Privacy Policy

Last updated: April 3, 2026

1. About This Policy

HonkIO (“we”, “our”, “us”) is committed to protecting the privacy of our customers and end-users in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Act respecting the protection of personal information in the private sector (Law 25), and other applicable provincial privacy laws. This policy explains how we collect, use, and protect personal information.

2. Information We Collect

Account information: Name, email address, billing information, and API credentials when you create an account.

Message data: Phone numbers (sender and recipient), message content, delivery timestamps, and status information when you send SMS messages through our API.

Consent records: CASL consent records you submit, including phone numbers, consent type, timestamp, IP address, and consent description.

Usage data: API call logs, rate limit events, and billing ledger entries for operational and compliance purposes.

3. Data Residency & Cross-Border Transfers

What stays in Canada: All personal information is stored in Canada. Our database (Supabase PostgreSQL) and in-memory cache (Upstash Redis) are hosted in the ca-central-1 region (Montréal, Québec). No personal information is written to disk outside Canadian jurisdiction.

Cross-border processing: HonkIO's API application layer is currently hosted on infrastructure that may be located outside Canada (United States). Personal information (including phone numbers, message content, and consent data) may be transmitted to and processed by such infrastructure on each API request before being written to Canadian-hosted storage. HonkIO intends to migrate the API layer to Canadian-hosted infrastructure; until that migration is complete, this cross-border processing may occur.

Quebec Law 25 disclosure: Prior to implementing this architecture, HonkIO conducted a Privacy Impact Assessment (PIA) as required by Quebec Law 25 (Loi 25) §3.3. The PIA concluded that adequate contractual and technical safeguards are in place, including: a Data Processing Agreement with our API host requiring confidentiality and prohibiting secondary use; TLS 1.3 encryption in transit; no host-side data persistence; and access limited to application execution. A summary of the PIA is available to enterprise customers upon request at privacy@honkio.ca.

We will notify affected customers before any material change to this cross-border transfer arrangement.

4. How We Use Personal Information

  • Providing and operating the SMS gateway service
  • Processing billing and managing account credits
  • Enforcing CASL consent rules and DNCL compliance on your behalf
  • Generating compliance audit logs as required by CASL
  • Communicating service updates, security notices, and billing alerts
  • Detecting and preventing fraud and abuse

We do not sell personal information. We do not use message content for advertising or model training.

5. Data Retention

Message content is retained for 90 days by default. Customers may configure shorter retention periods via API. Message metadata (sender, recipient, timestamps, status) is retained for 3 years for billing and compliance purposes.

CASL consent audit records are retained for a minimum of 3 years from the date of last consent or opt-out, as recommended by the CRTC.

Account data is retained for the life of the account plus 12 months after account closure.

6. Your Rights (PIPEDA & Law 25)

You have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate personal information
  • Withdraw consent to processing (subject to legal and contractual restrictions)
  • Erasure (right to be forgotten): Request deletion of personal information via the DELETE /v1/compliance/erasure API endpoint or by emailing privacy@honkio.ca
  • Data portability: Receive a copy of your data in a machine-readable format
  • Lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca

Quebec residents also have rights under Law 25, including the right to be informed of automated decision-making affecting them.

7. Third-Party Service Providers

We share limited data with the following Canadian-compliant processors:

  • Telnyx LLC (United States) — telecom carrier aggregator. Phone numbers and message content are transmitted to Telnyx for delivery. Telnyx has signed a Data Processing Addendum with HonkIO.
  • API infrastructure host (may be located outside Canada) — API application hosting. Personal information may be processed in transit through this infrastructure on each request. No personal data is persisted by the host. A Data Processing Agreement is in place restricting use to service delivery only.
  • Supabase Inc. — database hosting, restricted to ca-central-1 (Montréal). All persistent personal data is stored here.
  • Upstash Inc. — Redis cache hosting, restricted to ca-central-1 (Montréal). Used for rate limiting and session state.
  • Stripe Inc. (United States) — payment processing. Billing information is handled directly by Stripe and not stored by HonkIO.

We have Data Processing Agreements in place with all processors that handle personal information. Processors whose infrastructure may be located outside Canada are subject to additional contractual safeguards as documented in our PIA.

8. Security

We implement industry-standard security measures including TLS 1.3 in transit, AES-256 at rest, API key hashing (bcrypt), HMAC webhook signatures, and network-level access controls. API keys are hashed before storage — we cannot recover your key if lost. We perform regular security assessments and log all privileged access.

9. Cookies and Tracking

Our marketing website uses minimal first-party cookies for session management and analytics. We do not use third-party advertising cookies. The API itself does not use cookies — authentication is via API keys in request headers.

10. Privacy Impact Assessments

Pursuant to Quebec Law 25 §3.3, HonkIO conducts Privacy Impact Assessments (PIAs) before implementing new data flows involving personal information outside Quebec.

A PIA was completed on April 3, 2026, covering the cross-border transfer of personal information through HonkIO's Railway-hosted API (see §3 above). The assessment reviewed the sensitivity of data in transit, the legal framework of the receiving jurisdiction (United States), contractual protections in place, technical controls, and residual risks. The PIA concluded that adequate protection exists and the transfer may proceed. PIA summaries are available to enterprise customers upon written request to privacy@honkio.ca.

11. Contact Our Privacy Officer

Our designated Privacy Officer can be reached at:

HonkIO Privacy Officer
Email: privacy@honkio.ca
For erasure requests, use the API endpoint or email above with subject line “Erasure Request”.

12. Changes to This Policy

We will notify you of material changes to this Privacy Policy by email at least 14 days before they take effect. The “last updated” date at the top of this page will always reflect the current version.