SLIM — Privacy Policy

This Privacy Policy (the “Policy”) is issued by 2195992 Ontario Inc., operating as SLIM (“SLIM,” “Company,” “we,” “us,” or “our”). SLIM provides a web-based software platform for real estate lockbox inventory management available at getslim.app (the “Service”). This Policy explains how we collect, use, disclose, store, and protect personal information and other data in connection with the Service.

This Policy is intended to be read together with SLIM’s Terms of Service. Where this Policy describes practices that require a legal basis or consent, your legal basis may include, without limitation, your consent, the performance of a contract with you, compliance with legal obligations, and other bases permitted under applicable law.

By accessing, registering for, or using the Service, you acknowledge that you have read and understood this Policy and consent to the collection, use, disclosure, and processing of your personal information as described herein, subject to applicable legal requirements.

1. Scope and Definitions

This Policy applies to personal information we collect and process in the course of providing the Service to individual users and to teams, including team leaders, administrators, and authorized users. This Policy also applies to visitors to our website where personal information is collected through cookies or similar technologies.

For purposes of this Policy, “personal information” generally means information about an identifiable individual, as defined under applicable Canadian privacy laws. “Customer Data” means data, content, and information that you or your authorized users submit to the Service, including lockbox inventory records, addresses, photos, notes, tags, and audit trail activity.

2. Information We Collect

We collect personal information and Customer Data in several ways.

First, we collect information you provide directly when you register, manage your account, or contact us. This may include your name, email address, phone number (collected and verified during account registration via a third-party verification service), team name, brokerage name (if you choose to provide it), and communications you send to us.

Second, we collect Customer Data that you or your authorized users submit into the Service as part of lockbox inventory management workflows. Customer Data may include lockbox identifiers, installation and status histories, inventory movement records, property addresses, photos, closing dates, notes, tags, and audit trail activity. For clarity, SLIM does not collect or store lockbox access codes in its servers, databases, or systems of record. Lockbox access codes remain under your control and on the physical lockbox, and you are responsible for determining when and how such codes are shared. If you include code-like information in free-text notes or uploads, you do so at your own discretion and you remain responsible for that content.

Third, we collect information automatically when you access or use the Service. This may include device and browser information, operating system information, screen resolution, device type, IP address, approximate location inferred from IP address, and log data relating to your use of the Service (for example, pages visited, features used, lockbox records created, lockbox records accessed, lockbox status changes, and other audit trail events). We use this information for account security, fraud prevention, troubleshooting, diagnostics, and analytics. For security monitoring purposes, IP addresses are stored in hashed (pseudonymized) form using a one-way cryptographic function, rather than in plain text. SLIM does not collect or store lockbox access codes as part of usage analytics.

Fourth, we collect payment-related information through our third-party payment processor. Payment details are collected and processed by our payment processor. We do not store your full credit card number, CVC, or full card details on our servers. We may receive limited billing descriptors and tokenized references from the payment processor in order to administer subscriptions and billing.

Fifth, we collect information through cookies and similar technologies, as described in Section 8 (Cookies and related technologies).

3. How We Use Information

We use personal information and Customer Data to provide, operate, and improve the Service. This includes creating and administering accounts, enabling lockbox inventory workflows, sending notifications selected by you, processing payments, maintaining audit trails, providing customer support, and developing and improving features.

We also use personal information for security, integrity, and fraud prevention purposes, including monitoring suspicious login activity, enforcing account lockouts after failed attempts, investigating suspected abuse, and maintaining the integrity and availability of the Service.

We may use information to comply with applicable law, enforce our agreements, protect our rights and property, and respond to lawful requests.

We do not sell personal information. We do not disclose personal information to third parties for their own independent marketing purposes.

4. Disclosures of Information

We disclose personal information and Customer Data only as described in this Policy and as permitted or required by applicable law.

Service providers and subprocessors. We engage third-party service providers to host, store, transmit, support, and operate the Service, including infrastructure hosting, database hosting, payment processing, email delivery, identity verification, mapping/autocomplete, bot protection, and analytics and measurement services (collectively, “Subprocessors”). Subprocessors may process personal information and Customer Data on our behalf for the purpose of providing and supporting the Service, and for no other purpose except as permitted by their contracts with us and by applicable law.

Examples of Subprocessors used in connection with the Service may include payment processors, hosting and database providers, transactional email providers, identity verification providers, and security and bot-protection services. Where analytics tools are used, they are only loaded after you provide cookie consent where required by our cookie banner and preferences.

Team visibility. If you are part of a team account, other authorized team members may access Customer Data and audit trail information in accordance with role permissions configured within the Service. Team administrators are responsible for access configuration and internal governance.

Legal requirements and legal process. We may disclose personal information or Customer Data if we believe in good faith that such disclosure is required by applicable law or legal process (including in response to a subpoena, court order, warrant, or other legal request). Where permitted by law and feasible in the circumstances, we may (but are not obligated to) provide notice before responding to such requests.

Business transactions. If SLIM or 2195992 Ontario Inc. is involved in a corporate transaction such as a merger, acquisition, reorganization, financing, bankruptcy, or sale of all or substantially all assets, personal information and Customer Data may be transferred as part of that transaction as permitted by law. Where required by law or where practicable, we will provide notice before personal information becomes subject to a materially different privacy policy.

5. Cross-Border Processing and International Transfers

The Service may be hosted and processed in the United States and Canada and may involve Subprocessors with operations in multiple jurisdictions. When personal information is processed outside of Canada, it may be subject to the laws of the jurisdiction in which it is processed and may be accessible to government authorities under those laws.

SLIM remains responsible for personal information under its control, including personal information transferred to Subprocessors for processing. We use contractual and/or other appropriate measures designed to provide a level of protection comparable to that required under applicable Canadian privacy law when personal information is processed by Subprocessors.

