Who we are
DVLCE (“we”, “us”) is a Toronto-based web design and advertising agency. We run advertising.dvlce.ca and the client portal at advertising.dvlce.ca/members. This policy describes how we collect, use, and protect your personal information, in line with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Canada's Anti-Spam Legislation (CASL).
What we collect
- Contact details. Name, email, phone (if you provide it), company name. Collected from the public contact form and from clients we onboard.
- Account credentials. Email and a scrypt-hashed password for the client portal. We never see your raw password.
- Account profile. The site you're associated with, the plan you're on, your invoices, and a reference to the Google Ads sub-account and GA4 property tied to your business.
- Technical data. IP address (request-scoped), user agent, referrer. Standard web-server stuff.
- Analytics. Aggregated GA4 events (page views, form submissions, conversions) if you accepted the cookie banner.
What we do not collect
- We do not collect credit card or bank details directly. Payments (when applicable) go through Stripe.
- We do not collect data from end-users who click on your ads. We only see the aggregate performance numbers Google returns through its API.
- We do not sell or rent your data to anyone, and we do not use it to train AI models.
Why we collect it
- To respond to your inquiry when you contact us.
- To authenticate you when you sign into the client portal.
- To show you your own campaign performance, GA4 numbers, and invoices on the dashboard.
- To manage your Google Ads sub-account under our manager account, on your behalf.
- To send you transactional emails (sign-in links, password resets, invoices, service notices).
- To protect the site from abuse (rate limiting, anti-bot, breach-password checks at signup).
Third-party processors
- Vercel (US) — site hosting.
- Cloudflare (US/Global) — DNS, edge proxy, lead-relay worker.
- Google Firebase / Firestore (US) — portal authentication and user records.
- Google Analytics 4 (US) — analytics on the public site (if you accepted cookies) and the read source for your portal dashboard.
- Google Ads API (US) — campaign management on your behalf, scoped to your sub-account under our MCC.
- Resend (US) — transactional email delivery. ZeptoMail (Canada) is configured as a fallback.
- n8n on our self-hosted NAS (Canada) — lead routing and Discord notifications.
Your rights
- Access. Email us and we'll send you everything we have about you.
- Correction. Tell us what's wrong and we'll fix it.
- Deletion. Email us to delete your account. We complete the purge within 7 days.
- Complaint. File with the Office of the Privacy Commissioner of Canada.
Retention
- Active portal account: while active.
- Deleted account: scrubbed within 7 days.
- Invoicing and tax records: 7 years per CRA requirement, with personal identifiers anonymized once they are no longer legally required.
- Consent records (CASL): 3 years after the relationship ends.
- Lead records from the public contact form: 24 months unless you become a client.
Security
Portal passwords are stored as scrypt hashes. Sessions use secure, HTTP-only cookies. Service-account credentials (Google Ads API, GA4 API, Firebase) live in our internal credential vault and are not exposed to the browser. The portal is served over HTTPS only.
Cookies
We use a single first-party session cookie to keep you signed in. Analytics cookies only fire if you accepted them in the banner. You can change your choice any time by clearing cookies for this site and reloading the page.
International transfers
Some of our processors store data in the United States. By using the portal you consent to your data being processed there. We pick vendors with SCC-equivalent data protection standards.
Changes to this policy
We'll post any material change on this page and bump the “Last updated” date. For substantial changes we'll also email active portal users.
Contact
Privacy questions: privacy@dvlce.ca. We aim to respond within 30 days, per PIPEDA.