Privacy Policy

Gravicity is responsible for personal information in our possession or custody, including information that has been transferred to third-party service providers acting on our behalf. We have designated a Privacy Officer who is accountable for our compliance with this policy and applicable privacy legislation.

Our Privacy Officer oversees our compliance with PIPEDA's 10 Fair Information Principles, Quebec Law 25 requirements, and GDPR obligations where applicable. All employees and contractors who handle personal information are required to adhere to this policy and applicable data protection procedures.

We collect the following categories of personal information:

We do not intentionally collect sensitive personal information (such as health data, biometric data, or financial account numbers) through our website. If our AI automation services require processing such data for a client engagement, this is governed by a separate data processing agreement.

We identify the purposes for collecting personal information before or at the time of collection. We collect and use personal information for the following purposes:

• •Responding to inquiries: To reply to your contact form submissions, emails, and phone calls
• •Service delivery: To provide AI voice agent, chatbot, workflow automation, and analytics services to our clients
• •AI processing: To route inquiries and service data through artificial intelligence systems for analysis, summarization, and workflow execution
• •Business operations: To manage client relationships, billing, and contractual obligations
• •Website analytics: To understand how visitors use our website and improve performance (with your consent for non-essential tracking)
• •Marketing communications: To send newsletters or promotional materials (only with your express opt-in consent)
• •Legal compliance: To meet obligations under applicable law, including record-keeping and tax requirements

We will not use personal information for any purpose other than those identified above without first obtaining your consent, except where required or permitted by law.

We obtain your consent before or at the time we collect, use, or disclose your personal information, except where consent is not required by law.

Express consent is required for:

• •Marketing and promotional communications
• •Non-essential cookies and tracking technologies
• •Any use of your information beyond the original purpose of collection

Implied consent applies when:

• •You submit a contact form for the purpose of receiving a response to your inquiry
• •Processing is necessary to fulfill a contracted service

Withdrawing consent: You may withdraw your consent at any time by contacting us at privacy@gravicity.ca. We will explain the consequences of withdrawal (for example, we may no longer be able to provide certain services). Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

We collect only the personal information that is necessary for the purposes identified above. Our contact forms request only your name, email address, phone number, and company name. We do not collect information beyond what is required to respond to your inquiry or deliver our services.

Personal information is used only for the purposes for which it was collected or for purposes consistent with those purposes. We do not sell, rent, or trade your personal information to third parties.

We may disclose personal information in the following circumstances:

• •To third-party service providers who process data on our behalf (see Section 10)
• •Where required by law, regulation, court order, or governmental authority
• •To protect the rights, safety, or property of Gravicity, our clients, or the public

Data Retention Schedule

When personal information is no longer needed for its identified purpose, or when a retention period expires, we securely delete or anonymize the information using methods appropriate to its sensitivity.

We take reasonable steps to ensure that personal information is accurate, complete, and up-to-date as necessary for the purposes for which it is used. If you believe that information we hold about you is inaccurate or incomplete, please contact us and we will correct it promptly.

We protect personal information with administrative, technical, and physical safeguards appropriate to the sensitivity of the information. Our security practices are aligned with AICPA SOC 2 Trust Service Criteria and include:

• •Encryption: Data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
• •Access controls: Access to personal information is restricted to authorized personnel on a need-to-know basis, with role-based access controls and multi-factor authentication
• •Monitoring and logging: We maintain logging and monitoring of access to systems that process personal information
• •Vendor management: Third-party service providers are assessed for security practices and bound by data processing agreements before receiving personal information
• •Incident response: We maintain a documented incident response plan and conduct regular risk assessments of our information systems and AI workflows
• •Personnel training: Team members receive privacy and security awareness training

The level of protection applied is proportional to the sensitivity of the personal information involved.

We use artificial intelligence tools, including large language models, to assist in processing inquiries and delivering our services. This includes automated conversation handling, workflow execution, and data analysis.

Key facts about our AI processing:

• •Data submitted to our AI workflows may be processed by third-party AI providers (identified in Section 10) subject to their data processing terms
• •Under our commercial API agreements, data sent to AI providers is not used to train their models
• •AI-generated outputs may not be fully accurate. All AI outputs used in client communications or business decisions are reviewed by our team
• •We do not use AI to make solely automated decisions that produce legal or similarly significant effects on individuals. Where AI assists in decision-making, human oversight is maintained

If you interact with an AI-powered system operated by Gravicity (such as a voice agent or chatbot), you will be informed that you are communicating with an AI system.

In delivering our services, we engage the following third-party sub-processors who may process personal information on our behalf. We require all sub-processors to maintain appropriate security and privacy controls through contractual data processing agreements.

Gravicity remains accountable for personal information transferred to third-party processors. Each sub-processor is contractually obligated to process data only for the purposes we specify, to maintain security standards at least equivalent to our own, to notify us without delay in the event of a breach, and to delete or return data upon termination of the relationship.

We will provide notice before onboarding material new sub-processors. An up-to-date list of sub-processors is available by contacting privacy@gravicity.ca.

Your personal information may be transferred to and processed in countries outside of your province or country of residence. Specifically:

• •Canada (OVH): Our primary hosting infrastructure is located in Canada
• •United States (Anthropic, OpenRouter): When data is processed through our AI services, it may be transmitted to servers in the United States

For residents of Quebec:

Before transferring personal information outside Quebec, we conduct a Privacy Impact Assessment as required by Law 25 to ensure that the receiving jurisdiction provides equivalent protection. Our transfers to the United States are governed by data processing agreements that include contractual safeguards.

