Privacy Policy
Last updated: July 7, 2026
Who we are
StepHub is operated by StepHub Inc.. This policy explains what data we collect when you use StepHub, why we collect it, and the choices you have.
What we collect
- Account data — name, email, and (for OAuth sign-in) the identifier provided by your identity provider.
- Transaction data — property addresses, milestones, tasks, contacts, and other information you or your collaborators enter about a deal.
- Uploaded documents — files you attach to a transaction, stored in a private per-deal vault.
- Messages and activity — messages exchanged inside a transaction and an activity log of actions taken.
- Technical data — basic logs (IP, user agent, timestamps) needed to operate and secure the service.
How we use it
- To provide the workspace and let you and your invited collaborators use it.
- To send account, security, and transactional notifications.
- To secure the service, prevent abuse, and troubleshoot problems.
- To comply with legal obligations.
We do not sell your personal information, and we do not use your transaction content to train third-party AI models.
Who can see your data
Access to a transaction is limited to its agent and the collaborators the agent invites. Row-level access controls in our database enforce this: users cannot query transactions, documents, messages, milestones, or tasks belonging to deals they aren't part of. The documents vault is private storage; files are only served to authorized participants.
Subprocessors
We use trusted infrastructure providers to run StepHub, including:
- Lovable Cloud (hosting, database, authentication, storage).
- Google (only if you sign in with Google).
If we add subprocessors that materially change how your data is handled, we will update this page.
Retention
We keep your account and transaction data while your account is active. When you delete your account, we delete or anonymize associated data within a reasonable period, except where we must retain it to comply with law or resolve disputes.
Security
Data is transmitted over TLS. Passwords are hashed by our authentication provider and checked against known-compromised password lists at sign-up and password change. Access to production data is limited to authorized operators. No system is perfectly secure — please report suspected vulnerabilities to security@stephub.ca.
Your rights
Depending on where you live, you may have rights to access, correct, export, or delete your personal data, and to object to certain processing. To exercise these rights, email privacy@stephub.ca. We will respond within the timeframes required by applicable law.
Children
StepHub is not directed to children under 16 and we do not knowingly collect their data.
Changes
We may update this policy over time. Material changes will be announced in-app or by email before they take effect.
Contact
Questions? Email privacy@stephub.ca. Data controller: StepHub Inc., headquartered in British Columbia, Canada. StepHub serves users across all Canadian provinces and territories and complies with Canada's federal Personal Information Protection and Electronic Documents Act (PIPEDA) as well as applicable provincial privacy laws.
See also our Terms of Service.