Privacy Policy
Effective date: December 17, 2024 · Last updated: March 12, 2026
1. Introduction
AlterFlow AI ("we," "our," or "us") is a Toronto-based consultancy that builds custom software platforms for enterprises. We are committed to protecting your privacy and handling your personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA), applicable provincial privacy laws, and other relevant data protection legislation.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (alterflow.ai), use our services, or communicate with us.
2. Information We Collect
2.1 Information You Provide Directly
We collect information that you voluntarily provide, including:
- Contact information: name, email address, phone number, company name, and job title when you submit our contact form or communicate with us
- Project information: details about your business processes, requirements, and technical environment shared during discovery and engagement
- Account credentials: login information if you access a platform we build or maintain on your behalf
- Payment information: billing details necessary to process invoices (we do not store full payment card numbers)
- Communications: emails, messages, and any other correspondence you send to us
2.2 Information Collected Automatically
When you visit our website, we may automatically collect:
- Device information: browser type and version, operating system, screen resolution
- Network information: IP address, approximate geographic location (city/region level)
- Usage data: pages visited, time spent on pages, referring URLs, click patterns
- Cookies and similar technologies: see Section 8 below
2.3 Customer Data
When providing our services, we may process data on behalf of our customers ("Customer Data"). Customer Data is processed only in accordance with the customer's instructions and the applicable service agreement. We act as a processor (not controller) of Customer Data. This policy primarily addresses information we collect as a controller.
3. How We Use Your Information
We use your information for the following purposes:
- Service delivery: to provide, maintain, and improve our consulting and development services
- Communication: to respond to your inquiries, provide project updates, and send service-related notices
- Marketing: to send information about our services, with your consent where required under CASL (Canada's Anti-Spam Legislation)
- Analytics: to understand how our website is used and to improve user experience
- Security: to detect, prevent, and address technical issues, fraud, or security incidents
- Legal compliance: to comply with applicable laws, regulations, and legal processes
4. Legal Basis for Processing
We process your personal information based on:
- Consent: where you have given explicit consent (e.g., subscribing to communications). You may withdraw consent at any time
- Contractual necessity: where processing is necessary to perform a contract with you or take pre-contractual steps at your request
- Legitimate interests: where processing is necessary for our legitimate business interests (e.g., improving our services, security), provided these interests do not override your rights
- Legal obligation: where processing is required to comply with applicable law
5. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We may share your information with:
- Service providers: trusted third parties who assist in operating our business (e.g., hosting providers, analytics tools, payment processors). These providers are contractually obligated to protect your data and use it only for the services they provide to us
- Professional advisors: lawyers, accountants, and auditors as necessary for our business operations
- Legal authorities: when required by law, regulation, legal process, or enforceable government request
- Business transfers: in connection with a merger, acquisition, or sale of assets, your information may be transferred to the successor entity, subject to the same privacy protections
6. AI and Machine Learning
We build AI-powered solutions for our customers. Important points regarding data and AI:
- Customer Data is never used to train third-party AI models unless explicitly authorized by the customer in writing
- AI processing of Customer Data is performed only as specified in the applicable service agreement
- All AI actions within platforms we build are logged and auditable
- We do not use website visitor data to train AI models
7. International Data Transfers
Your information may be processed in Canada and, where necessary, in other jurisdictions where our service providers operate (e.g., United States for cloud hosting). When transferring data outside of Canada, we ensure appropriate safeguards are in place, including contractual protections consistent with PIPEDA requirements.
We offer Canadian data residency options for customers who require that all data remain within Canada.
8. Cookies and Tracking Technologies
Our website uses the following types of cookies:
- Essential cookies: required for the website to function properly (e.g., session management, security). These cannot be disabled
- Analytics cookies: help us understand how visitors interact with our website (e.g., page views, navigation patterns). Data is aggregated and anonymized where possible
- Preference cookies: remember your settings and preferences (e.g., theme selection)
We do not use advertising or behavioral tracking cookies. You can control cookie preferences through your browser settings. Disabling essential cookies may affect website functionality.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal information, including:
- Encryption of data in transit (TLS) and at rest
- Access controls with role-based permissions and least-privilege principles
- Regular security scanning and vulnerability assessment
- Secure secret management for production credentials
- Automated backups with tested recovery procedures
- Access logging and monitoring
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
10. Data Retention
We retain personal information as follows:
- Contact form submissions: retained for the duration of our business relationship plus 2 years, or until you request deletion
- Customer project data: as specified in the applicable service agreement, typically for the duration of the engagement plus any contractual retention period
- Website analytics: aggregated data retained indefinitely; identifiable data (e.g., IP addresses) retained for up to 14 months
- Financial records: retained for 7 years as required by Canadian tax law (CRA requirements)
- Communications: retained for the duration of the business relationship plus 2 years
When personal information is no longer needed, we securely delete or anonymize it.
11. Your Privacy Rights
Under PIPEDA (All Canadians)
You have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate or incomplete information
- Withdraw consent for the collection, use, or disclosure of your information (subject to legal or contractual restrictions)
- Challenge our compliance with PIPEDA by filing a complaint with the Office of the Privacy Commissioner of Canada
Under Quebec Privacy Law (Law 25)
If you are a Quebec resident, you additionally have the right to:
- Data portability in a commonly used format
- Request de-indexing of your personal information from search results
- Be informed of automated decision-making that affects you
For European Residents (GDPR)
If you are located in the European Economic Area, you have additional rights under GDPR, including:
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing based on legitimate interests
- Right to lodge a complaint with your local data protection authority
For California Residents (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the sale or sharing of personal information (we do not sell personal information)
- Non-discrimination for exercising your privacy rights
To exercise any of these rights, contact us at [email protected]. We will respond to requests within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.
12. Canadian Anti-Spam Legislation (CASL)
We comply with Canada's Anti-Spam Legislation. We will only send you commercial electronic messages (e.g., marketing emails) if:
- You have given express consent (e.g., opted in to our mailing list)
- We have implied consent through an existing business relationship
Every commercial message includes our contact information and a clear unsubscribe mechanism. Unsubscribe requests are processed within 10 business days. Service-related communications (e.g., project updates, security notices) are not considered commercial messages under CASL.
13. Data Breach Notification
In the event of a data breach involving personal information that creates a real risk of significant harm, we will:
- Notify affected individuals as soon as feasible
- Report the breach to the Office of the Privacy Commissioner of Canada as required under PIPEDA
- Maintain records of all breaches as required by law
- Notify customer organizations if their Customer Data is affected, in accordance with the applicable service agreement
14. Children's Privacy
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child under 16, we will take steps to delete it promptly. If you believe we have collected information from a child, please contact us at [email protected].
15. Third-Party Links
Our website may contain links to third-party websites or services. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated via email to active customers or by posting a notice on our website. The "Last updated" date at the top of this page indicates the most recent revision.
17. Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have a complaint about our handling of your personal information, please contact us at:
AlterFlow AI
Toronto, Ontario, Canada
Email: [email protected]
If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada.