Legal

ShopWrk Privacy Policy

Last updated June 11, 2026

This Privacy Policy explains how ShopWrk Technologies Inc. ("ShopWrk," "we," "us," or "our") collects, uses, discloses, stores, and protects personal information in connection with the ShopWrk platform, websites, mobile applications, communications, and related services (collectively, the "Services").

ShopWrk Technologies Inc. is located at:

225 6th Avenue Southwest
Suite 2700
Calgary, Alberta T2P 1N2
Canada

You can contact us about this Privacy Policy or your privacy choices at support@shopwrk.com.

1. Who this policy covers

ShopWrk is a business-to-business software platform for auto styling and related service businesses. This policy covers:

  • shops, business owners, administrators, employees, contractors, and other authorized users of a ShopWrk account ("Customers" and "Authorized Users");
  • individuals who interact with a shop through ShopWrk, such as vehicle owners, leads, appointment requesters, invoice recipients, call participants, SMS recipients, and other shop customers ("End Customers");
  • visitors to ShopWrk websites and public pages; and
  • people who contact us for sales, support, billing, security, privacy, or other business purposes.

For most personal information that a shop uploads, imports, or creates about its End Customers, the shop decides why and how that information is used. In those cases, ShopWrk generally acts as a service provider or processor for the shop. For information about ShopWrk account administration, billing, security, product analytics, platform improvement, and our own business operations, ShopWrk may act as an independent controller or business.

If you are an End Customer of a shop that uses ShopWrk, you should also review that shop's privacy policy. We will help the shop respond to privacy requests where required, but the shop is usually the primary point of contact for requests about its own customer records.

2. Information we collect

The information we collect depends on how the Services are used.

Account and user information

We collect information such as name, email address, phone number, login identifiers, role, permissions, avatar, shop affiliation, authentication records, device tokens, notification preferences, support communications, and account activity.

Shop and business information

We collect information about shops and their businesses, including business name, legal name, address, phone number, website, service areas, branding, tax and billing settings, business contacts, payment and subscription status, compliance settings, connected integrations, and configuration choices.

For telecom registration, number porting, payment onboarding, fraud prevention, and legal compliance, we may collect business registration details, tax identifiers, beneficial owner or representative details, government or business documents, letters of authorization, service addresses, campaign descriptions, consent language, and related compliance records.

End Customer and CRM information

Customers may use ShopWrk to collect and manage End Customer information, including names, email addresses, phone numbers, addresses, vehicles, appointments, leads, estimates, jobs, invoices, payments, notes, tags, custom fields, warranties, documents, forms, portal activity, communication preferences, and attribution data such as referral source, UTM parameters, ad identifiers, and lead form data.

Communications information

The Services may process SMS, MMS, email, phone calls, voicemails, conversation history, message content, attachments, delivery status, unsubscribe and opt-out records, consent records, call recordings, transcripts, call summaries, AI-generated drafts or replies, and related audit logs.

If a shop enables call recording, voicemail recording, transcription, or voice AI features, call audio and voice characteristics may be processed. Some laws may treat voice recordings or voice characteristics as sensitive or biometric information. Shops are responsible for giving required notices and obtaining required consents before using these features.

Payment and billing information

ShopWrk uses Finix for embedded payments between shops and their End Customers, and Stripe for ShopWrk subscription billing and related platform billing. We and our payment providers may process transaction amounts, payment status, receipts, refunds, chargebacks, disputes, payout and settlement details, billing contact details, payment method tokens, payment instrument identifiers, card brand, card type, last four digits, expiration information, bank account metadata, payment consent records, merchant onboarding status, and fraud or risk signals.

ShopWrk does not intend to store full payment card numbers in its own application database. Card and bank data is tokenized or processed by payment providers where available.

AI content and AI usage information

ShopWrk AI features may process prompts, messages, customer context, shop configuration, documents, knowledge base content, imports, conversation history, call transcripts, generated outputs, embeddings, tool results, AI usage records, model metadata, token counts, latency, cost, feedback, approvals, and related telemetry.

