Privacy Policy

1. Who We Are

GrantHub is operated by Kickstart Ventures Inc. ("we", "us", "our"), a company incorporated under the laws of British Columbia, Canada. We are committed to protecting your personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and British Columbia's Personal Information Protection Act (PIPA).

Our Privacy Officer is responsible for overseeing our compliance with privacy legislation and for addressing privacy-related complaints. For any privacy-related inquiries, contact our Privacy Officer at [email protected].

Mailing address: Kickstart Ventures Inc., 997 Seymour Street, Suite 250 - #1370, Vancouver, BC V6B 3M1, Canada.

2. Information We Collect

We collect only the personal information that is necessary for the purposes identified in this policy. We collect information by fair and lawful means, with your knowledge and consent. We collect the following categories of personal information:

• Account information: Email address, display name, and authentication credentials when you create an account via Firebase Authentication (Google).
• Business profile data: Company name, industry, province, business type, employee count, revenue range, NAICS codes, CRA business number, incorporation details, and diversity information (such as Indigenous-owned or women-owned status) that you provide.
• Uploaded documents: Business plans, financial statements, incorporation documents, and other files you upload to your document library. Files are stored on Firebase Storage (operated by Google).
• Application data: Grant application drafts, pipeline tracking status, saved grants, and application scoring results.
• AI interaction data: Conversations with the AI Grant Advisor, including questions asked and responses generated.
• Payment information: Processed securely by Stripe (US-based). We do not store your credit card details. Stripe may store transaction history, billing address, and subscription status.
• Email capture data: Email address, postal code, industry, and province collected through discovery tools, grant alert signups, and other email capture forms — including before account creation.
• Credit and referral activity: Credits earned and spent, referral codes used, and referral relationships.
• Usage data: Pages visited, grants viewed, search queries, features used, and engagement patterns collected through PostHog analytics.
• Technical data: IP address, browser type, device information, and user agent string — collected automatically when you use the Service.

3. How We Use Your Information

We use and disclose your personal information only for the purposes for which it was collected, unless you consent to a new purpose or disclosure is required by law. We use your personal information for the following purposes:

• Providing and maintaining the Service, including grant search, matching, and recommendations
• Processing payments and managing subscriptions
• Powering AI features (Grant Advisor, draft generation, application scoring) — see Section 4
• Sending transactional emails (account confirmations, payment receipts, booking confirmations)
• Sending grant alerts, deadline reminders, and weekly digests matching your preferences
• Sending marketing emails and product updates (with your consent — see Section 5)
• Operating the credit and referral programs
• Analyzing usage patterns (such as feature adoption and navigation flows) to improve the user experience
• Detecting and preventing fraud, abuse, and unauthorized access
• Complying with legal obligations

See our Terms of Service for details on acceptable use and your obligations when using the Service.

4. AI Data Processing

To power our AI features, certain data is sent to third-party AI providers for processing:

• Provider: Azure OpenAI, operated by Microsoft Corporation (US-based).
• Data sent: Business profile information, uploaded document content, application draft text, and chat messages — only the data necessary to generate the requested AI response is transmitted.
• Purpose: Grant recommendations, application draft generation, compliance scoring, and conversational assistance.
• Safeguards: Data is transmitted via encrypted connections. Microsoft's Azure OpenAI Service does not use customer data to train or improve its models. Data is processed and discarded after generating a response.
• Automated assessments: When AI features generate scores or assessments (such as application compliance scoring), these are generated algorithmically based on your input and the grant program's publicly available criteria. You have the right to request an explanation of how any AI-generated assessment was produced by contacting [email protected].
• Limitations: AI-generated outputs may contain inaccuracies or reflect limitations of the underlying models. AI content is intended as a starting point and should be reviewed by a qualified professional before use. See our Terms of Service Section 8 for details.

5. Commercial Electronic Messages (CASL)

In compliance with Canada's Anti-Spam Legislation (CASL), we obtain your consent before sending commercial electronic messages. We send the following types of emails:

• Transactional: Account confirmations, password resets, payment receipts, subscription changes, and booking confirmations (no additional consent required).
• Grant alerts: New grant notifications, deadline reminders, and application status updates.
• Marketing: Product updates, feature announcements, weekly digests, educational content, and promotional offers.

