Privacy Policy

1. About this Privacy Policy

This Privacy Policy describes how Rest Mama Inc. (“SolarLead,” “we,” “us,” “our”) collects, uses, discloses, stores, and protects personal information in connection with the SolarLead service (the “Service”) available at solarlead.io.

We are a Canadian federally-incorporated company based in Halifax, Nova Scotia. This policy is designed to comply with:

• the Personal Information Protection and Electronic Documents Act (PIPEDA), applicable to private-sector businesses operating in Canada;
• the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), applicable to information about California residents;
• the General Data Protection Regulation (GDPR), applicable to information about individuals in the European Economic Area, the United Kingdom, and Switzerland;
• other U.S. state privacy laws including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Quebec's Law 25, to the extent they apply.

2. Personal information we collect

2.1 Information about customers (“Customer Data”)

When you create an account, subscribe, or use the Service, we collect:

• Identification and contact information: your name, email address, company name, job title, business phone number.
• Authentication credentials: a password hash (we never store the password itself in plaintext), authentication tokens.
• Payment information: processed by Stripe, Inc.; we receive a Stripe customer ID and subscription status, but we do not store your full credit card number.
• Usage data: actions you take within the Service, including searches, filters applied, contacts unlocked, features accessed, and page views, along with associated timestamps.
• Technical data: IP address, browser type, device identifiers, operating system, referring URLs, and similar metadata required to operate the Service securely.
• Communications: if you email us, we retain the contents for support and record-keeping.

2.2 Information about property owners (“Homeowner Data”)

The Service aggregates information about residential solar installations and the properties where those installations occurred. This information may include:

• From public permit records: property street address, municipality, permit filing date, system size or capacity, declared project value, contractor name, and permit type. All of this information is public record under the building permit laws of the municipality where the permit was filed.
• From licensed data vendors (contact enrichment only): phone numbers and email addresses associated with a property address, provided by our third-party data-enrichment partner. This information is obtained by the vendor from publicly and commercially available sources and is returned to Customers on a per-unlock basis.

Homeowner Data does not include social security numbers, social insurance numbers, financial account numbers, driver's license numbers, passport numbers, biometric data, or any other “sensitive personal information” as defined by applicable privacy laws.

3. How we collect personal information

• Directly from Customers: through account registration, subscription purchase, and in-Service interactions.
• From public government sources: municipal, state, and provincial building department records, which we retrieve through automated collection of publicly-published data feeds (e.g., Socrata, ArcGIS, CKAN, Accela) and via freedom-of-information requests where applicable.
• From the U.S. Lawrence Berkeley National Laboratory's “Tracking the Sun” dataset, which aggregates historical U.S. residential solar installations and is publicly released for research and commercial use.
• From licensed third-party data vendors, specifically for contact-enrichment requests initiated by Customers on a per-address basis.

4. How we use personal information

4.1 Customer Data — purposes and legal bases

We use Customer Data to:

• provide, maintain, and improve the Service (contractual necessity);
• process payments and manage subscriptions (contractual necessity);
• respond to support requests and communicate about your account (legitimate interest and contractual necessity);
• send service announcements and material changes to these policies (legitimate interest and contractual necessity);
• detect, investigate, and prevent fraud, abuse, or security incidents (legitimate interest);
• comply with legal obligations, including tax, accounting, and record-keeping (legal obligation).

4.2 Homeowner Data — purposes and legal bases

We use Homeowner Data to:

• provide Customers with aggregated market intelligence, searches, and reports within the Service (legitimate interest, as the purpose is a lawful B2B service to the solar industry, and the data is derived from public records or from licensed commercial data vendors);
• fulfil Customer-initiated contact enrichment requests (legitimate interest);
• generate anonymized and aggregated statistics that cannot reasonably be linked back to any individual (legitimate interest).

We do not use Homeowner Data for any purpose that would cause SolarLead to be considered a “consumer reporting agency” under the U.S. FCRA or equivalent laws.

5. How long we retain personal information

We retain personal information only as long as necessary for the purposes described in Section 4, subject to the following retention schedules:

• Customer account information: retained for the duration of your active subscription plus a period of up to twenty-four (24) months thereafter for tax, accounting, legal, and audit purposes. You may request earlier deletion under Section 8.
• Payment records: retained for seven (7) years after collection, as required by Canadian tax and corporate record-keeping laws.
• Homeowner contact-enrichment data (phone numbers and email addresses): automatically purged from our systems twelve (12) months after the date the enrichment was first returned to a Customer, unless a longer retention period is required by law or until an earlier deletion is requested by the individual. Expiry is enforced by an automated background process.
• Homeowner public-record permit data (address, permit details, contractor name): retained for as long as the underlying record is reasonably useful for the lawful purposes described above, subject to any deletion request valid under applicable law.
• Usage, technical, and communications logs: retained for up to thirty-six (36) months for security, diagnostic, and fraud-prevention purposes.

6. Who we share personal information with

We share personal information only as follows:

6.1 Service providers (processors)

We use a limited number of third-party service providers to operate the Service. Each is bound by data-processing obligations to use personal information only for the purposes we direct. As of the effective date, these include:

• Stripe, Inc. — payment processing (United States; EU Standard Contractual Clauses apply for EEA transfers).
• Railway Corp. — application hosting and backend infrastructure (United States).
• Vercel Inc. — frontend and marketing site hosting (United States).
• Supabase, Inc. — database infrastructure (data stored in North American regions).
• Anthropic, PBC — AI model inference for in-platform analytics features. Only anonymized or aggregated inputs are sent; no raw homeowner contact information is transmitted.
• Licensed contact-enrichment vendor — for skip-tracing and contact-lookup services; operates under contractual privacy and lawful-use commitments.

