Stiple Privacy Policy

This Privacy Policy ("Policy") describes how Stiple Inc. ("Stiple," "we," "us," or "our"), a corporation incorporated under the laws of Canada with its head office in Stouffville, Ontario, collects, uses, discloses, and protects personal information across our platforms and services.

This is our umbrella Privacy Policy. It applies to the personal-information practices that are common across all of Stiple's products and websites, including:

• stiple.ca — our corporate website
• Stiple Labs — our browser-based geospatial data platform
• Mapdesk — our field surveying and mapping platform
• Future products and services, including SOS (Smart Optimized Storage), our NTRIP services, and platform plugins (collectively with the above, the "Services")

Product-specific detail lives in the annexes. Because each product handles data a little differently, the detailed, product-specific practices are set out in separate Privacy Annexes that supplement this umbrella policy. The current annexes are the Mapdesk Privacy Annex (stiple.ca/legal/mapdesk-privacy) and the Stiple Labs Privacy Annex (stiple.ca/legal/labs-privacy). Read the umbrella and the relevant annex together. If a product-specific matter is addressed differently in an annex, the annex controls for that product.

We are committed to protecting your privacy and handling your personal information responsibly. As a people-over-profit company, we believe transparency about data practices is not optional — it is fundamental to the trust our users place in us.

Across the Services, we process the following broad categories of personal information. The exact items collected by a given product, and how, are described in that product's Privacy Annex.

2.1 Information You Provide

• Account and identity information — such as your name, email address, organization, role, and password (always stored in hashed form; we never store plaintext passwords).
• Profile information — optional details you choose to add, such as a profile photo or phone number.
• Billing information — where a product is paid, billing details are collected and processed by our payment sub-processor. Stiple does not store full payment-card numbers on its servers.
• Communications — the content of support requests, emails, and feedback you send us, together with your contact details.

2.2 Information Collected Automatically

• Log and device information — such as IP address, browser or app version, operating system, and timestamps, recorded by our servers when you use the Services.
• Usage information — how you interact with a product, where that product collects it. Product-specific analytics practices (including any product that collects no analytics at all) are stated in the relevant annex.
• Cookies and similar technologies — used on our web properties as described in Section 11 and our Cookie Policy.

2.3 Information from Third Parties

When you sign in, our authentication sub-processor provides us with basic identity information (such as your name and email address) and, where applicable, your profile photo. Our payment sub-processor provides transaction confirmation details (for example, whether a payment succeeded and the billing address). We receive only what is necessary and only what you authorize. The identity of our current sub-processors is maintained on our Sub-Processor List (see Section 5).

We use the personal information we collect for the following purposes:

• Provide and maintain the Services — to operate our platforms, manage your account, and deliver the features you use.
• Process transactions — to process payments, send confirmations, and manage subscriptions for paid products.
• Send service-related communications — to send account notices, security alerts, and technical updates. We do not send marketing communications without your consent.
• Improve and develop the platform — to understand usage, diagnose problems, and build new features, using aggregated or anonymized data where possible. We do not derive analytics from the content of your uploaded datasets.
• Ensure security and prevent fraud — to protect the integrity of our Services and investigate potential violations of our Terms of Service.
• Comply with legal obligations — to meet applicable laws, regulations, and lawful requests.

3.1 Consent Posture & Lawful Bases

Under PIPEDA and Quebec's Law 25, we collect, use, and disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances, and we rely on the following bases:

• Consent — when you create an account and use the Services, you consent to the processing described in this Policy and the relevant annex. Consent is obtained at or before the time of collection, in clear terms, and may be withdrawn (subject to legal or contractual limits and reasonable notice).
• Performance of our agreement with you — processing necessary to provide the Services you have requested.
• Legitimate operational purposes permitted by law — such as security, fraud prevention, and maintaining service integrity.
• Legal obligation — processing required by applicable Canadian law.

For any processing that requires express consent under Law 25 or PIPEDA — for example, the use of non-essential analytics cookies for Quebec users — we obtain that consent before the processing begins.

3.2 Automated Decision-Making

Stiple does not make decisions that produce legal or similarly significant effects about you based solely on automated processing. If we ever introduce such processing, we will inform affected individuals as required by Law 25, explain the principal factors involved, and provide the right to have the decision reviewed by a person and to submit observations.

