Legal

Privacy Policy

Last Updated: 2026-04-18 · Version 1.0-draft · DOSSIAR Labs Inc.

Important — Draft, not lawyer-reviewed.

This document is a draft prepared by DOSSIAR engineering and has NOT been reviewed by a licensed Canadian immigration lawyer. Do NOT rely on this for legal protection in production use. Engage a lawyer before operating.

§1. Introduction and Scope

§1.1 DOSSIAR Labs Inc. ("DOSSIAR", "we") is committed to protecting the personal information of our users. This Policy describes how we collect, use, disclose, retain, and safeguard personal information in connection with the DOSSIAR Service.

§1.2 This Policy complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, Quebec Law 25, Alberta/BC PIPAs, and the EU GDPR for EEA/UK visitors.

§2. Personal Information We Collect

§2.1(a) Account Information

full name; professional email;
firm or institution (optional);
RCIC or law-society number (optional);
password (hashed and salted);
2FA metadata (not the seed);
preferred language.

§2.1(b) Practice Inputs and AI-Generated Outputs

case notes, SOPs, PFL drafts, rebuttals;
Simulated Officer verdicts, likelihoods, concerns, citations;
chat transcripts, session metadata;
CPD progress, scenario completions, score history.

§2.1(c) Billing Information

billing name, address, tax registration;
last four digits and brand of payment card (receipts only); full card numbers are handled exclusively by Stripe;
invoice and transaction history.

§2.1(d) Usage Telemetry

IP address, approximate geolocation;
browser, OS, device;
referrer, pages, events, timestamps;
error logs and performance traces.

§2.1(e) Correspondence

emails, support tickets, chat messages;
call recordings only where disclosed and consented.

§3. How We Use Personal Information

§3.1(a) Service delivery (performance of contract / PIPEDA);
§3.1(b) Security and fraud prevention (legitimate interest / PIPEDA);
§3.1(c) Billing (performance of contract);
§3.1(d) Service improvement: de-identified, aggregated practice data only. Enterprise seats may opt out. Real client data must not be submitted (Terms §5);
§3.1(e) Service communications: account, billing, security, policy updates;
§3.1(f) Marketing (express opt-in under CASL, S.C. 2010, c. 23, and GDPR Art. 6(1)(a)); one-click unsubscribe in every message;
§3.1(g) Legal and regulatory compliance.

§4. Disclosure to Service Providers

§4.1 Sub-processors, each bound by written DPA:

Sub-processor	Purpose	Location
Supabase, Inc.	Database, auth, storage	Canada (ca-central-1)
OpenAI, L.L.C.	LLM inference	United States
Anthropic, PBC	LLM inference	United States
Cohere Inc.	Reranking / retrieval	Canada / United States
Stripe, Inc.	Payments (PCI-DSS L1)	United States / Canada
Resend, Inc.	Transactional + marketing email	United States / EU
PostHog Inc.	Product analytics (EU region)	European Union
Vercel Inc.	Application hosting	Canada / Global edge

§4.2 Current list at /legal/subprocessors.

§4.3 No sale of personal information. No behavioural advertising.

§4.4 M&A transfers subject to acquirer accepting materially equivalent commitments.

§5. Data Residency and Cross-Border Transfers

§5.1 Account and practice data: Canadian data centres (ca-central-1).

§5.2 LLM inference: US-based providers over TLS 1.3. Zero-data-retention where available; otherwise up to 30 days for abuse monitoring only.

§5.3 EEA/UK: SCCs (Commission Implementing Decision (EU) 2021/914) + TIA where required.

§5.4 Bi-annual transparency report on government requests.

§6. Your Rights

§6.1(a) access (PIPEDA Principle 9; GDPR Art. 15);
§6.1(b) correction (PIPEDA Principle 9; GDPR Art. 16);
§6.1(c) deletion (PIPEDA / GDPR Art. 17), subject to §7;
§6.1(d) portability — JSON or CSV (GDPR Art. 20);
§6.1(e) restrict or object (GDPR Arts. 18 & 21);
§6.1(f) withdraw consent;
§6.1(g) complain to the Office of the Privacy Commissioner of Canada, the Commission d'accès à l'information du Québec, a provincial IPC, or your EU/UK supervisory authority.

§6.2 To exercise any right, contact dpo@dossiar.com. Response within 30 days (90 for complex, with notice), free in most cases.

§7. Retention

§7.1(a) Account: life + up to 90 days post-deletion.
§7.1(b) Chat and practice inputs: 90 days default; Enterprise may configure shorter.
§7.1(c) CPD records: 7 years (CICC audit support).
§7.1(d) Billing/tax: 7 years (Income Tax Act, Excise Tax Act).
§7.1(e) Audit logs: 7 years.
§7.1(f) Aggregated, de-identified analytics: indefinite.

§7.2 On expiry, data is irreversibly deleted or de-identified.

§8. Cookies

§8.1 Functional-only:

sb-access-token, sb-refresh-token — session auth (HTTP-only, Secure, SameSite=Lax);
dossiar_prefs — UI preferences (theme, language);
csrf_token — CSRF protection.

§8.2 No third-party ad trackers. PostHog runs with IP anonymization and session-level aggregation.

§8.3 EEA/UK: cookie-consent banner; non-essential analytics only after explicit opt-in.

§9. Children

§9.1 The Service is exclusively for adults (18+). We do not knowingly collect information from minors.

§10. Security

§10.1 TLS 1.3; AES-256 at rest; RBAC; least-privilege; staff 2FA; annual pentest; SOC 2 Type II (in progress, Q4 2026).

§10.2 On a qualifying breach:

§10.2(a) notify Privacy Commissioner / supervisory authority within 72 hours;
§10.2(b) notify affected individuals without unreasonable delay;
§10.2(c) retain breach records for at least 24 months.

§11. International Users

§11.1 Operated from Canada. Access from outside Canada constitutes consent to Canadian data transfer.

§12. Data Protection Officer

§12.1 DPO: dpo@dossiar.com. Registered office: Toronto, Ontario, Canada.

§12.2 EU Art. 27 representative to be designated when required.

§13. Changes to This Policy

§13.1 Material changes: 30 days' email notice.

§14. Contact

§14.1 Privacy: privacy@dossiar.com
§14.2 DPO: dpo@dossiar.com

Effective Date: 2026-04-18 · Version 1.0-draft