ExactBlue Mobile App — Privacy Policy
Effective date: June 15, 2026
Last updated: June 15, 2026
This Privacy Policy explains how ExactBlue Technologies Inc. ("ExactBlue," "we," "us," or "our") collects, uses, shares, and protects personal information when you use the ExactBlue Mobile application (the "App") and any related online services, accounts, and reporting dashboards (together, the "Services").
We are based in Canada and serve customers in Canada, the United States, the European Union, and elsewhere. We aim to comply with applicable data protection laws, including Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's Law 25, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA) and other U.S. state privacy laws, and the EU/UK General Data Protection Regulation (GDPR/UK GDPR).
Please read this policy carefully. If you do not agree with it, please do not use the App.
1. Who we are (Data Controller)
For the purposes of the GDPR and similar laws, the data controller — the organization that decides why and how your personal information is processed — is:
ExactBlue Technologies Inc.
490 Sheldon Drive, Unit 6, Cambridge, ON, Canada, N1T2C1
Email: privacy@exactblue.com
Our designated Privacy Officer (required under PIPEDA and Quebec Law 25) can be reached at the email above.
Our role depends on how you use the App (see Section 2). When you use a corporate/team account, your employer or organization generally decides why your test data is collected and is therefore the data controller; in that case we act as a data processor handling the data on their behalf, and your organization's own privacy notice may also apply. We remain the controller for data we process for our own purposes (such as account security and App diagnostics).
If you are in the EU/EEA or UK, see Section 14 for our representative and your right to complain to a supervisory authority.
2. Scope of this policy
This policy applies to personal information processed through the ExactBlue Mobile app and directly related Services. It does not cover:
- Purchases made through our online stores (AquaVial / ExactBlue), which are governed by the privacy policy on each store; or
- Third-party websites or services we link to.
How the App stores your data — you choose:
- On-device only (local): You may keep your test records on your phone only. In this mode, your records are not uploaded to our servers and are not accessible to us or to a team. They remain under your control on your device. (Limited technical data, such as crash reports, may still be collected if you have enabled diagnostics.)
- Synced (corporate/team account): You may sync your records to our cloud (Google Firebase) so they can be accessed across your devices and shared with members of your organization's team account. In this mode, the data described in Section 3 is stored on our servers, and your organization controls who on the team can see it.
You can find or change your storage mode in the App's settings.
3. Information we collect
We collect only the information we need to provide water-testing functionality and to operate, secure, and improve the Services. The categories below describe what the App may collect.
3.1 Information you provide to us
- Account & identity data: name, work email address, password (stored only in hashed form), employer/organization name, job role, and optional phone number.
- Test readings: the App uses your device's camera/optical sensor to read your test spectrophotometrically — measuring how the chemical or microbiological test interacts with light — and an algorithm then estimates the concentration of the contaminant being tested. The raw optical reading is used only momentarily to calculate the result and is not stored. We keep only the calculated result, never the underlying image.
- Saved test records: when you save a result, the App records the calculated result (estimated concentration), a test ID, your notes, the date and time, and (if you allow it) the geolocation of the sample. See below regarding location.
- Exported reports: you can generate a PDF of a result and send it by email to recipients you choose.
- Support communications: messages, feedback, and information you send when contacting us.
3.2 Information collected automatically
- Device & technical data: device model, operating system and version, App version, unique device/installation identifier, IP address, and language settings.
- Usage & diagnostic data: features used, in-app events, crash reports, and performance data, collected via analytics and crash-reporting tools (e.g., Google Firebase / Crashlytics).
- Geolocation data (optional): if you enable location, the App tags each test record with the place where the sample was taken. This is optional — you can save a test without it, and you can allow or deny location access in your device settings at any time. Denying location simply means your records are not tagged with a place.
3.3 Information from third parties
- Authentication or single-sign-on providers, if you sign in that way.
- Your organization's administrator, who may create or manage your account.
3.4 Sensitive information
The App is not designed to collect sensitive personal information (such as health, biometric, racial, or financial data). Please do not enter such information into free-text fields.
4. How we use your information
We use personal information for the following purposes. Under the GDPR we must also state a "legal basis" for each use — that is, the lawful justification for processing your data.
- Create and manage your account — e.g., letting you log in and save results. Legal basis: performance of a contract (Art. 6(1)(b)).
- Provide core testing features — e.g., reading a test optically and estimating contaminant concentration. Legal basis: performance of a contract.
- Save and sync your test records — e.g., storing results, notes, time, and location for later access. Legal basis: performance of a contract.
- Generate and send reports — e.g., creating a PDF you email to recipients you choose. Legal basis: performance of a contract.
- Enable team access — e.g., sharing records with your organization's team account. Legal basis: performance of a contract / your organization's instructions.
- Secure the Services — e.g., detecting fraud, abuse, or unauthorized access. Legal basis: legitimate interests (Art. 6(1)(f)).
- Improve the App — e.g., fixing crashes, understanding feature usage. Legal basis: legitimate interests / consent for non-essential analytics.
- Communicate with you — e.g., sending service notices or support replies. Legal basis: performance of a contract / legitimate interests.
- Comply with law — e.g., responding to lawful requests, keeping records. Legal basis: legal obligation (Art. 6(1)(c)).
Where we rely on consent (for example, optional analytics or location), you may withdraw it at any time without affecting processing already carried out.
A note on automated analysis: the App's algorithm analyzes a water sample to estimate a contaminant concentration. It does not make automated decisions about you as an individual that produce legal or similarly significant effects, so the rules on automated individual decision-making do not apply to this analysis.
