HUBi ("we," "our," or "us") operates the website hubi.ca and related services. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services. We are committed to protecting your privacy in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Canadian provincial privacy legislation.
Information We Collect
We may collect the following types of information:
Information You Provide Directly
- Contact information — name, email address, phone number, and company name when you fill out our contact form or reach out to us
- Account information — credentials and profile data if you create an account on any of our platforms (e.g., Tradelink)
- Communications — any messages, feedback, or inquiries you send us
- Payment information — billing details when you purchase our services (processed through secure third-party payment processors)
Information Collected Automatically
- Device and browser data — IP address, browser type, operating system, device identifiers
- Usage data — pages visited, time spent, referring URLs, click patterns
- Cookies and similar technologies — see Section 4 below
How We Use Your Information
We use the information we collect for the following purposes:
- To provide, maintain, and improve our services and AI tools
- To respond to your inquiries and provide customer support
- To send transactional communications (confirmations, updates, security alerts)
- To analyze usage patterns and improve user experience
- To detect, prevent, and address technical issues or security threats
- To comply with legal obligations and enforce our Terms of Service
- To send marketing communications where you have opted in (you can unsubscribe at any time)
Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected. When no longer needed, we securely delete or anonymize it.
Security
We implement appropriate technical and organizational security measures including SSL/TLS encryption, encrypted storage, access controls, and regular security assessments.
Your Rights
Under Canadian privacy law, you have the right to:
- Access — request a copy of the personal information we hold about you
- Correction — request corrections to inaccurate or incomplete information
- Deletion — request the deletion of your personal information
- Withdraw consent — withdraw your consent at any time
- Complaint — file a complaint with the Office of the Privacy Commissioner of Canada
Third-Party Services
Our website and services may integrate with third-party services including Google OAuth (see Section 9 below for details on Google user data), analytics providers, hosting providers, and n8n automation.
Google User Data
This section discloses how HUBi accesses, uses, stores, shares, and retains data obtained from Google user accounts, in compliance with the Google API Services User Data Policy (including Limited Use requirements) and the Google APIs Terms of Service.
HUBi's Tradelink platform (tradelink.hubi.ca) offers Google Sign-In as an optional authentication method, using the standard NextAuth Google OAuth 2.0 flow. The OAuth client is registered under Google Cloud project hubi-489417.
Data Accessed
HUBi requests only the following standard OpenID Connect scopes when a user signs in with Google: openid, email, profile. The Google user data accessed is limited to:
- Google account identifier (sub claim)
- Email address and email-verified status
- Display name and (where available) given name and family name
- Profile picture URL
- Locale, if provided by Google
HUBi does not request, access, or store data from Gmail, Google Drive, Google Calendar, Google Contacts, Google Sheets, YouTube, or any other Google API beyond the OpenID Connect scopes above.
Data Usage
The Google user data we access is used solely to:
- Authenticate the user and create or link a HUBi/Tradelink account
- Display the user's name and profile picture inside the authenticated experience
- Send service-related (transactional) email to the verified address
HUBi does not use Google user data for advertising, profiling, building user models, training generalized AI/ML models, or any purpose unrelated to providing the authenticated user-facing features they signed in for. We do not transfer Google user data to determine creditworthiness or for lending purposes.
Data Sharing
HUBi does not sell Google user data and does not share it with third parties for advertising or marketing. Google user data is shared only:
- With infrastructure service providers strictly necessary to operate the authentication and account-management functions of the service: our hosting provider (Hostinger, Canada), managed PostgreSQL database, and SMTP email delivery (Postfix on our own infrastructure). These providers act as data processors under written agreements and are not permitted to use the data for their own purposes.
- When required by law, in response to a valid legal request (subpoena, court order, or lawful government request), or to protect the rights, property, or safety of HUBi, our users, or the public.
- With your explicit consent, when you specifically authorize a particular disclosure.
Data Storage & Protection
- Google user data (account ID, email, name, profile picture URL) is stored in our PostgreSQL database in Canada
- All data in transit is protected with TLS 1.2 or higher (HTTPS for web traffic, TLS for database connections, STARTTLS for SMTP)
- Data at rest is protected by full-disk encryption on the hosting provider and access-controlled database credentials managed via environment variables, not source code
- Authentication sessions are issued as signed JWTs (NextAuth) over Secure, HttpOnly, SameSite cookies
- Passwords for the optional email/password login path are stored as bcrypt hashes (cost factor ≥ 10); plaintext passwords are never persisted or logged
- Production access is restricted to a small set of authorized HUBi engineers using SSH key authentication with role separation
- We perform regular security reviews, dependency updates, and audit-log monitoring of authentication events
Data Retention & Deletion
We retain Google user data only for as long as your HUBi/Tradelink account is active or as required to provide the service. You may delete your Google-linked HUBi account, and request deletion of all associated data, at any time by:
- Emailing hello@hubi.ca from the address linked to your account with the subject "Delete my account"
- Using the account-deletion control inside your Tradelink account settings, where available
We acknowledge deletion requests within 7 business days and complete full data erasure (including backups within their retention window) within 30 days, except where we are required by law to retain specific records (for example, financial transaction records for tax compliance).
You can also revoke HUBi's access to your Google account at any time, independently of contacting us, at https://myaccount.google.com/permissions.
Children's Privacy
Our services are not directed to individuals under 18. We do not knowingly collect personal information from children.
Changes to This Policy
We may update this Privacy Policy from time to time. We will post the updated policy on this page with a revised "Last updated" date.
Contact Us
If you have questions about this Privacy Policy, contact us at:
HUBi — AI Development Studio
Email: hello@hubi.ca
Website: hubi.ca
Canada