Privacy Policy
Important Notice — Not Legal Advice. This document was prepared for Provetly. While drafted with regulatory research, it has not been reviewed by an attorney. Consult a lawyer licensed in your operating jurisdiction before relying on this document.
Effective Date: April 28, 2026 Last Updated: May 2, 2026
1. Who We Are
Provetly is an online directory that connects homeowners in the United States and Canada with vetted home service contractors. Provetly is operated by Orchiq, a sole proprietorship of Renel Lherisson, based in Montréal, Québec, Canada.
- Website: https://provetly.com
- Privacy email: privacy@provetly.com
- Mailing address: Orchiq (Provetly), Montréal, Québec, Canada (full street address available on request to privacy@provetly.com)
Privacy Officer (Québec Law 25 designation). Renel Lherisson serves as the Person in Charge of the Protection of Personal Information for Provetly. You may reach the Privacy Officer at privacy@provetly.com.
A French-language version of this Privacy Policy will be made available to Québec residents in accordance with the Charter of the French Language. Until that version is published, Québec residents may request a French summary by emailing privacy@provetly.com.
2. Scope
This Privacy Policy applies to personal information we collect through provetly.com, our emails, and related services (the "Service"). It applies to two types of users:
- Homeowners who browse the directory, leave reviews, or contact contractors.
- Contractors who pay for a subscription to be listed.
The Service is intended only for adults aged 18 or older. We do not knowingly collect information from children.
3. What Information We Collect
3.1 Information You Provide
Homeowner accounts (free):
- Email address
- Optional: name, phone number, postal/ZIP code, profile photo
- Reviews, ratings, and photos you submit about contractors
- Messages you send through the Service
Contractor accounts (paid):
- Business name, owner name, business email and phone
- Business address, service area, EIN or business registration number
- State / provincial license number(s) and expiration date
- Insurance certificate(s) (general liability, workers' comp where applicable)
- Background check authorization for the business owner
- Photos, descriptions, pricing, and other listing content
Payments (contractors only): We use Stripe, Inc. to process payments. We do not store full credit card numbers on our systems. Stripe collects card data directly under its own privacy policy: https://stripe.com/privacy.
3.2 Information We Collect Automatically
- Device, browser, and operating system
- IP address and approximate location derived from it
- Pages viewed, links clicked, time on page
- Referrer URL
- Cookies and similar technologies (see Section 12)
3.3 Information From Third Parties
- License-verification data from state, provincial, or municipal licensing boards
- Insurance verification from carriers or verification services
- Background-check reports from a consumer reporting agency (with the contractor's written consent under the FCRA where applicable)
3.4 Sensitive Personal Information
We collect a limited amount of "sensitive personal information" as defined by the California Consumer Privacy Act (Cal. Civ. Code § 1798.140(ae)), specifically: government-issued license numbers (contractors only) and account log-in credentials. We do not sell or share this data and do not use it for any purpose other than providing and securing the Service.
4. How We Use Information
We use personal information for these purposes:
| Purpose | Categories Used |
|---|---|
| Create and maintain accounts | Account info |
| Verify contractor credentials | License, insurance, background-check info |
| Process subscription payments | Payment metadata (Stripe handles card data) |
| Display public contractor profiles | Business info, photos, ratings |
| Display reviews | Review content, reviewer first name + first initial |
| Send transactional emails (e.g., receipts, account alerts) | Email, name |
| Send marketing emails (with consent) | Email, name |
| Detect fraud, abuse, and policy violations | Usage data, account info |
| Improve the Service and analyze trends | Aggregated usage data |
| Comply with legal obligations | All categories as needed |
5. Legal Basis for Processing
For users in the European Economic Area, the United Kingdom, and Québec (Law 25), we rely on the following legal bases:
- Performance of a contract — to provide the Service to you.
- Consent — for marketing emails, optional cookies, and any sensitive data uses.
- Legitimate interests — to operate, secure, and improve the Service (balanced against your rights).
- Legal obligations — to comply with tax, anti-fraud, and regulatory requirements.
You may withdraw consent at any time (see Section 8).
6. How We Share Information
We do not sell personal information for money. We do not share personal information for cross-context behavioral advertising. We disclose information only as follows:
6.1 Service Providers (Processors)
| Provider | Purpose | Privacy Policy |
|---|---|---|
| Vercel Inc. (US) | Hosting & content delivery | https://vercel.com/legal/privacy-policy |
| Supabase Inc. (US) | Database & authentication | https://supabase.com/privacy |
| Stripe, Inc. (US) | Payments | https://stripe.com/privacy |
| Resend (US) | Transactional & marketing email | https://resend.com/legal/privacy-policy |
We have written agreements (DPAs) with each provider requiring them to protect personal information.
