Privacy Policy
Last updated: 24 March 2026
1. Who We Are
NorBot Systems Inc. ("NorBot," "we," "us") is a Canadian corporation based in Stratford, Ontario. We operate the Visualizer Plugin, an embeddable AI renovation visualiser for contractor websites. Our Privacy Officer is Ferdie Botden, who can be reached at privacy@norbotsystems.com or by mail at NorBot Systems Inc., PO Box 23030 Stratford PO Main, Stratford, ON N5A 7V8. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.
2. Information We Collect
We collect the following categories of information.
Account Information: when you create an account, we collect your name, email address, phone number (optional), company name, and website URL.
Payment Information: payment processing is handled entirely by Stripe, Inc. We receive your Stripe customer identifier and subscription status but do not store, process, or have access to your full credit card number.
Widget Usage Data: when homeowners interact with the Widget on your website, we collect uploaded photographs, selected renovation styles and room types, Design Expert chat messages, AI-generated visualisations, and lead contact details (name, email, phone, project description) submitted voluntarily through the lead capture form.
Analytics and Device Information: we collect page URLs where the Widget is embedded, session duration, browser type, device type, operating system, and IP address (anonymised after 30 days).
3. How We Use Your Information
We use the information we collect for the following purposes.
Service Delivery: to operate the Visualizer Plugin, generate AI visualisations, power the Design Expert chat, deliver leads to your Dashboard, and generate quotes.
Payment Processing: to manage your subscription, process payments through Stripe, and send billing-related communications.
Communications: to send you account notifications, product updates, and support responses. We do not send marketing emails without your express consent.
Product Improvement: to analyse aggregated, de-identified usage patterns to improve the Widget, AI models, and overall Service quality. No individual-level data is used for this purpose without consent.
Legal Compliance: to comply with applicable laws, respond to legal process, and enforce our Terms of Service.
4. Legal Basis for Processing
Under the Personal Information Protection and Electronic Documents Act (PIPEDA), we process your personal information on the following bases.
Consent: you provide express consent when you create an account, check the consent box during signup, or voluntarily submit information through the Widget.
Contractual Necessity: processing is necessary to perform the contract between you and NorBot (our Terms of Service), including providing the Service, processing payments, and delivering leads.
Legitimate Interests: we may process information where we have a legitimate business interest that is not overridden by your privacy rights, such as preventing fraud, ensuring security, and improving the Service.
You may withdraw your consent at any time by contacting privacy@norbotsystems.com.
5. Data Sharing
We share personal information only in the following circumstances.
Sub-processors: we use the following third-party service providers to operate the Service.
Supabase (database hosting, ca-central-1 Montréal region).
Vercel (application hosting, United States and global edge network).
Stripe (payment processing, United States and global).
Google (Gemini AI models, for image generation and chat).
OpenAI (AI models, for image generation and chat).
Each sub-processor is bound by data processing agreements that require them to protect your information to a standard no less protective than this Policy. We do not sell, rent, or trade your personal information to any third party.
Law Enforcement: we will disclose personal information to law enforcement or government authorities only in response to a valid legal process (such as a court order or warrant) issued under Canadian or applicable foreign law.
6. Data Residency
Our primary database is hosted by Supabase in the ca-central-1 (Montréal) region, ensuring that your data at rest is stored within Canada. Application hosting through Vercel may involve processing on servers located in the United States or on Vercel’s global edge network. AI model requests (for image generation and chat) are sent to provider APIs (Google, OpenAI) which may process data outside of Canada; however, these providers do not retain prompt data beyond the processing request per their respective data processing agreements. We take reasonable steps to ensure that any cross-border transfer of personal information is subject to appropriate safeguards consistent with PIPEDA requirements.
7. Data Retention
We retain your personal information for the duration of your active subscription plus 30 days following cancellation. During the 30-day post-cancellation period, you may request a data export in CSV or JSON format. Lead data collected through the Widget is available for export at any time through the Dashboard (Accelerate and Dominate tiers) or by contacting support@norbotsystems.com (Elevate tier). After the 30-day retention period, all account data is permanently deleted from our production systems. Backup copies are purged within 90 days of the deletion date. Anonymised, aggregated data that cannot be used to identify any individual may be retained indefinitely for statistical and product improvement purposes.
8. Your Rights Under PIPEDA
Under PIPEDA, you have the following rights regarding your personal information.
Access: you may request a copy of the personal information we hold about you.
Correction: you may request that we correct any inaccurate or incomplete information.
Withdrawal of Consent: you may withdraw your consent to our collection, use, or disclosure of your information at any time, subject to legal or contractual restrictions.
Deletion: you may request that we delete your personal information, subject to our legal obligations to retain certain records.
To exercise any of these rights, contact our Privacy Officer at privacy@norbotsystems.com. We will respond to your request within 30 calendar days. If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.
9. Your Rights Under CCPA/CPRA
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you additional rights.
Right to Know: you may request that we disclose the categories and specific pieces of personal information we have collected about you.
Right to Delete: you may request that we delete your personal information, subject to certain exceptions.
Right to Opt-Out of Sale: we do not sell personal information.
Right to Non-Discrimination: we will not discriminate against you for exercising any of your CCPA/CPRA rights.
To exercise your rights, contact us at privacy@norbotsystems.com. We will verify your identity before processing your request, typically by confirming your email address.
10. Do Not Sell My Personal Information
NorBot Systems Inc. does not sell, rent, or trade your personal information to any third party. We have not sold personal information in the preceding 12 months and have no plans to do so. If you have any concerns about the handling of your data, please contact our Privacy Officer at privacy@norbotsystems.com.
11. Cookies and Tracking
The Visualizer Plugin uses only essential cookies that are strictly necessary for the operation of the Service, such as session identifiers and authentication tokens. We do not use advertising cookies, third-party tracking pixels, or behavioural advertising technology. The Widget itself does not set any cookies on your visitors’ browsers; it uses in-memory session identifiers that do not persist after the browser tab is closed.
12. Children’s Privacy
The Visualizer Plugin is a business-to-business service intended for use by contractors and renovation professionals. The Service is not directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have inadvertently collected such information, we will delete it promptly. If you believe a child under 16 has provided us with personal information, please contact us at privacy@norbotsystems.com.
13. Breach Notification
In the event of a security breach that results in the unauthorised access, disclosure, or loss of personal information, we will notify affected individuals and the Office of the Privacy Commissioner of Canada within 72 hours of becoming aware of the breach. Our notification will include: a description of the nature of the breach; the types of personal information affected; a description of the measures we have taken or propose to take to address the breach and mitigate its effects; and contact information for our Privacy Officer. We maintain an incident response plan and conduct regular security assessments to minimise the risk of data breaches.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. For material changes, we will provide at least 30 days’ notice by email to the address associated with your account before the changes take effect. Non-material changes (such as corrections or formatting) take effect upon posting. The current version date is displayed at the top of this page. We encourage you to review this Policy periodically.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us.
Privacy Officer: Ferdie Botden.
Email: privacy@norbotsystems.com.
General Support: support@norbotsystems.com.
Mail: NorBot Systems Inc., PO Box 23030 Stratford PO Main, Stratford, ON N5A 7V8, Canada.