Skip to main content

Privacy Policy

Last updated: 2026-05-03

1. Who we are

Andy's Adventures Vehicle Repair ("AAVR", "we", "us") operates this website (2735 Day St, Winnipeg, MB). Questions about your data? Contact info@aavr.ca or (204) 996-4425.

2. What we collect and why

  • Contact form submissions: name, email, phone (optional), message. Used to respond to your inquiry and provide service.
  • Help-agent chat content: the messages you type in the chat bubble are sent to our AI provider (see section 5) to generate a reply. Conversations are not retained server-side beyond the request.
  • Technical data: IP address, country (derived from IP), browser user-agent, referring page. Used for security, fraud prevention, and analytics in aggregate.
  • Optional account data (if you create an account): the personal information you choose to provide for service-tracking and admin access. You can delete your account at any time.

3. Cookies and analytics

We use only essential cookies needed for the website to function (no tracking or advertising cookies). For aggregate page-view counts we use Cloudflare Web Analytics, which is cookieless, IP-anonymized, and does not track you across sites or build a profile of you. We do not use Google Analytics, Facebook Pixel, or any other behavioural tracker. You see a one-time disclosure banner on your first visit; clicking "Got it" only records that you've seen the notice.

4. Where your data lives

Lead and account data are stored in Cloudflare's globally distributed edge database (D1). Data is encrypted at rest and in transit. Backups are encrypted in Cloudflare R2 with three retention tiers (daily for 7 days, weekly for 4 weeks, monthly indefinitely until you request deletion).

5. Third parties we share with

  • Resend (United States): sends our automated email replies and owner notifications. Resend privacy policy.
  • Moonshot AI / Kimi (Singapore): powers the help-agent chat and the daily lead summary. Your message content is sent to Moonshot's API to generate replies. PII is masked before sending the daily summary. Moonshot privacy policy. Cross-border data transfer: by using the help agent you consent to your message being processed in Singapore.
  • Cloudflare (global): provides hosting, DNS, anti-bot protection (Turnstile), database, and (if you opt in) analytics. Cloudflare privacy policy.
  • Google (United States): if Andy uses Google Calendar to schedule your appointment, the event details (your name and the requested service) are written to a calendar Andy controls. Google privacy policy.

6. CASL — automated email reply

When you submit the contact form, we send you a one-time confirmation email letting you know we received your inquiry and giving you our phone number for urgent matters. This email is transactional (Canadian Anti-Spam Legislation s.6(6)(a)). We will not add you to any marketing list. Replies to that email are not monitored — call us instead for follow-up.

7. Retention

  • Contact-form leads: retained until you ask us to delete them, or 7 years (typical small-business records retention) whichever comes first.
  • Help-agent chat: not retained server-side.
  • Security logs (IP, user-agent): 90 days.
  • Account data: as long as the account exists; deleted within 30 days of account deletion.

8. Your rights under PIPEDA

You can: (a) ask what personal information we hold about you, (b) ask us to correct it, (c) ask us to delete it, (d) withdraw any consent you've given. Email info@aavr.ca with your request. We respond within 30 days.

If you're not satisfied with our response, you can complain to the Office of the Privacy Commissioner of Canada.

9. Security

We use industry-standard practices: TLS 1.2+ everywhere, parameterized database queries (no SQL injection), input sanitization, anti-bot challenges (Turnstile + Cloudflare Bot Fight Mode), rate limits, and a six-layer defense against prompt-injection attempts on the help agent. We do not store credit card details or government identifiers.

10. Changes to this policy

We may update this policy as our practices evolve. The "last updated" date at the top reflects the current version. For material changes, we'll show a banner on the site for 30 days.

← Back to home