6.2 Legal and safety disclosures

We may disclose personal information if required by subpoena, court order, or other legal process, or where we reasonably believe disclosure is necessary to: investigate or prevent fraud or illegal activity; protect the rights, property, or safety of SolarLead, our Customers, or others; enforce our agreements; or comply with applicable law.

6.3 Business transfers

If Rest Mama Inc. is acquired by, merges with, or sells assets to another entity, personal information may be transferred as part of that transaction. We will notify affected individuals of any such transfer that materially changes how their information is handled.

6.4 We do not sell personal information

We do not sell personal information as “sale” is defined under the CCPA/CPRA and equivalent laws, and we do not “share” personal information for cross-context behavioral advertising. The contact-enrichment feature is a Customer-initiated service, not a resale of personal information.

7. International data transfers

Rest Mama Inc. is based in Canada. Our service providers are based primarily in the United States and Canada. Personal information may therefore be transferred to, stored, and processed in the United States and other countries with data-protection laws different from those of your jurisdiction. By using the Service, you acknowledge this transfer.

Where personal information is transferred out of Canada or the EEA/UK, we rely on lawful transfer mechanisms including our service providers' Standard Contractual Clauses and PIPEDA's accountability framework.

8. Your privacy rights

Depending on your jurisdiction, you have some or all of the following rights with respect to personal information we hold about you:

• Right of access: request a copy of personal information we hold about you.
• Right to correction: request that we correct inaccurate or incomplete information.
• Right to deletion: request that we delete your personal information, subject to limited exceptions required by law.
• Right to restrict or object to processing: where we rely on legitimate interest as our legal basis.
• Right to portability: receive your account data in a commonly-used, machine-readable format.
• Right to withdraw consent: where we rely on consent as our legal basis, you may withdraw that consent at any time.
• Right to non-discrimination: we will not retaliate against you or provide a lower quality of service for exercising your privacy rights.

8.1 How to exercise your rights

To exercise any of the above rights, email privacy@solarlead.io with the subject line “Privacy Request”. We will respond within thirty (30) days or the time required by your applicable local law, whichever is shorter. We may request information reasonably necessary to verify your identity before acting on your request.

8.2 For homeowners whose information appears in SolarLead

If you are a homeowner and your name, address, or contact information appears in SolarLead's data as a result of a public permit record or a Customer's enrichment request, you may exercise the deletion right described in Section 8 by emailing privacy@solarlead.io. We will remove your information from our active database within thirty (30) days. Note that we cannot delete information from the original public records from which it was sourced (e.g., your municipality's building department), only from SolarLead's systems.

8.3 Right to appeal (Virginia, Colorado, Connecticut, others)

If we decline your privacy request, you may appeal by replying to our decision email with the subject line “Privacy Appeal.” We will respond to appeals within sixty (60) days. If you are dissatisfied with our response, you may contact your state attorney general or provincial privacy commissioner.

8.4 Canadian residents — Privacy Commissioner contact

You may file a complaint with the Office of the Privacy Commissioner of Canada:

9. Cookies and similar technologies

We use a small number of cookies and similar technologies to operate the Service. Our Cookie Policy contains the full list and explains how you can control them.

10. Security

We implement commercially reasonable administrative, technical, and physical safeguards to protect personal information from unauthorized access, loss, misuse, or alteration. These include:

• Encryption of data in transit using TLS 1.2 or higher;
• Encryption of sensitive database fields at rest;
• Role-based access control, with administrative access to sensitive data limited to a small number of authorized personnel;
• Regular security review of our dependencies and infrastructure;
• Secure credential management using industry-standard practices (password hashing, JWT-based authentication, environment-variable secret management).

No system is perfectly secure. If we become aware of a personal-information breach likely to result in material risk to affected individuals, we will notify affected individuals and applicable regulators in the time period required by law.

11. Children's privacy

The Service is not directed to individuals under the age of eighteen (18), and we do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please contact privacy@solarlead.io and we will promptly delete it.

12. California-specific disclosures (CCPA/CPRA)

This section supplements the rest of the Privacy Policy for California residents.

12.1 Categories of personal information collected

In the last twelve (12) months, we have collected the following categories of personal information, as defined by the CCPA/CPRA: identifiers (name, email, IP address, account ID); customer records (name, company, payment information processed by Stripe); commercial information (subscription purchase history); internet activity (pages viewed, features used); geolocation (approximate, from IP); inferences (usage-based analytical profiles used only within the Service); professional information (company, job title); and, for Homeowner Data, identifiers and public-record permit details.

12.2 Sources

See Section 3 above.

12.3 Purposes

See Section 4 above.

12.4 Sale or sharing

We do not sell personal information and we do not share personal information for cross-context behavioral advertising, as defined by the CCPA/CPRA.

12.5 Sensitive personal information

We do not collect sensitive personal information as defined by the CPRA, and we therefore do not use or disclose such information.

12.6 How to exercise California rights

Email privacy@solarlead.io with the subject line “California Privacy Request.” You may also designate an authorized agent to exercise these rights on your behalf.

13. EEA/UK residents — GDPR disclosures

The data controller is Rest Mama Inc., at the registered address above. We do not have a designated EU representative because we do not specifically target users in the EEA or UK. You may contact us at privacy@solarlead.io for any GDPR request. You also have the right to lodge a complaint with your local data protection authority.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or in applicable law. We will post the updated policy on this page with a new “Last updated” date. If the changes are material, we will notify account holders by email at least thirty (30) days before the changes take effect.

15. Contact

Questions or requests relating to this Privacy Policy should be sent to:

This Privacy Policy was last updated on April 22, 2026 and becomes effective on that date. It supersedes all prior versions.