5. How we share your information
We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We disclose personal information only in these limited situations:
- Your team (corporate account): if you sync data to a team account, your test records are accessible to other authorized members of your organization, as configured by your organization's account administrator. (In on-device-only mode, no such sharing occurs.)
- Recipients you choose: the PDF report is generated on your device and sent through your own email app, so it goes only to the recipients you select and passes through your email provider. We do not receive or store these emailed reports. You control who receives them.
- Service providers (processors) who help us run the Services under contract, including Google LLC (Firebase / Google Cloud) — authentication, database, file storage, analytics, and crash reporting.
- Your organization, where your account is provisioned or managed by an employer.
- Legal and safety reasons — to comply with law, enforce our terms, or protect the rights, safety, and property of ExactBlue, our users, or the public.
- Business transfers — in connection with a merger, acquisition, or sale of assets, subject to this policy.
Each service provider is permitted to use your information only to perform services for us, not for their own purposes.
6. International data transfers
We are based in Canada, and our service providers may store and process data in Canada, the United States, or other countries. Data protection laws in these countries may differ from those where you live.
When we transfer personal information out of the EU/EEA or UK, we rely on a lawful transfer mechanism such as the European Commission's Standard Contractual Clauses (SCCs) or an adequacy decision (Canada has a partial adequacy decision from the EU for PIPEDA-covered organizations). You can request more details using the contact information in Section 14.
7. How long we keep your information
We keep personal information only as long as necessary for the purposes described in this policy, or as required by law.
- Account data and saved test records: retained for as long as your account remains active. When you close your account (or ask us to delete your data), we securely delete or anonymize it within a reasonable period, generally 90 days.
- On-device-only data: stored on your phone under your control until you delete it or uninstall the App; we do not hold a copy.
- Diagnostic/analytics data: typically retained for a shorter period, around 30 days.
When data is no longer needed, we securely delete or anonymize it.
8. How we protect your information
We use technical and organizational safeguards appropriate to the sensitivity of the data, including encryption in transit (HTTPS/TLS), access controls, authentication, and limiting access to staff who need it. No system is perfectly secure, so we cannot guarantee absolute security, but we work to protect your information and to notify you and regulators of breaches where required by law.
9. Your privacy rights
Your rights depend on where you live. We extend the core rights below to all users, and additional rights to residents of specific regions.
9.1 Available to everyone
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Delete your account and associated data (subject to legal retention).
- Withdraw consent where processing is based on consent.
9.2 EU/EEA & UK residents (GDPR)
In addition, you have the right to: restrict processing, object to processing based on legitimate interests, data portability (receive your data in a structured, machine-readable format), and rights regarding automated decision-making. You also have the right to lodge a complaint with your local supervisory authority (see Section 14).
9.3 California residents (CCPA/CPRA)
You have the right to: know/access the categories and specific pieces of personal information we collect; delete your information; correct inaccurate information; opt out of "sale" or "sharing" (we do neither); limit the use of sensitive personal information (we do not use it for inference); and non-discrimination for exercising your rights.
The categories of personal information we collect, in CCPA terms, include: identifiers (e.g., name, email, device ID, IP), commercial information (account/usage records), internet/network activity (app usage, diagnostics), and geolocation data (sample-site location, if you enable it). The App does not retain raw optical images. We collect these from you and from your device, for the business purposes described in Section 4.
9.4 Canada (PIPEDA & Quebec Law 25)
You have the right to access and correct your personal information, to withdraw consent, and — for Quebec residents — to data portability and to be informed about automated processing. You may also direct a complaint to our Privacy Officer and, if unsatisfied, to the Office of the Privacy Commissioner of Canada or the Commission d'accès à l'information du Québec (see Section 14).
9.5 How to exercise your rights
Email privacy@exactblue.com with your request. We will verify your identity (to protect your data), respond within the timeframe required by law (generally 30 days, extendable where permitted), and will not charge a fee except where allowed. You may use an authorized agent where the law permits.
10. Cookies and similar technologies
The App is not a website and does not use browser cookies, but it may use software development kits (SDKs) and device identifiers for authentication, analytics, and crash reporting (e.g., Firebase). Where required, we ask for your consent before using non-essential analytics, and you can manage tracking through your device's privacy settings.
Geolocation: location tagging is optional. Because the App can use location technology to tag sample sites, we tell you when it is active and you can turn location access on or off through your device permissions at any time (this transparency is specifically required under Quebec's Law 25).
11. Children's privacy
The App is intended for use by professional operators and is not directed to children under 16 (or the minimum age in your region). We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.
12. Third-party services
The App relies on third-party platforms (such as Google Firebase) whose own privacy practices govern their handling of data. We encourage you to review their policies. We are not responsible for the privacy practices of third parties we do not control.
13. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date and, where required, notify you in the App or by email. Your continued use of the Services after changes take effect means you accept the revised policy.
14. Contact us
Privacy Officer
George Botos
490 Sheldon Drive, Unit 6, Cambridge, ON
Canada, N1T2C1
Email: info@exactblue.com
To complain to a regulator:
- Canada: Office of the Privacy Commissioner of Canada — priv.gc.ca
- Quebec: Commission d'accès à l'information du Québec — cai.gouv.qc.ca
- EU/EEA: your national data protection authority (list at edpb.europa.eu)
- UK: Information Commissioner's Office — ico.org.uk
- California: California Privacy Protection Agency — cppa.ca.gov