Last Updated: November 2, 2025

At Elluvate, we are committed to protecting your privacy and the security of your data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at elluvate.com, use our Products and Services, or interact with us in any way.

We take data privacy seriously, especially as data and AI transformation experts. Please read this Privacy Policy carefully. If you disagree with any part of this privacy policy, please discontinue use of our website and Products and Services immediately.

Information We Collect

We may collect personal and non-personal information from you when you visit our website, contact us, or engage our Products and Services:

  • Personal Information: Name, email address, phone number, company name, and any other information you voluntarily provide when contacting us or filling out forms on our website.
  • Business Information: Details about your organization, business needs, and objectives when you engage our Products and Services.
  • Usage Data: Information automatically collected when you visit our website, including IP address, browser type, device information, pages visited, time spent on pages, and other analytics data.
  • Communication Data: Records of our communications with you, including emails, phone calls, and meeting notes.

How We Use Your Information

We use the information we collect for various purposes, including:

  • Providing, maintaining, and improving our website, Products, and Services
  • Responding to your inquiries and fulfilling your requests
  • Sending you relevant information, such as updates on our Products and Services, educational content, and promotional materials (you can opt out of these communications at any time)
  • Analyzing website usage to enhance user experience and improve our offerings (including analyzing aggregated usage patterns, improving AI accuracy and safety, and developing new features - see "AI Training and Service Improvement" section for details)
  • Protecting against unauthorized access to our systems or other illegal activities
  • Complying with legal obligations under Canadian and provincial privacy laws

AI-Powered Products and Services

Overview

Elluvate specializes in artificial intelligence Products and Services. When you use our AI-powered applications (including Diligence Hub, Batch Processor, and any future Products), AI processing is integral to the platform and is the primary reason customers choose Elluvate.

By using our AI-powered Products and Services, you acknowledge that AI analysis of your data is necessary for the performance of our service contract with you.

AI Technology Providers

We partner with third-party AI service providers to deliver our platform capabilities. These providers may include:

  • AI Language Model Services: Large language model providers for natural language processing, text analysis, and intelligent content generation
  • Cloud AI Infrastructure: Cloud-based AI platforms and machine learning services
  • Specialized AI Services: Document processing, data transformation, and analytics providers

The specific AI technologies and providers we use may change over time as we adopt new and improved solutions. We select providers based on performance, security, reliability, and compliance with data protection regulations.

Payment Processing Services

We use third-party payment processors to handle subscription payments and token purchases for our Products. These processors:

  • Are PCI-DSS compliant and handle credit card information securely
  • May be located outside Canada, primarily in the United States
  • Are contractually prohibited from using your payment data for purposes other than processing transactions
  • May be changed at our discretion to improve service quality or reduce costs

We do not store credit card numbers or CVV codes on our servers. Payment data is tokenized and stored by our payment processor partners.

How AI Processing Works

When you use Elluvate AI-powered Products and Services, we process your data with AI technology to:

  • Analyze Your Content: Process documents, questionnaires, datasets, and other uploaded materials
  • Generate Insights: Provide automated analyses, recommendations, regulatory citations, and compliance assessments
  • Automate Workflows: Enable intelligent processing, categorization, data enhancement, and semantic search
  • Deliver Core Functionality: Power the AI-driven features that define each Elluvate Product

Data Processing Location

Your data is processed in the United States using cloud infrastructure located in the US West region (Oregon). AI analysis is performed by US-based service providers.

For users located outside the United States, this constitutes a cross-border data transfer. We ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) for GDPR compliance
  • Encryption in transit and at rest
  • Contractual obligations with service providers to maintain data security and privacy

AI Model Training

By default, your data is NOT used to train AI models. We have contractual agreements with our AI service providers that explicitly prohibit the use of customer data for training their AI models. Your information is processed to deliver the Products and Services you have requested.

However, you may voluntarily opt in to allow Elluvate to use your interactions to improve our AI services. This optional participation helps us enhance accuracy, safety, and functionality for all users. Details about this program are provided in the "AI Training and Service Improvement" section below.

