy Policy, want to exercise your rights, or wish to file a complaint, please contact us: CARDAPS Technologies Inc. Privacy Officer Email: privacy@cardaps.ca Customer Support: support@cardaps.ca Website: cardaps.ca