3.3 Privacy Impact Assessments

Where Law 25 requires it, we conduct a privacy impact assessment before deploying any new technology, system, or project that involves high-risk processing of personal information, or before transferring personal information outside Quebec, and we document the assessment and the safeguards adopted.

User content, not personal information. The datasets you upload to or capture through the Services — including point clouds, laser scans, survey data, imagery, and related files — are treated as user content. We protect this content with the same rigour as personal information, but it is governed by the data-ownership provisions of our Terms of Service rather than as personal information under privacy legislation, except to the extent a particular dataset contains identifiable personal information.

Purpose-limited processing. We process your content solely to provide the Services you have requested — for example, hosting, rendering, format conversion, and tool execution. We do not process your content for any other purpose.

No mining, no analysis, no sharing. Across all products, Stiple does not:

• Mine, analyze, or extract insights from the content of your datasets for our own purposes;
• Sell, license, or share your content with any third party;
• Use your content to train artificial intelligence or machine-learning models;
• Combine your content with data from other users; or
• Access the content of your data except as necessary to provide the Services or as directed by you.

Ownership. You retain all ownership rights in your content at all times. Uploading or capturing data through the Services does not transfer any intellectual-property rights to Stiple. You may export or delete your content in accordance with Section 8 (Data Retention) and the applicable annex.

Your responsibility for identifiable content. Some datasets — particularly scans of occupied or private spaces — may contain identifiable features such as faces, licence plates, or signage. Stiple does not automatically anonymize, blur, or redact your content. You are responsible for reviewing your datasets and obtaining any consents or authorizations required under applicable privacy or property law before uploading them. Product-specific guidance on this point is provided in the relevant annex.

Where your content is stored. Substantive user content is stored on Canadian infrastructure. See Section 7 (Cross-Border Data Transfers & Data Residency) for details on storage location and the limited cross-border processing that applies.

We do not sell your personal information. Period. We have never sold personal information and have no plans to do so.

We share your information only in the limited circumstances below.

5.1 Sub-Processors (Service Providers)

Stiple engages third-party service providers ("sub-processors") to help us deliver the Services — for example, cloud infrastructure, object storage, authentication, payment processing, and analytics. Our current sub-processor list — including what each one handles, which products it applies to, and where the data is located — is maintained at stiple.ca/legal/sub-processors. We provide notice of material changes to our sub-processors in accordance with applicable law.

Sub-processors receive only the information necessary to perform their specific function. They are contractually obligated to protect your information and may not use it for their own purposes. Stiple maintains Data Processing Agreements with its sub-processors to ensure appropriate safeguards in accordance with applicable privacy legislation.

5.2 Legal Requirements

We may disclose your information if required by law, or if we believe in good faith that disclosure is necessary to comply with a legal obligation, court order, or enforceable governmental request; to protect the rights, property, or safety of Stiple, our users, or the public; or to detect, prevent, or address fraud, security, or technical issues. We will notify you of any legal demand for your information unless we are legally prohibited from doing so.

5.3 Business Transfers

If Stiple is involved in a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy, and you will have the opportunity to export your data beforehand.

5.4 With Your Consent

We share information with third parties when you direct us to — for example, when you choose to share a project or dataset with a collaborator through the Services.

5.5 Aggregated or Anonymized Data

We may share aggregated or anonymized data that cannot reasonably be used to identify you. This data is never derived from the content of your uploaded datasets.

We implement a range of measures to protect your personal information and your content:

• Encryption in transit — all data transmitted between your device and our servers is encrypted using TLS/SSL.
• Encryption at rest — data stored on our infrastructure is encrypted at rest.
• Access controls — role-based controls limit access to personal information to team members who need it.
• Strong authentication — required for platform accounts and administrative access.
• Ongoing security practices — we regularly review and update our security posture as threats evolve.

No absolute guarantee. While we take commercially reasonable measures to protect your information, no method of electronic storage or transmission is completely secure. We cannot guarantee absolute security, but we commit to promptly addressing any security incidents (see Section 10 on breach notification).

Substantive personal data stays in Canada. Stiple's substantive personal data — including your project and survey data, files, and uploaded content — is stored and processed in Canada. Backend compute runs on Amazon Web Services in the ca-central-1 (Montreal) region, and primary object storage is on Backblaze B2 in Toronto.

