Compliance

How we handle your data responsibly.

We follow Canadian privacy law, process payments through a PCI-certified provider, and give you control over your data. Here is everything you need to know.

  • PIPEDA: Canadian privacy law
  • CASL: Anti-spam compliance
  • PCI: Payment security (via Stripe)
  • Montreal: Primary data residency

Regulatory compliance

The regulations we follow.

PIPEDA

Personal Information Protection and Electronic Documents Act

  • We collect only the data we need to run your account and deliver our products.
  • Every time you accept our terms, we record the exact version, the timestamp, and your IP address.
  • If we update our terms, you are asked to accept the new version before you can continue.
  • You can request access to your personal data at any time. We respond within 30 days.
  • Error tracking is configured to never capture personally identifiable information.

CASL

Canada’s Anti-Spam Legislation

  • We obtain consent before sending commercial electronic messages.
  • Every consent record includes a timestamp and IP address for audit purposes.
  • Recurring billing consent is captured and stored separately from terms acceptance.
  • You can withdraw consent at any time through your account settings.

PCI DSS

Payment Card Industry Data Security Standard

  • We never see, store, or process raw credit card numbers.
  • All payment processing is handled by Stripe, which is PCI DSS Level 1 certified — the highest level of certification.
  • Stripe webhook events are verified with cryptographic signatures to prevent tampering.
  • All prices and transactions are processed in Canadian dollars (CAD).

Data handling

Where your data goes and how long we keep it.

Data residency

Our primary infrastructure runs in Montreal, Canada. Your account data, files, and settings are stored on Canadian servers.

  • AI features using the shared pool may route prompts to US-based inference providers. These providers operate under a Zero Data Retention (ZDR) policy — they do not keep your data after processing.
  • Payment processing goes through Stripe, which operates globally.
  • Error monitoring uses Sentry, configured to never capture personal information.

Data retention

We keep your data for as long as your account is active or as needed to provide our products.

  • After account closure, we retain data for a reasonable period to comply with legal obligations and resolve any disputes.
  • AI metadata — request counts, latency, and token usage — is retained for 90 days for billing and operational purposes.
  • Anonymized and aggregated data may be retained indefinitely for analytics and product improvement.

AI data handling

We offer two AI modes. Each handles your data differently.

  • Shared Pool (Professional, Business, Enterprise): Prompts are routed through Adiuvo infrastructure to the inference provider. The provider operates under Zero Data Retention. Automated PII detection runs on every payload before delivery. You can opt out of anonymized data collection in your account settings.
  • BYOK — Bring Your Own Key (Business, Enterprise): You provide your own API key. Prompts are sent using your key. We do not store, inspect, or log prompt or response content. Your API key is encrypted at rest with AES-256 and decrypted in memory only.

Cookies

We use cookies for authentication, analytics, and referral tracking. We do not use advertising cookies.

  • Essential cookies handle login sessions and security. They cannot be disabled.
  • Analytics cookies (Google Analytics GA4) collect aggregated usage data to help us improve our products.
  • Referral cookies track partner attribution for 90 days using a random identifier — no personal information.
  • Stripe sets cookies during checkout for payment processing.

Third-party processors

Who else touches your data.

We use a small number of trusted providers. Each one is listed here along with what data they handle.

Stripe

Purpose: Payment processing and billing

Data shared: Payment details, billing address, transaction history

Sentry

Purpose: Error tracking and monitoring

Data shared: Error logs only — PII capture is disabled

Google Analytics (GA4)

Purpose: Website traffic analytics

Data shared: Aggregated and anonymized usage data

LLM inference providers

Purpose: AI features (shared pool mode)

Data shared: Prompts in transit only — Zero Data Retention policy

Your rights

What you can ask us to do.

Under PIPEDA, you have rights over your personal data. Here is what you can do and how to do it.

1. Access your data

You can request a copy of the personal data we hold about you. We respond within 30 days, as required by PIPEDA.

2. Export your data

Products like ProjectLocker and FinAuto Pro let you export your data as ZIP or CSV files directly from your dashboard. After account closure, we give you a reasonable period to export your content.

3. Request an audit trail

If an Adiuvo admin has accessed your account through impersonation, you can request the complete audit log. Every action taken during impersonation is recorded — including the admin's identity, IP address, and each request made.

4. Delete your account

You can request account deletion at any time. We retain data only as long as needed to meet our legal obligations, then it is removed.

5. Withdraw consent

You can withdraw consent for data processing at any time through your account settings or by contacting us directly.

To exercise any right

Email [email protected] with your request. We respond within 30 days.

Or use our contact form

Common questions

Quick answers about compliance.

Where is my data stored?

Your account data is stored on servers in Montreal, Canada. AI features using the shared pool may route prompts to US-based inference providers, but those providers do not keep your data after processing.

Do you sell my data?

No. We do not sell, rent, or trade your personal information to anyone. We do not use advertising cookies or share data with ad networks.

Can I export my data?

Yes. Several products offer built-in export tools (ZIP, CSV). You can also request a copy of your personal data at any time.

What happens to my data if I cancel?

Your data stays in your account. Nothing is deleted when you cancel. After account closure, we retain data for a reasonable period for legal obligations, then remove it.

How do you handle AI prompts?

In shared pool mode, prompts pass through Adiuvo infrastructure to the inference provider under a Zero Data Retention policy. In BYOK mode, prompts go directly to the provider using your own API key — we never see them.

Who can I contact about compliance?

Email [email protected] with any compliance questions. For privacy-specific requests, email [email protected]. We respond within 30 days as required by PIPEDA.

Questions?

Have a compliance question?

Our team is happy to walk you through how we handle data, what regulations we follow, and how we can meet your organization's requirements.