6.2 Public Profile Data
Contractor profile information (business name, license status, service area, photos, ratings) is public on provetly.com and may be indexed by search engines.
Reviews you post are public, attributed to your first name and first initial of last name, and are visible to anyone visiting the contractor's profile.
6.3 Legal Disclosures
We may disclose information to comply with subpoenas, court orders, or other legal process; to enforce our Terms; to protect rights, property, or safety; or in connection with a merger, acquisition, or sale of assets (with notice to you).
7. Cross-Border Transfers
Provetly is operated from Canada, but our infrastructure (Vercel, Supabase, Stripe, Resend) is hosted in the United States. If you are located outside the United States, your personal information will be transferred to and stored in the United States.
US laws (such as the CLOUD Act and FISA Section 702) may give US government authorities access to data stored in the US. We use contractual safeguards (Standard Contractual Clauses or equivalent) to provide a comparable level of protection.
Québec residents (Law 25, art. 17): We have conducted a privacy impact assessment of these out-of-Québec transfers and concluded they offer adequate protection. By using the Service, you acknowledge this disclosure.
8. Your Rights
Submit any rights request to privacy@provetly.com. We respond within 30 days (or 45 days under most US state laws, extendable once by 45 additional days).
8.1 California Residents (CCPA / CPRA — Cal. Civ. Code § 1798.100 et seq.)
You have the right to:
- Know what personal information we collect, use, disclose, and the sources, purposes, and recipients.
- Delete personal information (subject to exceptions).
- Correct inaccurate personal information.
- Portability — receive a copy in a portable format.
- Opt out of sale or sharing — we do not sell or share personal information, so this right is automatically honored.
- Limit use of sensitive personal information — we do not use sensitive PI beyond what is necessary; this right is automatically honored.
- Non-discrimination — we will not discriminate against you for exercising these rights.
You may designate an authorized agent. We honor the Global Privacy Control (GPC) browser signal as a valid opt-out request.
8.2 Virginia, Colorado, Connecticut, Texas, Utah, Oregon, Montana, Indiana, Kentucky, Rhode Island, and other US States
You have substantially similar rights: access, correction, deletion, portability, and opt-out of targeted advertising, sale, and profiling that has legal or similarly significant effects. Provetly does not engage in targeted advertising, sale of personal information, or solely-automated profiling that produces legal effects.
Oregon residents may request a list of specific third parties to which we have disclosed personal information.
If we deny a request, you may appeal by replying to our denial email.
8.3 Canadian Residents (PIPEDA, Alberta PIPA, BC PIPA)
You have the right to:
- Access the personal information we hold about you.
- Request correction of inaccurate information.
- Withdraw consent (subject to legal or contractual restrictions).
- File a complaint with the Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca) or your provincial commissioner.
8.4 Québec Residents (Law 25 — Act respecting the protection of personal information in the private sector, RLRQ c P-39.1)
In addition to the Canadian rights above, you have the right to:
- Data portability — receive your information in a structured, commonly used technological format.
- Cease dissemination / de-indexing in some cases.
- Be informed when an automated decision based exclusively on your personal information is made about you, including the data used, the principal factors, and your right to have the data corrected or to submit observations to a human reviewer (see Section 14).
- File a complaint with the Commission d'accès à l'information du Québec (https://www.cai.gouv.qc.ca).
9. Retention
We keep personal information only as long as needed for the purposes described in this Policy:
| Data | Retention |
|---|---|
| Active account data | While account is active |
| Account data after closure | 7 years (tax and audit) |
| Contractor verification records (license, insurance, background) | 7 years after account closure |
| Reviews | Indefinitely while public; deleted on request subject to anti-abuse review |
| Marketing email preferences | Until unsubscribe + 12 months for proof of consent |
| Server logs | 90 days |
| Payment metadata | 7 years (tax and chargeback) |
| Support tickets | 3 years |
When retention ends we delete or irreversibly anonymize the data.
10. Security
We use industry-standard safeguards:
- TLS 1.2+ encryption in transit.
- Encryption at rest (AES-256 via Supabase / Vercel infrastructure).
- Role-based access controls; least-privilege admin access.
- Multi-factor authentication for staff accounts.
- No full payment card data stored on our systems (handled by Stripe, PCI-DSS Level 1).
- Logging and monitoring for suspicious activity.