For residents of the European Union/EEA:

The European Commission has recognized Canada as providing an adequate level of data protection for commercial organizations subject to PIPEDA (adequacy decision renewed January 15, 2024). For onward transfers to the United States (Anthropic, OpenRouter), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by technical measures including encryption in transit and at rest. You may obtain a copy of the applicable safeguards by contacting us at privacy@gravicity.ca.

Our website uses cookies and similar technologies. In compliance with Quebec Law 25 and the EU ePrivacy Directive, we obtain your express opt-in consent before placing any non-essential cookies or tracking technologies on your device.

Cookie categories:

Privacy by default: All non-essential cookie categories are disabled by default. No non-essential cookies or tracking scripts will load until you actively choose to enable them.

Granular control: You may accept or reject cookies by individual category.

Changing your preferences: You can modify your cookie settings at any time through the cookie preferences link in the website footer. Withdrawing consent is as simple as granting it.

Consent records: We record the timestamp, choices, and policy version associated with your cookie consent.

Under PIPEDA and Quebec Law 25, you have the following rights regarding your personal information:

• •Access: You may request access to the personal information we hold about you, including information about who it has been disclosed to
• •Correction: You may request that we correct inaccurate or incomplete personal information
• •Withdrawal of consent: You may withdraw your consent to the collection, use, or disclosure of your personal information, subject to legal or contractual obligations
• •Data portability (Quebec): You may request that we provide your personal information in a structured, commonly used, and technologically neutral format
• •De-indexing (Quebec): You may request that we cease disseminating your personal information, or de-index any hyperlink attached to your name that provides access to information, where the dissemination contravenes the law or a court order

To exercise any of these rights, contact us at privacy@gravicity.ca. We will respond to your request within 30 calendar days. We may need to verify your identity before processing a request. If we refuse a request, we will provide written reasons and inform you of your recourse.

If you are located in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) provides you with additional rights. Gravicity acts as the data controller for personal information collected through this website.

Lawful bases for processing:

Where we rely on legitimate interest, our interests are: responding to and managing business inquiries; delivering AI automation consulting services; and maintaining the security of our systems.

Your GDPR data subject rights:

In addition to the rights listed in Section 13, EU/EEA residents have the right to:

• •Erasure ("right to be forgotten"): Request deletion of your personal data when it is no longer necessary for the purposes collected, or when you withdraw consent (Art. 17)
• •Restriction of processing: Request that we limit how your data is processed in certain circumstances (Art. 18)
• •Data portability: Receive your personal data in a structured, commonly used, machine-readable format (Art. 20)
• •Objection: Object to processing based on legitimate interests, including profiling (Art. 21)
• •Automated decision-making: Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Art. 22)
• •Withdraw consent: Withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal (Art. 7(3))

We will respond to all data subject requests within one month of receipt, which may be extended by two additional months for complex requests, in accordance with Art. 12(3).

Data provision:

Providing personal information through our contact form is neither a statutory nor a contractual obligation. However, if you choose not to provide the information requested, we may be unable to respond to your inquiry or provide our services.

Right to lodge a complaint:

You have the right to lodge a complaint with a supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement. A list of supervisory authorities is available at edpb.europa.eu.

We comply with Canada's Anti-Spam Legislation (CASL). We will not send you commercial electronic messages unless:

• •You have provided express consent (opt-in) to receive such messages, or
• •We have implied consent based on an existing business relationship (e.g., you are an active client or made an inquiry within the past 6 months)

Every commercial electronic message we send will:

• •Identify Gravicity as the sender, including our mailing address and contact information
• •Include a functional unsubscribe mechanism that remains active for at least 60 days
• •Process unsubscribe requests within 10 business days

Submitting a contact form on our website constitutes implied consent to receive a response to your inquiry. It does not constitute consent to receive marketing communications. If our contact form includes a marketing opt-in, it will be a separate, unchecked checkbox.

In the event of a breach of security safeguards involving personal information that creates a real risk of significant harm (RROSH), we will:

• •Report to the Office of the Privacy Commissioner of Canada (OPC) as soon as feasible after determining that a breach has occurred, as required by PIPEDA s. 10.1
• •Notify affected individuals as soon as feasible, providing: a description of the breach, the types of personal information involved, the steps we have taken, our contact information, and steps the individual can take to mitigate potential harm
• •Notify relevant third parties where doing so could reduce the risk of harm (e.g., law enforcement, credit reporting agencies)
• •Maintain breach records for a minimum of 24 months, regardless of whether the RROSH threshold was met, as required by PIPEDA s. 10.3

For EU/EEA residents:

Where a breach is likely to result in a high risk to your rights and freedoms, we will notify the relevant EU/EEA supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33). If the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay (GDPR Art. 34).

Our website and services are directed to businesses and are not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will take prompt steps to delete it.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, provide additional notice (such as a prominent website notice or email notification).

We encourage you to review this policy periodically. Continued use of our website or services following the posting of changes constitutes your acceptance of those changes, except where consent is required by law.

If you have questions or concerns about this Privacy Policy or our handling of your personal information, please contact our Privacy Officer:

We will investigate all complaints promptly and respond within 30 days. If you are not satisfied with our response, you have the right to escalate your complaint to the appropriate regulatory authority: