Artificial Perfection
WorkWebsitesApplicationsStudioStart a project

— Legal

Privacy Policy.

We collect what we need to respond to inquiries, prepare quotes, deliver projects, support clients, and protect the service. We never sell your data.

Last updated · July 14, 2026

On this page

  1. 1. Information we collect
  2. 2. How we use it
  3. 3. AI, chat & voice services
  4. 4. Google sign-in
  5. 5. Scheduling tools
  6. 6. Website assessment tool
  7. 7. Files you upload
  8. 8. Data sharing & processors
  9. 9. Data security
  10. 10. Your rights & how to exercise them
  11. 11. Cookies
  12. 12. Cross-border transfer
  13. 13. Data retention
  14. 14. Breach notification
  15. 15. Healthcare clients (BAA / DPA)
  16. 16. Canadian & provincial compliance
  17. 17. Children's privacy
  18. 18. Changes to this policy
  19. 19. Privacy Officer & contact

1. Information we collect

We collect only what's needed to deliver the service you asked for. The full inventory:

  • Account information: Name, email address, company name, and a hashed password when you create or receive access to a client workspace. Phone number if you provide one.
  • Sign-in identifiers: If you sign in with Google, we receive your Google email, full name, profile picture URL, and a Google account identifier (the sub claim). See section 4.
  • Inquiry and project information: Business details, design preferences, links you submit, documents, brief answers, quote requests, audit inputs, email messages, and project notes. This may be collected before an account exists so our team can evaluate the request and respond.
  • Payment information: Card details are entered directly into Stripe and never reach our servers. We retain only Stripe customer, payment, invoice, or payment-link identifiers, the amount, currency, and tax breakdown.
  • Voice recordings: If you use the voice-input feature, the audio is sent to a third-party transcription provider (see section 3) and the resulting text is stored with your project record. The audio file itself is discarded after transcription.
  • Files you upload: Support-ticket attachments, design-review uploads, proposal files, and screenshots. See section 7.
  • Scheduling data: If you schedule a call, we receive your name, email, time zone, meeting time, and form answers from the scheduling provider or email thread. See section 5.
  • Website-assessment input: If you use our free site-assessment / compliance-scan tool, we record the URL you submit, the technology fingerprint of that site, and a screenshot. See section 6.
  • Usage and security data: Pages visited, features used, IP address, user agent, and session activity — used for product improvement and abuse detection (rate limits, breach forensics).
  • Support communications: Messages, attachments, and feedback submitted through our ticket system, design-review tools, and contact form.

2. How we use your information

  • Respond to inquiries, prepare quotes, deliver approved projects, coordinate launch, and provide agreed support.
  • Authenticate you and protect your account (rate limits, breach detection, audit logs).
  • Process payments, issue invoices and receipts, and meet Canadian tax-record obligations.
  • Communicate with you about project updates, support tickets, design reviews, and service-impacting events.
  • Improve our website, client workspace, and internal workflow — measured in aggregate. We do not use your project content or chat transcripts to train external models.
  • Comply with legal obligations and respond to lawful requests from authorities.

3. AI, chat & voice services

We may use AI and voice tools to help with first-pass project discovery, internal drafting, support triage, and chat responses. Formal quotes, proposals, and project commitments are reviewed by our team before delivery.

  • xAI (Grok), United States — powers AI-assisted chat, brief drafting, and internal response drafts. Your prompts and relevant project context may be sent to xAI's API to generate a response. xAI states it does not train on API content; we pass the same restriction through.
  • Groq, United States — powers voice transcription. When you record audio in our interface, the audio is sent to Groq's Whisper endpoint and a text transcript is returned. The audio file is not retained by us after transcription. OpenAI Whisper is used as a fallback if Groq is unavailable.
  • AI-generated drafts, summaries, and suggested replies are reviewed by a human where they affect scope, pricing, delivery commitments, or client-facing proposals.
  • You can opt out of voice input at any time — typed input always works.

4. Google sign-in

If you choose Continue with Google on the sign-in or registration page, we use Google's OAuth 2.0 flow to authenticate you. From Google we receive:

  • Your Google email address (the same email becomes your account email here).
  • Your full name and profile picture URL (used to populate your profile).
  • A stable Google account identifier (the sub claim) that we store so we can re-recognize the same Google account on future sign-ins.

