Privacy Policy
Governing Law: Province of Ontario, Canada — PIPEDA Compliant
This Privacy Policy describes how Coulter Digital Services Inc. ("we," "us," or "our") collects, uses, discloses, and protects Personal Information in connection with our AI consultancy and digital transformation services. This policy is designed to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and its ten fair information principles.
1. Introduction and Scope
This Privacy Policy applies to all Personal Information collected by the Company in the course of its commercial activities, including information collected through our website, client intake process, service delivery, and ongoing business relationships.
This Policy applies to the Personal Information of our clients, prospective clients, their employees and representatives, website visitors, and any individuals whose Personal Information we may process in the course of delivering our Services.
By engaging our Services and completing the Intake Form, you consent to the collection, use, and disclosure of your Personal Information as described in this Policy.
2. Information We Collect
2.1 Information Collected Directly
- Intake Form Data: Business name, contact names, email addresses, phone numbers, job titles, business addresses, and other information submitted through our Universal Client Intake Form.
- Engagement Data: Information exchanged during the course of performing Services, including meeting notes, project communications, feedback, and approval records.
- Technical Environment Data: Information about your technology stack, systems, data sources, and infrastructure provided during technical assessments.
- Financial Information: Billing addresses, payment details, and invoicing information necessary to process payments.
2.2 Information Collected from Client Systems
In the course of delivering Services (particularly Process Automations, Custom AI Agents, and AI Readiness Audits), we may access or process data within your systems, which may include:
- Business Process Data: Workflow data, operational records, and transaction data observed during process mapping and automation development.
- Employee Information: Names, roles, and contact information of your team members involved in the engagement.
- Customer or End-User Data: If your systems contain data about your customers, we may process this data to the extent necessary to deliver the Services. The scope of such processing will be defined in the SOW.
2.3 Information Collected Automatically
- Usage Data: Pages visited, time on site, referral sources, browser type, and device information.
- Log Data: IP addresses, access times, and server log information.
- Cookies: We use cookies and similar technologies as described in our Cookie Notice.
3. How We Use Your Information
We use Personal Information to deliver and improve our Services, respond to inquiries, fulfill contractual obligations, process payments, communicate project updates, comply with legal requirements, and improve our service offerings using anonymized and aggregated data.
4. Legal Basis for Processing
Under PIPEDA, we process Personal Information on the following bases:
- Consent: Where you have provided express or implied consent. Express consent is obtained for sensitive information and marketing communications.
- Contractual Necessity: Where processing is necessary to perform our obligations under the Agreement and applicable SOW.
- Legal Obligation: Where processing is necessary to comply with applicable Canadian federal or Ontario provincial laws.
- Legitimate Business Purpose: Where processing is necessary for a purpose that a reasonable person would consider appropriate, such as service improvement using anonymized data.
5. Disclosure and Sharing of Information
We do not sell Personal Information. We may share Personal Information in the following limited circumstances:
- Service Providers and Subcontractors: Trusted third parties who assist in delivering our Services, bound by contract to maintain appropriate security measures.
- AI Model Providers: Client Data may be processed by third-party AI model providers via API calls. We configure these services to minimize data retention where possible.
- Professional Advisors: Lawyers, accountants, and auditors as necessary.
- Legal Requirements: Where required by law, regulation, or court order.
- Business Transfers: In the event of a merger, acquisition, or sale, subject to the same privacy protections.
6. Cross-Border Data Transfers
Some Third-Party Tools and AI model providers may process data in jurisdictions outside of Canada, particularly the United States. When Client Data is transferred outside of Canada, we ensure compliance with PIPEDA's requirements, ensure appropriate contractual safeguards, and maintain accountability regardless of where data is processed.
Where a Client specifies a Canada-only data residency requirement, we will use commercially reasonable efforts to accommodate this and will disclose any limitations on service availability.
7. Data Retention
We retain Personal Information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. When Personal Information is no longer needed, we securely destroy or de-identify it using methods appropriate to the sensitivity of the data.
8. Your Rights Under PIPEDA
- Right of Access: You may request access to the Personal Information we hold about you. We will respond within thirty (30) days.
- Right to Correction: You may request correction of inaccurate or incomplete Personal Information.
- Right to Withdraw Consent: You may withdraw your consent at any time, subject to legal or contractual restrictions. We will inform you of the implications.
- Right to Challenge Compliance: You may challenge our compliance by contacting our Privacy Officer. We will investigate and respond within thirty (30) days.
9. AI-Specific Privacy Considerations
9.1 Transparency
Where our Services involve deploying AI systems that interact with individuals, we will work with the Client to ensure that individuals are informed that they are interacting with an AI system, consistent with the Office of the Privacy Commissioner of Canada's guidance.
9.2 Purpose Limitation
Personal Information processed through AI systems shall only be used for the purposes identified in the applicable SOW. We do not use Client Data for unrelated AI development or model training unless expressly authorized.
9.3 Minimization
We apply data minimization principles to AI workflows, collecting only the Personal Information necessary. Where feasible, we implement anonymization, pseudonymization, and data masking prior to processing by AI models.
9.4 Human Oversight
For AI systems that make or support decisions affecting individuals, we implement human-in-the-loop review processes where appropriate. The level of human oversight is determined during the agent architecture design phase and documented in the SOW.
9.5 Bias and Fairness
We conduct evaluation testing on AI systems to identify and mitigate potential biases. However, we cannot guarantee that AI outputs will be free from bias. Clients are encouraged to implement their own review processes.
9.6 AI Output Accountability
The Client remains responsible for any decisions made on the basis of AI-generated outputs. The Company provides tools and recommendations for appropriate human oversight, but the ultimate responsibility rests with the Client.
10. Data Security
We implement administrative, technical, and physical safeguards designed to protect Personal Information, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
- Multi-factor authentication for access to client systems
- Role-based access controls
- Regular security assessments and vulnerability scanning
- Secure development practices for custom code and AI agent configurations
- Confidentiality agreements with all personnel who may access Personal Information
While we use commercially reasonable efforts to protect Personal Information, no method of electronic transmission or storage is completely secure.
11. Breach Notification
In accordance with PIPEDA's mandatory breach reporting requirements, we will report any breach of security safeguards to the Office of the Privacy Commissioner of Canada where the breach creates a real risk of significant harm. We will notify affected individuals as soon as feasible and notify the Client within seventy-two (72) hours. We maintain a record of all breaches regardless of whether reporting thresholds are met.
12. Third-Party Services and Links
Our website and Services may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of these third parties. A list of material third-party service providers is available upon request.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to active clients via email at least thirty (30) days before taking effect. The most current version will always be available on our website.
14. Contact and Complaints
If you have questions about this Privacy Policy, wish to exercise your rights under PIPEDA, or have a complaint about our privacy practices, please contact:
Privacy Officer
Coulter Digital Services Inc.
Barrie, Ontario, Canada
Email: privacy@coulterdigital.com
We will acknowledge receipt within five (5) Business Days and provide a substantive response within thirty (30) days.
If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada:
Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec K1A 1H3
Toll-free: 1-800-282-1376
Website: www.priv.gc.ca