Privacy Policy
Last updated: July 2, 2026
MarkPaid is operated by Bspoke Ventures Inc. (MarkPaid, we, us, or our). This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information when we provide the MarkPaid website, application, integrations, support, billing, and related services (the Service).
We are a Canadian business based in Quebec. This policy is intended to support our obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Act respecting the protection of personal information in the private sector as amended by Law 25, Canada's Anti-Spam Legislation (CASL) where applicable, substantially similar provincial private-sector privacy laws, and privacy commitments relevant to SOC 2 trust services reviews. This policy is not legal advice to our customers.
MarkPaid helps businesses follow up on unpaid invoices and stop follow-ups when invoices are paid. To protect customers, debtors, and our own security posture, this policy describes our privacy practices at a practical level without publishing sensitive internal control details, security procedures, credentials, or proprietary operating methods. We provide deeper security and compliance evidence through controlled review channels, including our Trust Center where available.
1. Scope and roles
This policy applies to personal information we process in connection with the Service. Depending on the context, MarkPaid may act as:
- a business or controller for account, website, billing, security, support, and direct relationship data; and
- a service provider or processor for customer, invoice, payment-status, communication, and integration data that our customers upload, sync, or instruct us to process.
Our customers remain responsible for deciding what personal information they submit to the Service and for having the authority, notices, and consents required to contact their own customers through email, SMS, voice, or other channels.
2. Personal information we collect
a) Account and team information
- Name, work email address, company name, role, account settings, and support requests
- Authentication, authorization, session, and security records
- Billing contact details, plan information, and payment-related metadata
b) Customer, invoice, and receivables information
- Customer names, business contact details, invoice numbers, balances, due dates, and payment status
- Notes, case history, follow-up status, and related receivables workflow records
- Message templates, delivery status, replies, call metadata, and communication history
c) Integration information
If you connect accounting, legal-practice, payment, import, or API integrations, we process information needed to operate those integrations, such as:
- customer, matter, invoice, payment-status, and account metadata from connected systems;
- CSV import fields, mapping choices, webhook events, and sync logs; and
- integration tokens or credentials, which are protected and not exposed in public policy materials.
d) Website, device, and security information
- IP address, device and browser information, approximate location, pages visited, and referral source
- usage events, diagnostics, error reports, security logs, audit records, and fraud-prevention signals
3. How we collect information
We collect personal information from:
- you, when you visit our website, create an account, use the Service, contact us, or request support;
- our customers, when they upload, import, or enter customer and invoice information;
- connected third-party systems, when an authorized customer enables an integration; and
- service providers and security tools that help us operate, monitor, protect, and improve the Service.
We collect only the personal information that is reasonably necessary for identified, legitimate purposes or that we are otherwise permitted or required to collect by law.
4. How we use information
We use personal information for the following purposes:
- to provide, configure, maintain, and support the Service;
- to sync invoice, customer, matter, and payment-status data from authorized integrations;
- to send service-related invoice follow-ups, notifications, and transactional communications as instructed by our customers;
- to detect payment status and stop follow-up workflows when invoices are paid;
- to authenticate users, administer accounts, process billing, and respond to support requests;
- to monitor reliability, troubleshoot errors, prevent abuse, investigate security events, and maintain audit records;
- to comply with legal, regulatory, contractual, accounting, tax, dispute-resolution, and audit obligations; and
- to improve the Service using aggregated, de-identified, or limited operational information where appropriate.
We do not sell personal information. We do not use customer invoice, debtor, or receivables data for third-party advertising or to build unrelated marketing profiles.
5. Consent, authority, and lawful communications
We seek meaningful consent where required and rely on other legal permissions where applicable, including to provide requested services, protect security, satisfy legal obligations, or process information on behalf of our customers. If we ask for consent, we aim to describe the personal information involved, the purposes, the relevant service providers or categories of service providers, and any material consequences in clear language.
Customers must ensure they have the notices, permissions, consents, and lawful bases required to upload or sync personal information into MarkPaid and to send invoice follow-up messages, including obligations under CASL and other laws governing commercial electronic messages, SMS, voice communications, and debt or receivables-related communications.
Where consent may be withdrawn, withdrawing consent may limit our ability to provide some parts of the Service. We will explain practical consequences when we respond to a withdrawal request.
6. AI and automated processing
MarkPaid may use automated systems for limited service-supporting functions, such as:
- mapping imported columns and normalizing integration data;
- helping customers configure templates or workflows; and
- detecting technical, security, sync, or delivery issues.
We do not use customer invoice or debtor data to train third-party foundation models. We do not use the Service to make exclusively automated decisions that determine a person's creditworthiness, legal rights, or eligibility for goods or services. If this changes in a way that requires notice or consent, we will update our notices before implementing the change.
