CapWest

Privacy Policy

CapWestPO, operated by Onni Contracting Ltd.

Version 1.0 · Last updated: 2026-05-13

1. Overview

CapWestPO is an internal, business-to-business purchase order submission and review tool. It is operated by Onni Contracting Ltd. on behalf of CapWest Build, a construction-industry customer. The application is delivered both as a web app at orders-capwest.up.railway.app and as a native iOS app distributed through Apple TestFlight and the Apple App Store.

CapWestPO is not a consumer service. Accounts are provisioned by an administrator; there is no self-signup. The application is intended exclusively for authorised personnel of CapWest Build and Onni Contracting Ltd. This Privacy Policy explains what information we collect through the application, why we collect it, how we store and share it, and what choices our users have.

Our role.Onni Contracting Ltd. is the controller of the authentication and account data that we collect to operate the service (your work email address, your display name, your assigned role, and related session information). With respect to the purchase order content, comments, and attachments that you submit through the application (collectively, “Submitted Content”), Onni Contracting Ltd. acts as a processor (service provider) on behalf of CapWest Build, which is the controller of that Submitted Content. Requests relating to Submitted Content should be directed to CapWest Build. Requests relating to your account, your access, or this Privacy Policy should be directed to our Privacy Officer (see Section 13).

2. Information we collect

All data collected by CapWestPO is linked to an authenticated user account and is collected solely to operate the purchase order workflow. We do not use any of this data for advertising, cross-app tracking, or profiling. The application contains no third-party advertising or analytics SDKs.

2.1 Identity and account data

  • Email address, used to authenticate the user (via Microsoft Entra single sign-on or, where enabled, email and password), to identify the submitter of each purchase order, and to deliver confirmation and status notifications.
  • Display name, supplied by your identity provider when you sign in, and attached to submitted requests, comments, and audit log entries.
  • Role. Your assigned permission level within the app (for example, requester or administrator). This determines which features and which purchase orders you can access.

2.2 Purchase order content

Each purchase order request includes the fields the user enters, which vary by category (Trucking, Materials, Fuel, Equipment Rentals, or Labour). Typical fields include:

  • Project name, project number, and project area
  • Site address, pick-up address, and delivery address
  • Site contact names and phone numbers (these may be the names and phone numbers of the user’s colleagues or third-party site contacts)
  • Material, fuel, equipment, or labour details, quantities, descriptions, scope of work, dates required, urgency
  • Vendor PO number, optional free-text notes
  • Optional file attachments (documents, spreadsheets, and images) associated with the request.
  • Comments posted on a request after submission, along with the identity of the commenter.

2.3 Audit and operational data

  • Audit log.Every status change on a purchase order (Submitted → Under Review → PO Issued, or Cancelled) is recorded along with the user who performed the change, the timestamp, and a short note about what changed. This audit trail is used for internal review and recordkeeping.
  • Session cookies and tokens.On the web app, secure session cookies are set after sign-in. On iOS, authentication tokens are stored in the device’s secure keychain. The iOS app also saves in-progress purchase order drafts locally so users do not lose work if they close the app mid-form.
  • Server logs, our hosting provider (Railway) and database provider (Supabase) generate operational logs that may include IP addresses, request paths, status codes, and rate-limit events. These logs are used to operate and secure the service.

2.4 Information we do not collect

  • We do not collect device identifiers for advertising (IDFA / Google AID), location data, contacts, health data, financial data, browsing history, or sensitive personal information.
  • We do not use third-party advertising or analytics SDKs in the iOS app or the web app, and we do not engage in cross-app or cross-site tracking of any kind.
  • We do not sell personal information, and we do not share personal information with third parties for their independent marketing purposes.

3. How we use information

We use the information described above to:

  • Authenticate users and enforce role-based access control.
  • Receive, process, route, and respond to purchase order requests.
  • Send transactional emails, submission confirmations, status updates, comment notifications, and (where applicable) copies of submitted requests to the CapWest orders desk.
  • Maintain an audit trail of who did what to which request, so CapWest Build and Onni Contracting Ltd. can satisfy internal controls and respond to billing or contract disputes.
  • Operate, secure, and improve the service, including rate-limiting abusive traffic, debugging errors, and preventing fraud or unauthorised access.
  • Comply with applicable legal and regulatory obligations.

4. Legal bases (PIPEDA, BC PIPA, GDPR)

CapWestPO is operated from Canada and processes personal information under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and the British Columbia Personal Information Protection Act (BC PIPA). Because CapWestPO is a business-to-business tool used in the context of an employment or contractor relationship, the personal information we handle is largely work product information and business contact information, for which a more limited consent regime applies.

Where the European Union General Data Protection Regulation (GDPR) or the United Kingdom GDPR applies to a user, our legal bases for processing are: (a) performance of a contract with the user’s employer, (b) our legitimate interest in operating an internal procurement tool, and (c) compliance with legal obligations. CapWestPO is not directed to or intended for use by children, and we do not knowingly process personal information of anyone under the age of majority.

5. Third-party processors

CapWestPO relies on the following sub-processors to operate the service. We do not engage any third party that is not listed here, and none of these sub-processors uses your information for their own purposes.

  • Supabase, Inc. (United States), authentication, application database, server-side access controls, and file storage. Production data is hosted in Oregon, United States (AWS US-West-2). supabase.com/privacy
  • Microsoft Corporation(Microsoft Entra ID / Microsoft 365, multi-region), single sign-on identity provider. Microsoft authenticates the user and returns an email and display name to CapWestPO; we do not access the user’s Microsoft 365 mailbox, calendar, or files. privacy.microsoft.com
  • Railway Corporation (United States), hosting of the Next.js web application. railway.com/legal/privacy
  • ActiveCampaign, LLC (Postmark) (United States), transactional email delivery for confirmations, status updates, and comment notifications. postmarkapp.com/privacy-policy
  • Apple Inc.(multi-region), iOS app distribution via TestFlight and the Apple App Store, and associated crash and diagnostic reports that the user voluntarily shares with developers through Apple’s system-level settings. apple.com/legal/privacy

5.1 International data transfers

Personal information processed through CapWestPO is transferred to and stored in the United States, because Supabase, Railway, Postmark, and (often) Microsoft host their services there. By using CapWestPO, you acknowledge that your personal information may be subject to the laws of the United States, including lawful access requests by U.S. government authorities.

We transfer this information in reliance on PIPEDA’s accountability-based cross-border transfer framework: we remain accountable for the personal information we transfer to a service provider, and we put in place contractual commitments with each sub-processor that require a comparable level of protection to that required under Canadian law. CapWest Build has been notified of the storage location of Submitted Content and accepts the transfer as part of its use of the service. For any transfer of personal information of individuals located in the European Economic Area or the United Kingdom, we rely on the European Commission’s Standard Contractual Clauses (or the UK Addendum, as applicable) as the transfer mechanism.

6. Data sharing

Personal information submitted through CapWestPO is shared with:

  • CapWest Build personnel with administrator access, for the purpose of reviewing and approving purchase order requests.
  • The CapWest orders desk (an internal email inbox), copies of submitted requests are emailed there for processing.
  • The sub-processors listed in Section 5, strictly to perform the technical functions described.

We do not sell personal information. We do not disclose personal information to any other third party except where required by law, court order, or other valid legal process, or where disclosure is necessary to enforce our Terms of Service, protect our rights, or protect the safety of our users.

7. Cookies and local storage

  • Web app. CapWestPO sets only the strictly necessary cookies required for authentication and session management. We do not use advertising cookies, analytics cookies, or third-party tracking technologies.
  • iOS app.Authentication tokens are stored in the device’s secure keychain. In-progress purchase order drafts are stored locally on the device so the draft is not lost if the app is closed mid-form. This data never leaves the device until the user explicitly submits the request.

8. Data retention

Because CapWestPO records purchase orders that may relate to construction contracts, accounting records, and tax filings, we retain purchase order content, audit log entries, and associated account metadata for the duration of the customer relationship plus seven (7) years after the customer relationship ends. This retention period reflects standard practice for construction-industry procurement records, the six-year minimum that the Canada Revenue Agency requires for books and records, and the BC Limitation Act’s applicable limitation periods.

When a user’s account is deactivated, their identity record (email, name, role) is preserved for the same retention period so that the audit trail of historical purchase orders remains intact and attributable. After the retention period expires, records are deleted or de-identified.

Server logs and rate-limit telemetry are retained for a shorter period, typically no more than 90 days, unless a specific log is preserved as part of an active security investigation.

