Privacy policy

Last updated 2026-04-18 · Effective 2026-05-01

This is a summary policy. The operative policy at anyimmi.com/legal/privacy applies and controls. Contact privacy@anyimmi.com for the canonical version.

1. Data we collect

Account data: name, email, firm name, RCIC registration number (if applicable). Tool inputs: what you paste, upload, or type into a tool. Tool outputs: the drafts and results we generate. Usage: timestamps, tool IDs, credit debits, model providers.

2. Where it lives

Postgres, Redis, Meilisearch, and object storage in ca-central-1 (Montreal). Replicas stay in Canada. LLM inference is CA-region by default (Gemini). US-region models (OpenAI, Anthropic) are only invoked with explicit per-firm opt-in and PII scrubbing.

3. PII handling

For any non-CA model call, we scrub 21 categories of PII before the request leaves the router: full name, DOB, passport, SIN, UCI, address, phone, email, IP, next-of-kin name, employer, bank account, CRA BN, health card, driver's licence, child/spouse/parent names, file number, GCKey/MyCIC username, medical record. Extractions stay in your browser session.

4. Retention

Audit log: 7 years (CICC §8.2) plus 10 years rolling (firm liability window). Tool outputs: firm-controlled, default 2 years, deletable at any time. Tool inputs: 90 days then rolled into aggregate eval data, never replayed verbatim.

5. Your rights

You can export all firm data at any time via the portal. You can request deletion of non-audit data under PIPEDA. Audit log entries cannot be deleted — this is a regulatory requirement, not a product choice.

6. Sub-processors

Supabase (Postgres, Auth — ca-central-1), Upstash (Redis — ca-central-1), Vercel (hosting — ca-central-1), Google Cloud (Gemini — ca-central-1), Stripe (billing — USD primary). Full list at anyimmi.com/legal/subprocessors.

7. Contact

Privacy questions: privacy@anyimmi.com. Security incidents: security@anyimmi.com.