No method of transmission or storage is 100% secure. If we experience a data breach with risk of serious injury, we will notify affected users and the relevant authorities (including the OPC and CAI Québec) as required.
11. Children
The Service is not directed to anyone under 18. We do not knowingly collect information from children under 13 (per the US Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506) or from minors under 18 generally. If you believe a child has given us information, email privacy@provetly.com and we will delete it.
12. Cookies and Tracking Technologies
We use the following categories of cookies:
- Strictly necessary — authentication, session, security (cannot be disabled).
- Functional — remember your preferences (language, region).
- Analytics — Vercel Analytics, which collects only minimal aggregated data and does not set third-party cookies or build cross-site profiles.
- First-party product analytics (Provetly) — when you accept the consent banner, we record pageviews, contractor profile views, your approximate location (city/region/country, derived from IP), referrer, UTM campaign parameters, device type, and a one-way hash of your IP. This is used to improve the service, surface relevant contractors, and measure marketing performance. Raw IP is never stored. Records are retained for 90 days, then deleted. You can decline at any time and we will not collect this data.
We do not use third-party advertising cookies, tracking pixels for ad networks, or cross-context behavioral advertising.
You may manage cookies in your browser. Disabling strictly necessary cookies may break sign-in and other features.
13. Marketing Communications
We send marketing emails only with your consent, in compliance with:
- CAN-SPAM Act (15 U.S.C. § 7701 et seq.) — truthful headers, identification, unsubscribe link, postal address.
- Canada's Anti-Spam Legislation (CASL, S.C. 2010, c. 23) — express consent, sender identification, working unsubscribe for at least 60 days, action within 10 business days.
Every marketing email includes a one-click unsubscribe. Transactional emails (receipts, account alerts) are sent regardless of marketing preferences.
14. Automated Decision-Making
We use automated systems to flag potentially fake, abusive, or AI-generated reviews. These systems assist human moderators; they do not, on their own, produce legal or similarly significant effects on individuals.
If we ever introduce automated decisions made exclusively without human involvement that produce significant effects (for example, automatic suspension of a contractor account), Québec residents will be informed at the time of the decision of the personal information used, the principal factors and parameters, the right to correct the information, and the right to submit observations to a human reviewer (Law 25, art. 12.1).
We do not engage in profiling for targeted advertising.
15. Changes to This Policy
We may update this Policy from time to time. Material changes will be announced by email and / or by a prominent notice on the Service at least 30 days before they take effect. Your continued use after the effective date constitutes acceptance.
16. Contact Us
- General privacy questions: privacy@provetly.com
- Privacy Officer (Québec Law 25): Renel Lherisson, privacy@provetly.com
- Mailing address: Orchiq (Provetly), Montréal, Québec, Canada
You may also lodge a complaint with:
- California Privacy Protection Agency — https://cppa.ca.gov
- Office of the Privacy Commissioner of Canada — https://www.priv.gc.ca
- Commission d'accès à l'information du Québec — https://www.cai.gouv.qc.ca
Appendix A — California Notice at Collection (CCPA, Cal. Civ. Code § 1798.100(b))
This notice is provided at or before the point of collection.
| Category collected (per § 1798.140) | Examples | Sources | Purpose | Sold or shared? | Retention |
|---|---|---|---|---|---|
| Identifiers | Name, email, phone, IP address, account ID | You; automatic | Provide service, security, communications | No | See § 9 |
| Customer records (Cal. Civ. Code § 1798.80(e)) | Billing info, business info | You; Stripe | Payments, contractor listings | No | 7 years |
| Commercial information | Subscription history | You; Stripe | Manage subscriptions | No | 7 years |
| Internet activity | Pages viewed, clicks | Automatic | Analytics, security | No | 90 days logs |
| Geolocation (general) | City / region from IP | Automatic | Localized search | No | 90 days |
| Professional / employment info | Contractor license, insurance, background check | You; third-party verifiers | Vetting | No | 7 years |
| Sensitive PI: government-issued license number, account credentials | License #, password hashes | You | Vetting; security | No (and not used beyond § 1798.121 permitted purposes) | 7 years / while account active |
We do not sell or share personal information, do not use sensitive PI beyond permitted purposes, and do not engage in cross-context behavioral advertising. Therefore the "Do Not Sell or Share" and "Limit the Use of My Sensitive Personal Information" rights are automatically honored.
Appendix B — Québec Privacy Officer Contact (Law 25)
- Person in Charge: Renel Lherisson
- Title: Operator, Provetly (Orchiq)
- Email: privacy@provetly.com
- Mailing address: Montréal, Québec, Canada (full address on request)