GridOwl Platform

v1.0 — March 17, 2026

Privacy Policy

GridOwl Platform — PIPEDA Compliant Data Protection

1. Introduction

GridOwl ("Service") is operated by R Gupta Consultancy Services Inc., an Ontario corporation operating as GridOwl ("RGCS", "we", "us"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information.

We are committed to complying with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal privacy law, and applicable provincial privacy legislation.

Your privacy is important to us. Please read this policy carefully to understand our practices.

2. Information We Collect

Account Information

When you create an account, we collect: name, email address, password hash, organization name, phone number (optional), account preferences, and role/permissions.

IoT Sensor Data

Temperature readings, humidity levels, timestamps, device identifiers (dev_eui), gateway identifiers, signal strength (RSSI), and spreading factor (SF) from LoRaWAN sensors deployed in your facility.

Equipment Metadata

Equipment type (freezer, refrigerator, etc.), equipment location, temperature setpoints/thresholds, equipment serial numbers, and maintenance history.

Location Data

Facility address, geolocation coordinates (latitude/longitude) for equipment and gateways, and location metadata for sensor positioning.

HACCP & Compliance Data

Temperature breach events, acknowledgments, resolutions, escalation actions, audit logs, compliance reports, and user actions (who, what, when).

Usage & Activity Data

Login history, page views, features used, API calls, session duration, IP address, browser type, device type, and timestamps of actions.

Cookie & Tracking Data

Session cookies (httpOnly), JWT refresh tokens, authentication state, and analytics information (see Cookie Policy section).

Communication Data

Emails, support tickets, feedback, feature requests, and communication with RGCS staff.

3. How We Use Your Information

We use your information for the following purposes:

  • Service Delivery: Provide temperature monitoring, data collection, and reporting functionality
  • Account Management: Create and manage your account, authenticate users, and maintain access control
  • Breach Detection: Identify temperature anomalies and alert you to potential food safety issues
  • Compliance Reporting: Generate HACCP-style audit logs and compliance summaries
  • Hardware Management: Track sensor deployment, maintenance, battery life, and calibration schedules
  • Communications: Send service updates, security alerts, billing notifications, and support responses
  • Analytics: Analyze usage patterns to improve the Service (aggregated, non-personally identifiable)
  • Security: Prevent fraud, unauthorized access, and malicious activity
  • Legal Compliance: Comply with applicable laws, regulations, and food safety requirements
  • Customer Support: Respond to your inquiries and resolve issues

5. Data Sharing & Third Parties

We do not sell your data to third parties. We share data only with essential service providers:

AWS (Amazon Web Services)

Purpose: Cloud infrastructure, data storage, compute, and database hosting.

Data Shared: All personal and sensor data (encrypted in transit and at rest).

Jurisdiction: US (AWS data centers in US regions; may be subject to US government access requests under FISA).

The Things Industries (TTI)

Purpose: LoRaWAN network operator for IoT connectivity.

Data Shared: Device identifiers, location data, and uplink metadata for network routing and optimization.

Sentry (Error Tracking)

Purpose: Application error monitoring and crash reporting.

Data Shared: Non-personally identifiable error logs, stack traces, and browser information (no sensitive data).

Stripe (Payment Processing)

Purpose: Process subscription payments and billing.

Data Shared: Name, email, billing address (we do not store credit card numbers; Stripe handles PCI compliance).

All third-party service providers are bound by confidentiality agreements and are only authorized to use data for the specific purposes stated above.

6. Data Retention

HACCP Audit Logs

Retained for a minimum of 2 years as required by food safety regulations.

Sensor Data (Temperature Readings)

Retained for 5 years to support historical analysis, compliance verification, and food safety investigations.

Account Information

Retained while your account is active and for 1 year after termination to settle disputes and comply with legal obligations.

Activity & Usage Logs

Retained for 1 year for security and support purposes.

Cookies & Session Data

Session cookies expire when you log out. Refresh tokens are retained until expiration or revocation.

Deletion Requests

Subject to legal requirements, we will delete your personal information upon request. Some data may be retained if required by law or food safety regulations.

7. Your Rights Under PIPEDA

Under PIPEDA, you have the following rights:

Right of Access

You have the right to request access to all personal information we hold about you. We will provide this information within 30 days of a verifiable request.

Right of Correction

You have the right to request correction of inaccurate, incomplete, or outdated personal information. We will update your information and notify third parties who received it.

Right of Deletion

You have the right to request deletion of your personal information, subject to legal and regulatory requirements (e.g., food safety retention periods). We will inform you of any restrictions.

Right to Withdraw Consent

You may withdraw consent to the collection, use, or disclosure of your information at any time. However, withdrawal may limit your ability to use the Service.

Right to Data Portability

You may request a copy of your personal information in a portable, machine-readable format (e.g., CSV).

Right to Complain

If you believe RGCS has violated your privacy rights, you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.

To exercise any of these rights, please contact us at [email protected] with a description of your request. We may ask for verification of your identity.

