Privacy

Privacy Policy

Last updated: May 28, 2026 — DRAFT

Draft for Legal Review

This content is a starting point only. It is not legal advice and has not been reviewed by counsel. It must be reviewed and finalized by a qualified privacy/technology lawyer before this site handles real user data or accepts members.

Overview

Who We Are

Vale Concierge ("Vale," "we," "us," or "our") is a private concierge service based in Canada, with operations in Vancouver and Toronto.

⚠ Lawyer review requiredConfirm the full legal entity name, jurisdiction of incorporation, and registered address. If Vale is a sole proprietorship, partnership, or has not yet been incorporated, this must be corrected before the policy goes live.

This Privacy Policy explains how we collect, use, disclose, and protect personal information when you submit an application, become a member, or communicate with us. By submitting an application or using the service, you acknowledge that you have read and understood this policy.

Vale's primary privacy obligations arise under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. Members residing outside Canada may have additional rights under the laws of their jurisdiction. See Section 8 (Your Rights).

Section 1

Information We Collect

Application data

When you submit an application through our website, we collect: your full name; email address or phone number; your professional or lifestyle category (selected from a provided list); and a free-text description you provide about yourself. If you were referred to Vale, we collect the name of your referrer.

Member profile data

Once you are accepted as a member and begin using the service, we build a profile to help us serve you effectively. This may include: travel preferences (airlines, seat preferences, hotel brands, dietary requirements); names and relationships of frequent travel companions or family members; preferred vendors, brands, and restaurants; historical bookings and outcomes derived from our interactions with you; and lifestyle preferences you share with us over time. This profile is central to the service and grows through ongoing communication.

SMS and message content

Vale communicates with members primarily via SMS text message. We retain the content of messages exchanged between you and Vale, including your requests and our responses. Message content may be processed by our AI-assisted tools and reviewed by members of our concierge team in order to fulfill requests and maintain your profile.

⚠ Lawyer review requiredVale uses Twilio to send and receive SMS messages. Confirm that a Data Processing Agreement (DPA) with Twilio is in place. Review Twilio's subprocessor disclosures. Confirm whether retention of full message content is permissible under PIPEDA's necessity and proportionality requirements.

Payment information

We collect payment information in order to process membership fees. Vale does not handle raw payment card data directly. Payment processing is handled by our payment processor.

⚠ Lawyer review requiredInsert the name of the payment processor (e.g., Stripe). Confirm whether Vale ever has access to full card numbers, CVVs, or magnetic stripe data. Confirm PCI-DSS compliance scope and, if Vale is a merchant, its SAQ level. Update this section once the payment flow is finalized.

Automatically collected technical data

When you visit our website, we may collect limited technical information automatically, including your IP address, browser type, device type, and pages viewed. This information is used to maintain and improve the site.

⚠ Lawyer review requiredConfirm whether any analytics tool (e.g., Vercel Analytics, Google Analytics) is deployed. If so, disclose it specifically. Confirm whether a cookie consent banner is required under CASL or applicable EU/UK cookie law for any international visitors. If no analytics are deployed, confirm and simplify this section accordingly.
Section 2

How We Use Information

We use the personal information we collect for the following purposes:

  • To evaluate and process your application for membership;
  • To provide concierge services, including researching, recommending, booking, and managing requests on your behalf;
  • To build and maintain your member profile so we can personalize and improve your experience over time;
  • To communicate with you via SMS, and where applicable, email;
  • To process membership fees and booking-related payments;
  • To comply with our legal obligations, including record-keeping requirements;
  • To detect, investigate, and prevent fraudulent or unauthorized activity.

We do not use your personal information to serve you third-party advertising. We do not sell your personal information to any third party.

