2.1 Introduction
BowTel Canada Operations Inc. (“BowTel,” “we,” “us,” or “our”) is committed to protecting the privacy of individuals who use our platform at bowtel.vacations (the “Platform”). This Privacy Policy describes how we collect, use, disclose, and protect your personal information in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and Alberta's Personal Information Protection Act (PIPA).
This Privacy Policy applies to all Users of the Platform, including Guests, Hosts, and Visitors.
Privacy Officer Contact:
BowTel Canada Operations Inc.
Privacy Officer: Uvaraj Thulasiram
Calgary, Alberta, Canada
Email: charter@bowtel.vacations
This designation is published in compliance with section 8.1 of Quebec's Act respecting the protection of personal information in the private sector (“Law 25”), as well as the accountability principle under PIPEDA and Alberta PIPA. The Privacy Officer is responsible for the implementation of and compliance with this Privacy Policy.
2.2 PIPEDA's 10 Fair Information Principles
BowTel adheres to the ten fair information principles set out in Schedule 1 of PIPEDA:
- Accountability — BowTel is responsible for all personal information under its control. Our Privacy Officer is accountable for compliance. See Section 2.14.
- Identifying Purposes — We identify the purposes for collecting personal information at or before the time of collection. See Section 2.4.
- Consent — We obtain meaningful consent for the collection, use, and disclosure of personal information. See Section 2.3.
- Limiting Collection — We collect only the personal information necessary for identified purposes. See Section 2.4.
- Limiting Use, Disclosure, and Retention — We use and disclose personal information only for the purposes for which it was collected, and retain it only as long as necessary. See Sections 2.5 and 2.8.
- Accuracy — We keep personal information as accurate, complete, and up-to-date as necessary. See Section 2.10.
- Safeguards — We protect personal information with appropriate security measures. See Section 2.9.
- Openness — We make information about our privacy practices readily available. This Privacy Policy fulfills this principle.
- Individual Access — Individuals have the right to access their personal information held by BowTel. See Section 2.10.
- Challenging Compliance — Individuals may challenge our compliance with these principles. See Section 2.13.
2.3 Consent
2.3.1 How We Obtain Consent
We obtain your consent to collect, use, and disclose your personal information through:
- Express consent — When you create an account, you expressly consent to our collection and use of personal information as described in this Privacy Policy.
- Implied consent — In some cases, your consent is implied through your actions, such as providing information when making a booking.
- Opt-in consent — For non-essential uses such as marketing communications, we obtain your express opt-in consent.
2.3.2 Withdrawing Consent
You may withdraw your consent at any time, subject to legal or contractual restrictions, by:
- Adjusting your account notification preferences;
- Contacting us at charter@bowtel.vacations;
- Unsubscribing from marketing emails using the link provided in each email.
Withdrawal of consent may limit our ability to provide certain Services to you. We will inform you of the consequences of withdrawing consent.
2.4 Information We Collect
2.4.1 Information You Provide
| Category | Data Collected | Purpose |
|---|---|---|
| Account Information | Full name, email address, phone number, date of birth, password (hashed) | Account creation, identity verification, age verification, communications |
| Host Profile | Business name (if applicable), property address, listing details, photographs, house rules, pricing, bank account information (stored by Stripe) | Listing creation, payout processing, tax reporting |
| Guest Profile | Booking preferences, travel purpose | Booking processing, personalized experience |
| Booking Information | Check-in/check-out dates, guest count, special requests | Booking management, communication between Host and Guest |
| Payment Information | Credit/debit card details (stored by Stripe — BowTel does not store card numbers), billing address | Payment processing |
| Communications | Messages between Hosts and Guests, support inquiries, feedback | Service delivery, dispute resolution, trust and safety |
| Identity Verification | Government-issued photo identification (when required in future) | Identity verification, fraud prevention |
| Reviews | Star ratings, written reviews | Community trust, service improvement |
2.4.2 Information Collected Automatically
| Category | Data Collected | Purpose |
|---|---|---|
| Device Information | IP address, browser type and version, operating system, device type | Security, analytics, service optimization |
| Usage Data | Pages viewed, search queries, clicks, booking events, time on page | Service improvement, analytics |
| Location Data | Approximate location derived from IP address | Search relevance, fraud detection |
| Cookies and Tracking | Session identifiers, preferences, analytics data | See Cookie Policy |
2.4.3 Information from Third Parties
| Source | Data | Purpose |
|---|---|---|
| Stripe | Payment confirmation, payout status | Payment processing |
| Authentication Providers | Name, email (if you sign in via Google, etc.) | Account creation |
2.5 How We Use Your Information
We use personal information for the following purposes:
- Providing the Services — Processing bookings, facilitating payments, enabling communication between Hosts and Guests, managing listings;
- Identity Verification — Verifying your identity and age to maintain platform trust and safety;
- Communications — Sending booking confirmations, reminders, receipts, and service-related notifications via email (through Resend);
- Customer Support — Responding to inquiries and resolving issues, including through our AI support agent (“Aurora”), which processes conversation content to provide assistance;
- Trust and Safety — Detecting and preventing fraud, abuse, and violations of our Terms of Service; moderating messages and content;
- Analytics and Improvement — Analyzing usage patterns (page views, booking events) to improve the Platform and User experience;
- Legal Compliance — Complying with applicable laws, regulations, legal processes, or governmental requests, including tax reporting obligations (T4A, GST/HST);
- Dispute Resolution — Investigating and resolving disputes between Users;
- Marketing — With your express consent, sending promotional communications about BowTel services and features. You may opt out at any time.