Data Retention for AI Processing

Data processed through our AI Products and Services is retained as follows:

  • While Your Account is Active: Your data and AI-generated insights are retained to provide ongoing service
  • After Account Closure: Data is deleted within a reasonable timeframe when no longer needed for business or legal purposes
  • Backups: Data may persist in system backups for up to 35 days due to point-in-time recovery mechanisms
  • Audit Logs: Records of data access and processing activities are retained for 7 years for security and compliance purposes (PIPEDA Principle 4.5)

Legal Basis for AI Processing

We process your data through AI services based on the following legal grounds:

  • GDPR (European Users): Contractual necessity (Article 6(1)(b)) - AI processing is necessary to perform our AI-powered service contracts with you
  • PIPEDA (Canadian Users): Express consent provided through acceptance of our Terms of Service - AI processing is necessary for service delivery (PIPEDA Principle 4.3)
  • CCPA/CPRA (California Users): Business purpose processing - our AI service providers act as service providers and are contractually prohibited from selling or sharing your personal information

Opting Out of AI Processing

AI processing is integral to our Products and Services and cannot be disabled while maintaining an active account. If you do not wish to use AI-powered tools, Elluvate Products are not appropriate for your needs. Alternative non-AI compliance and data processing platforms exist in the market.

You may exercise your right to object to AI processing by closing your account, after which your data will be deleted in accordance with our retention policy.

AI Training and Service Improvement

Overview

Elluvate is committed to continuously improving the accuracy, safety, and functionality of our AI-powered Products and Services. To achieve this, we offer users the optional opportunity to contribute their interactions to help enhance our AI systems.

This participation is entirely voluntary. By default, your data is NOT used for AI training or service improvement beyond what is necessary to deliver your requested services.

What We May Use (If You Opt In)

If you choose to participate in our AI improvement program, we may use the following information:

  • Your Prompts and Questions: The questions, instructions, and queries you provide to our AI systems
  • AI-Generated Outputs: The analyses, insights, recommendations, and responses generated for you
  • Feedback Submissions: Ratings, corrections, or comments you provide about AI-generated content
  • Usage Patterns: How you interact with AI features, which capabilities you use most, and workflow patterns
  • Performance Metrics: Response times, accuracy indicators, and quality measurements

How We Use This Information

Data from users who opt in to our improvement program is used to:

  • Train and Improve Our AI Models: Enhance the accuracy, relevance, and performance of Elluvate's AI systems
  • Strengthen Safety Safeguards: Identify and prevent harmful, biased, or inappropriate outputs
  • Develop New Capabilities: Create new features, enhance existing functionality, and expand AI capabilities (including predictive suggestions and intelligent recommendations based on anonymized usage patterns)
  • Optimize Prompts and Workflows: Improve the effectiveness of our AI interactions and user experience
  • Conduct Quality Analysis: Measure performance, identify improvement areas, and validate enhancements

Privacy Protections

To protect your privacy when using opted-in data for improvements, we implement the following safeguards:

  • Automated Filtering: We use automated systems to detect and filter sensitive information before training use
  • Data Minimization: Only data necessary for specific improvement purposes is retained
  • Aggregation: Where possible, we use aggregated and de-identified data rather than individual interactions
  • Access Controls: Strict limitations on who can access training data, with audit logging of all access
  • Secure Storage: Training data is encrypted and stored in secure, isolated systems

Important Note: While we implement technical safeguards including differential privacy and k-anonymity techniques, no anonymization method provides absolute guarantees against re-identification. We are transparent about these limitations.

What We Do NOT Do

Regardless of whether you opt in to our improvement program, we commit that:

  • We do not sell your data to third parties for any purpose
  • We do not use your data to train third-party AI models operated by other companies
  • We do not share your data with competitors or use it to benefit other customers
  • We do not use your confidential business information in ways that would compromise your competitive position
  • We do not use deleted conversations or data for any training or improvement purposes

How to Opt In or Opt Out

Default Setting: By default, your account is set to opt out of AI training and improvement. Your data is only used to deliver the services you request, plus temporary safety monitoring (30 days).

