Privacy notice.

1. Who we are

• Norcut Railings LTD., a company incorporated in British Columbia, Canada. Trade-only B2B supplier of aluminum railing systems.
• General contact: office@norcut.ca. Billing and account-record requests: accounts@norcut.ca.
• Norcut Railings is the accountable organization for personal information under this notice.

2. What we collect

• Quote requests: name, company name, role, business email, business phone, project city, project description, and any estimator spec attached to the request.
• Estimator submissions: the fields above plus the encoded estimator spec (line, length, mount type, finish, corners, application).
• Stock-notify requests: business email and a qualifier (Contractor, Developer, Installer, or Other).
• Account applications:the fields above plus business credentials supplied during trade-account review — typically company legal name, business number, billing address, trade references, and an authorized signer.
• Site analytics:pseudonymous page-view and event data via Google Analytics 4 (Measurement ID G-L7DZ0S4Z7X). IP anonymization is on. Loaded only on the production deployment (VERCEL_ENV === "production"); not on preview or local environments.
• Most of the contact data above is "business contact information" collected to communicate with the contact in their professional capacity. Under PIPEDA, business contact information used solely for communicating with a person about their employment or profession is outside the Act’s scope; under PIPA BC, the analogous "contact information" definition is excluded from the definition of personal information. Norcut still applies the standards in this notice as a matter of practice.

3. Why we collect it

• Respond to quote, estimator, and stock-notify requests.
• Review trade-account applications, run credit checks where authorized by the applicant, and maintain order history and invoices for approved accounts.
• Ship product, schedule freight, and resolve order issues with the named project contact.
• Operate the site, monitor errors, and measure aggregate page traffic.
• Meet record-keeping obligations under applicable tax, commercial, and consumer-protection law.
• We do not sell, rent, or trade personal information.

4. Legal basis (PIPEDA & PIPA BC)

• Implied consentfor sales communication initiated by the contact — submitting a quote request, estimator submission, or stock-notify form is treated as consent to be contacted about that request.
• Express consent for trade-account applications and any associated credit check, captured on the application form at the point of submission.
• Implied consent for first-party site analytics limited to pseudonymous, IP-anonymized GA4 data, on the basis that the processing is non-sensitive and consistent with the reasonable expectations of a B2B trade visitor.
• Statutory authorityto retain transaction records for the periods required by federal and provincial law (see §6 Retention).

5. Cookies

• Strictly necessary: session, CSRF, and Vercel deployment-routing cookies. These keep the site functional and are not subject to consent under PIPEDA.
• Analytics: Google Analytics cookies (gtag.js) loaded only on the production deployment. IP anonymization is on. No advertising, remarketing, or cross-site tracking cookies.
• No third-party tracking: Norcut does not embed ad pixels, social trackers, or session-replay tools.
• To opt out of GA, block third-party cookies in your browser or install the Google Analytics Opt-out Browser Add-on.

6. Retention

• Quote and stock-notify records: 5 years from the last contact, then deleted on the next quarterly purge.
• Trade-account application records: 7 years from account closure, to align with the BC Limitation Act and commercial record-keeping obligations under the Excise Tax Act (GST) and the Income Tax Act.
• Order, invoice, and shipping records: 7 years from invoice date, for tax and commercial record-keeping.
• Site analytics (GA4): the GA4 property default of 14 months for event-level data; aggregated reports retained indefinitely.
• Backups: 90-day rolling backup window across Vercel and Supabase. Deleted records may persist in backups for up to 90 days after deletion from the primary database.

7. Your rights

• Access: request a copy of the personal information Norcut holds about you. Norcut will respond within 30 days, consistent with PIPEDA Principle 9.
• Correction: request that inaccurate or incomplete information be corrected.
• Withdrawal of consent: withdraw consent for future processing, subject to legal and contractual obligations that require continued retention (for example, an active trade account or open quote).
• Deletion: request deletion of records that are no longer required to be retained.
• Send requests in writing to office@norcut.ca. Billing-record requests should be sent to accounts@norcut.ca. Norcut may require reasonable verification of identity before releasing or amending records.
• Escalation:if you are not satisfied with Norcut’s response, you may file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or, for BC-resident data, the Office of the Information and Privacy Commissioner for British Columbia (oipc.bc.ca).

8. Cross-border data

Norcut’s site infrastructure is hosted on Vercel, and its database is hosted on Supabase in the US East (Northern Virginia) region. Personal information submitted through the site — quote requests, estimator submissions, stock-notify entries, and account applications — is stored and processed on US infrastructure. While stored in the US, personal information may be subject to the laws of the United States, including lawful access by US courts, law enforcement, and national security authorities.

Norcut requires its processors to provide a comparable level of protection to the standards in this notice through contractual measures, consistent with the Office of the Privacy Commissioner of Canada’s guidance on transfers for processing. Transfer to a processor does not relieve Norcut of accountability for the information.

9. Safeguards

• HTTPS in transit; database encryption at rest.
• Pricing data is server-only and never exposed to the browser bundle. Per-part unit prices are not transmitted to public visitors.
• Access to account, quote, and order records is restricted to named Norcut staff on a need-to-know basis.
• Norcut will notify affected individuals and, where required, the Office of the Privacy Commissioner of Canada in the event of a breach of security safeguards that creates a real risk of significant harm, in accordance with PIPEDA’s mandatory breach-notification requirements.

10. Changes

Norcut may update this notice from time to time. The effective date at the top of the page will be updated to reflect any material change. Continued use of the site after an update constitutes acceptance of the updated notice.

11. Contact

Privacy and general sales inquiries: office@norcut.ca. Billing and account statements: accounts@norcut.ca.