Skip to content
← Back to homepage

Privacy Policy

Last updated: May 22, 2026

Plain-English summary

  • We collect your email, filter preferences, and billing details from Stripe. That's it.
  • We never sell or rent your data.
  • We never share your filter or behavior with anyone.
  • You can export, edit, or delete your data at any time by emailing info@protexaservices.com.
  • We use Supabase (database), Stripe (payments), Resend (email), Vercel (hosting), and Anthropic (AI classification of public filings). All are named below.

1. Who we are

NewBusinessSignal is operated by Protexa Property Services (1338 Wellington St. W., Ottawa, Ontario, Canada). We are a Canadian organization and the "controller" responsible for your personal information under PIPEDA (Canada), CCPA / CPRA (California subscribers), and the GDPR (EU subscribers, if any).

2. What we collect

From you directly:

  • Your email address (to send you the business-formation digest).
  • Your password, stored as a one-way bcrypt hash (we never see your plaintext password).
  • Your filter preferences (state, entity types, counties, NAICS keyword) and cadence (weekly or daily).
  • Your plan tier (Starter or Pro).

From Stripe (our payment processor):

  • A Stripe customer ID and subscription ID (never your card number - Stripe holds that).
  • Billing address and tax ID if you provide them at checkout.

Automatically, via server logs:

  • IP address (hashed before we persist it for rate-limiting and abuse defense).
  • Timestamps of signup, digest sends, and link clicks.
  • Email delivery events from Resend (delivered, opened, bounced, unsubscribed).

We do not collect data about the California businesses we surface in your digest. Those filings are public records published by the California Secretary of State. We don't enrich them with personal contact information, owner names, or other PII beyond what the state already publishes.

3. Why we collect it

  • Service delivery (legal basis: contract): sending you the digests you subscribed for.
  • Billing (legal basis: contract): processing payments via Stripe.
  • Account access (legal basis: contract): password authentication and magic-link account management.
  • Abuse prevention (legal basis: legitimate interest): rate-limiting signup attempts.
  • Legal compliance (legal basis: legal obligation): CASL / CAN-SPAM unsubscribe processing; financial records.

4. Who we share with

We share only what's necessary with these service providers, each bound by their own privacy commitments:

  • Supabase (database + storage): your subscriber record, filter, and subscription status.
  • Stripe (billing): your payment details.
  • Resend (email delivery): your email address and the digest content we send you.
  • Vercel (hosting): standard server logs of requests you make to newbusinesssignal.com.
  • Anthropic (AI): only public business-formation filing text (CA Secretary of State data) is sent for industry classification. Your personal data never leaves our systems for AI processing.
  • Upstash (rate limiting): hashed IP and email keys only, no plaintext PII.

We do not sell, rent, or share your data for advertising. We do not use third-party trackers (Meta Pixel, Google Analytics, etc.).

5. Where your data lives

Your subscriber record lives in a Supabase Postgres database hosted in a North American region. Emails are sent via Resend (US infrastructure). If you're outside Canada or the US, your data may cross borders as a result. We rely on standard contractual commitments from these providers (SCCs where applicable) for cross-border transfer.

6. How long we keep it

  • Active subscribers: as long as you're subscribed, plus 1 year after you cancel (for billing records and refund disputes).
  • Unsubscribed: we stop sending immediately. We retain the record of your unsubscribe (required by CASL / CAN-SPAM) for 3 years.
  • Server logs: 30 days.
  • Stripe webhook events and server-error rows: 90 days.

7. Your rights

Depending on your jurisdiction, you have the right to:

  • Access what we hold on you (PIPEDA, CCPA, GDPR).
  • Correct any information you think is wrong (PIPEDA, CCPA, GDPR).
  • Delete your subscriber record (subject to the retention minimums above for billing and anti-spam law).
  • Withdraw consent - the unsubscribe link in every email does this with one click.
  • Opt out of sale or sharing for advertising (CCPA) - we never sell or share for advertising, so this is already in effect by default.
  • Portability - we'll provide a JSON export of your subscriber record on request.
  • Complain to a privacy regulator: the Office of the Privacy Commissioner of Canada (PIPEDA), the California Privacy Protection Agency (CCPA), or your local data protection authority (GDPR).

To exercise any of these, email info@protexaservices.com. We respond within 30 days (or 45 days for CCPA / GDPR requests).

8. Cookies

newbusinesssignal.com uses essential cookies only (HttpOnly session cookie, CSRF token). We do not use analytics or advertising cookies.

9. Security

We use HTTPS everywhere, encrypted database storage, bcrypt for password hashing, HMAC-signed short-lived magic-link tokens for account access, signed Stripe webhook verification, and least-privilege service accounts. We don't store your payment card number.

10. Children

NewBusinessSignal is a B2B service for adults. We do not knowingly collect personal information from children under 16. If you believe we have, email us and we will delete it.

11. Changes to this Policy

Material changes will be announced by email at least 14 days in advance.

12. Contact

Privacy questions, access requests, deletion requests: info@protexaservices.com.