Legal Steel Logo

Command Palette

Search for a command to run...

Privacy Policy

Last updated: May 26, 2026 (version 2026-05-26)

Français

Your Privacy Matters

This Privacy Policy explains how Steel Software Innovations Ltd. ("Steel Software Innovations Ltd.", "we", "us", or "our") collects, uses, discloses, and protects personal information when you use LegalSteel (the "Site" and our associated apps, APIs, and services, collectively the "Services"). We are federally incorporated in Canada and based in Ontario.


1) Scope & Interpretation

This policy applies to personal information about identifiable individuals that we handle in connection with the Services and is intended to meet requirements under Canada's privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial laws where applicable, including Quebec's Act respecting the protection of personal information in the private sector (as modernized by Law 25), Alberta's PIPA, and British Columbia's PIPA.

Personal information means information about an identifiable individual. It does not include aggregated, anonymized, or de‑identified information that cannot reasonably be re-identified.

2) Information We Collect

  • Account & profile. Email address, hashed password, display name, language and notification preferences, the dates on which you accepted the Terms of Service and Privacy Policy, and the date on which you confirmed your age.
  • Beta access. The beta access code you redeemed (if any), the date of redemption, and your resulting beta entitlement period.
  • Subscription & billing. Payment card details are collected and processed by Stripe; we do not store full card numbers. We receive limited billing metadata (last four digits, expiry, transaction IDs), your Stripe customer ID, subscription plan, status, and renewal dates.
  • Watchlist. The firearm records you choose to add to your watchlist, the time you added them, and the time we last notified you about a change.
  • Search activity. Search queries you submit (text query, manufacturer, make, model), the time of the search, and the number of matching results. We use this to improve the Services and to investigate misuse.
  • Sessions & device. IP address, user agent / browser and device type, operating system, and session timestamps. We use IP address for authentication, security, fraud prevention, and rate limiting.
  • Email engagement. When we send you an email, our email provider records delivery telemetry (delivered, opened, clicked, bounced, complained), including the recipient address, subject line, event type, and associated metadata. This data is associated with your email address, not your account ID.
  • Communications. Messages you send to support, feedback you submit, and your marketing preferences.
  • Cookies & identifiers. Cookies, local storage, and similar technologies that help us remember your settings, keep you signed in, and understand feature usage.
  • OAuth-linked accounts. If you choose to sign in with a Google account, we receive the limited profile data described in Section 8.
  • We do not knowingly collect sensitive government identifiers (e.g., SIN, driver's licence numbers, firearms licence numbers) and we do not require you to disclose firearms ownership.

3) How We Use Information

  • Provide, operate, and improve the Services, including authentication, watchlist monitoring, and personalization.
  • Process payments, prevent fraud, and manage subscriptions and beta entitlements.
  • Send transactional messages (e.g., receipts, security and service notices, password resets, email verification) and, with your consent, optional updates, watchlist alerts, or marketing communications.
  • Operate rate limits and abuse-prevention controls (using IP address, account ID, and request timing).
  • Perform analytics to understand usage and develop new features.
  • Protect our users, our Services, and comply with legal obligations and lawful requests from public authorities.

5) Cookies & Similar Technologies

We use essential cookies to keep you signed in and secure the Site, and analytics cookies to understand how features are used. You can control cookies in your browser; disabling some cookies may limit functionality.

6) When We Share Information

  • Service providers. Vendors who help us operate the Services under contracts that limit their use of personal information to providing services to us. See Section 7 for the current list.
  • Legal & safety. Where required or permitted by law, such as to comply with lawful requests, protect users, or defend legal claims.
  • Business transfers. In connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to confidentiality and applicable legal requirements.
  • With your direction. When you ask us to share or otherwise consent.

7) Our Service Providers

We engage the following categories of third-party processors. Each processes only the information needed to provide the relevant service to us, under written agreements requiring appropriate safeguards.

