E2 Solutions · Command Center

Privacy Policy

Effective May 14, 2026 · Last updated May 23, 2026

We're E2 Solutions, a BC-registered sole proprietorship operating the Command Center platform at runcommandcenter.ca. We take privacy seriously because our business depends on small business owners trusting us with their customer data and their connected accounts. This policy explains what we collect, why, who we share it with, and how you can control it. We've tried to write it in plain English instead of legalese.

Who this covers

This policy covers two types of people:

  • Our clients — small business owners and their team members who subscribe to Command Center.
  • Our clients' customers— the leads and customers whose information our clients store in Command Center. If you're an end customer wondering why our client has your data, that's their decision and their notice to give you; we're the storage and processing infrastructure.

What we collect from clients

  • Account information (name, email, mobile phone, business name, address)
  • Brand and voice configuration (logo, colors, sample posts, preferred hashtags)
  • Team member contact info (names, phone numbers) used for the SMS photo upload allowlist
  • Integration tokens for connected services (Facebook Page access, Google Business Profile, etc.) — these are encrypted at rest and only used to perform the actions you've approved
  • Billing information processed by Stripe (we never see or store full card numbers)
  • Usage data — which features you used, when, errors encountered

What we store on your behalf

Your contacts, leads, customer messages, jobsite photos, pipeline status, notes, and AI-generated post drafts. This is your data. You can export all of it as CSV + JSON at any time from your dashboard, no questions asked.

How we use it

  • To run the automations you signed up for
  • To send you SMS and email notifications you've enabled
  • To generate AI content (post drafts, blog drafts, customer messages) using your voice samples and brand config — sent to Anthropic's Claude API for processing
  • To power the Co-Pilot voice + text assistant. Your typed or spoken commands go to Anthropic's Claude API for intent parsing. For voice, the audio is transcribed by OpenAI's Whisper API and the resulting text is what reaches Claude. The raw audio is not stored on our infrastructure.
  • To publish to your connected channels (Facebook Page, Google Business Profile, your blog) when you approve the content
  • To process your subscription payment via Stripe
  • To diagnose problems and improve the product (we look at logs and aggregate usage; we don't read your customer messages or jobsite photos as a matter of course)

What we will never do

  • Sell your data, your customers' data, or your leads
  • Share your data with marketing partners or data brokers
  • Use your customer data to train AI models. AI calls are stateless — data goes to Claude for the specific generation, results come back, nothing is retained for training
  • Touch your connected accounts beyond the actions you've explicitly approved (e.g., we'll never post to Facebook without your approval click)
  • Read your customer SMS conversations or jobsite photos out of curiosity. Engineers may see specific data when troubleshooting a support ticket you've filed, with audit logs.

Service providers we share data with

Command Center is built on several infrastructure services. Each one only sees the data needed for its job:

  • Supabase — primary database and authentication. Hosted on AWS in North America.
  • Vercel — application hosting and edge network.
  • Cloudflare — DNS and content delivery.
  • Twilio — SMS and voice routing.
  • Postmark — transactional email delivery.
  • Anthropic — Claude API for AI content generation and the Co-Pilot assistant. Anthropic does not retain or train on data sent through their API.
  • OpenAI— Whisper API for speech-to-text transcription. Used in two places: call recording transcripts (when the Call Recording add-on is enabled) and Co-Pilot voice input. Per OpenAI's API terms, audio sent to Whisper is not used for model training and is retained for a maximum of 30 days for abuse review before deletion. We do not store the raw audio on our infrastructure for Co-Pilot voice — it streams to Whisper, returns text, and the blob is discarded.
  • Meta (Facebook / Instagram) — only when you approve a post for publication; we send the post content using the Page Access Token you authorized.
  • Google — only when you approve a post for your Google Business Profile.
  • Stripe — subscription billing.

Each of these providers has their own privacy policy and security practices. We choose providers we trust, but they are independent parties.