⚠ Lawyer review requiredUnder PIPEDA and GDPR (if applicable), processing must be tied to a lawful basis or a stated purpose to which the individual has consented. Confirm the lawful basis for each processing activity above — e.g., contract performance, legitimate interests, or consent. For EU/EEA members, a lawful basis table mapping each activity to a GDPR Article 6 basis will be required.
Section 3

SMS / Text Messaging

⚠ Lawyer review requiredThis section must be reviewed carefully against both TCPA (United States, if Vale accepts US members) and CASL (Canada). The draft below is a starting framework only. Key items requiring lawyer review are called out inline.

Vale's primary member communication channel is SMS text message. By providing your phone number during the application process and accepting membership, you consent to receive text messages from Vale related to your membership and concierge service requests. Message frequency varies based on your usage and the requests you make. Standard message and data rates from your carrier may apply.

⚠ Lawyer review requiredTCPA (US): Confirm whether Vale's outbound SMS messages constitute "marketing" or "transactional/service" messages — this affects the consent standard required. For marketing messages, prior express written consent is required. For purely transactional service messages to existing customers, the standard may differ. Confirm with counsel. CASL (Canada): Confirm whether Vale's messages constitute "commercial electronic messages" requiring express or implied consent under CASL Section 6. Confirm that the consent mechanism at the point of phone number collection satisfies CASL requirements (including disclosure of sender identity and description of what messages will be sent).

Opting out: To stop receiving SMS messages from Vale, reply STOP to any message. You will receive a one-time confirmation that you have been unsubscribed. To re-subscribe, contact us directly. To receive help, reply HELP.

⚠ Lawyer review requiredVerify that the STOP/HELP opt-out/help mechanism exactly satisfies the language required by your SMS carrier aggregator (Twilio/Twilio short code/long code), TCPA carrier requirements, and CASL. Confirm whether a separate SMS terms and conditions disclosure is required at the point of phone number collection (many US carriers require this for compliance with CTIA messaging guidelines).

Vale uses Twilio, Inc. as its SMS messaging provider. Twilio processes your phone number and message content as a data processor acting on Vale's behalf. Vale retains message content for the purposes described in this policy.

⚠ Lawyer review requiredConfirm Twilio DPA is executed. Review Twilio's data retention, subprocessor list, and cross-border transfer mechanisms. If AI processing of message content occurs via Anthropic's API, Anthropic must also be listed as a data processor/subprocessor with appropriate contractual terms in place.
Section 4

How We Share Information

We do not sell personal information. We share personal information only in the circumstances described below.

Vendors and service providers for fulfillment

To fulfill your requests, we share relevant details with third-party service providers, which may include ground transportation companies, restaurants, hotels, aviation brokers, and other travel and lifestyle vendors. We share only the information necessary to complete your specific request — typically your name, travel dates, preferences, and contact information. These vendors receive information as principals contracting with you directly, not as our data processors.

⚠ Lawyer review requiredUnder PIPEDA, disclosure to third parties for purposes you would reasonably expect requires either consent or falls within a recognized exception. Confirm that sharing with fulfillment vendors is covered by member consent obtained at onboarding. Assess whether DPAs are needed with any fulfillment vendors that store or further process member data on Vale's behalf (as opposed to using it solely for fulfillment of your request). Review specifically the Blacklane and OpenTable relationships.

Commission and referral relationships

Vale may receive referral fees or commissions when members book through Vale with certain vendors. This is disclosed in our Terms of Service. The existence of such commercial relationships does not affect your price or Vale's obligation to act in your interests.

⚠ Lawyer review requiredReview disclosure adequacy under applicable consumer protection law (BPCPA in BC; Competition Act misleading advertising provisions). If Vale's Black tier involves rebating commissions back to members, confirm whether additional financial services disclosure obligations apply.

Technology service providers

We use third-party technology providers to operate the service. These currently include Twilio (SMS delivery), Vercel (website hosting), Supabase (database and data storage), and Anthropic (AI processing of concierge requests). These providers access personal information only as necessary to perform services on Vale's behalf, and are contractually bound to protect it.