We do not receive — and do not request — access to your Gmail, Calendar, Contacts, Drive, or any other Google service. Google's own privacy policy applies to data Google holds about you. You can revoke our access at any time at myaccount.google.com/permissions — that prevents future sign-ins but does not delete the account you've already created with us; for that, see section 10.

5. Scheduling tools

If we use Calendly or another scheduling tool for a call, we receive your name, email, time zone, meeting time, and any answers you provide on the booking form. The scheduling provider's own privacy policy applies to data it holds. We use scheduling data only to run the call, send reminders, and follow up about the project.

6. Website assessment tool

Our free assessment tool lets you submit a URL and receive a compliance / performance report. When you use it:

  • We fetch the public homepage of the URL you submit and analyse its TLS configuration, response headers, performance characteristics, cookie banners, and visible third-party trackers.
  • We retain the URL, a compact technology fingerprint, the report we generated, and (optionally) a single screenshot.
  • You should only run assessments on websites you own or have permission to scan. We log the IP and account that triggered each scan; abusive use will be blocked.
  • Assessments are linked to your account if you are signed in. If not, they are kept anonymously for 12 months and then deleted.

7. Files you upload

Support-ticket attachments, design-review uploads, proposal files, and screenshots are stored on our servers and are accessible only to you, the assigned team members, and our administrators. Filenames are randomised so they cannot be guessed by URL, and direct file access requires an authenticated session. Please do not upload personal health information, credit-card numbers, or other sensitive data unless a signed BAA / DPA or equivalent written agreement covers that workflow — see section 15.

8. Data sharing & processors

We do not sell your personal information. We share data only with the third-party processors below, each under contractual data-protection terms:

  • Stripe (United States) — payment processing, invoices, and payment links.
  • xAI / Grok (United States) — generative AI for chat, summaries, drafting, and internal workflow assistance.
  • Groq (United States) — voice transcription (Whisper). OpenAI is a fallback provider.
  • Google (United States) — Google sign-in (OAuth) and, where applicable, Google Analytics for site usage.
  • Resend (United States) — transactional and service email delivery.
  • Calendly or similar scheduling tools — call scheduling when used.
  • Hosting providers — hosting of our own website and, where separately scoped, client staging or production websites. Specific providers may vary by project and compliance requirements.
  • Legal authorities — only when required by valid legal process.

9. Data security

  • HTTPS / TLS on every page (HSTS enforced in production).
  • Passwords stored as bcrypt hashes; never logged in plain text.
  • Strict Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers.
  • HttpOnly + Secure + SameSite=Lax session cookies; admin and client sessions are isolated.
  • CSRF tokens (timing-safe verification) on every state-changing request, with same-origin guard as a fallback.
  • Database-backed login rate limiting (5 attempts per IP per 5 minutes).
  • Stripe webhook signatures verified (HMAC-SHA256, 5-minute replay window).
  • File uploads validated by MIME type and extension whitelist; outbound URL fetching is bounded (size + redirect limits) to prevent server-side request forgery.
  • Card data never touches our servers — handled entirely by Stripe.

10. Your rights & how to exercise them

Under PIPEDA, Quebec Law 25, and equivalent provincial statutes (HIA, HIPA, PHIA, PHIPA), you have the right to:

  • Access a copy of the personal information we hold about you.
  • Correct inaccurate or incomplete personal information.
  • Delete your account and associated personal data ("right to erasure").
  • Port your data — receive an export in a machine-readable format (JSON).
  • Withdraw consent for any non-essential processing at any time.
  • Opt out of marketing communications (every email includes an unsubscribe link, per CASL).

To exercise any of these rights, email privacy@apworks.cloud from the address on file. We will acknowledge within 5 business days and complete the request within 30 days. We may need to keep certain records longer where the law requires (e.g. tax records — see section 13).

11. Cookies

We use essential session cookies (AP_CLIENT_SID) to protect forms and maintain client sign-in state. These are HttpOnly, Secure in production, and SameSite=Lax. The public website does not currently load advertising pixels or non-essential analytics cookies. If optional analytics are introduced, this policy and the consent controls will be updated before those tools are enabled.

