Privacy Policy
1. Who We Are
This Privacy Policy describes how Resila Technologies Inc., a corporation incorporated under the laws of Canada ("we," "us," or "our"), collects, uses, discloses, and protects your personal information when you visit our corporate website at resila.com or use our web application TruePick at gettruepick.com (collectively, the "Services").
- Data Controller: Resila Technologies Inc.
- Contact: gavin@resila.ai
- Address: 4605 Boulevard Lapinière, Suite 350, Brossard, QC J4Z 3T5, Canada
2. What Personal Information We Collect
2.1 Information Collected via the Resila Corporate Website
When you visit resila.com, we may collect:
- Contact information you provide through forms (name, email address)
- Technical data automatically collected (IP address, browser type, device information, pages visited)
- Cookie and tracking data (see our Cookie Policy for details)
2.2 Information Collected via TruePick
When you create an account and use TruePick, we collect additional categories of personal information:
2.2.1 Account Information
- Name, email address, and account credentials
- Subscription tier and billing information (processed via Stripe; we do not store full payment card details)
2.2.2 Email and Purchase Data (OAuth Integration)
When you connect your email account via OAuth:
- TruePick accesses your email to identify and extract purchase receipts and transaction data.
- We process email subject lines, sender information, and receipt contents to identify spending patterns.
- We do not read, store, or analyze the content of non-receipt emails.
2.2.3 Self-Reported Psychological and Behavioural Data
IMPORTANT -- Sensitive Information: TruePick collects self-reported information that may include indicators of anxiety, depression, neuroticism, and other psychological or behavioural traits. Under applicable privacy laws (including PIPEDA, Quebec's Law 25, and the CCPA/CPRA), this information may be classified as sensitive personal information. We collect this data solely based on your explicit, informed consent.
- Self-reported mood, anxiety, and depression indicators
- Behavioural patterns and habit-tracking data
- Neuroticism and personality trait self-assessments
2.2.4 Usage and Behavioural Analytics
- In-app actions, feature usage, and interaction patterns
- AI-generated insights and categorizations derived from your data
- Session data, device information, and log files
3. How and Why We Use Your Information
We process your personal information for the following purposes and on the following legal bases:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Account creation and management | Name, email, credentials | Contract performance |
| Providing the TruePick service (purchase tracking, behavioural insights) | Email receipts, self-reported data, behavioural data | Contract performance + Explicit consent (for sensitive data) |
| AI-powered analysis and insights | Purchase data, self-reported psychological data, behavioural data | Explicit consent |
| Subscription and billing | Payment information (via Stripe) | Contract performance |
| Waitlist and newsletter communications | Email address (via Resend) | Consent |
| Website analytics and improvement | Technical data, usage data | Legitimate interest |
| Security and fraud prevention | IP address, account activity logs | Legitimate interest |
| Legal compliance | As required by applicable law | Legal obligation |
4. AI and Automated Processing
TruePick uses artificial intelligence (specifically, OpenAI's language models) to analyze your purchase history, behavioural data, and self-reported psychological information to generate personalized insights, categorizations, and recommendations.
What this means: Your personal data -- including sensitive self-reported mental health indicators -- is processed by third-party AI models to produce insights. While we design these processes to be helpful, AI-generated outputs may be inaccurate or incomplete. They are not medical, psychological, or financial advice.
Your rights regarding automated processing: You have the right to request human review of any significant decision made using automated processing. You may also opt out of AI-powered features while continuing to use core TruePick functionality. Contact us at privacy@resila.com to exercise these rights.
5. Who We Share Your Information With
| Service Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | User authentication and database hosting | Account data, application data | US / Canada |
| OpenAI | AI-powered analysis and insight generation | Purchase data, behavioural data, self-reported psychological data | United States |
| Stripe | Payment processing | Billing and payment information | United States |
| Vercel | Application hosting and deployment | Technical/usage data | United States |
| Render | Application hosting and deployment | Technical/usage data | United States |
| Resend | Waitlist management and email newsletters | Email address | United States |
We do not sell your personal information. We do not share your personal information with third parties for their own marketing purposes.
Note regarding OpenAI: Your data processed through OpenAI's API is subject to OpenAI's data processing terms. As of the date of this policy, OpenAI's API data usage policy states that API inputs and outputs are not used to train their models. We recommend reviewing OpenAI's current privacy documentation independently.
