Plain-language summary: We collect only what we need to run the Platform. We never sell your data. Pros see your first name, service address, and job description after a booking or quote request needs it. Payment card details are handled by Stripe, not stored by Mendly.
1. Introduction
Mendly ("we", "us", "our") is committed to protecting your personal information. This Privacy Policy explains what information we collect, how we use and share it, and the choices you have about your information. It applies to all users of mendly.dev and any associated Mendly applications (together, the "Platform").
This Policy is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5) and applicable Nova Scotia privacy and consumer protection requirements. Mendly is a home-services marketplace and is not a health-care provider or health product. Marketing electronic communications are also subject to Canada's Anti-Spam Legislation (CASL, S.C. 2010, c. 23). By using the Platform, you consent to the practices described in this Policy.
2. Information We Collect
2.1 Information You Provide
- Account information: full name, email address, phone number, and profile photo.
- Service address and property details when booking.
- Job descriptions, photos, and notes submitted with bookings or service requests.
- Messages you send through the Platform's messaging system.
- Ratings and review text you submit.
- Pro applicants only: government-issued ID, trade licence numbers, insurance certificates, and RCMP criminal record check results.
2.2 Information We Collect Automatically
- Device type, operating system, and browser.
- IP address and approximate geographic location.
- Pages visited, features used, and session duration.
- Booking activity including searches, profile views, and completed bookings.
- Analytics consent status, policy acceptance version, user agent, and acceptance timestamp.
Payment information: Card numbers and CVV codes are entered directly into our payment processor's secure form and are never transmitted to or stored by Mendly's servers. We receive only a payment token and the last four digits of your card for display purposes.
3. How We Use Your Information
We use your information to:
- Create and manage your account.
- Facilitate bookings between Customers and Pros.
- Process payments and issue invoices.
- Verify Pro identities, trade licences, insurance, and criminal record status.
- Send booking confirmations, reminders, and receipts by email.
- Send service and account notifications through the Platform.
- Respond to support requests and resolve disputes.
- Enforce our Terms of Service and Safety standards.
- Analyse aggregate, anonymised usage data to improve the Platform.
We do not use your personal information for third-party advertising, and we do not sell or rent your personal information to any third party.
4. How We Share Information
4.1 Between Customers and Pros
When a booking is confirmed, we share the following with the assigned Pro: your first name, the service address, the scheduled date and time, and the job description. We do not share your email address, phone number, full last name, or payment details. All pre-booking communication between Customers and Pros happens through the Platform's messaging system, which protects both parties' direct contact information.
4.2 Service Providers
We share information with trusted third-party providers who help us operate the Platform:
- Supabase — authentication, database, and private storage for profiles, bookings, messages, photos, and provider verification records.
- Stripe — payment processing, card authorization, Stripe Connect payouts, identity verification, receipts, refunds, disputes, and related fraud controls.
- Resend — transactional email delivery for sign-in, booking, quote, receipt, and support messages.
- Mapbox — address search, geocoding, maps, and approximate distance calculations.
- PostHog — product analytics only when enabled and consented; session replay is disabled by default and must be separately enabled and masked.
- Vercel — application hosting, deployment logs, edge/network routing, and serverless function execution.
- Upstash — rate limiting and abuse prevention for API routes.
- Background check providers such as Certn — provider screening, RCMP criminal record check workflow, and verification audit records.
- Web push providers — browser push subscription delivery when you opt in to push notifications.
All service providers are bound by data processing agreements and are not permitted to use your information for their own commercial purposes. Some providers process or store data outside Canada, including in the United States. Where that happens, your information may be subject to lawful access by foreign courts, law enforcement, or regulators.
4.3 Legal Requirements
We may disclose your information if required by law, court order, or government authority, or if we reasonably believe disclosure is necessary to protect the safety of any person.
4.4 Business Transfers
If Mendly is acquired by or merged with another entity, your personal information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a materially different privacy policy.