7. Disclosure and service providers
We disclose personal information only as needed for the purposes described in this policy, with consent where required, or as permitted or required by law. We may disclose personal information to:
- hosting, database, authentication, storage, monitoring, and infrastructure providers;
- email, SMS, voice, and workflow providers used to deliver customer-directed communications;
- accounting, legal-practice, payment, import, API, and integration providers authorized by a customer;
- billing, support, security, compliance, legal, accounting, and audit providers;
- public authorities, regulators, law enforcement, or courts where legally required or necessary to protect rights, safety, or security; and
- successors or potential successors in a merger, financing, acquisition, reorganization, or sale of assets, subject to appropriate confidentiality obligations.
We use contracts and vendor-review processes designed to require service providers to protect personal information, use it only for authorized purposes, and notify us of relevant confidentiality or security incidents. This Privacy Policy is our public summary of subprocessors, transfer posture, and privacy governance. Detailed contracts, security evidence, and operational control descriptions are shared only through controlled channels.
8. Storage, transfers, and processing outside Quebec or Canada
MarkPaid and our service providers may store or process personal information outside Quebec and outside Canada, including in the United States and other jurisdictions where our providers operate. Personal information processed outside your province or country may be subject to lawful access requests by courts, law enforcement, national security authorities, or regulators in those jurisdictions.
Before using service providers or transferring personal information outside Quebec where Law 25 applies, we assess factors such as the sensitivity of the information, the purpose of processing, contractual safeguards, security measures, and the legal framework in the receiving jurisdiction. We use contractual, organizational, and technical safeguards appropriate to the sensitivity of the information and the role of the provider.
9. Security, confidentiality, and SOC 2
We maintain administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, use, disclosure, loss, and alteration. These safeguards include measures for access control, authentication, encryption where appropriate, tenant separation, logging, monitoring, vendor review, incident response, change management, and personnel access governance.
No system is perfectly secure, and we do not publish detailed security procedures that could weaken the Service or reveal proprietary controls. For procurement, legal, or security reviews, we provide appropriate SOC 2-related trust evidence and security information through controlled channels such as our Trust Center, nondisclosure process, or customer review packet.
10. Retention and deletion
We retain personal information only as long as reasonably necessary for the purposes described in this policy, for customer instructions, or for legal, security, accounting, audit, dispute-resolution, backup, or compliance obligations. Retention periods vary based on the type of record and the context in which it is processed.
- Account and billing records are kept while an account is active and for a reasonable period afterward.
- Customer, invoice, integration, and communication records are retained according to customer instructions, service settings, and lawful operational needs.
- Security, audit, webhook, delivery, support, and diagnostic records may be retained for separate periods to protect the Service and preserve evidence.
- Backups and provider logs may persist for limited periods before routine deletion or overwrite.
When personal information is no longer required, we delete, anonymize, or de-identify it according to our retention practices, unless we are required or permitted to retain it.
11. Your privacy rights
Subject to legal limits and verification requirements, you may have the right to:
- request access to personal information we hold about you;
- request correction of inaccurate or incomplete personal information;
- withdraw consent where processing is based on consent;
- request deletion, de-indexing, or cessation of dissemination where applicable;
- request portability of computerized personal information collected from you in a structured, commonly used technological format where required by Quebec law;
- ask about our collection, use, disclosure, retention, service providers, and cross-border processing; and
- challenge our compliance or submit a privacy complaint.
If your information was submitted to MarkPaid by one of our customers, we may refer your request to that customer or need to coordinate with that customer before responding. We may decline or limit a request where permitted or required by law, including to protect other individuals' information, confidential business information, security, legal privilege, or audit integrity.
To exercise rights or submit a privacy complaint, contact privacy@markpaid.com. We may ask for information to verify your identity and the nature of your relationship to MarkPaid before acting on a request.
12. Confidentiality incidents and breach notice
We maintain processes to identify, investigate, contain, document, and remediate confidentiality incidents and security safeguard breaches involving personal information. If an incident creates a real risk of significant harm under PIPEDA, a risk of serious injury under Quebec law, or another notification threshold under applicable law, we will notify affected individuals, customers, regulators, and other organizations as required. We also keep required incident or breach records.
13. Cookies and similar technologies
We use cookies and similar technologies for authentication, security, session management, preferences, analytics, diagnostics, and website performance. Some cookies are necessary for the Service to function. You can control cookies through your browser settings, but disabling some cookies may affect functionality.
14. Children's information
The Service is intended for business use and is not directed to children. We do not knowingly collect personal information from children under 14. If you believe a child has provided personal information to us, contact us so we can review and take appropriate action.
15. Privacy Officer
Our Privacy Officer is responsible for privacy governance, privacy requests, and complaints:
Privacy Officer
Bspoke Ventures Inc.
5589 Royalmount Ave., Mount Royal, Quebec H4P 1J3
privacy@markpaid.com
16. Changes to this policy
We may update this policy from time to time to reflect changes to our practices, providers, legal obligations, or the Service. If changes are material, we will provide notice by appropriate means, such as updating this page, notifying account administrators, or requesting consent where required.