Privacy Policy

Privacy at Anitarian.

Effective April 16, 2026 · Last updated April 16, 2026.

Introduction

Anitarian is operated by Anitarian, a British Columbia, Canada–registered entity. This policy explains data collection, use, disclosure, and protection practices for our AI platform and services. Your data belongs in Canada — accounts, stored content, and records are maintained on Canadian infrastructure. Limited operations like web search and AI inference route through external providers, but only anonymized query content — without IP addresses, account identifiers, or personal data — is shared.

Our commitment to Canadian data sovereignty

  • All account information, user content, and conversation history is stored exclusively in Canada.
  • AI inference runs on Canadian infrastructure by default.
  • When Canadian capacity is exceeded, requests route to vetted European Union partners as a fallback.
  • Web search, payment authorization, and email delivery use external providers but only receive anonymized requests from our servers.
  • No personal identifiers, IP addresses, or account information accompany external requests.

Regulatory alignment

  • PIPEDA — Personal Information Protection and Electronic Documents Act
  • Quebec Law 25 — Act to modernize legislative provisions regarding personal information protection
  • CPCSC — Canadian Program for Cyber Security Certification (for defence contractors)

Information we collect

Information you provide

Account information: name, email, payment information. For enterprise: organization name, business address, billing contact.

User content: prompts, uploaded documents, materials for AI processing — collected solely to deliver requested services.

Communications: support requests and feedback content.

Information collected automatically

Usage data: feature interactions, timestamps, session duration.

Technical information: device type, browser type, IP address, general location at city or region level. No precise geolocation tracking.

Cookies: essential cookies required for service functionality. No third-party advertising or tracking cookies.

How we use your information

We process personal information for the following purposes, each with a PIPEDA legal basis: providing and maintaining services (contract / consent); processing payments (contract); responding to support (legitimate interest); improving services (legitimate interest); ensuring security and preventing fraud (legal obligation / legitimate interest); complying with legal obligations (legal obligation); sending service-related communications (contract).

What Anitarian does NOT do

  • Sell personal information.
  • Use content to train AI models without explicit consent.
  • Share data with third-party advertisers.
  • Share IP addresses, account identity, or personal identifiers with non-Canadian service providers.

How we protect your information

Technical safeguards

  • Encryption in transit: TLS 1.3 for all data transmission.
  • Encryption at rest: AES-256 for user content and personal information.
  • Access controls: role-based access limiting employee access on a need-to-know basis.
  • Infrastructure security: Canadian data centres maintain SOC 2 Type II compliance with physical security controls.

Organizational safeguards

  • Regular security assessments and penetration testing.
  • Employee privacy and security training.
  • Incident response procedures.
  • Vendor due diligence for service providers.

Data retention

  • Account information: deleted within 30 days after termination (except where required by law).
  • User content: deleted within 30 days of request or account termination.
  • Usage logs: anonymized retention up to 12 months for service improvement.
  • Billing records: retained 7 years per Canadian tax law.

Information sharing and disclosure

Service providers

All service providers are contractually bound to process data only per company instructions, maintain confidentiality, implement appropriate security, and process data within Canada where possible. Providers include a Canadian infrastructure host (Canada), Stripe (payment processing — Canada with limited US processing for card networks), self-hosted SearXNG (web search proxied through Canadian servers; anonymized query only), and approved Canadian and EU inference partners (EU fallback uses anonymized prompt content only).

Legal requirements

Disclosure permitted only if required by law: valid Canadian court orders or subpoenas, Canadian law enforcement requests, Canadian regulatory authority requirements.

Foreign requests: because accounts and stored content reside in Canada, stored data is not subject to US law enforcement requests under the PATRIOT Act or CLOUD Act. Foreign government requests must proceed through Canadian legal channels (e.g., Mutual Legal Assistance Treaties) requiring Canadian court approval.

Business transfers

Personal information may transfer if the company is involved in a merger, acquisition, or asset sale. Notice will be provided and consent obtained where required.

Your privacy rights

Rights under PIPEDA

  • Access personal information held by the company.
  • Correct inaccurate or incomplete personal information.
  • Withdraw consent for processing (subject to legal/contractual restrictions).
  • Know how information has been used and disclosed.
  • Complain to the company or the Office of the Privacy Commissioner of Canada.

Additional rights under Quebec Law 25

Quebec residents also have rights to data portability (receive personal information in structured, commonly used format), de-indexation (request cessation of dissemination or de-indexing of hyperlinks attached to name), and to be informed about automated decision-making when decisions affecting them result solely from automated processing.

How to exercise rights

Contact the Privacy Officer at team@anitarian.ai. Response timeframe is 30 days. Identity verification may be requested.

Children's privacy

Services are not directed to individuals under 18. We do not knowingly collect personal information from children. Any discovered child personal information will be deleted promptly.

International users

Anitarian is designed for Canadian organizations and individuals. Non-Canadian users should know their information will be transferred to, stored, and processed in Canada. The European Commission recognizes Canada as providing adequate data protection; EEA users' transfers to Canada are lawful under GDPR adequacy provisions.

Changes to this policy

This policy may be updated periodically. Notification methods include posting an updated policy with a new "Last Updated" date, email notification for significant changes, and acknowledgment requirements for changes affecting rights. Continued service use after changes constitutes acceptance of the updated policy.

Contact us

Office of the Privacy Commissioner of Canada · 30 Victoria Street, Gatineau, Quebec K1A 1H3 · 1-800-282-1376

Commission d'accès à l'information du Québec · 525, boul. René-Lévesque Est, bureau 2.36, Québec G1R 5S9 · 418 528-7741


Summary

What Anitarian does

  • Stores all account data and content in Canada.
  • Anonymizes queries before routing to external service providers.
  • Encrypts data in transit and at rest.
  • Deletes data upon request.
  • Complies with PIPEDA and Law 25.

What Anitarian doesn't do

  • Share user IPs or identities with sub-processors.
  • Sell personal information.
  • Use content to train AI without consent.
  • Share data with advertisers.
  • Process foreign government requests for stored data without Canadian court approval.