The limited cross-border (United States) transfers. Two of our sub-processors process a narrow set of personal information in the United States:

• WorkOS — authentication and profile-photo CDN (applies to both Stiple Labs and Mapdesk). WorkOS is our authentication provider, and it also serves user profile photos through its content-delivery network. Because both Stiple Labs and Mapdesk use a single Stiple account that signs in through WorkOS, this transfer applies to both products. WorkOS processes only the limited identity data needed to authenticate you (such as your name, email address, and profile photo); your survey, project, and file data are not transferred to the United States as part of authentication.
• Stripe — payment processing (Stiple Labs only). Stripe is our payment processor and is used solely to bill Stiple Labs subscriptions. It processes the billing information necessary to take payment for a Labs subscription. Mapdesk involves no payment processing and no Stripe at all — Mapdesk is free and contains no in-app purchases, so a Mapdesk user who has no Stiple Labs subscription has no Stripe involvement of any kind.

These are the only personal-information transfers outside Canada. Each is governed by a data-processing agreement that requires appropriate contractual safeguards, and neither involves your survey, project, or file data, which remain in Canada. Where your information is processed in the United States, it may be subject to U.S. law, including laws such as the CLOUD Act that can compel a U.S.-based provider to disclose data; we have deliberately kept substantive data in Canada to minimize this exposure. Our current sub-processors and their data locations are listed at stiple.ca/legal/sub-processors. If you have heightened data-residency or sovereignty requirements, contact our Privacy Officer at privacy@stiple.ca to discuss enhanced options.

Foreign government access. Where Stiple receives a foreign government request to access your data, we will notify you promptly unless we are legally prohibited from doing so.

Quebec Law 25. Before transferring personal information of Quebec residents outside Quebec, we assess whether the information would receive adequate protection, having regard to applicable legal frameworks and contractual safeguards, and we document that assessment as part of our privacy-impact-assessment process (Section 3.3).

We retain your information only for as long as necessary to fulfill the purposes for which it was collected, and we destroy or anonymize it when those purposes have been achieved, subject to legal retention obligations.

• Account data (name, email, profile) — retained while your account is active, plus a 90-day window after termination to allow for reactivation.
• User content (surveys, point clouds, files) — retained while your account is active. On termination, you have a 90-day export window to download your content before it is permanently deleted from our production systems.
• Log and usage data — retained for up to 24 months, then anonymized or deleted.
• Communications (support requests, emails) — retained for 24 months after the last communication.
• Payment records — retained as required by Canadian tax and financial-reporting obligations.

Deleting your account. You can delete your Stiple account at any time: sign in to Stiple Labs at labs.stiple.ca and go to Profile → Danger Zone → Delete account. When you confirm, your account enters a 14-day cancellation window during which you can reverse the request by signing back in. After 14 days, your account and associated data — including projects, survey data, files, and images — are permanently deleted, and any active subscription is cancelled; this cannot be undone. For security, fraud-prevention, audit, and legal-compliance purposes, Stiple retains a limited set of account and access logs after deletion (for example, sign-in records and a record of which projects were downloaded and when); these logs do not include your project, survey, or file content, are retained for 24 months, and are then deleted unless a longer period is required by law.

Deleting specific datasets. You may also request deletion of specific datasets at any time by contacting support@stiple.ca or our Privacy Officer at privacy@stiple.ca. Such requests are processed within 30 days.

Backup retention. Backups of production data may persist for up to 90 days after data is deleted from production systems. Data in backups is not accessible through the platform and is deleted as backups rotate.

Legal hold. We may retain data longer than the periods above where required by law, legal proceedings, or regulatory investigations.

Product-specific retention details, where they differ, are set out in the relevant Privacy Annex.

We respect your privacy rights under Canadian law and will respond to valid requests within the timeframes required by law.

9.1 Rights Under PIPEDA (All Canadian Users)

Under the federal Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to:

• Access the personal information we hold about you;
• Challenge the accuracy of your personal information and request correction;
• Withdraw consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions and on reasonable notice; and
• File a complaint with the Office of the Privacy Commissioner of Canada (see Section 15).

We will respond to access requests within 30 days. In complex cases, we may extend this period with notice to you.