Your consent: Express consent for grant alerts and marketing emails is collected via opt-in checkboxes during account registration or through email capture forms. Consent checkboxes are unchecked by default.

Withdrawing consent: You may unsubscribe from non-transactional emails at any time using the unsubscribe link included in every email, or by updating your notification preferences in Account Settings. Unsubscribe requests are processed within 10 business days. The unsubscribe mechanism in each email remains functional for at least 60 days after the email is sent.

Consent records: We retain records of your consent (including the method of collection, timestamp, and consent text) for the duration of your account and for 3 years after our business relationship ends, as required by CASL.

Sender identification: Kickstart Ventures Inc., 997 Seymour Street, Suite 250 - #1370, Vancouver, BC V6B 3M1, Canada. Contact: [email protected].

6. Third-Party Service Providers

We share your data with the following third-party service providers, solely for the purposes described:

• Firebase Authentication and Storage (Google, US): User authentication and document file storage. We do not transmit payment card data through Firebase.
• Stripe (US): Payment processing, subscription management, and billing.
• Azure OpenAI (Microsoft, US): AI-powered grant advice, draft generation, and scoring (see Section 4).
• PostHog (US/EU): Product analytics and usage tracking.
• Cloudflare (US): Website hosting, content delivery, and security.
• Resend (US): Transactional and marketing email delivery.

We do not sell your personal information to any third party. Data is shared with service providers only as necessary to operate the Service, under data processing agreements that require PIPEDA-comparable protections.

7. Cross-Border Data Transfers

Your personal information may be transferred to and processed in the United States by our third-party service providers. All cross-border transfers are governed by data processing agreements that require protection comparable to PIPEDA. However, when your data is stored or processed outside of Canada, it may be subject to the laws of that jurisdiction, including lawful access requests by courts, law enforcement, or government authorities under US laws, which may differ from Canadian privacy protections.

The following providers process data in the United States:

• Firebase (Google): Account credentials and uploaded documents
• Stripe: Payment and billing data
• Azure OpenAI (Microsoft): Business profiles, documents, and chat messages sent for AI processing
• PostHog: Usage analytics and behavioral data
• Cloudflare: Website traffic and request data
• Resend: Email addresses and email content

8. Data Accuracy

We take reasonable steps to ensure that personal information in our possession is accurate, complete, and up-to-date for the purposes for which it is used. You can update your personal information at any time through your Account Settings or by contacting us. If you believe any information we hold about you is inaccurate, please contact our Privacy Officer at [email protected].

9. Data Security

We implement security measures to protect your data, including encryption of data in transit (HTTPS/TLS), access controls restricting data to authorized personnel, and regular review of our security practices. Account credentials are managed through Firebase Authentication and are never stored in plain text. Payment data is handled by Stripe under PCI DSS compliance standards.

10. Data Retention

We retain your personal information according to the following schedule:

• Account data: Retained while your account is active. Deleted within 30 days of account deletion, unless otherwise required by law.
• Uploaded documents: Retained while your account is active. Deleted within 30 days of account deletion or upon your request.
• AI interaction data: Chat conversations, AI-generated responses, and scoring results are retained while your account is active. Deleted upon account deletion or upon request.
• Application and pipeline data: Grant application drafts, pipeline tracking, and saved grants are retained while your account is active. Deleted upon account deletion or upon request.
• Credit and referral data: Credit balances, ledger history, and referral relationships are retained while your account is active. Deleted upon account deletion or upon request.
• CASL consent records: Retained for 3 years after our business relationship ends, as required by CASL.
• Payment records: Retained for 7 years as required by Canada Revenue Agency (CRA) tax and accounting obligations.
• Usage and technical data: PostHog analytics data is retained for 12 months in identifiable form. Anonymized and aggregated analytics data may be retained indefinitely.
• Pre-registration email capture data: Retained while you remain subscribed to communications. Deleted upon unsubscribe request.