8. Data Security

RGCS implements industry-standard security measures to protect your data:

  • Encryption in Transit: TLS/SSL encryption for all data transmitted between your browser/device and our servers
  • Encryption at Rest: AES-256 encryption for sensitive data stored in databases
  • Authentication: JWT tokens for API authentication; MFA support for accounts
  • Access Control: Row-level security and role-based access control (RBAC) to isolate tenant data
  • Audit Logging: Immutable logs of all system access and data modifications
  • Vulnerability Management: Regular security audits, penetration testing, and code reviews
  • Incident Response: We have processes in place to detect, respond to, and report security incidents

Important: No system is 100% secure. While we implement strong security measures, we cannot guarantee absolute security or that unauthorized access will never occur. You use the Service at your own risk.

9. International Transfers

Your personal information may be transferred to, stored in, and processed outside Canada, including in the United States. By using the Service, you consent to such transfers.

US Government Access: Your data stored on AWS servers in the US may be subject to access requests by US government agencies under laws such as FISA and the USA PATRIOT Act. RGCS has no control over such access.

10. Children's Privacy

GridOwl is not intended for use by children under 18 years of age. We do not knowingly collect personal information from children.

By creating an account, you represent that you are at least 18 years old. If we become aware that we have collected information from a child under 18, we will delete that information immediately.

11. Mobile Application

If you use the GridOwl mobile application (iOS or Android), the following additional data practices apply.

Push Notification Tokens

We collect device push notification tokens (via Apple Push Notification service or Firebase Cloud Messaging) to deliver real-time temperature breach alerts and escalation notifications. You may disable push notifications through your device settings at any time, though this may delay your receipt of HACCP breach alerts.

Device Information

We collect device type, operating system version, app version, and a unique device identifier for crash reporting and analytics purposes. This data is used solely to improve app reliability and user experience.

Biometric Authentication

If you enable biometric unlock (Face ID, Touch ID, or fingerprint), biometric data is processed entirely on your device using the operating system’s secure enclave. We never receive, store, or transmit biometric data to our servers.

Mobile Location Data

The mobile app may request location access to identify which restaurant location you are at for contextual temperature monitoring. Location data is used only within the app session and is not stored on our servers unless you explicitly associate it with a facility record.

Offline Data

The app may cache recent temperature readings locally on your device for offline viewing. Cached data is encrypted and automatically purged when you log out or after 7 days, whichever is sooner.

Account Deletion

You may delete your account directly within the app: navigate to Profile → Danger Zone → Delete My Account, confirm your email address and password, and your account will be permanently deleted immediately. Alternatively, contact [email protected].

Organization administrators: If you are the sole administrator of an organization, you must first assign another administrator before deleting your account. This ensures your organization retains administrative control. You can manage team members from Settings → Team.

What gets deleted: Your name, email, password, session tokens, and app preferences are permanently deleted. HACCP compliance audit records are retained in anonymized form (your name and email are removed; the compliance action record is preserved) for a minimum of 2 years as required by food safety regulations. Temperature readings and compliance events belong to your organization and are retained per your organization's data retention policy.

B2B data note: GridOwl operates as a data processor on behalf of your organization (the data controller). Your organization may have independent obligations to retain records of your actions for regulatory compliance. Deleting your GridOwl account removes your personal information from GridOwl's systems but does not necessarily affect your organization's own records.

13. Data Breach Notification

In the event of a data breach that affects your personal information, RGCS will:

Notification Timeline: Notify affected users and the Office of the Privacy Commissioner of Canada within seventy-two (72) hours of becoming aware of the breach, as required by PIPEDA's breach notification requirements.

Notification Content: Include a description of the breach, the types of personal information involved, the estimated number of individuals affected, the steps RGCS is taking to address the breach, and recommended steps you can take to protect yourself.

Record Keeping: Maintain records of all data breaches for a minimum of two (2) years, regardless of whether notification was required.

14. Sub-Processors & Change Notification

RGCS uses the third-party service providers listed in Section 5 (Data Sharing & Third Parties) as sub-processors to deliver the Service.

Change Notification

If RGCS adds or replaces a sub-processor that handles personal information, we will notify Tenant Administrators via email at least thirty (30) days before the change takes effect. The notification will include the name of the new sub-processor, the data it will process, and its jurisdiction.

Objection Right

If you object to a new sub-processor on reasonable data protection grounds, you may notify RGCS in writing within fourteen (14) days of receiving the change notification. RGCS will work in good faith to address your concerns. If the concern cannot be resolved, you may terminate your subscription without penalty.

15. Changes to Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email at least 30 days before the effective date.

Your continued use of the Service after changes become effective constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you must stop using the Service before the effective date.

16. Contact Information

If you have questions about this Privacy Policy or wish to exercise your rights under PIPEDA, please contact:

R Gupta Consultancy Services Inc. — Privacy Team

Email: [email protected]

Support: [email protected]

Address: Ottawa, Ontario, Canada

Privacy Commissioner of Canada: If you have privacy concerns that RGCS cannot resolve, you may contact the Office of the Privacy Commissioner of Canada at priv.gc.ca or by phone at 1-800-282-1376.

Version 1.0 — March 17, 2026 | © 2026 R Gupta Consultancy Services Inc. (RGCS). All rights reserved.
