RDV & CieRDV& Cie

Privacy Policy

Last updated: May 3, 2026

1. Who We Are

RDV & Cie ("we", "us", "our") is a booking platform for businesses in Quebec, Canada. Our platform is operated in compliance with Quebec Law 25 (An Act to modernize legislative provisions as regards the protection of personal information) and the federal Personal Information Protection and Electronic Documents Act (PIPEDA).

Privacy Officer contact: privacy@rdvetcie.com

2. Information We Collect

  • Account information: full name, email address, password (hashed), account role
  • Booking data: appointment dates, times, services booked, location, notes
  • Business data (owners): business name, locations, services
  • Communication data: email confirmations and notifications
  • Payment data: when a business uses Square for payment processing, your name, email, and phone may be shared with Square to create a customer profile. Credit card information is collected and stored exclusively by Square — we never store card numbers.
  • Technical data: IP address, browser type, session tokens (essential cookies only, unless you consent to analytics)
  • Consent records: date and time of privacy acceptance at account creation
  • Google Calendar data (therapists): when you connect Google Calendar, we access your calendar events (date, time, title) to block your availability. Only the event time is stored; event titles are used for display only and not permanently stored. Bookings synced to your Google Calendar contain only the platform name as the event title — no client names, service details, or pricing.

3. Purposes of Collection

We collect personal information solely for the following purposes, all of which are disclosed at the time of collection and require your explicit consent:

  • Creating and managing your account
  • Processing and managing appointments and bookings
  • Sending booking confirmations and appointment reminders
  • Enabling business owners to manage their team and schedule
  • Processing subscription payments (via Stripe)
  • Processing booking payments, card-on-file storage, and no-show charges (via Square, when enabled by the business)
  • Improving platform performance and fixing technical issues (analytics, with consent)
  • Complying with applicable laws

We do not sell your personal information to third parties.

4. Third-Party Services

  • Stripe: Subscription payment processing. Subject to Stripe's Privacy Policy.
  • Square: Booking payment processing, card-on-file storage, and refunds. When a business enables Square payments, your name, email, and phone number are shared with Square to create a customer record. Credit card data is collected via Square's Web Payments SDK and stored exclusively on Square's servers — we only store a reference ID, last 4 digits, and card brand for display purposes. Subject to Square's Privacy Policy (https://squareup.com/legal/privacy).
  • Resend: Transactional email delivery. Subject to Resend's privacy policy.
  • Google / Facebook: Optional OAuth sign-in. Subject to their respective privacy policies.
  • OpenStreetMap Nominatim: Location addresses are sent to OpenStreetMap's geocoding service to compute geographic coordinates for map display and local search. Only the resulting coordinates are stored. Subject to the OpenStreetMap Foundation's Privacy Policy.
  • Object Storage (S3-compatible): Uploaded images (business logos, therapist photos) are stored on S3-compatible cloud storage. Public images are accessible via direct URL; private files require authenticated access.
  • Google Calendar API: When therapists enable Google Calendar sync, we use the Google Calendar API to read calendar events and create booking events. Calendar access tokens are encrypted at rest. You can disconnect Google Calendar at any time from your settings. Subject to Google's Privacy Policy.
  • Google Analytics: With your explicit consent, we use Google Analytics 4 to collect anonymized usage data (pages visited, session duration, general location by country/region). Google Analytics uses cookies to distinguish users. No personally identifiable information is sent to Google. You can withdraw consent at any time via the cookie banner. Subject to Google's Privacy Policy.

All third-party processors are bound by data processing agreements consistent with Law 25 requirements.

5. Data Retention

We retain personal information for as long as your account is active and for a period of 7 years after account closure, as required for business and tax compliance. Booking records may be retained for the same period. You may request early deletion subject to legal obligations.

6. Your Rights (Law 25 / PIPEDA)

Under Quebec Law 25 and PIPEDA, you have the right to:

  • Access: Request a copy of all personal information we hold about you
  • Rectification: Correct inaccurate or incomplete information
  • Deletion: Request deletion of your personal information ("right to be forgotten")
  • Portability: Receive your data in a structured, machine-readable format
  • Withdraw consent: Withdraw consent at any time (may affect your ability to use the service)
  • Lodge a complaint: File a complaint with the Commission d'accès à l'information du Québec (CAI) or the Office of the Privacy Commissioner of Canada

To exercise your rights, contact our Privacy Officer at privacy@rdvetcie.com. We will respond within 30 days.

7. Cookies

We use essential cookies required for authentication and platform functionality. With your explicit consent, we also use Google Analytics cookies to collect anonymized usage statistics and improve the platform. These analytics cookies are only set after you click "Accept All" in the cookie consent banner. You can manage your cookie preferences at any time through the consent banner or by clearing your browser's local storage.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including bcrypt password hashing, TLS encryption in transit, and access controls. In the event of a data breach affecting your rights, we will notify you and the applicable authority within the legally required timeframe (72 hours for serious incidents under Law 25).

9. Marketplace Profiles

When business owners opt in to the public marketplace, their business name, description, logo, therapist photo, services, prices, location city, modalities, and certifications become publicly visible and indexable by search engines. Uploaded images (business logos, therapist photos) are stored on our servers; images on public profiles are publicly accessible. Location addresses are sent to OpenStreetMap's Nominatim service to compute geographic coordinates for map display and local search — only the resulting coordinates are stored.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via a prominent notice on the platform at least 30 days before the changes take effect.

Questions? privacy@rdvetcie.com | Terms of Service