⚠ Lawyer review requiredConfirm that DPAs are in place with each listed subprocessor. Verify current list — add or remove providers as the technology stack evolves. For EU/EEA members, confirm that cross-border data transfer mechanisms (SCCs or equivalent) are in place for US-based processors (Twilio, Vercel, Supabase, Anthropic). Update this list whenever a new subprocessor is added.

Legal compliance and protection

We may disclose personal information if required by law, court order, or lawful government request, or if we believe disclosure is reasonably necessary to protect the rights, property, or safety of Vale, our members, or the public.

Section 5

Payment Data

⚠ Lawyer review requiredThis section must be reviewed by a lawyer with PCI-DSS experience. The draft below is a placeholder pending finalization of Vale's payment architecture.

Membership fees are processed by our payment processor. Vale does not store payment card numbers, CVV codes, or other sensitive card data on its own systems. Your payment information is handled directly by the payment processor, which maintains its own security certifications.

⚠ Lawyer review requiredInsert the name of the payment processor (e.g., Stripe). Confirm whether Vale is in scope for PCI-DSS and, if so, at which SAQ level. Confirm the payment processor's own privacy policy and data retention terms. Confirm whether this section needs to address how member-authorized spend on bookings is processed (i.e., whether Vale holds a payment method on file to charge for bookings, and if so, how that is disclosed and authorized).

Vale's concierge team does not accept, request, or transmit payment card information through SMS messages. Members should never send card details by text message.

Section 6

Data Storage, Security & Retention

Vale's data is stored on servers operated by our technology providers, which are currently located in the United States and Canada.

⚠ Lawyer review requiredConfirm the precise data residency locations for each provider (Supabase, Vercel, Twilio, Anthropic). If any data is processed or stored in the EU/EEA or UK, GDPR and UK GDPR transfer restrictions apply. For all cross-border transfers from Canada to other jurisdictions, PIPEDA's accountability principle and Schedule 1 requirements (Section 4.1.3) require ensuring comparable protection in the receiving jurisdiction. Confirm whether standard contractual clauses (SCCs) or binding corporate rules are in place for any such transfers.

We take reasonable technical and organizational measures to protect personal information from unauthorized access, disclosure, alteration, or destruction. These measures include encryption of data in transit and at rest, restricted access controls, and secure authentication practices.

⚠ Lawyer review requiredConfirm and describe the specific security measures in place before this section is finalized. Under PIPEDA Principle 7 and GDPR Article 32, organizations must implement appropriate technical and organizational measures. Specific measures to confirm: encryption standards (TLS version; AES-256 at rest?), access controls (who can access member data and under what conditions), logging and audit trails, incident response plan. If GDPR applies, a formal Data Protection Impact Assessment (DPIA) may be required for processing of sensitive data or large-scale profiling.

We retain personal information for as long as necessary to provide the service and comply with our legal obligations. Application data for unsuccessful applicants is retained for a limited period and then deleted. Member data is retained for the duration of the membership and for a reasonable period thereafter.

⚠ Lawyer review requiredDefine specific retention periods for each category of data: application data (accepted and declined); member profile data; SMS message content; payment records; booking records; technical/server logs. Retention periods must be proportionate to the purpose (PIPEDA Principle 5; GDPR Article 5(1)(e)). Consult counsel on minimum retention required by Canadian tax law, anti-money laundering regulations, and any applicable booking/travel agency recordkeeping requirements.
Section 7

Your Rights

⚠ Lawyer review requiredThis section must be tailored for at minimum three regulatory regimes: PIPEDA (Canada), GDPR (EU/EEA members), and CCPA/CPRA (California, US members). The draft below covers the common ground. Jurisdiction-specific obligations must be drafted by qualified counsel. In particular: (1) GDPR Article 13/14 notice requirements at collection; (2) whether Vale requires an EU/EEA data protection representative under GDPR Article 27; (3) CCPA opt-out rights and whether Vale qualifies as a "business" under CCPA; (4) Quebec Law 25 (Bill 64) obligations for Quebec residents, including mandatory privacy impact assessments for new systems, appointment of a privacy officer, and expanded individual rights.