9.2 Rights Under Quebec Law 25 (Quebec Users)

If you are located in Quebec, you also have the following rights under Quebec's Act respecting the protection of personal information in the private sector (as modernized by Law 25):

• Data portability — to receive the computerized personal information you have provided to us in a commonly used technological format, and, where feasible, to have it communicated to another organization.
• De-indexing and cessation of dissemination — to request that we cease disseminating your personal information, or that we de-index any hyperlink attached to your name, where the conditions in the Act are met.
• Information about automated decision-making — to be informed when a decision is based exclusively on automated processing, to learn the principal factors that led to it, and to have it reviewed by a person and submit observations (see Section 3.2).
• Information on collection — to be told, at the time of collection, the purposes, the means of collection, your rights of access and rectification, and whether your information may be disclosed outside Quebec.

Stiple has designated a Privacy Officer responsible for the protection of personal information (see Section 14), conducts privacy impact assessments for high-risk processing (Section 3.3), and maintains a register of confidentiality incidents (Section 10), in accordance with Law 25.

9.3 How to Exercise Your Rights

To exercise any of these rights, contact our Privacy Officer at privacy@stiple.ca. We will verify your identity before processing your request and aim to respond within 30 days. If we need additional time, we will tell you the reason and the expected timeframe. There is no charge for a reasonable request; if a request is excessive, we will tell you the cost before proceeding.

In the event of a breach of security safeguards involving your personal information that creates a real risk of significant harm, we will:

• Notify the Office of the Privacy Commissioner of Canada as required under PIPEDA, and the Commission d'accès à l'information du Québec for affected Quebec residents as required under Law 25;
• Notify affected individuals as soon as feasible;
• Keep a record of the breach and our response; and
• Take steps to reduce the risk of harm and prevent recurrence.

Breach record retention. In accordance with PIPEDA, Stiple maintains records of all privacy breaches for a minimum of twenty-four (24) months from the date the breach is detected, and maintains a register of confidentiality incidents as required by Law 25. Each record includes: (a) the nature of the breach; (b) the date or estimated date of the breach; (c) a description of the personal information involved; (d) Stiple's assessment of the risk of significant harm; and (e) the remedial actions taken. These records are available to the Office of the Privacy Commissioner of Canada, and to the Commission d'accès à l'information du Québec, on request.

On our web properties we use cookies and similar technologies. Essential cookies handle session management, authentication, and security, and cannot be disabled without breaking the platform. Analytics cookies help us understand how our platforms are used; where required by applicable law (including for Quebec users), we obtain your consent before setting non-essential analytics cookies. We do not use advertising, retargeting, or third-party tracking cookies — we are a tools company, not an advertising company. Full details, including how to manage cookies, are in our Cookie Policy at stiple.ca/legal/cookies. Mobile-app data practices are described in the relevant product annex rather than here.

Our Services are professional tools intended for use by adults in a business or professional context. They are not directed at children under 18, and we do not knowingly collect personal information from anyone under 18. If we learn that we have collected such information without verified parental consent, we will delete it promptly. If you believe a child under 18 has provided us information, contact us at privacy@stiple.ca.

We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or operations.

Material changes. If we make material changes to this Policy, we will provide at least 30 days' notice before they take effect, by email to the address associated with your account and/or a prominent notice on our platform. Changes to the separate Sub-Processor List (Section 5.1) are handled on that page in accordance with applicable law and are not, by themselves, treated as material changes to this Policy.

Continued use. Your continued use of the Services after the effective date of a revised Policy constitutes acceptance of the changes. If you do not agree, you should discontinue use and close your account. Previous versions are available on request at privacy@stiple.ca.

Stiple has designated a Privacy Officer responsible for the protection of personal information and for ensuring compliance with applicable privacy law, including PIPEDA and Quebec Law 25. For any question, concern, or request regarding this Policy or our data practices, contact:

We aim to respond to all privacy-related inquiries within 30 days of receipt.

If you believe your privacy rights have been violated, please contact our Privacy Officer first at privacy@stiple.ca so we can try to resolve the matter directly. If you are not satisfied with our response, you may escalate:

15.1 Office of the Privacy Commissioner of Canada

• Website: www.priv.gc.ca
• Toll-free: 1-800-282-1376
• Address: 30 Victoria Street, Gatineau, QC K1A 1H3

15.2 Commission d'accès à l'information du Québec (Quebec Users)

• Website: www.cai.gouv.qc.ca
• Toll-free: 1-888-528-7741