5. Cookies & Tracking
We use cookies and similar technologies to keep you logged in and to understand how the Platform is used. Specifically:
- Session cookies — required to keep you logged in across pages. These are deleted when you close your browser.
- Preference cookies — used to remember your settings (e.g., search filters). These persist across sessions.
- Analytics — PostHog analytics is opt-in for private beta users. We identify users by internal account ID, not email, and do not use analytics for third-party advertising.
- Session replay — disabled by default. If enabled for a controlled test, Mendly masks inputs and page text and will disclose the test before collecting replay from signed-in users.
You can disable cookies in your browser settings. Disabling session cookies will prevent you from logging in. We do not use third-party advertising cookies. See our Cookie Policy for the full list of cookies we use and how to change your choices.
6. Your Rights Under PIPEDA
Under the Personal Information Protection and Electronic Documents Act, you have the following rights:
- Access — request a copy of the personal information we hold about you.
- Correction — request correction of inaccurate or incomplete information.
- Withdrawal of consent — withdraw consent for non-essential uses of your information. Note that withdrawing consent for essential uses (such as sharing your address with a confirmed Pro) may prevent us from completing the service.
- Deletion — request deletion of your account and personal information, subject to our legal retention obligations (see Section 7).
- Complaint — file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca if you believe we have mishandled your information.
To exercise any of these rights, contact our Privacy Officer at support@mendly.dev. We will respond within 30 days.
7. Data Retention
We retain your personal information for as long as your account is active, and for a reasonable period afterward in case of disputes or legal obligations. Specifically:
- Account information — retained while your account is active. On deletion, direct identifiers are anonymized unless we must retain them for a legal, safety, tax, fraud, or dispute reason.
- Booking records — retained for 7 years to comply with Canadian tax and commercial record-keeping requirements.
- Messages — retained for 2 years after the related booking is completed.
- Photos — request and job photos are retained with the related booking unless removed earlier under our moderation or deletion process.
- Stripe payment, refund, payout, and dispute identifiers — retained as long as required for accounting, tax, fraud prevention, and chargeback defence.
- Pro credential records — retained for 3 years after a Pro's account is closed, unless a dispute, safety incident, legal claim, or regulatory requirement requires longer retention.
- Legal acceptance and audit logs — retained to prove policy acceptance, provider agreement acceptance, security actions, and deletion handling.
To request account deletion, email support@mendly.dev.
8. Security
We implement industry-standard safeguards to protect your personal information:
- TLS encryption for all data transmitted between your browser and our servers.
- Encrypted storage for data at rest.
- Role-based access controls — employees access only the data necessary for their function.
- Regular security reviews and dependency updates.
No system is completely secure. If we become aware of a security breach that likely affects your personal information, we will notify you in accordance with applicable law.
9. Third-Party Links
The Platform may contain links to third-party websites. We are not responsible for the privacy practices of those sites. This Policy applies only to information collected by Mendly through the Platform.
10. Children
The Platform is not directed at individuals under 18 years of age, and we do not knowingly collect personal information from anyone under 18. If we become aware that we have collected information from someone under 18, we will delete it promptly.
11. Changes to This Policy
We may update this Policy from time to time. We will notify registered users by email when material changes are made. The "Last updated" date at the top of this page indicates when the Policy was most recently revised. Continued use of the Platform after changes take effect constitutes your acceptance of the revised Policy.
12. Contact & Complaints
For privacy-related questions, access requests, or concerns, contact our Privacy Officer:
If you are not satisfied with our response, you have several options for escalation depending on the nature of your concern:
- Federal — privacy: Office of the Privacy Commissioner of Canada, priv.gc.ca — for PIPEDA complaints involving private-sector handling of your personal information.
- Provincial — Nova Scotia: Office of the Information and Privacy Commissioner for Nova Scotia, oipc.novascotia.ca.
- Spam / unsolicited email: Canadian Radio-television and Telecommunications Commission (CRTC), fightspam.gc.ca — for CASL violations.