Privacy Policy
Last updated: May 4, 2026 · Effective immediately
Permit Ready Pros Consulting Inc. ("PRP", "we", "our", "us") is a Toronto-based short-term rental compliance consulting service. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the rights you have over it.
This policy applies to permitreadypros.com, the PRP client portal, the PRP admin dashboard, and any related services. It is written to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and Ontario's privacy framework.
Plain-language summary. We collect what we need to deliver compliance services and get paid. We don't sell your data. We share it only with the platforms that run our service (Supabase, Stripe, Resend, Netlify) and only when legally required. You can ask us to delete it.
1. What we collect
1.1 Account & identity information
- Name, email address, phone number
- Company name (property managers only)
- Authentication credentials (managed via Supabase Auth — passwords are stored hashed, never plaintext)
1.2 Property & compliance information
- Property address, unit, postal code, property type
- City of Toronto STR registration number ("permit number")
- Permit status, expiry date, and history
- Principal residence indicators (host) or owner contact info (property manager)
- 180-night usage tracking (entire-unit rentals)
- Documents you upload (permit certificate, ID, utility bills, MAT receipts, etc.)
1.3 Subscription & billing information
- Plan selected (Basic / Full / Premium for hosts; Starter / Growth / Partner / Enterprise for property managers)
- Subscription status, unit count, billing period
- Payment processor identifiers — Stripe customer ID and subscription ID. We never store your card number, CVV, or full payment details — those live with Stripe.
1.4 Communications
- Emails, support messages, complaint responses, audit findings, MAT-related correspondence
- System-generated notifications (renewal reminders, MAT reminders, etc.)
1.5 Optional: Airbnb / iCal calendar data
If you choose to connect a short-term rental calendar (Airbnb iCal feed) to PRP's stay-tracking feature, we collect:
- The calendar URL you provide (encrypted at rest using AES-256 via pgcrypto)
- Booking date ranges and listing summaries returned by the iCal feed
- Computed booked-night totals against the 180-night cap
We do not use Airbnb's API, scrape your dashboard, or access guest details, payouts, or messages. iCal feeds only contain date ranges and a generic summary line. This feature is opt-in and only available to plans above Basic Compliance.
1.6 Property manager portfolios — third-party owner information
If you are a property manager, you may provide PRP with personal information about the property owners on whose behalf you operate (name, email, phone, property address). You warrant that you have obtained the necessary consent from each owner before sharing their information with us. PRP's confidentiality and protection obligations extend to that owner information.
2. How we use your information
- Service delivery — to provide the compliance services in your selected plan
- Communication — to email reminders, audit findings, and check-ins
- Billing — to charge subscriptions, issue invoices, and manage plan changes via Stripe
- Compliance support — to track 180-night usage, MAT filings, and permit renewal windows
- Aggregated analytics — to improve our service (we never publish identifiable data)
- Legal compliance — to respond to lawful requests from authorities
3. Third-party processors we use
PRP uses the following processors to operate the service. Each is contractually obligated to handle your data only for the purposes we direct and to maintain industry-standard security.
| Processor |
What it does |
Data shared |
Region |
| Supabase |
Database, authentication, document storage |
Account, profile, intake, documents, calendar URLs (encrypted) |
United States |
| Stripe, Inc. |
Subscription billing, payment processing, Customer Portal |
Name, email, billing address, card details (you enter directly into Stripe), subscription metadata |
United States |
| Resend |
Transactional email delivery |
Email address, message content (renewal reminders, MAT correspondence, etc.) |
United States / European Union |
| Netlify |
Website hosting, serverless functions |
Standard web request logs (IP, user agent, request path) |
Global CDN |
City of Toronto
(at your direction) |
MAT remittance confirmation emails (when you trigger them) |
Permit number, property address, MAT amount remitted, payment date — only when you click "I paid the City — log it" |
Canada |
Some processors are located in the United States. By using PRP, you acknowledge that your data may be processed in the U.S. and other jurisdictions, where it is subject to applicable local laws including potential lawful access requests.
4. What we do not share
- We do not sell your information.
- We do not share your information with advertising networks.
- We do not provide your information to other clients (host data is never visible to property managers, and vice versa).
- We do not file MAT returns, submit permit applications, or act as an agent on your behalf with the City of Toronto. Any submission to the City is initiated by you.
5. Data retention
- Active accounts: We retain your data for as long as your account is active.
- Closed accounts: Data is retained for a minimum of two (2) years after service ends, to preserve compliance records that may be required for City inspections, audits, or legal proceedings.
- Billing records: Retained for seven (7) years to comply with Canadian tax recordkeeping requirements.
- Deletion on request: You may request deletion of records that are no longer required by law (see Section 7 below).
6. Security
- All connections to and from PRP use TLS 1.2+ (HTTPS).
- Database access is restricted by row-level security (RLS): you can only see your own records; staff access requires admin-role grants and is logged.
- Documents are stored in private buckets accessible only to you and authorized PRP staff.
- Stored Airbnb iCal URLs are encrypted at rest using symmetric AES-256 (pgcrypto).
- Passwords are hashed by Supabase Auth using bcrypt; we never see or store your plaintext password.
- Card numbers are entered directly into Stripe and never touch our systems.
- Two-factor authentication is supported via Supabase Auth (recommended for all clients).
7. Your rights under PIPEDA
You have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete information
- Withdraw consent for non-essential uses of your information
- Request deletion of information no longer required by law (note: certain compliance records must be retained for the periods listed in Section 5)
- Request a copy of your data in a portable format
- Lodge a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated
To exercise any of these rights, email info@permitreadypros.com from the email address on your account.
8. Cookies & local storage
The PRP portal uses browser local storage to maintain your sign-in session (a JSON Web Token issued by Supabase Auth). We do not use third-party advertising cookies or analytics trackers that share data with marketing networks.
9. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to active clients and posted to this page with an updated effective date. Continued use of PRP services after a change indicates acceptance of the revised policy.
10. Contact
Privacy questions or requests: info@permitreadypros.com
Permit Ready Pros Consulting Inc.
Toronto, Ontario, Canada
permitreadypros.com