To Opt In:

  • Visit your account settings and enable "Contribute to AI Improvements"
  • Or email privacy@elluvate.com with subject "Opt In - AI Training" and your account email

To Opt Out (or Confirm Opt-Out Status):

  • Your account is opted out by default - no action needed
  • You can verify your status in account settings under "Privacy Controls"
  • Or email privacy@elluvate.com with subject "Confirm Opt-Out Status"

Effect on Service: Opting out of AI training does NOT affect your ability to use Elluvate Products and Services. All features remain fully functional regardless of your choice.

Data Retention for Training Purposes

  • Opted Out (Default): Data is retained for 30 days for safety monitoring, then automatically deleted. Not used for training.
  • Opted In: Data may be retained for up to 5 years to support ongoing model improvements and quality analysis. You can revoke consent and request deletion at any time.

Aggregated and Anonymized Data

Separately from the opt-in training program, we may use aggregated, de-identified data that cannot reasonably be used to identify you or your organization. This includes:

  • Overall usage statistics (e.g., "95% of users complete questionnaires within 3 days")
  • Performance metrics (e.g., "average AI response time is 8 seconds")
  • Feature adoption rates (e.g., "batch processing used by 40% of active users")
  • Anonymized interaction patterns for product analytics
  • Timing and progress metrics for comparative analytics
  • Industry trends and best practice patterns

This aggregated data helps us understand broad usage trends, measure service quality, and make product decisions. We may use aggregated data to provide you with comparative insights (e.g., how your usage patterns compare to industry averages) and to identify emerging trends across our user base. It does not require opt-in consent because it cannot identify individual users.

Enterprise and API Customers

For customers on Enterprise or API plans (when available), additional protections apply:

  • No Training by Default: Your data is never used for AI training without explicit written agreement
  • No Human Review: Your data is not reviewed by Elluvate staff except when you request technical support
  • Isolated Processing: Your data remains within your organization's tenant and is not shared across customers
  • Custom Retention: You control data retention policies and deletion schedules
  • Contractual Guarantees: These protections are documented in Enterprise Data Processing Addendums

Enterprise customers may choose to opt in to share anonymized, aggregated data for service improvements, but this is entirely optional.

Changes to This Program

We may update our AI training and improvement program as technology evolves and best practices develop. Any material changes will be communicated via:

  • Email notification to your registered email address
  • Prominent notice on our website and platform
  • Updated Privacy Policy with "Last Updated" date change

If you have opted in, we will seek renewed consent for any material changes to how we use training data. You can withdraw consent at any time.

Sharing Your Information

We value your privacy and do not sell, rent, or trade your personal information to third parties for their marketing purposes. We may share your information in the following circumstances:

  • Service Providers: We may share information with trusted third-party service providers who assist us in operating our website, conducting our business, or providing Products and Services to you (e.g., cloud hosting providers, email service providers, analytics services, payment processors).
  • Business Transfers: If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
  • Legal Requirements: We may disclose your information if required to do so by law or in response to valid legal requests, such as court orders or government regulations.
  • With Your Consent: We may share your information with others when we have your explicit consent to do so.

Data Security

We implement appropriate technical and organizational measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction. However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.

As a company specializing in data and AI solutions, we take a particularly rigorous approach to data security, applying industry best practices and regular security assessments to our own systems.

