Vapely Enforcement Intelligence (“the Platform”), operated by Mercury Labs, is a restricted-access intelligence tool provided exclusively to authorized law enforcement personnel, Attorney General offices, and affiliated government agencies (“Authorized Users”). This Privacy Policy describes how we collect, use, store, and protect information in connection with access to and use of the Platform.
Mercury Labs operates the Vapely Enforcement Intelligence platform at enforcement.mercurylabs.ca. For privacy-related inquiries, contact us at: privacy@mercurylabs.ca.
To gain access to the Platform, Authorized Users provide an email address and password. This information is stored securely via Supabase (a SOC 2 Type II compliant database provider). We do not store passwords in plain text.
We may collect standard server logs including IP addresses, browser type, pages visited within the Platform, and timestamps. This data is used solely for security monitoring and platform improvement.
The Platform contains audit data collected from publicly accessible online vape retail websites. This data — including store names, website URLs, product listings, and screenshots — was gathered from publicly available sources. No personal consumer data is collected or stored.
We do not sell, rent, or share Authorized User information with third parties except as required by law or as necessary to operate the Platform (e.g., our hosting and database providers).
User credentials and structured compliance data are stored in Supabase Postgres with row-level security policies. Audit evidence (HTML reports, screenshots) is stored in Cloudflare R2 object storage with access-controlled, time-limited presigned URLs. All data is encrypted in transit (TLS) and at rest.
Access to the Platform is restricted to Authorized Users with valid credentials. We implement authentication checks on every protected route and API endpoint.
Audit data is retained for as long as it is operationally relevant to enforcement activities. Authorized User accounts are retained for the duration of the user’s engagement with the Platform. Users may request account deletion by contacting us at the email below.
The Platform uses the following third-party services:
Each provider has its own privacy policy and data practices.
Authorized Users may request access to, correction of, or deletion of their personal data (email address and usage logs) by contacting us. Requests will be addressed within 30 days.
We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. Continued use of the Platform after any changes constitutes acceptance of the revised policy.
For privacy-related questions or requests:
Mercury Labs
privacy@mercurylabs.ca