Depending on where you reside, you may have the following rights regarding your personal information:

  • Access: You may request a copy of the personal information we hold about you.
  • Correction: You may request that we correct personal information that is inaccurate, incomplete, or out of date.
  • Deletion: You may request that we delete your personal information. We may retain certain information as required by law or for legitimate business purposes (such as dispute resolution or record- keeping obligations).
  • Data portability: Where technically feasible and required by applicable law, you may request your personal information in a structured, machine-readable format.
  • Withdrawal of consent: Where we process information on the basis of your consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal. Note that withdrawal of consent for SMS messaging will limit our ability to provide the service.
  • Objection to processing: In certain circumstances, you may object to our processing of your personal information.
⚠ Lawyer review requiredCCPA/CPRA (California): If Vale accepts California members and meets the CCPA "business" threshold, a "Do Not Sell or Share My Personal Information" link and disclosure may be required. Confirm whether Vale's commission-based disclosures to vendors constitute "sale" or "sharing" under CCPA. GDPR (EU/EEA): If Vale has EU/EEA members, the right to erasure (Article 17), right to restrict processing (Article 18), and right to data portability (Article 20) apply. Confirm lawful basis for each processing activity. PIPEDA: Confirm the required response timeframe (30 days under PIPEDA). Quebec Law 25: Confirm expanded rights for Quebec residents, including the right to data portability (effective September 2023) and the right to de-indexation/cessation of dissemination.

To exercise any of these rights, please contact us at the address below. We will respond within the timeframe required by applicable law.

Section 8

Cookies & Tracking

Our website currently makes minimal use of cookies and tracking technologies. We may use essential cookies necessary for the website to function (for example, to maintain session state). We do not currently use third-party advertising or behavioral tracking cookies.

⚠ Lawyer review requiredConfirm exactly which cookies and tracking scripts are deployed on the site (including any Vercel Analytics, or other performance/analytics tools). If any non-essential cookies are set, CASL and EU/UK ePrivacy Directive requirements may require prior informed consent through a cookie banner. Update this section to reflect actual deployment. If analytics are added in the future, this section must be updated before or at the time of deployment.
Section 9

Children's Privacy

Vale is a private concierge service intended exclusively for adults aged 18 years or older. We do not knowingly collect, use, or disclose personal information from persons under 18 years of age. Our application process is directed to adults only.

If we learn that we have inadvertently collected personal information from a minor under 18, we will take prompt steps to delete that information. If you believe we may have information from or about a minor, please contact us immediately.

Section 10

Changes to This Policy

We may update this Privacy Policy from time to time as our practices evolve or as required by law. When we make material changes, we will update the "Last updated" date at the top of this page. For significant changes affecting how we process personal information, we will notify active members directly by SMS or email with reasonable advance notice.

Your continued use of the service following notice of an updated policy constitutes your acceptance of the changes.

⚠ Lawyer review requiredConfirm the required notice period for material policy changes under PIPEDA and any applicable consumer protection legislation. For EU/EEA members, confirm whether changes to lawful bases or processing purposes require fresh consent under GDPR.
Section 11

Contact

For privacy-related inquiries, to exercise your rights, or to report a concern, please contact us at:

Vale Concierge
[LAWYER: Insert full legal name, physical address, and privacy contact email]

⚠ Lawyer review requiredInsert the privacy contact email and physical mailing address. Under PIPEDA, organizations must designate an individual accountable for privacy compliance (the "Privacy Officer" or equivalent) and make their contact information available. Under Quebec Law 25, a specific privacy officer designation and internal privacy program are required. Under GDPR Article 27, if Vale has EU/EEA members, a representative in the EU/EEA may be required. Confirm whether a Data Protection Officer (DPO) is required under GDPR Article 37.