Privacy Policy

This Privacy Policy describes how JAAMM TECH Inc. (“JAAMM TECH”, “we”, “us”) collects, uses, discloses, and safeguards personal information in connection with BayOps, the multi-tenant management application for automotive repair and body shops (the “Service”). We operate in alignment with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to our commercial activities in provinces—including Ontario—where substantially similar provincial law has not been declared applicable. This notice is designed to meet PIPEDA’s expectations for openness, including identifying purposes, consent, accountability, and your access rights. It is not legal advice; obtain independent counsel for your situation.

1. Who this applies to

• Shop users: individuals who sign in with credentials issued to a customer organization (the “tenant”) that subscribes to the Service.
• End customers’ information: your shop may enter personal information about vehicle owners, drivers, insurers, and other parties into BayOps. That processing is primarily directed by the tenant; JAAMM TECH provides the systems and safeguards described here and in your agreement with us.

2. Personal information we process

Depending on how you use BayOps, we may process:

• Account and identity: name, email address, role (e.g. owner, manager, receptionist), organization membership, active status, last login time, optional profile image, and two-factor authentication material when enabled. Sign-in is handled through Keycloak (OpenID Connect); tokens and session attributes are used to secure the application.
• Tenant business data you or your colleagues submit: customer names, phone, email, address, insurance company, policy numbers, vehicle identifiers (including VIN, plate, mileage), quotes, invoices, line items, payments, parts catalog data, PDF URLs, notes, and similar operational records.
• Documents and OCR: files you upload (e.g. licence, insurance, registration) plus derived content such as OCR confidence scores, extracted fields, and truncated raw text when the OCR feature is enabled. Files are stored using the deployment’s configured object storage (e.g. Supabase Storage).
• Communications: when outbound email is enabled, we process recipient addresses, subject lines, HTML bodies, attachment metadata, send status, and optional error messages for delivery logging.
• Audit and security: audit events may include user identifier, timestamps, entity references, change payloads, and, where recorded, IP address and browser user agent.
• Technical data: server and application logs typical for web hosting; rate limiting and request correlation may use identifiers from the request. The Service registers a service worker for PWA behaviour; the app may use browser storage for drafts (e.g. quote drafts) and install-prompt dismissal preferences on the device.
• Optional error reporting: if your deployment sets an error-reporting webhook, uncaught errors may be sent to that endpoint as configured.

3. Purposes

• Provide, operate, and improve BayOps (quotes, invoicing, documents, reports, administration).
• Authenticate users, authorize actions by role, enforce multi-tenant isolation, and meet security needs.
• Maintain records required for business, accounting, and dispute resolution.
• Send operational email initiated by tenants (e.g. invoices) when that feature is used.
• Comply with law, respond to valid legal requests, and protect rights and safety.

4. Consent and withdrawal

By using the Service under a tenant account, you acknowledge that personal information is collected and used as described. Where information is sensitive or the use is not reasonably expected, we rely on meaningful consent (which may be implied in context of employment or contract with your organization). You may withdraw consent where feasible, subject to legal or contractual restrictions; withdrawing may limit access to BayOps. Tenants control much of the data they enter; contact your employer or shop administrator to exercise rights regarding tenant-held records.

5. Disclosure and subprocessors

We may disclose personal information to:

• Identity provider: Keycloak (or equivalent OIDC host) for authentication and token issuance.
• Infrastructure: hosting, database, object storage, and email delivery providers chosen by the deployment (e.g. Vercel, PostgreSQL/Supabase, SMTP relay). Data may be processed in Canada or other jurisdictions where those providers operate; we use contractual and technical measures appropriate to the deployment.
• OCR service: when enabled, document images or extracts may be sent to the configured OCR service for processing.
• Law enforcement or regulators when required by applicable law.

6. Retention

We retain personal information for as long as needed to provide the Service, meet legal, tax, and contract obligations, and resolve disputes. Tenant administrators and your agreement may specify deletion or export expectations; some backups may persist for a limited period after deletion.

7. Security

We implement administrative, technical, and physical safeguards appropriate to the sensitivity of the information, including access controls, encryption in transit for standard HTTPS deployments, tenant isolation in the application design, and audit logging. No method of transmission or storage is completely secure.

8. Access, correction, and challenges

Subject to PIPEDA and your role, you may request access to or correction of personal information we hold about you. For requests, contact: your service agreement or BayOps administrator. We may verify your identity and redirect tenant-held operational data requests to your organization where appropriate.

9. Complaints (Canada)

You may file a complaint concerning our privacy practices with the Office of the Privacy Commissioner of Canada (OPC). See Contact the OPC.

10. Ontario and commercial email

For Ontario-based organizations, PIPEDA generally governs our collection, use, and disclosure of personal information in the course of commercial activities as described by the OPC. Commercial electronic messages sent through BayOps should comply with Canada’s anti-spam rules (CASL); tenants are responsible for consent and content for messages they initiate to their customers.

11. Changes

We may update this policy from time to time. The “Last updated” date reflects material revisions. Continued use of the Service after changes become effective constitutes acceptance where permitted by law.

12. Contact

JAAMM TECH Inc. — Privacy-related inquiries: use the contact details in your agreement or your BayOps administrator.