Privacy Policy — Canada

This Privacy Policy describes how Sawai Gyoseishoshi Office ("we", "us", "our") collects, uses, discloses, retains, and protects information when you use MmowW Drone (the "Service") in Canada. By using the Service you consent to the practices described below. The Service is operated by a Japanese registered Gyoseishoshi (administrative legal-affairs lawyer) firm regulated under the Gyoseishoshi Act of 1951 (Japan).

1. Information We Collect

We collect only what is necessary to provide drone-compliance services for the Transport Canada (Transport Canada) regime in Canada.

• **Account data:** email address, name, business name, country of operation, preferred language. You may optionally add a phone number for receipt of regulatory urgent alerts.
• **Operational data:** drone serial numbers, registration numbers, flight log entries (timestamp, latitude/longitude, altitude, duration, weather, observer/payload notes), maintenance records, incident reports, training certificate numbers, insurance certificate metadata. You decide what to enter; we do not auto-collect telemetry from your aircraft.
• **Compliance data:** Transport Canada reference numbers, Canadian Aviation Regulations Part IX — Remotely Piloted Aircraft Systems category assignments, Level 1 Complex (from Nov 2025) risk-assessment artefacts, audit-trail snapshots required for Per safety management system (no explicit period) retention.
• **Payment data:** handled exclusively by Stripe (PCI-DSS Level 1). We never see, store, or transmit your card number, CVV, or full bank details. We retain only Stripe customer ID, last-four-digit hint, and invoice metadata.
• **Technical data:** IP address (truncated to /24 for analytics), browser type, device class, referrer URL, and pages visited. Used solely for security, fraud prevention, and aggregate quality metrics.
• **Communications:** any message you send via info@mmoww.net or our /ca/feedback/ form, plus any reply we send. Stored for 24 months and then anonymised.

2. How We Use Your Information

We use the information for the purposes below. We do not use it for advertising, behavioural profiling, or political/electoral targeting.

• **Service delivery:** to display your drones, flight logs, registrations, and reminders inside the Canada dashboard.
• **Transport Canada compliance:** to alert you when Canadian Aviation Regulations Part IX — Remotely Piloted Aircraft Systems is amended, when registration deadlines approach, when your insurance certificate is about to expire, and when Level 1 Complex (from Nov 2025) guidance changes.
• **Audit support:** to generate audit-ready PDF, CSV, and JSON exports on demand for Per safety management system (no explicit period) retention.
• **Communication:** to reply to your support requests, send service announcements, and notify you of outages or maintenance.
• **Security:** to detect, prevent, and respond to abuse, account compromise, and fraud.
• **Legal:** to comply with our obligations under Japanese law and applicable Canada law.

3. Disclosure to Third Parties

We do not sell, rent, or trade personal information. We disclose information only in the limited circumstances below:

• **Sub-processors (data processors):** Supabase (database / authentication, hosted in EU region), Stripe (payments, PCI-DSS Level 1), Xserver (Japan-based hosting), SendGrid or equivalent SMTP provider (transactional email). All sub-processors are bound by data-processing agreements that require equivalent protection to this Policy.
• **Regulatory authority requests:** if Transport Canada (Transport Canada) issues a lawful order, we will respond strictly within the scope of the order and notify you unless legally prohibited.
• **Court orders / law enforcement:** disclosure only against valid court order or equivalent legally-binding instrument from a court of competent jurisdiction in Japan or Canada.
• **Successor entity:** in the unlikely event of merger or acquisition, the successor will be bound by this Policy or a stricter version with prior notice to you.
• **Aggregated / anonymised statistics:** we publish, e.g. "Canada members average 14.2 flights per month", with no individual identifier.

4. Your Rights — Access, Correction, Deletion, Portability

You have the following rights at all times. Requests are honoured within 14 days at no cost.

• **Right of access:** download a complete export of all personal data we hold about you, in JSON or CSV.
• **Right of rectification:** correct inaccurate or incomplete data via your dashboard or by request.
• **Right to erasure ("right to leave"):** delete your account; all personal data is purged within 30 days. Aggregated anonymised statistics may persist.
• **Right to data portability:** transfer your flight logs, drone registrations, and audit artefacts to another provider in industry-standard formats (CSV/JSON).
• **Right to object / restrict processing:** object to processing or request restriction; we will pause non-essential processing within 14 days.
• **Right to lodge a complaint:** with your local data-protection authority. In Canada this is governed by applicable national law; in the EU by the GDPR; in the UK by the UK GDPR; in Australia by the Privacy Act 1988; in Canada by PIPEDA; in the United States by applicable federal and state law including CCPA/CPRA where relevant.

To exercise any right, email info@mmoww.net from the email address on your account or use /ca/feedback/.

5. Retention, Security, International Transfer, and Revisions

5.1 Retention

• **Account data:** retained while your account is active and 30 days after deletion.
• **Operational compliance data:** retained for Per safety management system (no explicit period) from the date of each entry, in line with Transport Canada guidance, then anonymised or deleted.
• **Payment data:** retained for 7 years to satisfy Japanese tax law.
• **Communications:** retained for 24 months then anonymised.

5.2 Security

• TLS 1.3 in transit, AES-256 at rest, encrypted database backups, role-based access control with least privilege, mandatory two-factor authentication for all administrative roles, full audit log of every administrative action.
• Annual third-party security review and quarterly internal penetration testing.

5.3 International transfer

• Primary database in EU region (Supabase). Some operational logs traverse to Japan for engineering review under standard contractual clauses or equivalent transfer safeguards.

5.4 Children

• The Service is not intended for users under 16. We do not knowingly collect personal data from children. If you believe we have, contact info@mmoww.net for immediate deletion.

5.5 Revisions

• This Policy may be updated when Transport Canada regulations change or when we add features. Material changes are announced in-app at least 30 days before effective date, and prior versions are archived at /ca/privacy/history/.
• Last updated: 2026-04-25.
• Questions? info@mmoww.net — we reply within 1 business day.