Google API services and your Google account data

When you connect a Google account to Command Center, we request specific permissions (called “OAuth scopes”) so the platform can do the work you signed up for. We only ever access the data you explicitly authorize, and only for the purposes described below.

Google Calendar — scopes: .../auth/calendar and .../auth/calendar.events. We read your calendars and events to display your scheduled jobs and appointments inside the Command Center dashboard, and we create new events (with Google Meet links when you want them) when you book an appointment through the platform. Every read and write happens because you took an action in the UI — we never access your Calendar in the background.

Google Business Profile — scope: .../auth/business.manage. We publish posts (text + photos) to your Google Business Profile when you click Approve on an AI-generated post draft. Posting is human-approved every time — we never publish unattended.

Account identity — scopes: openid, .../auth/userinfo.email, .../auth/userinfo.profile. We use these to confirm which Google account you connected and to display your name + photo in the Connected Accounts settings page.

Command Center's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We do not transfer Google user data to third parties except as necessary to provide or improve Command Center features that you have requested.
  • We do not use Google user data for serving advertisements.
  • We do not use Google user data to train AI models. AI calls are stateless — data goes to Anthropic's Claude API for the specific generation, results come back, nothing is retained for training.
  • Humans do not read your Google user data, except when you explicitly grant access for support troubleshooting (with audit logs), when required to comply with law, or for security investigations.

You can revoke Command Center's access to your Google account at any time at myaccount.google.com/permissions or from inside Command Center at Loadout → Connected Accounts.

Where data lives

Primary storage is in North America (Supabase's AWS regions). Some processing necessarily routes through US-based infrastructure (Vercel edge, Twilio, Postmark). When you publish content to Meta or Google, that content lives on their servers globally per their own policies.

How long we keep your data

  • While your subscription is active: as long as you keep using Command Center.
  • After you cancel: 30 days, during which you can export everything. After 30 days, all your data is permanently deleted from our active systems.
  • Backups: may persist for up to 90 days as part of disaster-recovery snapshots, then are overwritten.
  • Billing records: kept for 7 years to comply with Canadian tax law.

Your rights

You can, at any time:

  • Export all your data as CSV + JSON from the dashboard
  • Request deletion of your account by emailing us (see contact below). Deletion completes within 30 days.
  • Revoke our access to your connected accounts directly at the source (Facebook, Google, etc.). Detailed instructions live at runcommandcenter.ca/security.
  • Correct or update your information from the dashboard
  • File a complaintwith the Office of the Privacy Commissioner of Canada or the BC Information & Privacy Commissioner if you believe we've mishandled your data.

Security

All connections use HTTPS. Database access is restricted via Postgres Row-Level Security so one client's data is logically isolated from another. Integration tokens are encrypted at rest. Backups are encrypted. We use Supabase Auth for password handling (we never see passwords). For payment processing, Stripe is PCI-DSS Level 1 certified.

No system is unbreakable. We'll notify affected clients within 72 hours of discovering a breach that affects their data.

Cookies and tracking

We use essential cookies for authentication (keeping you logged in) and basic operational analytics. We don't use third-party advertising trackers, retargeting pixels, or cross-site cookies. We don't share data with ad networks.

Children

Command Center is not intended for use by children. Our daycare and preschool clients use Command Center to manage their own business operations — including child contact records with parental consent. The legal relationship is between the daycare and the parents; we're the storage and processing infrastructure those clients use to honor the consent they've obtained.

Changes to this policy

We may update this policy as the product evolves. Material changes get notified via email at least 14 days before they take effect. The current version is always at runcommandcenter.ca/privacy with an “Effective” date at the top.

Contact

Questions, requests, or complaints? Reach our privacy officer:

  • Carson Watson, Owner & Privacy Officer
  • E2 Solutions (BC Sole Proprietorship — FM1106808)
  • Email: e2cawatson@gmail.com
  • Mail: 7179 201 St #58, Langley BC V2Y 2Y9, Canada

We aim to respond to privacy requests within 7 business days.