Documents and electronic signatures

The Services may process uploaded documents, generated documents, contracts, invoices, estimates, warranty documents, signature fields, signer names and contact details, signature images or metadata, timestamps, IP addresses, browser and device information, consent records, access tokens, audit events, and related PDFs.

Staff, payroll, and operational information

Where a shop uses staffing, time tracking, commission, payroll, or compensation features, the Services may process employee or contractor names, roles, hourly rates, commission rates, time entries, schedules, location information if enabled, compensation snapshots, deductions, paystub metadata, tax-related settings, addresses, and limited bank or social security metadata such as last four digits.

Imports, integrations, and third-party sources

Customers may import files or connect third-party services such as lead sources, calendars, advertising platforms, CRM systems, messaging providers, payment providers, or other tools. We process information received from those sources as directed by the Customer and according to the permissions granted through the integration.

Device, usage, telemetry, and security information

We collect technical and usage information such as IP address, device type, browser, operating system, app version, pages and routes viewed, referring URLs, session events, feature usage, crash reports, logs, performance data, error details, security events, approximate location inferred from IP address, cookies, local storage identifiers, and similar technologies.

We use product analytics and observability tools, including PostHog, to understand usage, improve reliability, detect errors, evaluate features, route feature flags, and measure AI usage. Session replay may be used for selected routes or sampled sessions. We configure replay to mask inputs and sensitive areas where feasible, but Customers should avoid entering unnecessary sensitive information into free-text fields.

3. How we use information

We use information to:

  • provide, operate, maintain, secure, and improve the Services;
  • create and administer accounts, shops, roles, permissions, authentication, and support;
  • enable shop workflows such as leads, estimates, jobs, scheduling, invoices, payments, warranties, forms, documents, signatures, customer portals, inventory, staffing, reporting, and automations;
  • send and receive SMS, MMS, email, calls, voicemails, push notifications, service notices, receipts, alerts, and support messages;
  • provide AI features, including drafting, summarization, recommendations, classification, search, configuration assistance, voice AI, SMS AI, knowledge retrieval, analytics, and workflow automation;
  • process payments, billing, subscriptions, invoices, refunds, chargebacks, disputes, payouts, merchant onboarding, fraud detection, and payment compliance;
  • support telecom registration, number purchasing, number porting, 10DLC/A2P registration, consent tracking, quiet hours, opt-out enforcement, and communication compliance;
  • monitor usage, performance, errors, security, fraud, abuse, availability, and Service quality;
  • provide onboarding, training, customer support, and account management;
  • conduct research and analytics, including using aggregated, de-identified, or otherwise privacy-preserving information to improve the Services;
  • communicate about product updates, administrative matters, security, billing, and permitted marketing;
  • enforce our agreements and policies;
  • comply with legal, regulatory, tax, telecom, payment network, law enforcement, and dispute obligations; and
  • protect the rights, property, safety, and security of ShopWrk, Customers, End Customers, providers, and the public.

4. AI, model providers, and model improvement

ShopWrk uses AI systems to power features such as assistant responses, workflow automation, summaries, lead handling, configuration support, document analysis, voice AI, SMS AI, search, recommendations, and analytics.

Foundation model providers

ShopWrk uses the Vercel AI SDK and Vercel AI Gateway for model access, with zero data retention and no prompt-training controls confirmed for production use. We may route AI requests to model providers such as OpenAI, Anthropic, Google, or other providers through Vercel AI Gateway, and may use direct provider APIs for specialized features where necessary.

ShopWrk does not authorize foundation-model providers to train their general models on Customer Data. Provider processing is used to return AI outputs, maintain security, comply with law, and provide the contracted service. Provider retention and exclusions may vary by provider, feature, model, contract, and configuration, including for safety, abuse, legal, or specialized stateful features.

ShopWrk model and feature improvement

Unless a Customer opts out, ShopWrk may use de-identified content, aggregated information, product telemetry, AI usage telemetry, feedback, evaluation data, and derived signals to improve, train, test, evaluate, and monitor ShopWrk's own models, prompts, retrieval systems, safety systems, automations, and AI-powered product features.

Customers may opt out of this ShopWrk model and feature improvement use by contacting support@shopwrk.com. An opt-out applies prospectively to the Customer account after we process the request. It does not require us to remove aggregated or de-identified data, evaluation results, derived measurements, or model improvements that cannot reasonably identify a person or Customer account and were already created before the opt-out was processed.