6. Security, No Guarantee, and Lockbox Risk Acknowledgement

We take reasonable and commercially appropriate measures designed to protect personal information and Customer Data against loss, theft, unauthorized access, unauthorized disclosure, copying, misuse, or modification. We select safeguards with regard to the sensitivity of the information and the context in which it is processed and we continually evaluate and improve our security measures. These measures include, without limitation, encryption of sensitive data at rest and in transit, role-based access controls, pseudonymization of IP addresses, immutable audit logging, and bot-protection mechanisms.

However, you acknowledge and agree that no method of transmission or storage is completely secure and that no security program can prevent all security incidents. Accordingly, while we use commercially reasonable safeguards, we cannot and do not guarantee absolute security. Security incidents may occur due to factors outside our reasonable control, including sophisticated cyberattacks, vulnerabilities in third-party infrastructure or software, compromised user credentials, or unauthorized third-party actions.

No lockbox code storage. SLIM does not collect or store lockbox access codes in its servers, databases, or systems of record. Lockbox access codes remain with you and on the physical lockbox, and you are responsible for controlling how and with whom such codes are shared.

Lockbox access information and physical-access risk acknowledgement. The Service is an administrative and tracking tool for lockbox inventory. Certain Customer Data, such as property addresses, lockbox identifiers, installation status, movement history, and audit trail activity, may relate to access workflows involving real property. You acknowledge that mishandling lockbox-related information and physical lockbox inventory can create risk of unauthorized access, trespass, theft, property damage, personal injury, or other harms. You are solely responsible for determining authorized recipients of lockbox-related information and for ensuring your access practices comply with applicable law, board or association rules, client instructions, and professional obligations. SLIM does not control and is not responsible for the physical security of any property, lockbox, key, alarm system, or device.

You are responsible for maintaining the confidentiality of your account credentials, ensuring that each person has their own authorized login where required, and promptly notifying us if you suspect unauthorized use of your account.

7. Breach Notification and Breach Recordkeeping

A “breach of security safeguards” includes the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of our security safeguards or from a failure to establish such safeguards, as those concepts are understood under applicable Canadian privacy law.

If we become aware of a breach of security safeguards involving personal information under our control, we will take steps we consider reasonable and appropriate in the circumstances to contain, investigate, assess, and remediate the incident. Where it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an affected individual, we will notify affected individuals and report the breach to the Office of the Privacy Commissioner of Canada and any other regulator where required, as soon as feasible, in accordance with applicable law. Notifications will contain sufficient information to help an affected individual understand the significance of the breach and to take steps to reduce or mitigate harm, where possible.

We maintain records of all breaches of security safeguards as required by law, including records sufficient to allow a privacy regulator to verify compliance with breach reporting and notification requirements. We retain breach records for at least twenty-four (24) months from the date we determine the breach occurred, or longer where legally required.

8. Cookies and Related Technologies

We use cookies and similar technologies to provide core Service functionality, including maintaining login sessions and authentication state, and to record user preferences such as cookie consent settings. Where enabled by your consent, we may use analytics and measurement technologies to understand usage patterns and improve the Service and our marketing. Where required, analytics technologies are not loaded and analytics cookies are not set until you provide consent through our cookie banner or settings.

You may manage your cookie preferences at any time through the cookie consent banner presented on first visit, or by clearing your browser’s stored data for the Service. You may also manage cookies through your browser settings. Disabling essential cookies may prevent the Service from functioning properly.

9. Data Retention and Deletion

We retain personal information and Customer Data only for as long as reasonably necessary for the purposes described in this Policy, including to provide the Service, comply with legal obligations (such as accounting and tax record requirements), resolve disputes, enforce agreements, and maintain security and auditability.

As described in the Service, account data is retained while your account is active. After cancellation or trial expiry, Customer Data is retained in read-only mode for ninety (90) days, after which it may be permanently deleted. Certain audit trail information may be retained in anonymized or aggregated form for integrity, security, and analytics purposes. Payment-related records may be retained as required by applicable accounting and tax rules.

10. Your Rights and Choices

Subject to applicable law, you may request access to personal information about you under our control and request correction of inaccuracies. You may also request deletion of your account and associated Customer Data, subject to legal and operational limitations, including lawful retention requirements and the need to maintain certain audit and security records. Requests may be made by contacting us at the address in Section 13.

Where consent is the legal basis for certain processing, you may withdraw consent, subject to legal and contractual restrictions. You may withdraw consent for analytics cookies at any time by clearing the cookie consent preference stored in your browser. Withdrawal of consent for the processing that is necessary to provide the Service may require account deletion. Withdrawal of consent may impact your ability to use certain Service features.

11. Children’s Privacy

The Service is not intended for use by individuals under 18 years of age, and we do not knowingly collect personal information from children.

12. Limitation of Liability for Loss or Theft of Information

To the fullest extent permitted by law, and without limiting any limitations of liability set out in SLIM’s Terms of Service, you agree that SLIM and its affiliates, officers, directors, employees, contractors, agents, suppliers, and licensors will not be liable for the loss or theft of personal information or Customer Data, or for damages caused as a result thereof, so long as SLIM was not grossly negligent and did not engage in willful misconduct in connection with the protection of such information. Nothing in this Policy limits any non-excludable rights or remedies that may apply under applicable law. This section does not affect or limit any mandatory rights available to you under the Personal Information Protection and Electronic Documents Act (PIPEDA) or other applicable Canadian privacy legislation.

13. Contact

If you have questions about this Policy or wish to make a privacy request, contact:

2195992 Ontario Inc., operating as SLIM
10200 Yonge St, Unit 101
Richmond Hill, Ontario L4C 3P3, Canada
Email: support@getslim.app