11. Breach Notification

In the event of a data breach involving your personal information that creates a real risk of significant harm, we will notify affected individuals as soon as feasible after determining the breach has occurred. The notification will include the date or approximate period of the breach, the personal information involved, the steps we are taking to mitigate the risk, steps you can take to protect yourself, and contact information for our Privacy Officer. We will also report the breach to the Office of the Privacy Commissioner of Canada as required by PIPEDA. Where appropriate, we will notify other organizations or government institutions that may be able to help mitigate the harm. We maintain records of all privacy breaches for a minimum of 24 months.

12. Your Rights

Under PIPEDA and BC PIPA, you have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate or incomplete information
• Request deletion of your personal data
• Request a copy of your data in a portable format
• Withdraw consent for data processing (which may limit your ability to use certain features — for example, withdrawing consent for AI processing will make AI features like the Grant Advisor unavailable)
• Request an explanation of any automated decision or AI-generated assessment that affects you
• File a complaint with our Privacy Officer or with the Office of the Privacy Commissioner of Canada

To exercise any of these rights, email our Privacy Officer at [email protected]. We will respond to your request within 30 days. If we cannot fulfill your request, we will provide an explanation and inform you of your right to complain to the Privacy Commissioner.

Internal complaints: If you have a concern about our privacy practices, you may submit a written complaint to our Privacy Officer. We will investigate and respond within 30 days. If you are not satisfied with our response, you may escalate to the Office of the Privacy Commissioner of Canada.

13. Additional Rights for Quebec Residents

If you are a resident of Quebec, you have additional rights under Quebec's Act respecting the protection of personal information in the private sector (Law 25), including:

• The right to data portability — receiving your data in a structured, commonly used format and requesting its transfer to another organization
• The right to request de-indexing of your personal information from search results linked to your name
• The right to an explanation of any automated decision that significantly affects you, and the right to request human review of such decisions

To exercise these rights, contact our Privacy Officer at [email protected].

14. Document and File Uploads

The Service allows you to upload documents such as business plans, financial statements, incorporation documents, and other files to your document library.

• Storage: Files are stored on Firebase Storage, a cloud storage service operated by Google (US-based).
• Accepted formats: PDF, DOC, DOCX, PNG, JPG, JPEG, GIF, and WEBP (maximum 10MB per file).
• Access: Uploaded files are accessible only to you through your authenticated account.
• AI processing: If you use AI features that reference your documents (such as draft generation), document content may be sent to Azure OpenAI for processing (see Section 4).
• Retention: Files are retained while your account is active. Upon account deletion, files are deleted within 30 days. You may delete individual files at any time through the document library.
• Sharing: Your uploaded documents are not shared with other users or third parties, except as required for AI processing or as described in this policy.

15. Cookies and Analytics

We use the following types of cookies and tracking technologies:

• Essential cookies: Required for authentication, session management, and core functionality. These cannot be disabled. Includes Firebase authentication tokens.
• Analytics cookies: PostHog sets a cookie (ph_*_posthog, 365-day expiry) and uses localStorage to track usage patterns including pages visited, features used, and engagement. PostHog is self-hosted / EU-based and does not share data with third parties.
• Security cookies: Cloudflare may set cookies (__cf_bm, __cflb) for bot detection and load balancing. These are essential for site security and performance.

We do not use third-party advertising cookies or sell analytics data. You may opt out of PostHog analytics tracking through your Account Settings, by contacting us at [email protected], or by using your browser's cookie management settings.

16. Proactive Disclosure Data

The Service displays aggregated data from Canada's Proactive Disclosure dataset, which is publicly available government data. This includes business names, funding amounts, government programs, and departments. This data is published by the Government of Canada and is already in the public domain. We aggregate and present this data to help users understand government funding patterns in their area.

17. Children's Privacy

GrantHub is not intended for individuals under 18 years of age. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected information from a person under 18, we will take steps to delete it promptly.

18. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top of this page indicates when this policy was last revised. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

19. Contact

For privacy-related inquiries or to exercise your rights, contact us at:

• Privacy Officer: [email protected]
• Support: [email protected]
• Mail: Kickstart Ventures Inc., 997 Seymour Street, Suite 250 - #1370, Vancouver, BC V6B 3M1, Canada

If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada.