Privacy Policy
Effective 2026-07-01 · Pivotex is a brand of Steven's Electrical Services Corp., Ontario, Canada.
Short version
We collect the minimum needed to run the mobile app and keep your Pivotex devices working: your email address, the list of devices you've paired, and the operational state each device publishes (relay status, WiFi signal, firmware version). We don't sell it, we don't advertise on it, and we don't share it with third parties except the specific service providers listed below who help us deliver the service.
1. Who we are
Pivotex is a brand of Steven's Electrical Services Corp., an Ontario corporation that operates the Pivotex product line, the pivotex.ca website, the Pivotex mobile app, and the app.pivotex.ca dashboard. In this policy, "Pivotex", "we", "us", and "our" refer to Steven's Electrical Services Corp.
Contact for privacy inquiries: steve@pivotex.ca · 416-908-6656.
2. What we collect
2.1 Information you give us
- Email address — required to create a Pivotex account and receive sign-in links. This is the only mandatory personal information.
- Device names — friendly names you set on your paired units (e.g. "Front Entrance").
- Contact form submissions — if you fill in a quote or contact form on pivotex.ca, we receive the name, company, email, phone, and message you provide.
2.2 Information generated by using the service
- Device pairing records — which Pivotex unit IDs belong to your account, when each was paired, and a per-device access token used to authorize commands.
- Device operational state — the current on/off state of each relay, mode setting, WiFi signal strength, firmware version, and event log entries that your Pivotex units publish while online. This information is generated by the device, not you, and is used to render the app's control screen.
- Authentication credentials — WebAuthn passkey public keys (if you register one) and short-lived magic-link tokens sent to your email.
2.3 Automatically collected technical data
- Server logs — IP address, timestamp, request path, and user-agent for every API request. Retained for 30 days for abuse detection and debugging, then discarded.
- MQTT broker logs — connection/disconnection events for each device (used to determine online status).
2.4 What we do NOT collect
- We do not collect your name, address, or date of birth in the app.
- We do not use advertising identifiers, tracking pixels, or analytics SDKs.
- We do not access your microphone, contacts, photos, health data, or location beyond what Bluetooth Low Energy requires to discover nearby Pivotex devices.
- The mobile app requests camera access only to scan the pairing QR code shown on the unit's LCD screen. Video from the camera is processed on-device and never sent to us.
- The mobile app requests Bluetooth access only to communicate with Pivotex devices near you. We do not receive a list of other Bluetooth devices in range.
3. How we use it
- To authenticate you and provide the app and dashboard functionality.
- To route commands from your app to your devices via the MQTT broker.
- To display each device's current state in the app and on your admin dashboard.
- To send transactional email (sign-in links). We do not send marketing email.
- To provide support when you contact us.
- To detect and prevent abuse of the service (e.g. brute-force sign-in attempts, rate-limit violations).
We do not use your data to train machine-learning models, we do not sell it, and we do not disclose it to third parties for their own marketing.
4. Service providers we share with
We rely on a small number of vetted third-party services to operate the platform. Each receives only the minimum data required for the specific function they perform.
- DigitalOcean, Inc. — hosts our production servers in a Toronto (Canada) region. Encrypted at rest; standard cloud tenancy.
- Resend Inc. — delivers transactional sign-in emails. Receives your email address and the magic-link URL. Resend's privacy policy: resend.com/legal/privacy-policy.
- Porkbun LLC — DNS provider for pivotex.ca. Does not process personal data of app users.
- Apple Inc. / Google LLC — distribute the mobile app through the App Store and Google Play. If you enable Sign in with Apple in a future release, Apple handles the credential exchange; we only ever see the email you consent to share.
We do not use Google Analytics, Meta pixels, Mixpanel, Segment, or any other user-tracking service.
5. How long we keep it
- Your account and paired-device list are retained as long as you have an active account.
- Magic-link tokens expire 15 minutes after being emailed and are discarded on first use.
- WebAuthn challenge sessions expire within 5 minutes.
- Server request logs are rotated after 30 days.
- Device event logs are pruned to the most recent 100 events per device.
- If you delete your account (see below), we remove your user record, paired-device records, and passkeys immediately. Server-log entries containing your IP address expire on the normal 30-day schedule.
6. Security
- All connections between the mobile app, the dashboard, and our servers use TLS 1.2 or higher.
- MQTT connections between your Pivotex device and our broker are also TLS-encrypted, with per-device unique credentials.
- The mobile app does not ship with any shared administrative credentials. Every command is authorized against the specific customer JWT and device-ownership record.
- Firmware updates are signed with an ECDSA P-256 key. Devices verify the signature before applying an update; unsigned firmware is rejected.
- Passkeys, when used, are stored as public keys only. Private keys never leave your device.
- We have not experienced a data breach. If we ever do, we will notify affected users by email within 72 hours of confirming the incident.
7. Your rights
Depending on your jurisdiction (Canada's PIPEDA, EU/UK GDPR, California's CCPA/CPRA), you may have the right to:
- Access the personal data we hold about you.
- Correct inaccuracies.
- Delete your account and associated data.
- Export your data in a machine-readable format.
- Object to specific uses of your data or restrict processing.
To exercise any of these rights, email steve@pivotex.ca from the address on your Pivotex account. We respond within 30 days.
8. Deleting your account
You can delete your Pivotex account at any time by emailing steve@pivotex.ca from the address on the account. Deletion removes your user record, paired-device records, and passkey credentials from our servers. Your physical Pivotex devices continue to work locally over Bluetooth and (if configured) local network, but can no longer be controlled through app.pivotex.ca.
9. Children
Pivotex is a commercial product for building operators and door-hardware installers. It is not directed to children under 13, and we do not knowingly collect information from anyone under 13. If you believe a child has provided information to us, contact us and we will delete it.
10. Data location
Our servers are hosted in Toronto, Ontario, Canada. Emails are delivered through Resend Inc.'s infrastructure in the United States. If you are located outside Canada, your data will be transferred to and processed in Canada under Canadian privacy law.
11. Changes to this policy
If we make material changes, we will update the "Effective" date at the top of this page and, for changes that expand our data use, email account holders at least 30 days before the change takes effect.
12. Contact
Questions or complaints about privacy? Email steve@pivotex.ca or call 416-908-6656. Physical mail: Steven's Electrical Services Corp., Ontario, Canada (address on request).
If you believe we have not resolved your privacy concern, you have the right to contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.