Log in Get started

Privacy Policy

Effective date: · Last updated:

1. Introduction

Bravo Technology Inc. ("Bravo", "we", "us", "our"), a company incorporated in British Columbia, Canada, respects your privacy and is committed to protecting your personal information. This Privacy Policy explains what we collect when you use the Bravo Card service (the "Service"), how we use it, who we share it with, and what choices you have.

This Policy applies to the Bravo Card service. It does not apply to the Bravo eGift Card product, to Partner Restaurants you visit, or to third-party websites linked from our Service.

By using the Service you confirm you have read this Policy. Use of the Service is also governed by our Terms of Use.

2. Definitions

  • Personal Information — information about an identifiable individual.
  • Service — the Bravo Card platform, including the website, the wallet pass, our payment and rewards back-end, and any related features.
  • Linked Payment Card — your underlying credit or debit card linked to the Service through our payment processor.
  • Bonus — your dining-reward balance.
  • Partner Restaurant — a merchant participating in the Bravo network.

3. Information we collect

3.1 Information you provide directly

  • Account information: your phone number and name (and email address, if you provide one for support or marketing).
  • Phone verification: the one-time code (OTP) you enter to verify your phone number.
  • Linked Payment Card: only the metadata returned by our payment processor — typically the last four digits, brand, and expiry date. The full card number is never stored by Bravo. It is held by Stripe under PCI-DSS controls.
  • Communications: emails, SMS, or in-app messages you send to our support team.
  • Marketing preferences: your opt-in or opt-out choices.

3.2 Information collected automatically

  • Transaction data: when a qualifying transaction occurred, which Partner Restaurant it was at, the transaction amount, and the resulting Bonus.
  • Device and technical data: IP address, device type, operating system, browser type, and wallet platform (Apple Wallet or Google Wallet).
  • Usage data: page views, clicks, and similar interaction metrics — collected only when you have consented to analytics cookies (see Section 8).
  • Cookies and similar technologies (see Section 8).

3.3 Information from third parties

  • Stripe — transaction status, card metadata, fraud signals related to your Linked Payment Card.
  • Apple Wallet / Google Wallet — pass installation and lifecycle events from your device.
  • Service providers — delivery status from our email and SMS senders.

4. How we use your information

We use Personal Information for the following purposes:

  • operating the Service (issuing the Bravo Card pass, recording transactions, calculating and applying Bonus);
  • authenticating you (phone verification, account access);
  • processing transactions through Stripe and reconciling them with Partner Restaurants;
  • providing customer support;
  • detecting, investigating, and preventing fraud, abuse, and security incidents;
  • improving the Service through analytics and product testing;
  • sending you transactional communications (OTP codes, receipts, Bonus updates, security and account notices);
  • sending you marketing communications, with your express consent;
  • complying with legal obligations under Canadian tax, anti-money-laundering, and other applicable laws.

5. Legal basis: consent

Under Canadian privacy law — including PIPEDA (federal), Quebec Law 25, BC PIPA, and Alberta PIPA — our legal basis for processing Personal Information is your consent.

By using the Service you consent to processing for the purposes described in Section 4. For sensitive uses — including marketing communications and optional analytics or advertising cookies — we ask for express opt-in consent.

You can withdraw consent for non-essential processing at any time, subject to legal and contractual constraints (for example, we still need to retain certain records to comply with tax law). Withdrawing consent for processing necessary to operate the Service may mean we can no longer provide the Service to you.

6. When and with whom we share

6.1 Service providers

We use the following service providers to operate the Service. We bind each of them to confidentiality and data-protection obligations.

  • Stripe, Inc. (United States) — payment processing and Linked Payment Card storage.
  • Amazon Web Services, Inc. (United States) — cloud storage and SMS delivery (including OTPs sent when you sign in or verify your phone).
  • Twilio SendGrid, Inc. (United States) — transactional and marketing email delivery.
  • Resend, Inc. (United States) — transactional email delivery.
  • Vercel, Inc. (United States) — web hosting and edge content delivery.

6.2 Partner Restaurants

When you earn or redeem Bonus at a Partner Restaurant, the restaurant's point-of-sale system does not receive your Personal Information. The restaurant only sees the transaction status — for example, the amount paid or, if there is a problem, an error message. Your name, phone number, email address, and other identifying details are never shared with Partner Restaurants.

6.3 Apple and Google

The Bravo Card pass is installed and operated through Apple Wallet (Apple Inc., United States) or Google Wallet (Google LLC, United States). Push notifications related to your Bravo Card pass are delivered natively by your device's wallet platform, governed by Apple's and Google's respective privacy notices.

6.4 Advertising partners

With your consent (managed through our cookie banner), we may share limited information — typically hashed identifiers and event-level data — with advertising platforms such as Meta (Facebook / Instagram), Google Ads, TikTok, and similar third-party platforms, to run, measure, and improve advertising campaigns. We will not enable advertising cookies until you have given consent.

6.5 Legal and safety

We may disclose Personal Information when required by law, court order, or government request, or when we reasonably believe disclosure is necessary to protect rights, property, or the safety of Bravo, our users, or the public.

6.6 Corporate transactions

If Bravo is involved in a merger, acquisition, financing, sale of assets, or similar corporate transaction, your information may be transferred as part of that transaction, subject to confidentiality obligations.

