A short, plain-language privacy notice.

Who this applies to

This privacy notice describes how SupaCorp ("we", "us") handles personal information when a Canadian law firm uses the SupaCorp entity management platform. It applies to firm users (lawyers and staff), and to the limited personal information about clients that flows through intake forms, generated documents, and corporate records the firm chooses to manage with us.

What we collect

We collect information firms provide directly: account details (name, work email, role), entity records (corporations, directors, shareholders, addresses), generated documents, intake responses from clients invited by the firm, and integration tokens for tools like Microsoft 365, Actionstep, Clio, QuickBooks, and Cosmolex. We also collect operational telemetry needed to run the service: authentication events, error logs, and the activity log a firm sees inside the product.

How we use information

We use information to operate the platform for the firm: to render the firm's records, generate documents, route intake submissions, send required emails, and support the firm. We do not sell personal information. We do not use a firm's data to train machine learning models, and we do not aggregate one firm's data to improve products for another firm.

Where data lives

Data is stored in Supabase Postgres with row-level security keyed to your organization, and in object storage with the same isolation. Backups are encrypted. Production data is hosted in Canada and the United States by our cloud providers. TLS is enforced for all transport.

Confidentiality and legal privilege

We treat the contents of corporate records, intake submissions, and generated documents as confidential. SupaCorp staff do not access firm data except where strictly required to provide support, investigate a security event, or comply with a lawful order, and only with the level of access the task requires.

Sharing with sub-processors

We use a small set of sub-processors to deliver the service: Supabase (database and storage), Vercel (hosting), and email/identity providers required for authentication and notifications. Each sub-processor is bound by a written agreement that includes confidentiality and security obligations. A current list is available on request.

Retention and deletion

We retain firm data for as long as the firm has an active subscription. On termination, the firm can export entity records and minute books. After a wind-down period, firm data is deleted from production systems; routine encrypted backups age out within 30 days.

Your rights

Individuals whose personal information is in the system (firm users and intake respondents) can request access, correction, or deletion of their personal information by contacting the firm that operates the workspace, or by contacting SupaCorp directly. We will respond within timelines required by Canadian privacy law (PIPEDA and applicable provincial statutes).

Security incidents

If we become aware of a material security incident affecting your data, we will notify the firm without undue delay, share what we know, and cooperate on response. Our security posture is described on the Security page.

Changes

We will update this page when our practices materially change and post the effective date below. For ongoing engagements, material changes will also be communicated to firm administrators by email.

Contact

Privacy questions and requests can be sent through the Contact page or to privacy@supacorp.ca. We will respond within five business days.

This notice is informational and does not by itself create a contract. Firms with enterprise privacy requirements can request our standard data processing agreement.