Privacy Policy

Verifran ("we," "us," or "our") is a franchise candidate intelligence platform operated in Ontario, Canada. We help franchise candidates assess their readiness through our AI-powered FRS assessment and connect qualified candidates with franchise brands.

For privacy inquiries, contact us at: privacy@verifran.com

We collect the following categories of personal information:

Information you provide directly

• Contact information: email address, name (when provided)
• FRS assessment responses: answers to questions about your financial position, management experience, risk tolerance, lifestyle preferences, and market readiness
• Financial information: general financial ranges disclosed during the Vera conversation (e.g., liquid capital ranges, net worth ranges, investment comfort levels)
• Franchise preferences: categories of interest, geographic preferences, timeline
• Contact form submissions: name, email, message, and inquiry type
• Franchisor registration data: business name, contact details, franchise system information

Information collected automatically

• IP address: used for market detection (country-level only)
• Browser and device information: browser type, operating system
• Usage data: pages visited, assessment completion status, referral source

• To generate your FRS assessment and provide personalized franchise readiness insights
• To match you with franchise brands that align with your profile (only with your explicit consent)
• To provide aggregated, anonymized analytics and industry reports (no individual data is ever disclosed)
• To communicate with you about your assessment results, platform updates, and franchise opportunities (only with your CASL-compliant consent)
• To improve our platform, AI models, and assessment methodology
• To respond to your inquiries and provide customer support

We comply fully with Canada's Anti-Spam Legislation (CASL). This means:

• Express consent required: We will never send you commercial electronic messages without your explicit, opt-in consent
• Clear identification: All emails clearly identify Verifran as the sender with our contact information
• Easy unsubscribe: Every commercial email includes a working unsubscribe mechanism that is processed within 10 business days
• No pre-checked boxes: Consent checkboxes are never pre-selected
• Record-keeping: We maintain records of when and how consent was obtained

As a Canadian organization, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). Our practices align with PIPEDA's 10 fair information principles:

• Accountability: We are responsible for personal information under our control
• Purpose: We identify the purpose for collecting information at or before the time of collection
• Consent: We obtain meaningful consent for the collection, use, and disclosure of personal information
• Limiting collection: We collect only the information necessary for the identified purposes
• Limiting use, disclosure, and retention: Information is used only for the purposes for which it was collected, and retained only as long as necessary
• Accuracy: We keep personal information as accurate, complete, and up-to-date as necessary
• Safeguards: We protect personal information with appropriate security measures
• Openness: This policy makes our practices readily available
• Individual access: You can request access to your personal information
• Challenging compliance: You can challenge our compliance by contacting our privacy officer

Quebec Residents - Law 25

If you are a resident of Quebec, your personal information is also protected under Quebec's Act respecting the protection of personal information in the private sector (Law 25), which imposes additional requirements beyond PIPEDA. This includes enhanced consent standards and the right to data portability in a structured, commonly used technological format. Verifran's use of AI technology (the Vera assessment engine) may constitute an automated decision-making process under Law 25. You have the right to be informed of any such automated processing that produces a decision about you, and to request that a human review any such decision. To exercise this right, contact privacy@verifran.com.

For users in the United Kingdom, European Union, or other jurisdictions with equivalent data protection laws:

• Legal basis: We process your data based on your explicit consent (FRS assessment) and our legitimate interests (platform improvement)
• Data portability: You may request a copy of your data in a machine-readable format
• Right to erasure: You may request deletion of all your personal data
• Right to restriction: You may request that we limit how we process your data
• Data transfers: Your data is stored in Canada, which the EU recognizes as providing adequate data protection

We never share your personal information with franchise brands or any third party without your explicit permission.

Specifically:

• Your FRS results are only shared with franchisors if you explicitly opt in to being discoverable
• We do not sell, rent, or trade your personal information
• We may share anonymized, aggregated data in industry reports (e.g., "the average FRS of candidates in Ontario") - this data can never identify you
• We use third-party service providers (hosting, email delivery, AI processing) who are contractually bound to protect your data and use it only for providing services to us

Service providers we use

• Supabase: Database hosting and authentication
• Vercel: Application hosting
• Anthropic: AI conversation processing (Vera)
• Resend: Transactional email delivery
• Stripe: Payment processing (franchisor subscriptions only)

International Data Transfers

Some of your personal information is processed by service providers located in the United States. Specifically: Anthropic (US) processes Vera conversation transcripts for AI responses; Resend (US) processes your email address for transactional email delivery; Stripe (US) processes payment information for franchisor subscriptions; Vercel (US) hosts the application and processes usage data. By using Verifran, you acknowledge that your information may be transferred to, stored in, and processed in the United States, where privacy laws may differ from those in Canada. In such cases, your data may be subject to access by US government authorities under applicable US law. We require all third-party processors to provide a comparable level of protection to that required under PIPEDA through contractual data processing agreements.

• FRS assessments: Retained for 24 months from completion, then automatically deleted unless you request earlier deletion
• Conversation transcripts: Retained for 12 months for quality improvement, then deleted
• Account data: Retained as long as your account is active, then deleted within 30 days of account closure
• Contact form submissions: Retained for 6 months
• Anonymized analytics data: Retained indefinitely (cannot be linked back to you)

We protect your information using:

• TLS/SSL encryption for all data in transit
• Encryption at rest for stored data
• Access controls limiting who within our team can access personal data
• Regular security reviews of our infrastructure and practices

In the event of a data breach that creates a real risk of significant harm to individuals, we will:

• Notify the Office of the Privacy Commissioner of Canada (OPC) as soon as feasible
• Notify all affected individuals directly as soon as feasible
• Maintain a record of all breaches for a minimum of 24 months

We assess "real risk of significant harm" based on the sensitivity of the information involved, the probability that the information will be misused, and the potential harm to affected individuals including financial loss, reputational damage, or identity theft.

You have the right to:

• Access: Request a copy of all personal information we hold about you
• Correction: Request correction of inaccurate information
• Deletion: Request deletion of your personal data
• Data portability: Receive your data in a structured, machine-readable format
• Withdraw consent: Withdraw your consent for data processing at any time. Please note: withdrawing consent for core data processing (such as your FRS assessment responses) will result in the deletion of your assessment data and loss of access to your FRS report and Validation Hub. Withdrawing consent for marketing communications only will not affect your platform access.
• Opt out: Unsubscribe from marketing communications at any time

To exercise any of these rights, email us at privacy@verifran.com or use our self-serve data deletion page. We will respond within 30 days.

We use essential cookies required for the platform to function (e.g., session management). We do not use third-party advertising or tracking cookies. Analytics data is collected through Vercel Analytics, which does not use cookies and does not track individual users across sites.

Verifran is not intended for individuals under 18 years of age. We do not knowingly collect personal information from minors. If we become aware that we have collected data from a minor, we will delete it promptly.

We may update this privacy policy from time to time. We will notify you of material changes by email (if we have your address) and by posting a notice on our website. For material changes - including new data sharing arrangements, new uses of your personal information, or changes to your rights - we will request fresh consent before the changes take effect. For minor administrative changes, continued use of the platform following notice will constitute acceptance.

For privacy questions, data requests, or complaints: