ZERO

Privacy Policy

Last updated: April 2026

Effective date: April 2026

R3LAB Inc. ("we", "us", "R3LAB") operates the ZERO skill-based entertainment platform ("ZERO" or "the Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information. We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation in Canada.

1. Information we collect

Account information:

  • Email address (required for authentication)
  • Display name (provided by you)
  • Profile image (optional, auto-generated if not provided)
  • Account creation timestamp

Payment information (for paid members):

  • Billing address (required for tax purposes)
  • Last four digits of payment card (for display only)
  • Stripe customer ID and subscription ID
  • Transaction history

We never see or store your full credit card number or CVV. Payment processing is handled entirely by Stripe, which is PCI DSS compliant.

Activity information:

  • Challenge participation and results
  • Scores and rankings
  • Community posts and reactions
  • Pages visited and features used

Technical information:

  • IP address (for fraud prevention and geographic compliance)
  • Device and browser type
  • Approximate location (from IP address)
  • Session timestamps

Identity verification (for recognition reward recipients):

If you are selected to receive a recognition reward of $500 CAD or more in a calendar year (cumulative), we may collect additional information required by law:

  • Legal name and address
  • Social Insurance Number (SIN) for T4A tax reporting (Canadian winners)
  • Government-issued photo ID for identity verification (via Stripe Identity)
  • Date of birth for age verification

This information is collected only when required for legal tax reporting and is handled with enhanced security.

2. How we use your information

  • Provide and operate the ZERO platform
  • Process subscription payments and distribute recognition rewards
  • Authenticate your account and secure access
  • Send service-related emails (welcome, reward notifications, payment confirmations)
  • Send optional marketing emails (with your consent, per CASL)
  • Comply with legal obligations (tax reporting, fraud prevention, regulatory requests)
  • Detect and prevent fraud, abuse, and unauthorized access
  • Improve the platform based on aggregate usage data
  • Enforce our Terms of Service

3. Legal basis for processing

Under Canadian privacy law, we process your personal information based on:

  • Consent: You provide consent when signing up and agreeing to these policies
  • Contractual necessity: To provide the service you've subscribed to
  • Legitimate interest: Fraud prevention, security, and platform operation
  • Legal obligation: Tax reporting, regulatory compliance

4. Third-party service providers

We share your information with the following third-party processors, each of whom has their own privacy policy and security practices:

  • Stripe — payment processing, subscription management, customer portal, and identity verification for large rewards. Stripe is PCI DSS Level 1 certified. Stripe Privacy Policy: stripe.com/privacy
  • Neon (Neon Database) — PostgreSQL database hosting. Located in the US West region. Neon Privacy Policy: neon.tech/privacy-policy
  • Vercel — web application hosting and CDN. Vercel Privacy Policy: vercel.com/legal/privacy-policy
  • Resend — transactional email delivery. Resend Privacy Policy: resend.com/legal/privacy-policy
  • Google Analytics — anonymized usage analytics (optional, can be disabled via cookie settings)
  • DiceBear — avatar generation (based on deterministic seed, no personal data sent)

We do not sell your personal information to anyone. We do not share your information with advertisers or data brokers.

5. Cross-border data transfers

Some of our service providers are located outside Canada (primarily in the United States). When we transfer your information to these providers, we ensure appropriate safeguards are in place, including standard contractual clauses and commitments to comparable levels of privacy protection. You consent to such cross-border transfers by using ZERO.

6. Data retention

  • Account data: Retained while your account is active
  • Transaction records: Retained for 7 years (Canadian tax law requirement)
  • Challenge participation history: Retained indefinitely for leaderboards and audit trails
  • Identity verification records: Retained for 5 years (FINTRAC guideline)
  • Tax forms (T4A, etc.): Retained for 7 years (CRA requirement)
  • Technical logs (IP, sessions): Retained for 90 days
  • Email marketing consent records: Retained for 3 years after last communication (CASL)

When you request account deletion, we delete your personal information within 30 days, subject to legal retention requirements above.

7. Your rights

Under Canadian privacy law, you have the right to:

  • Access your personal information we hold
  • Correct inaccurate or incomplete information
  • Withdraw consent for future processing (subject to contractual obligations)
  • Request deletion of your account and data (subject to legal retention)
  • Export your data in a portable format
  • Opt out of marketing communications at any time
  • Complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca)

To exercise any of these rights, email privacy@mrzeroai.com. We will respond within 30 days.

8. Security

We implement reasonable administrative, technical, and physical safeguards to protect your personal information, including:

  • Encryption in transit (HTTPS/TLS)
  • Encryption at rest (database encryption)
  • Access controls and authentication
  • Regular security reviews
  • Incident response procedures

No system is perfectly secure. We cannot guarantee the absolute security of your information, but we take reasonable steps to protect it.

9. Children's privacy

ZERO is only for users 18 years of age or older. We do not knowingly collect personal information from minors. If we become aware that we have collected information from a minor, we will delete it immediately. Parents who believe their child has provided information to ZERO should contact privacy@mrzeroai.com.

10. CASL compliance (Canada's Anti-Spam Legislation)

All commercial electronic messages we send comply with CASL:

  • Express consent is obtained at signup for marketing emails
  • Every email includes the sender's identification
  • Every email includes a functional unsubscribe mechanism
  • Unsubscribe requests are honored within 10 business days
  • We do not send commercial messages to unconsented recipients

11. Cookies and tracking

ZERO uses the following cookies:

  • Essential cookies (always on): authentication, session management, CSRF protection
  • Analytics cookies (optional): Google Analytics for aggregate usage statistics

We do NOT use:

  • Advertising cookies
  • Third-party marketing trackers
  • Cross-site tracking
  • Pixel tags from advertisers

You can disable non-essential cookies through your browser settings.

12. Changes to this policy

We may update this Privacy Policy periodically. Material changes will be announced via email and in-product banner at least 14 days before taking effect. Continued use of ZERO after the effective date constitutes acceptance.

13. Contact

Privacy questions, data requests, or complaints:

Email: privacy@mrzeroai.com

R3LAB Inc.
Privacy Officer
[Address TBD]
Ontario, Canada

If you are unsatisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.