6.7 We do not sell your Personal Information

We do not sell your Personal Information to any third party.

7. Cross-border transfers

Several of our service providers (including Stripe, AWS, SendGrid, Resend, and Vercel) are located in the United States. By using the Service you acknowledge that your Personal Information may be transferred to, stored in, and processed in the United States and other countries where our service providers operate.

We require service providers to apply reasonable contractual and technical safeguards consistent with Canadian privacy law. While your Personal Information is outside Canada, it may be subject to the laws of the country where it is processed, including lawful access by the courts and authorities of that country.

8. Cookies and similar technologies

We use cookies and similar technologies to operate, secure, and improve the Service. Categories:

  • Strictly necessary — keep you signed in, prevent fraud, and remember your preferences. Always active. No consent required.
  • Analytics — measure how the Service is used so we can improve it. Active only with your consent.
  • Advertising and marketing — measure and personalise the ads we run on third-party platforms. Active only with your consent.

When you first visit the Service we ask you to accept or reject analytics and advertising cookies via a consent banner. You can change your choices at any time using the "Manage cookies" link in the footer.

We are not currently running analytics or advertising tools, but we may enable tools such as Google Analytics, Vercel Analytics, PostHog, and third-party advertising pixels in future. When those tools go live, your existing consent choices will apply.

9. Marketing communications

We will only send you marketing emails or SMS if you have given us express opt-in consent, in accordance with Canada's Anti-Spam Legislation (CASL).

You can unsubscribe at any time:

  • use the unsubscribe link in any marketing email;
  • reply STOP to any marketing SMS; or
  • email support@bravoup.ca.

Transactional messages — including phone-verification codes (OTPs), security alerts, account notices, and receipts — are necessary to operate the Service and are not subject to marketing opt-out.

10. Children's privacy

The Service is intended for users 18 years of age or older. We do not knowingly collect Personal Information from anyone under 18. If we learn we have collected information from someone under 18, we will delete it promptly.

If you believe we may have collected information about a minor, please contact us at support@bravoup.ca.

11. Data retention

We retain Personal Information only for as long as needed for the purposes described in this Policy, or as required by law.

  • Account information — retained while your account is open. After you close your account, we keep a limited record for 180 days to allow account restoration and to investigate fraud or disputes, then delete or anonymise it.
  • Transaction records — retained for seven (7) years to comply with Canadian tax, anti-money-laundering, and accounting requirements.
  • Marketing list — retained until you unsubscribe.
  • Support correspondence — retained for two (2) years to maintain a record of issues and resolutions.
  • Server and security logs — retained for 90 days for security monitoring and incident investigation.

After the applicable retention period, Personal Information is deleted or de-identified.

12. Security

We protect your Personal Information using:

  • TLS encryption for data in transit;
  • encryption at rest for data we store;
  • access controls limiting employee and contractor access to a need-to-know basis;
  • PCI-DSS compliance via Stripe for payment-card data — Bravo does not store full card numbers;
  • dynamic QR refresh on your Bravo Card pass to limit code reuse; and
  • regular security reviews of our infrastructure and dependencies.

No system is 100% secure. If a breach involving your Personal Information creates a real risk of significant harm, we will notify you and the relevant privacy commissioner as required by law, including under PIPEDA (s. 10.1) and Quebec Law 25.

13. Your rights

You have the right to:

  • access the Personal Information we hold about you;
  • correct inaccurate or incomplete information;
  • delete your Personal Information, subject to our legal and operational retention obligations (Section 11);
  • withdraw consent for non-essential processing, including marketing communications and optional analytics or advertising cookies;
  • portability — receive your Personal Information in a structured, commonly used technological format;
  • object to certain types of processing; and
  • complain to Bravo, then to the relevant privacy commissioner.

To exercise any of these rights, contact us at support@bravoup.ca. We will respond within the timelines required by applicable law (typically 30 days under PIPEDA).

If you are not satisfied with our response, you can contact:

  • Office of the Privacy Commissioner of Canada — priv.gc.ca · 1-800-282-1376
  • Office of the Information and Privacy Commissioner for British Columbia — oipc.bc.ca
  • Office of the Information and Privacy Commissioner of Alberta — oipc.ab.ca
  • Commission d'accès à l'information du Québec — cai.gouv.qc.ca

14. Privacy contact

If you have questions, concerns, or requests about this Policy or your Personal Information, contact us:

  • Email: support@bravoup.ca
  • Mailing address: #150 - 13575 Commerce Pkwy, Richmond, British Columbia, V6Y 2N5

15. Changes to this Policy

We may update this Policy from time to time. The "Effective date" at the top will reflect the current version. We will notify you of material changes by email, in-product notice, or both. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

16. Quebec residents

If you reside in Quebec, An Act respecting the protection of personal information in the private sector (Law 25) gives you additional rights, including:

  • the right to be informed about, and to object to, the use of decisions made solely on the basis of automated processing. Bravo does not currently use automated decision-making of this kind; if we introduce it in future we will update this Policy and notify you;
  • the right to data portability in a structured, commonly used technological format; and
  • the right to require us to cease disseminating your Personal Information, or to de-index any link associated with your name, in the circumstances permitted by Law 25.

The person responsible for the protection of personal information at Bravo can be reached at support@bravoup.ca.