6. International Data Transfers
Your personal information may be transferred to and processed in the United States and/or Canada, depending on the service provider. Canada benefits from an adequacy decision by the European Commission (where applicable). For transfers to the United States, we rely on:
- Standard contractual clauses (where required under applicable law)
- Data processing agreements with each sub-processor
- The service provider's own compliance certifications (e.g., SOC 2, ISO 27001, where available)
7. How Long We Keep Your Data
| Data Category | Retention Period | Justification |
|---|---|---|
| Active account data | Duration of your account | Contract performance |
| Data after account deletion | 30 days (then permanently deleted) | Allowing recovery from accidental deletion |
| Billing and transaction records | 7 years after transaction | Legal obligation (tax and commercial law) |
| Self-reported psychological data | Deleted upon account deletion or upon withdrawal of consent | Consent-based processing |
| AI-generated insights | Deleted upon account deletion | Contract performance |
| Email/purchase data from OAuth | Deleted upon disconnection of email integration or account deletion | Consent / Contract |
| Analytics and log data | 12 months | Legitimate interest |
| Waitlist/newsletter data | Until unsubscription + 30 days | Consent |
8. Your Privacy Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
8.1 All Users
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate personal information.
- Deletion: Request deletion of your personal information, subject to legal retention requirements.
- Withdrawal of Consent: Where processing is based on consent (including for sensitive data), you may withdraw consent at any time. This does not affect the lawfulness of processing prior to withdrawal.
- Data Portability: Request your data in a structured, machine-readable format.
8.2 Canadian Residents (PIPEDA / Quebec Law 25)
- Right to be informed of the existence, use, and disclosure of your personal information
- Right to access and challenge the accuracy of your information
- Right to withdraw consent, subject to legal or contractual restrictions
- Right to file a complaint with the Office of the Privacy Commissioner of Canada or, for Quebec residents, the Commission d'accès à l'information du Québec
8.3 California Residents (CCPA/CPRA)
- Right to know what personal information is collected, used, and disclosed
- Right to delete personal information
- Right to opt out of the sale or sharing of personal information (we do not sell your data)
- Right to limit the use and disclosure of sensitive personal information
- Right to non-discrimination for exercising your privacy rights
Do Not Sell or Share: We do not sell your personal information as defined under the CCPA. We also do not "share" your personal information for cross-context behavioural advertising as defined under the CPRA. Notwithstanding, we provide a "Do Not Sell or Share My Personal Information" link on our websites to facilitate the exercise of this right. If you believe any data practice constitutes a sale or share under the CCPA/CPRA, you may exercise your opt-out right by contacting us at privacy@resila.com or by using the link provided on our website.
Right to Limit Use of Sensitive Personal Information: Under the CPRA, self-reported psychological and behavioural data collected by TruePick may constitute "sensitive personal information." You have the right to limit our use and disclosure of this data to purposes that are necessary to provide the Service. You may exercise this right at any time through your account settings or by contacting us at privacy@resila.com.
Authorized Agents: You may designate an authorized agent to submit CCPA/CPRA requests on your behalf. Authorized agents must provide signed written authorization from the consumer, and we may verify the consumer's identity directly. Authorized agent requests should be submitted to privacy@resila.com with proof of authorization.
Request Metrics: Where required by the CCPA/CPRA, we will disclose in this Privacy Policy (or in an annual update) metrics regarding the number of requests to know, delete, and opt out that we received, complied with, and denied in the preceding calendar year.
8.4 EU/EEA Residents (GDPR)
If you are located in the EU/EEA, you additionally have:
- Right to restriction of processing
- Right to object to processing based on legitimate interests
- Right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects
- Right to lodge a complaint with your local data protection supervisory authority
Automated Decision-Making (Article 22): TruePick uses AI to generate insights from your data. Where this processing produces effects that significantly affect you, you have the right to obtain human intervention, express your point of view, and contest the decision. To request human review of any AI-generated insight or categorization, contact us at privacy@resila.com. You may also disable AI-powered features at any time through your account settings while continuing to use core functionality.
Data Protection Officer: We have assessed whether the appointment of a Data Protection Officer (DPO) is required under Article 37 of the GDPR. Based on the current scale and nature of our processing activities, we have determined that a DPO appointment is not mandatory at this time. This assessment is reviewed annually. Privacy inquiries from EU/EEA residents may be directed to our Privacy Officer at privacy@resila.com.