2.6 Disclosure of Information
We may disclose your personal information to the following categories of recipients:
2.6.1 Other Users
- Hosts receive Guest name, profile photo, email, and booking details necessary to manage the reservation.
- Guests receive Host name, profile photo, property address (after booking confirmation), and communication content.
- Public — Listing information, Host first name, and reviews are publicly visible. Guest first name and review content are publicly visible on reviews.
2.6.2 Third-Party Service Providers
We use the following processors, who process personal information on our behalf:
| Provider | Service | Data Shared | Location |
|---|---|---|---|
| Stripe | Payment processing, Host payouts (Stripe Connect) | Payment details, payout information | United States |
| Resend | Transactional email delivery | Email address, name, booking details | United States |
| Vercel | Website hosting and CDN | IP address, usage data | United States / Global |
| Supabase | PostgreSQL database hosting; persistent application data | All account, listing, booking, and message data | United States / Canada (region configured per project) |
| Cloudflare R2 | Object storage (listing photos, generated images) | Listing images, user-uploaded media | Distributed (Cloudflare edge network) |
| Cloudflare (DNS) | Domain name resolution for bowtel.vacations | IP address (transient, at DNS query time) | Distributed (Cloudflare edge network) |
| Upstash | Redis caching and rate-limiting | Short-lived session and request metadata; no PII at rest | United States / Global |
| Mapbox | Map display and geocoding | Approximate listing location (fuzzy coordinates) | United States |
| Twilio (SMS + Verify) | Phone-number verification and SMS notifications | Phone number, verification code, message content | United States |
| Persona | Government-ID verification (currently suppressed — no data is sent to Persona at this time; integration retained for future re-enablement) | None at present. When enabled: government-ID image, biometric selfie, ID metadata | United States |
| Anthropic | AI processing for Aurora features (host advisor, guest concierge, automated message drafting, listing-content suggestions). See section 2.12 below for an explicit no-training commitment. | Message content, listing content, and prompt context sent to the model at request time | United States |
| Sentry | Error tracking and performance monitoring | Stack traces, browser/device metadata, sparse user identifiers | United States |
| PostHog / Custom Analytics | Usage analytics | Anonymized usage events, IP address | See analytics provider's policy |
Last reviewed: 2026-05-19. We update this table when our third-party processor list changes materially.
2.6.3 Legal and Safety Disclosures
We may disclose personal information where we reasonably believe it is necessary to:
- Comply with applicable law, regulation, legal process, or governmental request;
- Enforce our Terms of Service and other agreements;
- Detect, prevent, or address fraud, security, or technical issues;
- Protect the rights, property, or safety of BowTel, our Users, or the public.
2.6.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred to the acquiring entity. We will provide notice before your personal information becomes subject to a different privacy policy.
2.7 Cross-Border Data Transfers
BowTel is based in Canada. Some of our service providers operate in the United States and other countries. When your personal information is transferred outside of Canada, it may be subject to the laws of those jurisdictions, which may differ from Canadian privacy laws.
Under PIPEDA, we are required to ensure that our service providers offer a comparable level of protection for personal information transferred outside of Canada. We achieve this through:
- Contractual provisions requiring compliance with PIPEDA-equivalent standards;
- Due diligence assessment of service provider privacy and security practices;
- Limiting the data shared with service providers to what is necessary for the service.
Note: Personal information transferred to the United States may be accessible to U.S. government authorities under U.S. law (e.g., under the USA PATRIOT Act or the Clarifying Lawful Overseas Use of Data Act). By using the Platform, you acknowledge this possibility.
