Privacy Policy
Last updated: May 3, 2026
ParkOnce Inc. is a British Columbia-incorporated business. We are committed to handling your personal information consistent with our obligations under British Columbia's Personal Information Protection Act (PIPA) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
This policy describes what we collect, why, how long we keep it, and how you can ask us to correct or delete it.
1. Accountability
ParkOnce Inc. is accountable for the personal information under our control.
Under PIPA, "personal information" means information about an identifiable individual, but not business contact information used to contact someone at a place of business, and not work product information.
2. What we collect, and why
We collect the minimum personal information needed to run a parking scanner that points you at the right provider app or website.
| What we collect | Source | Why |
|---|---|---|
| Device identifier | iOS identifierForVendor or Android ANDROID_ID | Lets us link a returning user's previous scans on the same install, without asking you to create an account. Reset by reinstalling the app. |
| GPS location (latitude / longitude, the OS-reported accuracy radius in metres, and a coarse fix-source bucket: "gps", "wifi", "cell", or "none") | Your phone's location service, with your permission | Find nearby parking zones; cross-check whether a scanned QR code matches the location it claims to be from (anti-scam) |
| Scan events: for every scan we record what method you used (QR scan, camera text scan, or typed), what was actually input (the QR URL, the recognized zone code, or the code you typed), what we routed you to, whether the scan was flagged as suspicious, what the outcome was, and how long recognition took. For camera text scans we additionally keep a small audit trail (what the recognizer originally returned vs the corrected zone we displayed) so we can debug accuracy regressions. For QR scans we keep the issuing date of the destination's SSL certificate. | Generated in-app each time you scan | Detect fraudulent QR stickers; measure recognition accuracy; detect when a parking provider quietly switches to a new URL pattern |
| Parking sessions: when a scan leads to a payment hand-off, we record which provider you were routed to, the URL we opened, and a link back to the originating scan event | Generated in-app when you tap a chip and we open the provider | Reconcile "did this scan turn into a paid session?" for end-to-end success metrics; respond to "your app sent me to the wrong provider" support requests |
| Technical telemetry: app version, native build number, OS name + version, and device model (e.g. "iPhone 14 Pro") | Stamped on every scan event from the device | Pinpoint which build, OS, or device a regression came from when accuracy or latency drops. These are device-class diagnostics, not tracking identifiers. |
We do not upload photos of signs to our servers. The text-recognition model runs entirely on your device; only the recognized text is sent.
| What we do not collect | Why |
|---|---|
| Your name | No account is required to use ParkOnce |
| Your email address | Same reason as above. No account, no marketing list. |
| Your phone number | Nothing in the app uses it |
| Your payment information | You pay the parking provider directly; we never see your card |
| Your home address | Not relevant to scanning a parking sign |
| Your license plate | The app neither asks for nor stores plate numbers |
| Photos of parking signs | The on-device camera frames are processed by an on-device text-recognition model and immediately discarded; nothing leaves your phone except the recognized text |
We collect on the basis of implied consent: by installing and using ParkOnce, you consent to the collection and uses described in this policy. You can withdraw consent at any time by uninstalling the app and emailing privacy@parkonce.app to request deletion of any data we hold tied to your device.
3. How we use and share your information
We use the information above only for the purposes listed in section 2.
We do not sell your information. We do not share it for advertising purposes.
We share your information with the following service providers, who process it on our behalf under data processing agreements that require them to handle it consistent with our obligations under PIPA and PIPEDA:
- A database provider that stores the scan-event and parking-session rows described in section 2. Data is hosted in AWS Canada Central (Montreal).
- A product-analytics provider that receives anonymous event metadata tied to your device identifier so we can compute per-device metrics like scan-success rate and drop-off. We never send raw scanned URLs, zone codes, or precise GPS to this provider. The events we send are limited to provider names, recognized-or-not booleans, scam-warning reasons, payment-handoff events, and recognition timing.
- An error-monitoring provider that receives a stack trace and a recent breadcrumb trail when the app encounters an error. The OCR pipeline attaches breadcrumbs that include short fragments of text the recognizer saw (capped at 80 characters per block) so we can debug recognition failures from the field. These breadcrumbs are only transmitted when an error fires, not on every scan.
- A transactional email provider that we use only for our internal reporting (retention-job alerts, weekly scrape summaries), not for messaging users.
If you want the current vendor names, email privacy@parkonce.app and we will share them.
We will disclose your information where required by law (for example, in response to a court order, subpoena, or search warrant).
4. How long we keep your information (retention and anonymization)
We anonymize scan data in two stages.