Our security measures include:

  • Encryption: All data is encrypted in transit using TLS 1.2+ and at rest using industry-standard encryption (AES-256 for databases and storage)
  • Access Controls: Role-based access control (RBAC) and multi-factor authentication (MFA) for administrative access
  • Network Security: Virtual Private Cloud (VPC) isolation, firewall rules, and intrusion detection systems
  • Regular Audits: Periodic security assessments and penetration testing
  • Monitoring: Continuous monitoring procedures for security events and suspicious activities
  • Employee Training: Regular privacy and security training for all employees handling customer data

Third-Party Accountability Framework

Under PIPEDA Principle 4.1.3, Elluvate remains accountable for personal information transferred to third-party service providers. We have implemented a comprehensive accountability framework:

Third-Party Selection Criteria

  • SOC 2 Type II certification or equivalent security attestation
  • Demonstrated compliance with GDPR, PIPEDA, and CCPA requirements
  • Industry reputation and financial stability assessment
  • Technical security capabilities evaluation

Contractual Protections

All third-party service providers sign agreements that include:

  • Data processing restrictions limiting use to Elluvate's specified purposes only
  • Prohibition on selling, sharing, or using customer data for AI model training
  • Security and encryption requirements matching or exceeding Elluvate's standards
  • Data breach notification obligations within 24 hours of discovery
  • Right to audit and inspect third-party security practices
  • Data deletion obligations upon contract termination

Ongoing Monitoring and Compliance

  • Regular Reviews: Performance and compliance assessments of all critical third-party processors
  • Annual Audits: Review of security attestation reports (SOC 2, ISO 27001) from all processors
  • Incident Management: Joint incident response protocols with service providers
  • Continuous Evaluation: Ongoing assessment of emerging privacy risks and technology alternatives

Third-Party Categories and Examples

We engage the following categories of third-party service providers (specific vendors may change):

  • Cloud Infrastructure Providers: Servers, databases, storage, and networking services
  • AI/ML Service Providers: Large language models, document processing, and machine learning platforms
  • Payment Processors: Credit card processing and subscription billing services
  • Email Service Providers: Transactional and marketing email delivery
  • Analytics Providers: Website analytics and user behavior tracking
  • Security Providers: Intrusion detection, vulnerability scanning, and security monitoring

Accountability in Practice: While third parties process data on our behalf, Elluvate retains full responsibility for compliance with Canadian privacy law. If a third-party processor misuses your data, you may hold Elluvate accountable, and we will work with the processor to remedy the situation.

USA PATRIOT Act and CLOUD Act

Because our cloud infrastructure and AI service providers are based in the United States, your personal information is subject to U.S. laws that permit government access under certain circumstances:

  • USA PATRIOT Act (2001): Allows U.S. government agencies to access data stored by U.S. companies for national security investigations, often without notifying the data subject
  • CLOUD Act (2018): Permits U.S. law enforcement to compel U.S. technology companies to provide stored data regardless of where the data is physically located
  • FISA Court Orders: The Foreign Intelligence Surveillance Court can issue secret orders requiring data disclosure, with gag orders preventing companies from notifying affected users

Practical Implications for Canadian Users

By using Elluvate Products and Services, you acknowledge that:

  • Your data stored in U.S. cloud infrastructure may be accessed by U.S. government agencies without your knowledge or consent
  • Such access may occur through legal orders that prevent our service providers from notifying us or you
  • Canadian privacy laws cannot prevent this foreign legal access, though they require we inform you of the possibility
  • Encrypted data may be compelled to be decrypted or accessed through other means

Our Commitments

While we cannot prevent lawful foreign government access, we commit to:

  • Transparency: Notify you of government data requests when legally permitted to do so
  • Resistance: Challenge overly broad or legally questionable data requests
  • Minimization: Provide only the minimum data required by law, not bulk access
  • Documentation: Maintain internal records of all government data requests (published in annual transparency reports when possible)

Alternative Options

If foreign legal access is unacceptable to you, consider:

  • Using privacy tools that encrypt data before it reaches our servers (client-side encryption)
  • Storing sensitive data outside our Products and using Elluvate only for non-sensitive processing
  • Seeking alternative Canadian-only cloud providers (though they may have limitations in AI capabilities)

Legal Basis for Disclosure: This disclosure fulfills Elluvate's obligations under PIPEDA Principle 4.1.3 (Accountability) and British Columbia's Personal Information Protection Act (PIPA) to inform individuals when their personal information may be accessed by foreign governments.

