Privacy Policy

Zulma Resources Inc. (“Zulma”, “we”, “us”) operates the Zulma home services platform (the “Platform”) at app.zulma.ca. The Platform connects customers in the Niagara region of Ontario with independent crew members who provide residential cleaning and lawn care services. This Privacy Policy explains what personal information we collect, how we use and share it, and the rights you have under Canada's Personal Information Protection and Electronic Documents Act (“PIPEDA”) and Ontario's applicable privacy laws.

We collect personal information only when needed to provide our services or operate the Platform, and we use it only for the purposes stated below.

From Customers, we collect:

• Account information: name, email, phone number, password (hashed)
• Service address: to dispatch a Cleaner and compute pricing
• Booking history: service type, dates, ratings, reviews, receipts
• Payment information: card details handled by Stripe; we store only a tokenized reference
• Communications: messages between you and your Cleaner (anonymized at the phone number level), support tickets
• Photos: before/after photos of cleaned spaces, when you haven't opted out

From crew members, we collect:

• Identity: full name, address, government ID, criminal record check status
• Payout information: bank account details handled by Stripe Connect for earnings transfers; we store only a tokenized reference
• Live location: collected via the browser geolocation API only while a crew member has an active accepted job and the active-job page is open. Used to compute proximity to the customer's address for arrival detection. Not stored long-term and not shared with the customer until the crew member is within 1 km of the destination, for crew safety
• Performance: ratings, completion rate, customer reviews, capability tags

From all users, we collect:

• Device + browser metadata for security and debugging
• IP address (logged for fraud prevention)
• Cookie consent preferences
• Web push subscription data (browser-issued endpoint and encryption keys), only if you opt in to push notifications. Used solely to deliver booking-status alerts.
• Aggregate usage analytics through Vercel Analytics (page views, anonymized referrers). No cross-site tracking, no personal identifiers attached.

• To provide and operate the home services on the Platform, including dispatch, payment processing, real-time tracking, and dispute resolution
• To send transactional notices: booking confirmations, crew-assigned alerts, day-of reminders, completion receipts, and dispute updates. These are essential to the service and not subject to a separate opt-in
• To send marketing communications (promotions, new-service announcements), only if you have opted in separately, in compliance with Canada's Anti-Spam Legislation (CASL). We currently do not run a marketing program; if and when we do, you'll have a clear opt-in
• To prevent fraud, abuse, and unauthorized access
• To improve the Platform via aggregate analytics
• To comply with legal obligations (CRA, courts, regulators)

We share personal information only with:

• Your assigned crew member: limited to the information needed to perform the service (your address, service details, access instructions you provide, your first name and last initial).
• Stripe Inc. (United States): payment processor (PCI DSS certified). Stripe handles your card data; we do not store raw card numbers.
• Supabase Inc. (United States): database and authentication provider. Data is stored in encrypted Postgres databases. Row-Level Security ensures users can only read their own rows.
• Vercel Inc. (United States): web hosting + Vercel Analytics for aggregate usage measurement (anonymized, no cross-site tracking).
• TomTom International B.V. (Netherlands): map tile rendering, address autocomplete, and routing. When you enter or select an address, that address is sent to TomTom for geocoding. No other personal information is shared with TomTom.
• Resend Inc. (United States): transactional email delivery (booking confirmations, crew-assigned alerts, completion receipts). Recipient email + email content are shared.
• Law enforcement: only when compelled by valid Canadian legal process or required by law.

We do not sell or rent your personal information to anyone for any purpose. All processors above are bound by either their own published privacy commitments, a signed data-processing agreement, or both.

Personal information is stored on servers located in the United States (Supabase, Stripe, Vercel, Resend) and the Netherlands (TomTom). Your information may be subject to foreign legal processes (such as the U.S. CLOUD Act). By using the Platform, you consent to this cross-border transfer.

Where available, we choose providers' Canadian regions: our Supabase project is hosted in Canada Central so primary application data sits inside Canada by default.

We use cookies and similar technologies for:

• Essential session management (always on; required to use the Platform)
• Optional analytics, only if you accept the cookie banner
• Optional marketing, only if you accept the cookie banner

You can change your preferences at any time by clearing cookies in your browser settings. We do not use third-party advertising cookies.

Under PIPEDA, you have the right to:

• Access: request a copy of the personal information we hold about you
• Correct: update inaccurate or incomplete information
• Withdraw consent: stop us from collecting certain optional data, subject to legal or contractual obligations
• Delete: request deletion of your account and personal data, subject to retention requirements
• Complain: file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) if you believe we have mishandled your data

To exercise these rights, contact our Privacy Officer (see section 12).

• Account data: retained while your account is active, plus up to 7 years for tax and audit purposes
• Booking and payment records: 7 years (CRA requirement)
• Before/after photos: 30 days by default; you may request immediate deletion
• Cleaner background-check records: duration of engagement plus 2 years
• Marketing consent records: duration of consent plus 3 years

The Platform is not directed to children under 18. We do not knowingly collect personal information from children. If you believe a child has provided us information, please contact our Privacy Officer for prompt deletion.

• HTTPS encryption for all data in transit
• Encrypted at-rest storage (Supabase, AES-256)
• Row-Level Security (RLS) — users access only their own data
• Tokenized payment storage via Stripe
• Background-checked staff; access logging on production systems
• Regular security audits

No system is perfectly secure. We will notify affected users and the Office of the Privacy Commissioner if a breach creating real risk of significant harm occurs, as required by PIPEDA.

We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notice at least 14 days before they take effect. The “Last updated” date at the top reflects the most recent revision.

Our Privacy Officer is responsible for compliance with this policy and PIPEDA. Contact:

We aim to respond to access and correction requests within 30 days, as required by PIPEDA.