  • Hosting, content delivery & web analytics. Vercel Inc. hosts the Site, runs serverless functions, and provides web analytics.
  • Database & cache. Our managed PostgreSQL provider stores account, watchlist, search-log, and email-event data. Upstash Inc. (United States) provides managed Redis used for rate limiting and short-lived caching.
  • Payments. Stripe Payments Canada, Ltd. and its affiliates process card payments and manage subscriptions.
  • Transactional & notification email. Resend sends our outgoing email and provides delivery telemetry.
  • Authentication & sign-in. Google LLC provides optional OAuth sign-in.
  • Customer support tooling. Standard email and ticketing tools as required.

This list may change as we add, remove, or replace providers. Material changes will be reflected in this Privacy Policy in line with Section 16.

8) Google Sign-In

If you choose to sign in with Google, the third-party provider authenticates you and shares limited profile information with us.

  • Google. We receive your Google account ID, primary email address, name, and profile image, used to create or link your account.
  • You can unlink the provider at any time from your account settings. Your continued use of the provider is governed by their own terms and privacy policies.

9) Cross‑Border Transfers

Personal information may be processed in Canada and in the United States, where several of our service providers operate. When information is processed outside your province or territory or outside Canada, it may be subject to the laws of those jurisdictions.

We use contractual and technical safeguards intended to protect personal information when transferred, including written processor agreements, encryption in transit, and access controls. You may contact our Privacy Officer for more information about a specific transfer.

10) Automated Decision-Making

We do not use automated decision-making, including profiling that uses personal information, to render decisions that produce legal effects or otherwise significantly affect you. Automated processes we do run (such as detecting changes in public firearm classification data, sending watchlist alerts, applying rate limits, or detecting abuse) do not, on their own, decide questions about your rights, services, or contractual obligations.

11) Retention

We retain personal information only as long as necessary to fulfill the purposes described in this policy, to comply with our legal obligations, resolve disputes, and enforce our agreements. Typical retention:

  • Account data: kept while your account is active and for up to 24 months after closure (unless a longer period is required by law).
  • Watchlist and notification history: kept while your account is active and deleted with your account.
  • Search-query logs: The search query, filters, and result count are retained indefinitely for aggregate analytics and abuse investigation. The link to your account is anonymized after 30 days.
  • Email-engagement events (delivery, open, click, bounce): event type and timestamps are retained indefinitely for deliverability analytics. Identifying information, including the recipient address and subject line, is anonymized after 30 days.
  • Session data: Session records, including IP address and user agent, are deleted when the session expires. Rate-limit data is short-lived and expires automatically.
  • Verification tokens: Email verification tokens are deleted when they expire.
  • Billing records: retained for periods required by tax and financial reporting laws (typically 6–7 years).
  • Support communications and logs: retained for reasonable periods to improve service and maintain security.

12) Security

We use administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit (HTTPS), encryption at rest by our database and cache providers, hashed passwords, role-based access controls, audit logging, and routine vulnerability management. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

13) Data Breach Notification

If we become aware of a breach of security safeguards involving personal information that creates a real risk of significant harm to you, we will notify you and the appropriate regulators in accordance with PIPEDA and applicable provincial laws (including, where applicable, the Commission d'accès à l'information du Québec). We will also keep records of breaches as required by law.

14) Your Rights

Subject to legal limits, you may:

  • request access to and correction of your personal information;
  • request deletion of personal information we no longer need to retain;
  • request that we stop or limit processing for which consent is required;
  • where available, request a portable copy of personal information you provided to us, in a structured, commonly used technological format.

If we cannot fulfill a request, we will explain why. You may also contact the Office of the Privacy Commissioner of Canada or your provincial privacy regulator. We encourage you to contact us first so we can help resolve your concern.

15) Children

The Services are intended for individuals who are the age of majority in their province or territory and, in all cases, at least 18 years old. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact our Privacy Officer and we will take reasonable steps to delete it.

16) Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will post the updated policy, update the "Last updated" date and version above, and give reasonable advance notice (typically by email or in‑product notice) before the changes take effect.

17) Contact Our Privacy Officer

You can reach the Privacy Officer at:

Steel Software Innovations Ltd.
Attn: Privacy Officer
Email: admin@legalsteel.ca
Mailing address: 1554 Carling Ave - M225, Ottawa, ON, Canada, K1Z 7M4