ShopWrk may still use information as necessary to provide AI features requested by the Customer, maintain security, prevent abuse, debug issues, comply with law, enforce our agreements, and generate billing or usage records.

AI output

AI outputs may be incomplete, inaccurate, or inappropriate for a particular use. Customers are responsible for reviewing AI outputs before relying on them or sending them to End Customers, employees, or third parties.

5. How we disclose information

We disclose information as needed to provide and operate the Services, as directed by Customers, and as described below.

Service providers and subprocessors

We use service providers and subprocessors for hosting, database services, authentication, storage, infrastructure, AI routing and model processing, telecom, payments, email, analytics, observability, customer support, fraud prevention, identity verification, security, document processing, and related operations.

These providers may include Supabase, Vercel, AI model providers routed through Vercel AI Gateway or direct APIs, Telnyx, Finix, Stripe, Resend, PostHog, sandbox or worker infrastructure providers, and other providers used to operate the Services.

Telecom providers

We disclose communications information to Telnyx and related telecom carriers, registries, aggregators, and service providers to provide calling, SMS, MMS, number purchasing, number porting, 10DLC/A2P registration, messaging profiles, campaign registration, delivery, call recording, transcription, voice AI, compliance, fraud prevention, and telecom operations.

We do not sell, rent, or share SMS opt-in data, messaging consent records, or phone numbers collected for SMS consent with third parties or affiliates for their marketing or promotional purposes.

Payment providers and financial partners

We disclose payment and merchant information to Finix, Stripe, banks, card networks, payment method providers, fraud and risk providers, identity verification providers, and other financial partners as needed for payment processing, subscription billing, merchant onboarding, KYC, fraud prevention, settlement, payouts, disputes, refunds, chargebacks, tax, accounting, and compliance.

Customer-directed disclosures

We disclose information according to Customer instructions, including when Customers send messages, create public links, invite users, enable integrations, export data, connect third-party accounts, submit payment or telecom registrations, share documents, or use public customer-facing pages.

Connected integrations

If a Customer connects third-party services, information may be exchanged with those services according to the Customer's configuration and the third party's terms and privacy policy.

Legal, safety, and compliance

We may disclose information to comply with law, legal process, subpoenas, court orders, regulator requests, payment network rules, telecom requirements, tax obligations, sanctions screening, fraud investigations, security incidents, or other legal and compliance obligations.

Business transactions

If ShopWrk is involved in a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, or similar transaction, information may be disclosed or transferred as part of that transaction, subject to appropriate protections.

Aggregated and de-identified information

We may disclose aggregated, de-identified, or anonymized information that does not reasonably identify a person or Customer account, including usage trends, industry benchmarks, AI performance measurements, and product analytics.

6. Cookies and analytics choices

We use cookies, local storage, pixels, SDKs, and similar technologies for authentication, security, preferences, analytics, feature flags, error monitoring, session replay, and Service functionality.

You can control cookies through your browser settings. Some cookies and local storage are necessary for authentication, security, and core Service functionality. Blocking them may prevent the Services from working correctly.

You can contact support@shopwrk.com to ask about analytics choices, privacy rights, or account-level AI improvement opt-out options.

7. Communications, consent, and opt-outs

Customers are responsible for obtaining and documenting legally required consents before using ShopWrk to send SMS, MMS, email, voice calls, automated messages, AI-assisted messages, marketing communications, payment reminders, or recorded calls.

End Customers can opt out of SMS messages by replying STOP or using another supported opt-out method. Where supported, replying START may re-enable messages. HELP may return assistance information. Email marketing messages should include an unsubscribe mechanism where required by law.

Customers must comply with applicable communication laws, including Canada's Anti-Spam Legislation (CASL), the Telephone Consumer Protection Act (TCPA), CAN-SPAM, state telemarketing and text messaging laws, call recording laws, telecom carrier rules, 10DLC/A2P requirements, and industry codes of conduct.

Service, transactional, billing, security, legal, and account administration communications may continue where permitted by law, even after a marketing opt-out.