Records of Processing Activities: We maintain Records of Processing Activities (ROPA) as required by Article 30 of the GDPR. These records document the categories of personal data processed, purposes of processing, categories of recipients, international transfers, and retention periods. A summary of our processing activities is available upon request by contacting privacy@resila.com.
Legitimate Interest Assessments: Where we rely on legitimate interest as a legal basis for processing (including website analytics and security), we have conducted and documented Legitimate Interest Assessments (LIAs) that balance our interests against your rights and freedoms. Copies of relevant LIAs are available upon request by contacting privacy@resila.com.
8.5 How to Exercise Your Rights
To exercise any of these rights, contact us at: privacy@resila.com. We will respond within the timeframe required by applicable law (typically 30 days, or 45 days for CCPA requests).
In-App Consent Withdrawal: Where we process your personal information based on consent (including sensitive psychological data and email integration), you may withdraw your consent at any time through your TruePick account settings. Withdrawal of consent is designed to be as easy as providing it. Upon withdrawal, we will cease the relevant processing and delete the associated data in accordance with our retention schedule. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
Consent for Secondary Uses: We will not use your personal information for purposes materially different from those described in this Privacy Policy without first obtaining your consent. If we wish to use previously collected data for a new purpose, we will notify you and, where required by applicable law (including PIPEDA and Quebec Law 25), seek your additional consent before proceeding.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal information, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Authentication controls and access restrictions
- Regular review of security practices and sub-processor compliance
- Incident response procedures for data breaches
No method of transmission or storage is 100% secure. If you become aware of any unauthorized access to your account, please contact us immediately.
9.1 Data Breach Notification
In the event of a breach of security safeguards involving your personal information that creates a real risk of significant harm, we will notify you and the relevant regulatory authorities in accordance with applicable law. Under Quebec Law 25 (s. 3.5), we will notify the Commission d'accès à l'information du Québec (CAI) and affected individuals without delay. Under the GDPR (Article 33), we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible. Under PIPEDA (s. 10.1), we will report to the Office of the Privacy Commissioner of Canada. We maintain a breach register documenting all incidents involving personal information, including those that do not meet the notification threshold, in compliance with Quebec Law 25 and GDPR Article 33(5). Our Data Breach Response Plan is maintained as a separate internal compliance document.
9.2 International Transfer Safeguards
We have conducted Transfer Impact Assessments (TIAs) for each sub-processor that processes personal information outside of Canada, evaluating the legal framework in the recipient country, the nature of the data transferred, and the supplementary measures in place. These assessments are reviewed annually or when there is a material change in the legal landscape of the recipient country. TIA documentation is maintained internally and is available upon request to regulatory authorities.
9.3 De-identification and Anonymization
Where we use personal information for analytics, service improvement, or research purposes, we apply de-identification or anonymization techniques in accordance with Quebec Law 25 (s. 23) and applicable best practices. De-identified data is subject to technical and administrative controls to prevent re-identification. We do not attempt to re-identify anonymized data, and we contractually prohibit our sub-processors from doing so. Anonymized data that can no longer reasonably be used to identify an individual is not subject to this Privacy Policy.
9.4 Granular Consent for Sensitive Data
In compliance with Quebec Law 25 (s. 12) and the CPRA, consent for the collection and processing of sensitive personal information (including self-reported psychological data) is obtained separately from your general acceptance of these Terms. When you first access TruePick's self-reporting features, you will be presented with a dedicated consent interface that clearly describes the specific categories of sensitive data to be collected, how it will be processed (including AI analysis by OpenAI), your right to decline without losing access to core features, and how to withdraw consent at any time. This consent is recorded and auditable.
10. Children's Privacy
Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us at privacy@resila.com and we will promptly delete it.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by email notification. The "Last Updated" date at the top of this policy indicates when the most recent revisions were made.
Your continued use of our Services after changes are posted constitutes your acceptance of the revised policy.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights:
- Email: privacy@resila.com
- Mail: Resila Technologies Inc., 4605 Boulevard Lapinière, Suite 350, Brossard, QC J4Z 3T5, Canada
- Privacy Officer: Zihao Geng, Director