Multi-Tenant Security Architecture

What is Multi-Tenancy?

Our SaaS Products (Diligence Hub, Batch Processor) use a multi-tenant architecture where multiple organizations (tenants) share the same underlying infrastructure and application while their data remains logically isolated.

Think of it like an apartment building: Multiple tenants live in the same building (shared infrastructure), but each has their own private apartment (isolated data) with locked doors (access controls).

How We Ensure Your Data Remains Private

  • Logical Data Isolation: Every piece of data is tagged with a unique tenant identifier (tenant_id). Database queries automatically filter to return only your organization's data.
  • Authentication and Authorization: User credentials (email, time-based authentication code) are verified, then access is limited to data belonging to the authenticated user's tenant. Cross-tenant access is blocked at the application layer.
  • Row-Level Security: Database queries include mandatory tenant_id filters. Even if a query is malformed, the database enforces tenant isolation at the row level.
  • Encryption: All data is encrypted at rest with unique encryption keys per tenant where feasible. Data in transit is always encrypted with TLS 1.2+.
  • Audit Logging: All data access is logged with tenant_id, user_id, timestamp, and operation type. Logs are monitored for unauthorized cross-tenant access attempts.

Security Testing and Compliance

  • Penetration Testing: Annual third-party security assessments specifically test multi-tenant isolation controls
  • Code Reviews: All database queries undergo security review to verify tenant_id filtering
  • Automated Testing: Integration tests verify that users cannot access other tenants' data under any circumstances
  • Compliance Monitoring: Quarterly audits of access logs to detect and investigate anomalies

Benefits and Trade-offs

Benefits:

  • Cost efficiency: Shared infrastructure reduces costs, making advanced AI capabilities affordable
  • Rapid updates: All tenants receive security patches and feature updates simultaneously
  • Scalability: Infrastructure scales automatically to handle all tenants' workloads

Trade-offs:

  • Shared resources: Performance may be affected if other tenants have high usage spikes (mitigated by auto-scaling)
  • Theoretical risk: If logical isolation fails (e.g., software bug), data could be exposed to other tenants (mitigated by defense-in-depth controls)

Single-Tenant Alternative

For organizations with strict data isolation requirements (e.g., government entities, highly regulated industries), we offer dedicated single-tenant deployments where your data resides on isolated infrastructure. Contact sales@elluvate.com to discuss Enterprise options.

Data Breach Notification

Our Breach Response Commitment

In the event of a data breach involving your personal information, Elluvate commits to the following response procedures in compliance with PIPEDA and British Columbia PIPA requirements:

Internal Detection and Assessment (0-24 hours)

  • Immediate Investigation: Security team investigates scope, cause, and affected data within 24 hours of detection
  • Risk Assessment: Evaluate risk of harm to affected individuals (identity theft, financial loss, reputational damage, etc.)
  • Containment: Take immediate steps to stop the breach and prevent further unauthorized access
  • Evidence Preservation: Secure forensic evidence for investigation and potential law enforcement involvement

Notification Requirements

If the breach poses a real risk of significant harm, we will notify:

  • Affected Individuals: Direct email notification as soon as feasible explaining:
    • What happened and when it was discovered
    • What types of personal information were involved
    • Steps we've taken to contain the breach and prevent recurrence
    • Steps you should take to protect yourself (e.g., change passwords, monitor credit)
    • Contact information for questions and support
  • Privacy Commissioner of Canada: Report to PIPEDA authorities if breach poses real risk of significant harm
  • Provincial Authorities: Report to B.C. Office of the Information and Privacy Commissioner if required under PIPA
  • Law Enforcement: Coordinate with police if criminal activity is suspected

Ongoing Communication and Support

  • Dedicated Support Channel: Temporary hotline and email support for affected users
  • Regular Updates: Weekly updates on investigation findings and remediation progress
  • Credit Monitoring: Offer free credit monitoring services if financial information was compromised
  • Incident Report: Publish public incident report within 30 days (unless prohibited by law enforcement)