8. End Customer requests

End Customers may have rights to access, correct, delete, port, restrict, object to, withdraw consent for, or opt out of certain processing of their personal information, depending on where they live and the context of the processing.

Because shops usually control their own End Customer records, End Customers should first contact the shop they interacted with. If an End Customer contacts ShopWrk directly at support@shopwrk.com, we may:

  • verify the request;
  • direct the End Customer to the relevant shop;
  • forward the request to the shop;
  • help the shop respond; or
  • respond directly where ShopWrk is legally responsible for the relevant processing.

End Customers do not need a separate ShopWrk account-level AI improvement opt-out if their personal information is not used for ShopWrk model improvement in identifiable form. If an End Customer asks that their personal information not be used for AI improvement, we will handle that request according to applicable law and the relevant shop's instructions. De-identified information that cannot reasonably identify the End Customer may not be reversible.

9. Privacy rights

Depending on where you live, you may have privacy rights under Alberta's Personal Information Protection Act (PIPA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec and other Canadian privacy laws, the California Consumer Privacy Act (CCPA/CPRA), and other U.S. state privacy laws.

These rights may include the right to:

  • request access to personal information we hold about you;
  • request correction of inaccurate information;
  • request deletion of personal information, subject to legal exceptions;
  • request portability of certain information;
  • withdraw consent where processing is based on consent, subject to legal or contractual limits;
  • object to or restrict certain processing;
  • opt out of certain targeted advertising, sale, sharing, or profiling where those rights apply;
  • limit certain uses of sensitive personal information where that right applies;
  • appeal a privacy rights decision where required by law; and
  • complain to a privacy regulator.

To exercise privacy rights, contact support@shopwrk.com. We may need to verify your identity and authority before acting on a request. If the request relates to a shop's End Customer data, we may need to involve the shop.

We do not sell personal information for money. Some analytics, advertising, or integration activities may be considered a "sale," "sharing," targeted advertising, or similar activity under certain U.S. state privacy laws. Where those laws apply, you may contact support@shopwrk.com to request an opt-out.

We do not knowingly sell or share personal information of individuals under 16.

10. Retention

We retain information for as long as needed to provide the Services, maintain business records, comply with legal and regulatory obligations, resolve disputes, enforce agreements, support security and fraud prevention, maintain backups, preserve audit logs, meet telecom and payment obligations, and as otherwise described in this policy.

Retention periods vary by data type and context. For example, communications logs, opt-out records, payment records, tax records, compliance registrations, security logs, call recordings, transcripts, payroll records, legal records, and backups may have different retention periods.

After account termination, we may delete, de-identify, or archive Customer Data according to our agreements, operational needs, and legal obligations. We may retain information in backups, logs, payment records, telecom records, fraud records, compliance records, dispute files, and legal archives where permitted or required.

11. Security

We use administrative, technical, and organizational safeguards designed to protect information against unauthorized access, disclosure, alteration, and destruction. These safeguards may include access controls, encryption in transit, encryption at rest where supported, tenant scoping, audit logs, provider security controls, monitoring, vulnerability management, and incident response procedures.

No system is perfectly secure. Customers are responsible for securing their own accounts, passwords, devices, user permissions, integrations, exports, and instructions to ShopWrk.

12. International transfers

ShopWrk is based in Canada and provides Services to Customers in Canada and the United States. Information may be processed in Canada, the United States, and other jurisdictions where we or our service providers operate.

Privacy laws in those jurisdictions may differ from the laws where you live. We use contractual, technical, and organizational safeguards for cross-border processing where required by law.

13. Children's information

The Services are intended for business use and are not directed to children. We do not knowingly collect personal information from children under 13 or the equivalent minimum age under applicable law. If you believe a child provided personal information to ShopWrk, contact support@shopwrk.com.

14. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice by posting the updated policy, updating the "Last updated" date, or using another reasonable method. Continued use of the Services after an updated policy becomes effective means the updated policy applies, subject to applicable law.

15. Contact

ShopWrk Technologies Inc.
225 6th Avenue Southwest
Suite 2700
Calgary, Alberta T2P 1N2
Canada

Email: support@shopwrk.com