Skip to content
Log InGet Started

Legal

Privacy Policy

Last updated: May 9, 2026 · Effective: May 9, 2026

VG-Real Estate Services Inc. ("VG Real Estate", "we", "us", or "our") operates the SaaS CRM platform and public marketing website at vg-realestate.ca (together, the "Service"). This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information, in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's Anti-Spam Legislation (CASL), the Ontario Consumer Protection Act, and other applicable Canadian laws.

By creating an account or using the Service, you consent to the collection and handling of your personal information as described in this Policy. If you do not agree, please do not use the Service.

1. Who This Policy Applies To

This Policy applies to:

  • Subscribers — licensed Canadian real estate professionals, brokerages, and team members who hold a VG Real Estate CRM account.
  • Website visitors — anyone browsing our public marketing pages, property listings, or blog.
  • Consumers — buyers, sellers, tenants, and business owners who submit inquiry forms, valuation requests, or contact our agents through the Service.
  • Contacts — individuals whose information is entered into a Subscriber's CRM (their clients, leads, and cooperating agents). For Contact data, the Subscriber is the data controller and VG Real Estate is the data processor.

2. Information We Collect

2.1 Account information — name, email address, phone number, brokerage name, licence number (optional), profile photo, hashed password, two-factor authentication (2FA/TOTP) secret, and Google OAuth identifiers when you sign in with Google.

2.2 Billing information — subscription plan, billing cycle, invoice history, and partial payment details returned by Stripe (last 4 digits, card brand, expiry). We do not see or store full payment card numbers. Full card details are handled exclusively by Stripe, Inc., a PCI-DSS Level 1 service provider.

2.3 CRM content you create — client contacts, property listings, deals, calendar events, notes, tasks, uploaded documents, generated OREA contracts, and email threads you connect via Gmail/Outlook OAuth. This is your data; we act as processor.

2.4 Public listing inquiry data — when a consumer submits the contact form on a property listing or the valuation request form, we collect the name, email, phone number, and message, and route it to the listing agent or VG operations team.

2.5 Technical and usage data — IP address, user-agent, device type, pages visited, feature interactions, approximate geolocation from IP, referrer URL, and error logs. Used for security, fraud prevention, analytics, and debugging.

2.6 Cookies and similar technologies — see our Cookie Policy.

2.7 MLS data — we retrieve listing data from the Toronto Regional Real Estate Board (TRREB) via the AMPRE RESO Web API under licensed IDX and DLA feeds. MLS data is shown to Subscribers and website visitors subject to TRREB's data display terms.

3. How We Use Your Information

We use personal information for the following purposes, consistent with PIPEDA's identification-of-purposes principle:

  • Provide the Service — authenticate you, store your CRM data, deliver features, sync email, generate contracts, and display MLS listings.
  • Process billing — charge subscription fees, calculate HST (13% for Ontario customers via Stripe Tax), issue invoices, and handle refunds.
  • Communicate with you — send transactional emails (account confirmation, password reset, invoices, security alerts, plan-limit notices) and, with your consent under CASL, commercial electronic messages such as product updates and newsletters.
  • Support and safety — respond to support tickets, investigate abuse, enforce our Acceptable Use Policy, and prevent fraud.
  • Improve the Service — analyze aggregated, de-identified usage to improve features and performance.
  • Legal compliance — comply with tax, anti-money-laundering, records-retention, and court obligations.

We do not sell your personal information. We do not use your CRM Contact data, email content, or generated contracts to train third-party AI models, nor for advertising.

4. Automated Decision-Making and AI Features

The Service uses artificial-intelligence features to assist you. When you use these features, limited content you explicitly submit is transmitted to our AI sub-processors and returned to you as a suggestion — no automated decision produces a legal or similarly significant effect without your review and approval.

  • VG Assistant, summarization, drafting (email replies, contract clauses, feedback analysis) — powered by Anthropic Claude, operated by Anthropic, PBC.
  • You review and edit every draft before sending or filing.
  • No training on your data — Anthropic's Commercial Terms of Service, which govern our API usage, prohibit the use of customer inputs or outputs to train Anthropic's foundation models.
  • Opt-out — you may disable AI features on any paid plan by contacting privacy@vg-realestate.ca. Plan pricing is unchanged.

5. Gmail Integration and Google API Limited Use

When you connect a Gmail account to VG Real Estate CRM, we request a single Google OAuth scope: https://www.googleapis.com/auth/gmail.modify. We use this access only to:

  • Display your inbox threads inside the CRM email module so you can read client correspondence next to the relevant deal or contact.
  • Compose and send replies, and save drafts, from your Gmail account when you click "Send" or "Save Draft" inside the CRM.
  • Mark messages as read, archive, or apply labels when you act on them inside the CRM.

We do not:

  • Permanently delete your messages or thread history.
  • Allow human review of your Gmail data, except (i) when you give explicit written consent for us to investigate a support issue, (ii) where required by applicable law, or (iii) for security investigations to protect the integrity of the Service, where the data is aggregated and de-identified for those purposes.
  • Use Gmail data to develop, improve, or train any artificial-intelligence or machine-learning models, whether ours or any third party's.
  • Sell, rent, or transfer Gmail data to data brokers, advertising networks, or other parties for advertising or marketing purposes.
  • Allow third parties to access Gmail data, except sub-processors strictly necessary to operate the Service (listed in Section 6) and only under written confidentiality and data-processing agreements.

Storage and retention. OAuth access and refresh tokens are stored encrypted at rest in our database and are used only to call the Gmail API on your behalf. Message metadata (sender, recipient, subject, snippet, timestamps) and limited message bodies are cached in our database to power CRM features such as search and association with deals or contacts. The cache is purged within 30 days of you disconnecting the Gmail account or deleting your VG Real Estate account.

