§ Legal
Privacy.
Last updated .
CityWater is a software platform for municipal water, sewer, and storm utilities. This page describes what we collect, why, and what you can do about it. It applies to citywater.ca (this site) and app.citywater.ca (the application).
§ 01 — Who we are
The party responsible for your data.
CityWater is built and operated by Kathail, based in Ontario, Canada. We are the controller of personal information collected through our website and the processor of tenant operational data created in our application. Privacy questions and requests should go to [email protected]. A mailing address for written privacy requests is available on request from the same email.
§ 02 — What we collect
Account info, operational data, and standard web logs.
Account information. When you or your employer creates a user account, we store your name, work email, password (hashed with Argon2 — never in plaintext), assigned roles, and the tenant you belong to.
Operational data. When your utility uses the platform, we store the records you create: assets (water mains, hydrants, manholes), work orders, inspections, service requests, photos, and the geometries that locate them on a map. This data belongs to your tenant — we act as a processor on your behalf.
Activity logs. Every state-changing action — creating, updating, or deleting records, signing in, sending invitations — is recorded in an internal audit log so administrators can answer "who did what, when." Logs include user ID, timestamp, and a summary of the change.
Technical data. Standard web logs (IP address, user agent, request path) are collected by our hosting provider and retained for security and debugging.
We do not use third-party analytics, advertising trackers, or behavioural profiling cookies. The only cookie we set is a session cookie required to keep you signed in.
§ 03 — How we use it
To run the service. Not to profile you.
- — Operate, maintain, and secure the service.
- — Authenticate users and authorize access to tenant data.
- — Investigate incidents and respond to support requests.
- — Communicate about your account: security alerts, service changes, and (once commercial pricing begins) billing.
- — Improve the product in aggregate. We do not analyze individual tenant data for product purposes, and we do not use tenant data to train machine-learning models.
We do not sell personal information.
§ 04 — Sub-processors
The vendors who help us run the service.
We use a small number of sub-processors. Each is contractually bound to handle data consistent with this policy.
| Sub-processor | Purpose | Region |
|---|---|---|
| Railway | Application + database hosting | United States (us-east) |
| Backblaze B2 or Cloudflare R2 | Photo and file attachment storage | United States |
| Resend | Transactional email | United States |
If we add a sub-processor, this list updates before they begin handling data. We disclose information when required by law (subpoena, court order, regulatory request) and will notify the affected tenant unless prohibited from doing so.
§ 05 — Where your data lives
Hosted in the United States.
Application data is hosted in the United States on Railway (us-east). File attachments are stored in the United States. Because hosting is outside Canada, your data crosses borders; sub-processors are contractually bound to handle it consistent with this policy.
§ 06 — Retention
Kept while you're a customer; deleted on request.
We retain account and operational data for as long as the tenant is an active customer. After cancellation, data is retained for 30 days to allow account recovery and export, then permanently deleted. Audit logs are retained for 2 years as a security record. You can request earlier deletion in writing.
§ 07 — Security
What we do, and what we don't promise.
- — Passwords are hashed with Argon2 — never stored in plaintext or recoverable form.
- — Application traffic is served over HTTPS with HSTS.
- — Tenant data is logically separated. Database queries are scoped to the authenticated user's tenant at the session level; cross-tenant access is treated as a P0 incident.
- — Access to production systems is restricted to operations staff and audited.
-
— Session cookies are marked
Secure,HttpOnly, andSameSite=Lax. State-changing requests are CSRF-protected.
No system is perfectly secure. If you believe an account is compromised, contact us immediately at [email protected].
§ 08 — Your rights
Access, correct, delete.
Depending on where you live, you may have the right to access the personal information we hold about you, correct inaccuracies, request deletion of your account, object to or restrict certain processing, and file a complaint with a data protection authority. In Canada, that's the Office of the Privacy Commissioner.
To exercise any of these, write to [email protected]. We respond within 30 days.
§ 09 — Cookies
One cookie. No tracking.
We set one cookie — a session cookie — required to keep you signed in. It is removed when you sign out or your session expires. We do not use analytics cookies, tracking pixels, or third-party advertising cookies.
§ 10 — Changes
If we change this, we'll tell you.
If we materially change this policy, we will notify tenant administrators by email and update the "last updated" date above. Continued use after the change constitutes acceptance.
§ 11 — Contact
Reach a human.
Questions, requests, or concerns: [email protected].