Privacy Policy
Date: July 15, 2025
1. Introduction
CompliantAI Inc. ("Stepscale," "we," "us," or "our") is a Canadian artificial intelligence (AI) software company headquartered at 100 King St West, Toronto, ON M5X 1C7, Canada. We build AI agent technology for small- and medium-sized businesses ("SMBs") across North America.
Protecting the privacy, confidentiality, and security of our customers' information is foundational to our values. This Privacy Policy explains how we collect, use, disclose, and safeguard "Personal Information" (defined below) when you interact with our websites, platform, APIs, and related services (collectively, the "Services").
This policy is drafted to comply with:
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA);
Applicable provincial private-sector privacy statutes (e.g., Alberta's PIPA, B.C.'s PIPA, Québec's Law 25);
Relevant U.S. federal and state laws such as the California Consumer Privacy Act (CCPA) where those laws apply to our activities; and
Generally accepted privacy principles contained in the EU's General Data Protection Regulation (GDPR) for customers located in the European Economic Area.
By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy and agree to the practices described herein.
2. Scope & Applicability
This Privacy Policy applies to Personal Information that we process about:
Customers & Authorized Users – individuals who register for or use a Stepscale account, including employees of our corporate customers.
Website Visitors – individuals who visit or interact with our public websites or marketing pages.
Prospects & Business Contacts – individuals who communicate with us, request a demo, download content, or otherwise express interest in our Services.
It does not apply to anonymous or aggregated information that cannot reasonably be linked to an identifiable individual.
3. Definitions
Personal Information ("PI") – information about an identifiable individual as defined under PIPEDA and analogous laws.
Processing – any operation performed on PI, such as collection, use, storage, disclosure, or deletion.
Controller / Business – the organization that determines the purposes and means of processing PI (Stepscale when we handle our customers' own PI).
Processor / Service Provider – an entity that processes PI on behalf of a Controller.
Sub-Processor – a third-party vendor engaged by Stepscale to process PI as part of providing the Services.
4. Information We Collect
Personal Information – Includes your name, email, phone number, job title, company, and billing details.
Usage Data – Data such as IP addresses, browser type, device information, and interaction logs with our platform to improve user experience and functionality.
Third-Party Data – Information from third-party integrations, used strictly on a need-to-know basis to provide our Services.
We do not knowingly collect sensitive personal data such as social insurance numbers, health data, or children's data, nor do we use any customer data to train machine-learning models.
5. How We Use Information
Service Delivery & Operations
Authenticate users, provide our AI agents, process prompts, and display results.
Improve & Develop the Services
Analyze anonymized or aggregated usage patterns to improve our user experience.
Debug and monitor service issues using Highlight.io (PI is redacted where feasible).
Security & Fraud Prevention
Detect, investigate, and prevent malicious activity, spam, or abuse.
Customer Support
Respond to inquiries, troubleshoot bugs, and fulfill requests.
Legal & Compliance
Comply with applicable laws, lawful requests, and enforce our Terms and Conditions.
Marketing (Optional / Consent-Based)
Send product updates, event invitations, or promotional content. You may unsubscribe at any time via the link in each email.
We are committed to the confidentiality and integrity of your data. Under no circumstances is customer data used to train or improve our AI models. Furthermore, all third-party model providers commit to refrain from using any information you provide for the purpose of training their own models.
6. Legal Bases for Processing
Under PIPEDA, we collect, use, and disclose Personal Information with your knowledge and consent, except where otherwise permitted or required by law. Depending on your jurisdiction, our lawful bases include:
Performance of a Contract – processing necessary to provide the Services you requested.
Consent – for optional marketing or non-essential cookies.
Legitimate Interests – operating our platform, preventing fraud, improving security (balanced against your rights and expectations).
Legal Obligation – compliance with tax, accounting, and other statutory requirements.
7. Sub-Processors & Third-Party Vendors
We engage carefully vetted service providers and sub-processors who process Personal Information strictly under our instructions.
AWS – Hosting, storage, networking
OpenRouter – Large language model inference
OpenAI – Large language model inference
Highlight.io – Error logging
Pipedream – Integration orchestration
Stripe – Payments processing
8. Data Retention & Deletion
Upon termination, customers may request complete deletion of their data. We will fulfill verified requests within 14 days and confirm completion.
9. International & Cross-Border Data Transfers
Stepscale's infrastructure is hosted in the United States. Accordingly, your Personal Information may be transferred from Canada or other locations to the U.S. and subject to U.S. laws.
We rely on the following safeguards:
Contractual measures requiring U.S. vendors to provide a comparable level of protection to Canadian standards.
Encryption in transit (TLS 1.2/1.3) and at rest (AES-256) for all customer content.
Disclosure to individuals that their PI may be accessible to U.S. authorities under lawful orders.
10. Security Safeguards
We implement administrative, technical, and physical controls aligned with industry standards including:
Encryption in transit (TLS 1.2/1.3) and at rest (AES-256).
Virtual Private Network segmentation, Application and Network Firewalls, and DDoS mitigation.
Vulnerability scanning and penetration testing.
Access audits and anomaly detection.
11. Your Privacy Rights & Choices
Depending on your jurisdiction, you may have the right to:
Access the Personal Information we hold about you.
Correct inaccurate or incomplete Personal Information.
Delete Personal Information under certain circumstances.
Data Portability – receive a copy in a structured, machine-readable format.
Withdraw Consent for non-essential processing such as marketing emails.
To exercise any of these rights, please email privacy@stepscale.ai. We will respond within 30 days (or the timeframe required by applicable law).
12. Cookies & Similar Technologies
We use cookies and local storage to:
Authenticate users and maintain sessions (strictly necessary).
Remember user preferences.
Perform aggregate analytics via privacy-focused tools (e.g., Highlight.io) to improve our Services.
Where required by law, we obtain your consent before setting non-essential cookies. You can adjust browser settings to refuse cookies; however, some features may not function properly.
13. Data Breach Response & Notification
In the event of a security incident involving Personal Information, we follow a documented incident-response plan that includes:
Immediate containment and investigation.
Internal escalation to our response team.
Notification to affected customers within 24 hours of confirmation of a breach.
Cooperation with regulatory authorities as required by law.
Post-incident review and remediation.
14. Children's Privacy
Our Services are intended for business users aged 18 and older. We do not knowingly collect Personal Information from children under 13. If we learn that such information has been provided, we will delete it promptly.
15. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect operational, legal, or regulatory changes. If we make material changes, we will provide notice via email at least 30 days before the new terms take effect. Your continued use of the Services after the effective date constitutes acceptance of the revised Policy.