1. Introduction
BuildingAutopilot Property Management Inc. (“BuildingAutopilot”, “we”, “us”, “our”) respects your privacy. This policy explains, in plain language, what personal information we collect, why we collect it, how we use it, and the rights you have over it.
BuildingAutopilot complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, the General Data Protection Regulation (GDPR) in the European Union, and the Health Insurance Portability and Accountability Act (HIPAA) where applicable in the United States.
If you have any questions, contact our Privacy Officer at privacy@buildingautopilot.ca.
2. Information we collect
Identity & contact information
- Name, email address, phone number, mailing address
- Unit number, residency status (owner, tenant, family member), move-in date
- Emergency contacts, vehicle plate, parking spot, pet records (optional)
Operational data (created as you use the platform)
- Package deliveries, visitor sign-ins, maintenance requests, amenity bookings
- Communications: announcements you read, replies, support tickets
- Sign-in events with timestamp, IP address, device, and browser
Technical & security data
- Audit log entries for every administrative action
- API request metadata (path, status, latency) used for monitoring
- Cookies for session management and CSRF protection (no third-party tracking)
Sensitive data — handled with extra care
For HIPAA-covered properties, we may process limited health-related accommodations (e.g., service animal records, accessibility accommodations) under a Business Associate Agreement. Health data is encrypted at the column level with a separate key.
3. How we use your information
- To deliver the platform’s core functions — packages, maintenance, amenities, communications
- To notify you of building events, deliveries, and announcements (via your chosen channels)
- To investigate incidents and produce auditor-ready compliance reports
- To improve the platform (aggregated, de-identified analytics)
- To comply with our legal obligations and respond to lawful requests
We never sell your data. We do not use it for behavioural advertising. We do not share it with third-party marketing platforms.
4. How we protect your information
- Encryption at rest — AES-256 column-level encryption
- Encryption in flight — TLS 1.3 on every API endpoint
- Encrypted backups — continuous, geo-redundant, point-in-time recovery to any minute in the last 30 days
- Mandatory MFA for admin, board, and finance roles
- Immutable audit log — every administrative action logged with operator, IP, timestamp
- Annual penetration testing by independent third parties
Read the full security and privacy page for the compliance framework details.
5. Data retention
We retain personal information only as long as required to deliver the service and meet legal obligations.
- Resident records — retained while you reside in the building, then 7 years for legal/financial records (or as required by jurisdiction)
- Operational records (packages, visitors, requests) — 7 years for audit purposes
- Audit log — minimum 7 years, append-only, never rotated out
- Backups — point-in-time to 30 days; older backups purged automatically
6. Your rights
You have the right to:
- Access — request a copy of your personal information
- Rectification — correct inaccurate or incomplete information
- Erasure — request deletion of your personal information (subject to legal retention requirements)
- Portability — receive your data in a machine-readable format
- Restriction — pause processing while we investigate a request
- Objection — object to processing on legitimate-interest grounds
- Withdraw consent — withdraw your consent at any time (where consent is the legal basis)
Submit a Data Subject Access Request (DSAR) by emailing privacy@buildingautopilot.ca. We will respond within 30 days (and typically within 48 hours).
7. Cookies & tracking
We use only the cookies necessary to keep you signed in and to prevent CSRF attacks. We do not use behavioural advertising cookies, fingerprinting, or third-party analytics scripts that track you across the web.
8. International transfers
BuildingAutopilot primarily stores data in Canadian and US data centres. For EU customers, we operate an EU data residency option. International transfers are protected by Standard Contractual Clauses and equivalent safeguards.
9. Children’s privacy
BuildingAutopilot is not directed at children under 13. If you are a parent or guardian and become aware that a child under 13 has provided personal information, please contact us and we will delete it.
10. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email and an in-app notification at least 30 days before they take effect.
11. Contact
Privacy Officer
BuildingAutopilot Property Management Inc.
Toronto, Ontario, Canada
Email: privacy@buildingautopilot.ca
If you are a Canadian resident, you also have the right to complain to the Office of the Privacy Commissioner of Canada.