12. Cross-border data transfer

Artificial Perfection Ltd. is a Canadian company operating under Canadian privacy law. Several of our processors (Stripe, xAI, Groq, Google, Resend, Calendly) operate in the United States. By using our services you consent to the cross-border transfer of your personal information to the United States and other jurisdictions where our processors operate. We require each processor to maintain protections substantially equivalent to those of PIPEDA. Healthcare clients on our compliance-tier hosting can request a Canada-only data-residency configuration — disclosed and contractually committed in the BAA / DPA.

13. Data retention

  • Account data: retained as long as your account is active; deleted within 30 days of an erasure request, except where retention is required by law.
  • Chat transcripts and AI-assisted drafts: retained for 12 months and then anonymised where practical, unless they are part of an active project record.
  • Voice recordings: not retained after transcription. Transcripts follow the conversation retention rule above.
  • Website assessments: 12 months.
  • Uploaded files: retained as long as the parent ticket / project / proposal is active; permanently deleted 90 days after that.
  • Scheduling data: 24 months.
  • Payment and tax records: 7 years (Canadian tax-record law).
  • Security logs (login attempts, admin audit log): 12 months.
  • Backups: retained for up to 30 days on rolling cycle; deletion requests are honoured in active databases immediately and propagate to backups within the rotation cycle.

14. Breach notification

If we discover a security breach involving your personal information that creates a real risk of significant harm, we will:

  • Notify affected individuals as soon as feasible where the breach creates a real risk of significant harm.
  • Report the breach to the Office of the Privacy Commissioner of Canada and applicable provincial commissioners as required by law.
  • Maintain an internal breach record for 24 months as required by PIPEDA.
  • For healthcare clients on our compliance tier, notify per the BAA / DPA — typically 24 hours.

Our breach notice will describe what happened, what data was involved, what we've done about it, and what you can do to protect yourself.

15. Healthcare clients (BAA / DPA)

If you are a regulated health-information custodian or trustee (clinic, practice, hospital, etc.) and your project handles protected health information (PHI), we will sign a Business Associate Agreement (HIPAA), a Data Processing Agreement aligned with PHIPA / HIA / PIPA / HIPA / PHIA / Law 25, or both, before any PHI is transmitted to or stored on systems we manage. PHI may not be uploaded to standard project tools, chat, AI assistants, or voice transcription unless the written compliance agreement specifically allows it.

16. Canadian & provincial compliance

We comply with:

  • PIPEDA and applicable substantially similar provincial privacy laws — applied according to the activity, location, and information involved.
  • CASL (federal) — marketing messages are sent only on an applicable consent basis and include the required sender details and unsubscribe mechanism.
  • Quebec Law 25 — explicit consent, breach notification, data residency on request, designated Privacy Officer.
  • Provincial health-privacy statutes — PHIPA (ON), HIA (AB), PIPA (BC), HIPA (SK), PHIA (MB / NS / NL), PHIPAA (NB), HIA (PEI), HIPMA (YT), HIA (NWT) — applied via our healthcare tier.
  • HIPAA (US) — for US-based healthcare clients on our healthcare tier with a signed BAA.

You may file a complaint with the Office of the Privacy Commissioner of Canada or your provincial commissioner if you believe we have not handled your information properly. We'd appreciate the chance to address it directly first — see section 19.

17. Children's privacy

Our services are intended for businesses and adult users. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact our Privacy Officer and we will delete it.

18. Changes to this policy

We may update this Privacy Policy as we add features or as the law changes. The "Last updated" date at the top of this page reflects the most recent revision. Material changes (new categories of data, new processors, weakened rights) will be announced by email to active accounts at least 14 days before they take effect.

19. Privacy Officer & contact

Per PIPEDA Principle 1 and Quebec Law 25, we have designated a Privacy Officer responsible for our compliance:

  • Privacy Officer: David Qi, Co-Founder
  • Email: privacy@apworks.cloud
  • General inquiries: hello@apworks.cloud
  • Mailing address: Artificial Perfection Ltd., Toronto, Ontario, Canada

For data-rights requests, security disclosures, or breach notifications, please email the Privacy Officer directly. We acknowledge within 5 business days.

Questions about how your data is handled?

Artificial Perfection
WorkJournalTermshello@apworks.cloud

© 2026 Artificial Perfection Ltd. · Toronto, Ontario, Canada