Remediation and Prevention

  • Conduct thorough root cause analysis
  • Implement technical and process changes to prevent similar incidents
  • Engage third-party security auditors to validate remediation
  • Update security training and incident response procedures

What You Should Do If Notified

If you receive a data breach notification from Elluvate:

  • Review Authentication: Verify your account access and any other accounts using the same email address
  • Monitor Accounts: Watch for suspicious activity on financial accounts and credit reports
  • Report Suspicious Activity: Contact us immediately if you notice unauthorized access or identity theft
  • Be Alert for Phishing: Scammers may exploit breaches - verify any communications claiming to be from Elluvate

Questions About Breach Response: Contact our Privacy and Security Team at privacy@elluvate.com

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to track activity on our website and hold certain information. Cookies are files with a small amount of data that may include an anonymous unique identifier. These are sent to your browser from a website and stored on your device.

We use the following types of cookies:

  • Essential Cookies: Required for the website to function properly
  • Analytical/Performance Cookies: Allow us to recognize and count the number of visitors and see how visitors move around our website
  • Functionality Cookies: Enable the website to remember choices you make

You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our website.

Third-Party Websites

Our website may contain links to third-party websites. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policies of any websites you visit.

Children's Privacy

Our website, Products, and Services are not intended for individuals under the age of 19. We do not knowingly collect personal information from children under 19. If you are a parent or guardian and you believe your child has provided us with personal information, please contact us, and we will take steps to remove that information from our systems.

Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information, which may include:

  • The right to access the personal information we have about you
  • The right to request correction of inaccurate personal information
  • The right to request deletion of your personal information
  • The right to object to or restrict processing of your personal information
  • The right to data portability
  • The right to withdraw consent

Canadian Users (PIPEDA Rights)

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canadian users have specific rights:

  • Right of Access (Principle 4.9): Request a copy of all personal information we hold about you
  • Right to Correction (Principle 4.6): Challenge the accuracy and completeness of your information and request updates
  • Right to Withdraw Consent (Principle 4.3.8): Withdraw consent for data processing (may affect service availability)
  • Right to File Complaint: Lodge a complaint with the Privacy Commissioner of Canada if you believe we've violated your privacy rights

How to Exercise Your Rights

To exercise any of these rights, please contact our Privacy Officer at privacy@elluvate.com with the following information:

  • Full name and email address associated with your account
  • Specific right you wish to exercise (access, correction, deletion, etc.)
  • Detailed description of your request
  • Proof of identity (to prevent unauthorized access to your personal information)

Response Timeline: We will respond to your request within 30 days (PIPEDA Principle 4.9.4). If additional time is required due to complexity, we will notify you within 30 days and provide an expected completion date.

Costs: Access requests are provided free of charge. If fulfilling your request requires significant technical effort (e.g., retrieval from backup systems), we may charge a reasonable fee, disclosed before work begins.

International Data Transfers

Your information may be transferred to — and maintained on — computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those in your jurisdiction. If you are located outside Canada and choose to provide information to us, please note that we transfer the data to the United States and process it there.

We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy, and no transfer of your personal information will take place to an organization or a country unless there are adequate controls in place.

Cross-Border Transfer Safeguards:

  • Standard Contractual Clauses (SCCs) with all US-based service providers
  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Contractual obligations requiring service providers to comply with PIPEDA principles
  • Annual audits of third-party security and privacy practices

Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top of this page. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Privacy Officer at privacy@elluvate.com.

For general support inquiries, please contact support@elluvate.com.

Privacy Commissioner of Canada:
If you believe we have not adequately addressed your privacy concerns, you may file a complaint with:
Office of the Privacy Commissioner of Canada
30 Victoria Street, Gatineau, Quebec K1A 1H3
Toll-free: 1-800-282-1376
Website: www.priv.gc.ca