1. Information we collect
We collect the minimum data necessary to operate the Service:
- Account information - name, email address, and password (securely stored).
- Uploaded documents - P&ID files you submit for instrument extraction.
- Extraction results - instrument data extracted from your documents, including any corrections you make during review.
- Usage data - pages processed and features used.
- Payment data - processed and stored by our payment processor. We receive only transaction confirmation, customer ID, and purchase amount. We never see or store your card number.
- Technical data - IP address, browser type, and request logs for security and abuse prevention.
- Marketing consent records - if you opt in to promotional communications, we record the date and method of your consent as required by Canadian anti-spam legislation.
2. How we use your data
- Provide the Service - process your P&ID documents, extract instrument data, and generate exports.
- Operate and improve the Service - use information about how you use the Service, such as feature usage patterns, error rates, and performance metrics, to maintain and improve the Service. We do not use uploaded documents or extracted data for service improvement.
- Billing - process payments, manage your drawing balance, and maintain transaction history.
- Communication - send verification emails, processing notifications, and important service updates. Promotional communications are sent only with your express consent.
- Security - detect and prevent fraud, abuse, and unauthorized access.
3. Data retention
- Uploaded files - files are attached to your project and encrypted at rest. When you delete a project, all associated files are permanently removed.
- Extraction results - retained with your project until you delete the project or your account.
- Account data - retained until you delete your account. Upon deletion, all personal data is permanently removed.
- Aggregate accuracy data - de-identified usage statistics may be retained indefinitely for service improvement.
- Server logs - retained temporarily for security and debugging purposes. Older entries are periodically overwritten.
4. Third-party services
We share data only with services necessary to operate. For a detailed list of sub-processors by category, see our Data Processing Agreement.
- Payment processor - processes credit card transactions. Subject to their own privacy policy. We never see or store your card number.
- CDN and security - industry-standard content delivery and DDoS protection services.
- Email delivery - transactional emails are sent through a third-party email service. Your email address is shared only for delivery purposes.
- Cloud hosting - managed cloud infrastructure with encrypted storage.
- Document processing - your uploaded documents are processed by our extraction system to identify and classify engineering data. We do not train artificial intelligence models on your uploaded documents or extracted data. The third-party infrastructure providers we use operate under contractual commitments that prohibit using your content for training their models.
We never sell your personal data to third parties.
5. Data security
- All data encrypted in transit and at rest using industry-standard encryption
- Passwords securely hashed (never stored in plaintext)
- Token-based authentication with automatic rotation
- Rate limiting and account lockout protection
- Role-based access controls: you can only access your own data
- Structured audit logging with request correlation
6. Cookies
We use only essential cookies and browser storage:
- Authentication data - used to keep you signed in across sessions.
- Cookie consent preference - saved to remember your choice.
We do not use tracking cookies, advertising cookies, or sell data to advertisers. We use minimal, cookie-free analytics to understand aggregate usage patterns (page views, not personal data).
7. Canadian privacy rights (PIPEDA)
Tagsight Technologies is a Canadian business subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). We adhere to PIPEDA's ten fair information principles:
- Accountability - Tagsight is responsible for personal information under its control, including information transferred to third-party service providers. For privacy inquiries, contact support@tagsight.io.
- Identifying purposes - we identify the purpose for collecting personal information at or before the time of collection. See Section 2 for our purposes.
- Consent - we obtain meaningful consent for the collection, use, and disclosure of your personal information. For transactional uses (providing the Service), consent is implied through your use of the Service. For marketing communications, we obtain express opt-in consent. You may withdraw consent at any time, subject to legal or contractual restrictions.
- Limiting collection - we collect only the personal information necessary for the purposes identified. We do not collect information indiscriminately.
- Limiting use, disclosure, and retention - personal information is used only for the purposes for which it was collected, unless you consent to other use or as required by law. See Section 3 for retention periods.
- Accuracy - we keep personal information as accurate, complete, and up-to-date as necessary. You can update your name and email through account settings.
- Safeguards - we protect personal information with security safeguards appropriate to the sensitivity of the information. See Section 5 and our Security page for details.
- Openness - this Privacy Policy describes our policies and practices for managing personal information.
- Individual access - upon written request, we will inform you of the existence, use, and disclosure of your personal information and give you access to it. We will respond within 30 days.
- Challenging compliance - you may challenge our compliance with these principles by contacting us. If we cannot resolve your concern, you may file a complaint with the Office of the Privacy Commissioner of Canada.
Breach notification: In the event of a breach of security safeguards involving personal information that creates a real risk of significant harm, we will: (a) notify the Office of the Privacy Commissioner of Canada; (b) notify affected individuals; and (c) keep records of all breaches for at least two years, as required by PIPEDA.
Privacy Commissioner: If you are not satisfied with our response to your privacy concern, you may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca or 1-800-282-1376.
8. European privacy rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):
- Right of access - request a copy of all personal data we hold about you.
- Right to rectification - request correction of inaccurate personal data.
- Right to erasure - request deletion of your account and all associated data.
- Right to data portability - receive your data in a structured, machine-readable format.
- Right to object - object to processing of your data for certain purposes.
- Right to restrict processing - request limitation of how we process your data.
- Right to lodge a complaint - you have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement.
Lawful basis for processing: We process your data based on: (a) contract performance (providing the Service you signed up for); (b) legitimate interests (improving service accuracy, security); and (c) consent (marketing communications).
Breach notification: In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected individuals without undue delay.
Privacy contact: For privacy inquiries and to exercise your data rights, contact privacy@tagsight.io.
Sub-processors: For a list of sub-processors we use (by category), see our Data Processing Agreement.
To exercise any of these rights, contact us at support@tagsight.io. We will respond within 30 days.
9. California privacy rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know - you may request the categories and specific pieces of personal information we have collected about you.
- Right to delete - you may request deletion of your personal information.
- Right to opt-out of sale - we do not sell personal information. There is nothing to opt out of.
- Non-discrimination - we will not discriminate against you for exercising your privacy rights.
Categories of personal information collected:
- Identifiers (name, email, IP address)
- Commercial information (purchase history, drawing balance)
- Internet activity (usage logs, feature interactions)
- Professional information (uploaded engineering documents)
To submit a CCPA request, email support@tagsight.io with the subject "CCPA Request".
10. Children's privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal data, we will take steps to delete it.
11. International data transfers
Your data is processed on servers located in North America. If your data is transferred outside Canada, we ensure appropriate safeguards are in place in accordance with PIPEDA and, for EEA residents, the GDPR (including Standard Contractual Clauses where applicable).
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 14 days before they take effect.
13. Contact
For privacy-related questions or to exercise your data rights:
Email: support@tagsight.io
If you are a Canadian resident and are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca or 1-800-282-1376.