Stage 1 (Day 0 to Day 90): linkable to your device
For the first 90 days after a scan we keep the device identifier on the scan event so we can:
- respond to a "your app sent me to the wrong provider" support request and reconstruct what you scanned,
- investigate a freshly reported scam QR sticker,
- compute per-device metrics (e.g. how many scans an install does before its first paid session) for product analytics.
Stage 2 (Day 90 onward): anonymized
90 days after a scan, an automated retention job nulls the device identifier on the scan event. From that point forward the row cannot be tied back to your device. The remaining columns (the recognized zone, the recognized provider, what we routed to, the outcome of the route, the OCR audit trail, the certificate-age signal, recognition timing, GPS coordinates, and the technical telemetry: app version, OS, device model) stay in the database indefinitely as anonymous operational data.
Why we keep that anonymous tail forever:
- Fraud detection. When someone reports a scam QR after the fact, we pattern-match the URL against earlier scans to find related scams. Removing the URL would close that audit trail.
- Accuracy regressions. When a build introduces an OCR regression, we replay the historical OCR audit trail through the new code to verify the fix.
- Provider URL drift. Parking providers occasionally change their URL formats without notice; the historical scan record is how we notice and update routing.
Once the device identifier is nulled, the GPS coordinates, zone, and URL belong to the sign, not the user. Zone codes are publicly printed and provider URLs are provider-controlled, so retaining them without the device link does not re-identify anyone.
| What | When | What happens |
|---|---|---|
| Device identifier on scan events | 90 days after the scan | Permanently nulled by the retention job |
| All other scan-event columns (recognized zone, OCR audit, GPS, timing, certificate signal, technical telemetry, raw scanned URL or code) | n/a | Retained indefinitely as anonymous operational data, no longer linkable to a person |
| Parking-session rows (when you tapped through to pay) | n/a | Retained indefinitely; tied to the originating scan event, which itself anonymizes at 90 days |
The retention job runs daily and alerts us if a run silently fails. A missed run would leave us out of compliance with this policy.
If you want your data deleted before the 90-day mark, email privacy@parkonce.app with the device identifier shown in app Settings; we will delete every row tied to that device.
5. Keeping your information accurate
For any correction request, email privacy@parkonce.app and we will respond within 30 business days.
If we correct your information and we have shared it with a service provider in the past year, we will pass the correction along to them.
6. How we protect your information
We use reasonable security measures to protect your information from unauthorized access, collection, use, disclosure, or disposal:
- Data in transit is encrypted with TLS.
- Data at rest is encrypted by Supabase / AWS.
- Database access is restricted by row-level security policies. The app's keys cannot reach our internal reporting tables; only our service role can.
- We separate analytics events (no scanned URLs, no raw scan input) from operational data so a leak of one cannot expose the other.
If a privacy breach occurs and there is a real risk of significant harm to you, we will notify you and the Office of the Privacy Commissioner of Canada where required by PIPEDA (s. 10.1).
7. Accessing your information
Under PIPA, you have the right to ask:
- what personal information about you we hold,
- how it has been or is being used, and
- to whom it has been disclosed.
To make a request, write to us by email at privacy@parkonce.app. We may ask you to verify your identity (for example, by scanning from the device on file, or providing the device identifier shown in app Settings) before releasing data tied to that device.
We will respond within 30 business days.
8. Complaints
If you are not satisfied with how we handle your personal information, you can contact us first at privacy@parkonce.app. We will respond as quickly as possible.
If you remain unsatisfied, you have the right to complain to the Office of the Information and Privacy Commissioner for British Columbia:
PO Box 9038, Stn Prov Govt
Victoria, B.C. V8W 9A4
info@oipc.bc.ca · (250) 387-5629
oipc.bc.ca
For complaints about cross-border or federal-private-sector matters, contact the Office of the Privacy Commissioner of Canada: priv.gc.ca.
9. Changes to this policy
If we change this policy, we will update the "Last updated" date at the top. Substantive changes (new categories of data, new processors, longer retention periods) will be highlighted on the page for 30 days after the change.
What is not in this policy
This policy covers the consumer ParkOnce app and parkonce.app website. It does not cover:
- Privacy agreements with cities and parking authorities that license ParkOnce data feeds (those are governed by separate contracts and in some cases by BC's Freedom of Information and Protection of Privacy Act, FOIPPA).
- Privacy agreements with parking providers (HotSpot, PayByPhone, HONK, etc.). When you tap through to a provider, their privacy policy applies to anything you do in their app.