2.8 Data Retention
We retain personal information only as long as necessary to fulfil the purposes for which it was collected, or as required by law:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account information | Duration of account + 3 years | Legal claims limitation period |
| Booking records | 7 years after completion | Tax and legal compliance (CRA requirements) |
| Payment records | 7 years | Tax and legal compliance |
| Messages | 3 years after last activity | Dispute resolution, trust and safety |
| Analytics data | 2 years (aggregated indefinitely) | Service improvement |
| Support inquiries | 3 years | Quality assurance, legal compliance |
| Closed account data | 30 days (deletion) to 3 years (legal hold) | Legal compliance, fraud prevention |
When personal information is no longer needed, it is securely destroyed or anonymized.
2.9 Security Safeguards
We implement appropriate technical and organizational security measures to protect personal information, including:
- Encryption — Data encrypted in transit (TLS 1.2+) and at rest;
- Access controls — Role-based access limited to authorized personnel;
- Authentication — Secure password hashing (bcrypt); support for multi-factor authentication;
- Infrastructure — Hosted on industry-standard cloud platforms with SOC 2 and ISO 27001 certifications;
- Payment security — Payment card data handled exclusively by Stripe (PCI DSS Level 1 certified); BowTel does not store, process, or transmit cardholder data;
- Monitoring — Security event logging and monitoring;
- Incident response — Documented procedures for responding to data breaches, including notification to affected individuals and the Office of the Privacy Commissioner as required by PIPEDA's breach notification provisions.
No method of transmission or storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.
2.10 Your Rights
Under PIPEDA and PIPA, you have the right to:
2.10.1 Access
Request access to the personal information we hold about you. We will respond to access requests within 30 days, as required by PIPEDA.
2.10.2 Correction
Request correction of inaccurate or incomplete personal information. Where we agree the information is inaccurate, we will correct it and, where appropriate, notify third parties to whom the information was disclosed.
2.10.3 Deletion
Request deletion of your personal information, subject to:
- Legal obligations requiring retention (e.g., tax records);
- Ongoing contractual obligations (e.g., active bookings);
- Legitimate interests (e.g., fraud prevention, legal claims).
2.10.4 Data Portability
Request a copy of your personal information in a structured, commonly used, machine-readable format.
2.10.5 Exercising Your Rights
To exercise any of these rights, contact us at:
Email: charter@bowtel.vacations
Subject: Privacy Rights Request — [Access / Correction / Deletion / Portability]
We may require verification of your identity before processing your request. Requests are processed free of charge unless they are manifestly unfounded or excessive.
2.11 Children's Privacy
The Platform is not directed at individuals under eighteen (18) years of age. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a person under 18, we will take steps to delete it promptly. If you believe we have collected information from a minor, please contact us at charter@bowtel.vacations.
2.12 AI-Assisted Support and Aurora Features
BowTel uses an AI agent (“Aurora”) to assist with customer inquiries and to power host-side analytical features (host advisor), guest-side recommendations (guest concierge), automated message drafting, and listing-content suggestions. Aurora is implemented using large language models provided by Anthropic, PBC (the “AI Processor”).
When you interact with Aurora or use a feature that invokes Aurora in the background:
- The relevant content (your message, listing, or context for the task) is sent to the AI Processor at request time to generate the response;
- Conversations and AI outputs may be reviewed by human support staff for quality, accuracy, and abuse-monitoring purposes;
- Aurora does not make binding decisions regarding disputes, refunds, or account actions — these are handled by human staff;
- You may request to speak with a human support agent at any time.
No training on your data. BowTel does not authorise the AI Processor to use your personal information, message content, listing content, or any other data routed to it through the BowTel platform to train, fine-tune, or improve its general-purpose models. This restriction is in place through BowTel's commercial agreement with Anthropic, which contractually prohibits training on customer inputs and outputs. The AI Processor retains request data only as necessary to deliver the response and for abuse-monitoring purposes, in accordance with its own published data-handling policies.
2.13 Complaints and Challenging Compliance
If you believe BowTel has not handled your personal information in accordance with this Privacy Policy or applicable privacy law, you may:
- Contact our Privacy Officer at charter@bowtel.vacations;
- File a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca;
- File a complaint with the Office of the Information and Privacy Commissioner of Alberta at www.oipc.ab.ca.
We will investigate all complaints and respond within 30 days.
2.14 Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on the Platform with a revised “Last Updated” date;
- Sending an email notification to registered Users at least 30 days before material changes take effect.
Your continued use of the Services after the effective date constitutes acceptance of the updated Privacy Policy.