Revoking access. You can disconnect your Gmail account at any time from inside the CRM (Email → account settings → Disconnect). Disconnection revokes our OAuth grant. You can also revoke our access directly from your Google Account at myaccount.google.com/permissions. On revocation, we delete your Gmail-derived cached data within 30 days.

Limited Use disclosure. VG-Real Estate Services Inc.'s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

6. Sharing of Information — Sub-Processors

We share personal information only with carefully selected service providers who process data on our behalf under written data-processing agreements. We do not sell or rent personal information. Our current sub-processors are:

  • Stripe, Inc. — payment processing, billing, tax calculation (Stripe Tax). USA / Ireland.
  • Neon, Inc. — managed PostgreSQL database hosting. USA.
  • Vercel, Inc. — application hosting and edge delivery. USA with global CDN.
  • Google LLC — Google Workspace (company email), Google OAuth sign-in, Gmail integration, Google Fonts.
  • Anthropic, PBC — Claude AI for drafting, summarization, and in-CRM assistance.
  • Cloudflare, Inc. — Turnstile CAPTCHA and bot protection.
  • Geocodio, LLC — address-to-coordinate lookup for property maps.
  • Toronto Regional Real Estate Board (TRREB) via AMPRE / PropTx — licensed MLS data feed.
  • Documenso / e-signature provider — electronic signature for contracts (planned; rolled out when enabled for your account).

We may also disclose information (a) to comply with law, court order, or regulatory request; (b) to enforce our Terms of Service or protect our rights, property, or safety or that of users or the public; or (c) in connection with a merger, acquisition, financing, or sale of assets, subject to equivalent privacy commitments.

7. Where Your Data Is Stored (Cross-Border Transfers)

Your personal information is stored and processed on servers located in Canada and the United States, depending on the service. While stored outside Canada, your information remains subject to the laws of the host jurisdiction, including lawful access by foreign authorities. We require all sub-processors to apply safeguards at least equivalent to those required under PIPEDA.

8. Data Retention

We retain personal information only for as long as necessary for the purposes identified in this Policy or as required by law.

  • Active account data — retained while your subscription is active.
  • After account deletion — your CRM content and account profile are permanently deleted within 30 days, except for data subject to legal holds.
  • Billing and tax records — retained for 7 years as required by the Income Tax Act and Excise Tax Act (Canada).
  • Audit and security logs — retained for up to 24 months for fraud prevention and incident investigation.
  • Backups — encrypted backups may persist for up to 35 days before being overwritten.

9. Data Security

We apply administrative, technical, and physical safeguards proportional to the sensitivity of the information, including:

  • TLS 1.2+ encryption in transit for all traffic.
  • Encryption at rest for database, file storage, and backups.
  • Role-based access control, least-privilege admin access, and full audit logging.
  • Two-factor authentication (2FA/TOTP) available to all users; required for admin roles.
  • Cloudflare Turnstile protection on authentication endpoints.
  • Rate limiting and security headers (CSP, HSTS, X-Frame-Options) on both public and CRM surfaces.
  • Passwords hashed with industry-standard algorithms; full card numbers never touch our servers.

No system can be guaranteed 100% secure. We continually monitor and improve our safeguards.

10. Breach Notification

In the event of a breach of security safeguards involving personal information under our control that creates a real risk of significant harm, we will, in accordance with PIPEDA's Breach of Security Safeguards Regulations:

  • Notify affected individuals as soon as feasible (typically within 72 hours of confirmation).
  • Report the breach to the Office of the Privacy Commissioner of Canada.
  • Maintain a record of the breach for at least 24 months.

11. Your Rights Under PIPEDA

You have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate or incomplete information.
  • Withdraw consent for optional uses of your data (which may limit service availability).
  • Request deletion of your account and associated personal information.
  • Export your CRM data in a portable format (CSV or JSON on request).
  • File a complaint with us or with the Office of the Privacy Commissioner of Canada (priv.gc.ca).

To exercise any right, email privacy@vg-realestate.ca from the address on file. We respond within 30 days.

12. CASL — Commercial Electronic Messages

Marketing emails from VG Real Estate are sent only with express or implied consent as defined by Canada's Anti-Spam Legislation. Every marketing email includes sender identification, a physical mailing address, and a one-click unsubscribe link that is honoured within 10 business days.

Transactional messages required to operate your account (billing, security, service notices) are not subject to CASL unsubscribe requirements.

When Subscribers use the Service to send commercial emails to their own contacts, the Subscriber is the sender under CASL and is solely responsible for obtaining consent, maintaining records, and honouring unsubscribe requests.

13. Children

The Service is not directed to individuals under 18 and we do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, contact us and we will delete it.

14. Third-Party Links

The Service contains links to third-party websites (e.g., brokerage sites, social networks, Stripe checkout). We are not responsible for their privacy practices. Review each third party's privacy policy before providing personal information.

15. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email to the address on file and post a prominent notice in the Service at least 14 days before the change takes effect. The "Last updated" date above reflects the current version.

16. Contact Us and Privacy Officer

Our Privacy Officer handles all privacy-related requests, questions, and complaints.

VG-Real Estate Services Inc.

Attn: Privacy Officer

Toronto, Ontario, Canada

Privacy: privacy@vg-realestate.ca

General: hello@vg-realestate.ca

Support: support@vg-realestate.ca

If we are unable to resolve your concern, you may contact the Office of the Privacy Commissioner of Canada at 1-800-282-1376 or priv.gc.ca.