9. Security

We protect CapWestPO with a defence-in-depth approach: data is encrypted in transit (HTTPS) and at rest, access to records is governed by server-side permission rules tied to each user’s role, all sensitive actions are validated against cross-site request forgery, inputs are validated and sanitised, requests are rate-limited, and file attachments are restricted to a safe set of content types. Authentication is performed by Microsoft Entra ID (single sign-on) and by our authentication provider. Administrator access is provisioned and reviewed manually. No system is perfectly secure; in the event of a personal information breach that meets the notification threshold under PIPEDA, BC PIPA, or other applicable law, we will notify affected users and the relevant regulator (the Office of the Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner for British Columbia) as soon as feasible, and in any event within 72 hours of becoming aware of a breach that creates a real risk of significant harm.

10. Your rights

Depending on the jurisdiction in which you live and work, you may have the right to:

  • Request access to the personal information we hold about you;
  • Request correction of inaccurate or incomplete personal information;
  • Request deletion of personal information that is no longer required for the purpose for which it was collected (subject to the retention obligations described in Section 8);
  • Withdraw consent for future processing;
  • Lodge a complaint with the Office of the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner for British Columbia, or your local data protection authority.

Account deletion.Because accounts are administered centrally by your organization’s administrators, you cannot delete your own account directly from within the app. However, you can request account deletion at any time by:

  • Emailing legal@onni.com with the subject “Account deletion request”.

We will acknowledge your request within 5 business days and complete deletion of your account and associated personal information within 30 days of receipt, subject to the retention obligations described in Section 8 (audit trail entries required for tax, legal, or regulatory recordkeeping may be retained in de-identified form for the periods listed there). To exercise any other rights listed above, contact our Privacy Officer at the address in Section 13, and we will respond within the timeframes required by applicable law (within 30 days under PIPEDA, unless an extension is permitted).

11. Notice for California residents

This section applies if you are a resident of California and accesses CapWestPO from California. It supplements the disclosures elsewhere in this Privacy Policy and is provided to comply with the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the “CCPA”).

Categories of personal information we collect.In the twelve (12) months preceding the “Last updated” date at the top of this page, we have collected the following categories of personal information about authorised users: identifiers (work email address, display name, your assigned role); other information you submit through the application (purchase order content, comments, and attachments associated with a request); and internet or other electronic network activity information (session and audit log entries). The sources, purposes, and categories of recipients for each category are described in Sections 2, 3, and 5 of this Privacy Policy.

No sale or sharing of personal information.We do not sell your personal information, and we do not share your personal information for cross-context behavioural advertising, as those terms are defined under the CCPA. We have not done so in the twelve (12) months preceding the “Last updated” date at the top of this page.

Your CCPA rights. Subject to verification of your identity, you have the right to: (a) know what personal information we have collected about you, the categories of sources, the business or commercial purpose, and the categories of third parties with whom we share it; (b) request deletion of personal information we have collected from you; (c) correct inaccurate personal information; and (d) limit the use and disclosure of sensitive personal information (we do not use or disclose sensitive personal information for any purpose that would trigger this right). You may exercise these rights by contacting our Privacy Officer using the details in Section 13 below. We will not discriminate against you for exercising any of these rights. We do not offer financial incentives in exchange for personal information.

Authorised agent.You may use an authorised agent to submit a request on your behalf. We may require proof of the agent’s authority and verification of your own identity before responding.

12. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes to the service, to our sub-processors, or to applicable law. When we make material changes, we will revise the “Last updated” date at the top of this page and, where appropriate, notify users by email or via an in-app notice. Previous versions of this Privacy Policy are available on request from the Privacy Officer.

13. Privacy Officer

CapWestPO is operated by Onni Contracting Ltd., part of the Onni Group of Companies, based in Vancouver, British Columbia. In accordance with section 4(3) of the BC Personal Information Protection Act, we have designated a Privacy Officer responsible for compliance with this policy and applicable privacy laws. For privacy questions, to exercise a privacy right, to request account deletion, or to report a security concern, contact:

Chief Privacy Officer
Onni Group of Companies
200 – 1010 Seymour Street
Vancouver, BC  V6B 3M6
Canada

By phone: 604-602-7711
By email: legal@onni.com

© 2026 Onni Contracting Ltd. CapWestPO is an internal procurement tool for CapWest Build personnel.