Privacy Policy

Effective Date: March 2026

1. Introduction

This Privacy Policy describes how 8103763 Canada Inc. (dba OFFICEPIER) ("we", "us", or "our") collects, uses, shares, and protects information in connection with your use of our AUDIGYD platform, websites, mobile applications, and services (collectively, the "Services").

We are committed to protecting your privacy and handling your data in a transparent and secure manner. This policy applies to all users of our Services, including account holders, workspace members, and visitors to our website.

2. Information We Collect

2.1 Personal Information

We collect information that you provide directly to us when you create an account, request a demo, fill out a form, subscribe to our services, or communicate with us. This includes:

• Full name and email address
• Company name, job title, and department
• Phone number (optional)
• Billing information (processed and stored by Stripe; we do not store payment card numbers)
• Account preferences and settings

2.2 Usage Information

When you use the Services, we automatically collect certain information about your device and how you interact with our platform, including:

• IP address and approximate geolocation
• Browser type, version, and operating system
• Pages visited, features used, and time spent on the platform
• Referring URLs and search terms
• Device identifiers for mobile application users

2.3 Audit Data

When you use the audit and compliance features of the Services, you may upload, create, or generate the following types of data ("Audit Data"):

• Audit templates, questionnaires, and assessment frameworks
• Evidence files (documents, images, spreadsheets, PDFs)
• Audit responses, scores, verdicts, and comments
• Compliance reports and analytics data
• Collaboration messages, comment threads, and activity logs

Important: Audit Data may contain Personally Identifiable Information (PII). AUDIGYD provides automated PII detection and de-identification capabilities to help you protect sensitive data within evidence files. It is your responsibility to ensure that data uploaded to the platform complies with applicable privacy laws.

3. How We Use Information

We use the information we collect for the following purposes:

• Provide and maintain the Services: Including account creation, workspace management, audit workflows, and collaboration features
• Process transactions: Billing, invoicing, and subscription management via Stripe
• Communicate with you: Service updates, security notifications, and transactional emails via SendGrid
• Improve the Services: Analytics, usage patterns, and feature development
• AI features: Template generation, scoring suggestions, PII detection, and evidence evaluation (processed via Azure OpenAI, with in-region processing)
• Security: Malware scanning, fraud detection, and abuse prevention
• Legal compliance: Meeting regulatory obligations, responding to legal requests

4. Data Controller vs. Data Processor

Under GDPR and similar privacy frameworks:

• We act as the Data Controller for personal information we collect directly from you (account information, billing data, usage data, marketing communications).
• We act as the Data Processor for Audit Data that you upload, create, or process through the platform. You (or your organization) are the Data Controller for this data. We process it solely on your behalf and in accordance with your instructions.

Enterprise customers may request a Data Processing Agreement (DPA) by contacting hello@audigyd.com.

5. Data Hosting & Residency

AUDIGYD is hosted on Microsoft Azure. During tenant creation, you select a data residency region. All Customer Data — including Audit Data, evidence files, and AI processing — remains within the selected region:

• United States: Azure East US / West US (Virginia & California)
• European Union: Azure West Europe (Netherlands)
• Canada: Azure Canada Central (Toronto)
• Australia: Azure Australia East (Sydney)
• United Kingdom: Azure UK South (London)
• United Arab Emirates: Azure UAE North (Dubai)

Azure OpenAI processing occurs within the same region as your data. We do not send your data to OpenAI's public API unless you explicitly configure a BYOK (Bring Your Own Key) integration with your own OpenAI API key.

Data never crosses regional boundaries without your explicit consent. Cross-region data transfers, if authorized, comply with Standard Contractual Clauses (SCCs) or equivalent safeguards.

6. Data Security

We implement industry-leading security measures to protect your data:

• Encryption at rest: AES-256 encryption for all stored data
• Encryption in transit: TLS 1.3 for all data transmitted between clients and servers
• Authentication: Microsoft Entra CIAM with support for multi-factor authentication (MFA) and enterprise SSO (SAML 2.0, OIDC)
• Access control: Role-based access control (RBAC) enforced at the API level
• Malware scanning: All uploaded files are automatically scanned for malware before storage
• PII detection: Automated detection and de-identification of personally identifiable information in evidence files
• Backups: Hourly incremental backups and daily full backups with 90-day retention
• Monitoring: 24/7 infrastructure monitoring with anomaly detection and automated alerting
• DDoS protection: CloudFlare DDoS mitigation and Web Application Firewall (WAF)

7. Cookies & Tracking

We use cookies and similar technologies to:

• Essential cookies: Session management, authentication, and security (required for the Services to function)
• Analytics cookies: Understanding how users interact with our website and platform (can be disabled)
• Preference cookies: Remembering your settings and preferences

We do not use third-party advertising cookies or sell your data to advertisers. You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent you from using certain features of the Services.

8. Subprocessors

We use the following third-party services to provide the Services. Each subprocessor has been evaluated for security and privacy compliance:

We will notify you of any changes to our subprocessor list at least 30 days in advance. Enterprise customers with DPAs will receive direct notification.

9. Your Rights

Depending on your location and applicable privacy laws (GDPR, PIPEDA, CCPA/CPRA), you may have the following rights:

• Right to Access: Request a copy of the personal data we hold about you
• Right to Rectification: Correct inaccurate or incomplete personal data
• Right to Erasure: Request deletion of your personal data (subject to legal retention requirements)
• Right to Data Portability: Export your data in a machine-readable format (JSON, CSV)
• Right to Restrict Processing: Limit how we process your personal data
• Right to Object: Object to processing for direct marketing or legitimate interest purposes
• Right to Withdraw Consent: Withdraw previously given consent at any time
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights (CCPA)

To exercise any of these rights, contact us at hello@audigyd.com. We will respond within 30 days (or sooner as required by applicable law).

10. Data Retention

• Account data: Retained for as long as your account is active, plus 30 days after account deletion to allow for data export
• Audit and compliance records: Retained for 7 years to comply with regulatory requirements
• Billing records: Retained for 7 years for tax and accounting purposes
• Usage logs: Retained for 90 days for security and debugging purposes
• Marketing communications: Until you unsubscribe or request deletion

You may request deletion of your account and associated data at any time. Certain data may be retained as required by law or for legitimate business purposes (e.g., fraud prevention, dispute resolution).

11. Children's Privacy

The Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information promptly. If you believe we have inadvertently collected information from a child under 16, please contact us at hello@audigyd.com.

12. International Data Transfers

If you access the Services from outside Canada, your information may be transferred to and processed in Canada or the Azure region you selected during tenant creation. We ensure that all international data transfers comply with applicable data protection laws through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with all subprocessors
• Adherence to PIPEDA's accountability principle for cross-border transfers

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Effective Date" above. For material changes that affect how we process your personal data, we will provide at least 30 days' notice via email.

Your continued use of the Services after any changes constitutes your acceptance of the revised policy.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

• Email: hello@audigyd.com
• Security inquiries: security@audigyd.com
• Phone: +1 (442) 201-1940
• Address: 55 Commerce Valley Dr W, Suite 502, Thornhill, ON L3T 7V9, Canada

For privacy complaints, you may also contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.