1. Information we collect
We collect only what's needed to deliver the service you asked for. The full inventory:
- Account information: Name, email address, company name, and a hashed password when you register. Phone number if you provide one.
- Sign-in identifiers: If you sign in with Google, we receive your Google email, full name, profile picture URL, and a Google account identifier (the "sub" claim). See section 4.
- Project information: Business details, design preferences, links you submit, documents, and answers shared during our AI-guided onboarding or Quick Brief process. This may be collected before you register so we can generate an instant proposal.
- Payment information: Card details are entered directly into Stripe and never reach our servers. We retain only Stripe customer / charge / subscription identifiers, the amount, currency, and tax breakdown.
- Voice recordings: If you use the voice-input feature, the audio is sent to a third-party transcription provider (see section 3) and the resulting text is stored with your project record. The audio file itself is discarded after transcription.
- Files you upload: Support-ticket attachments, design-review uploads, proposal files, and screenshots. See section 7.
- Booking data: If you schedule a strategy call, we receive your name, email, time zone, and meeting time from Calendly. See section 5.
- Website-assessment input: If you use our free site-assessment / compliance-scan tool, we record the URL you submit, the technology fingerprint of that site, and a screenshot. See section 6.
- Usage and security data: Pages visited, features used, IP address, user agent, and session activity — used for product improvement and abuse detection (rate limits, breach forensics).
- Support communications: Messages, attachments, and feedback submitted through our ticket system, design-review tools, and contact form.
2. How we use your information
- Deliver the service you bought (build, host, maintain, support).
- Authenticate you and protect your account (rate limits, breach detection, audit logs).
- Process payments, issue invoices and receipts, and meet Canadian tax-record obligations.
- Communicate with you about project updates, support tickets, design reviews, and service-impacting events.
- Improve our platform — measured in aggregate. We do not use your project content or AI conversations to train external models.
- Comply with legal obligations and respond to lawful requests from authorities.
3. AI & voice services
Our platform uses AI for project discovery, content drafting, and customer support, plus voice input for hands-free Quick Brief.
- xAI (Grok), United States — powers the AI assistants and Quick Brief drafting. Your prompts and the relevant project context are sent to xAI's API to generate a response. xAI states it does not train on API content; we pass the same restriction through.
- Groq, United States — powers voice transcription. When you record audio in our interface, the audio is sent to Groq's Whisper endpoint and a text transcript is returned. The audio file is not retained by us after transcription. OpenAI Whisper is used as a fallback if Groq is unavailable.
- AI-generated artifacts (proposals, briefs, draft replies) are reviewed by a human on our team before delivery to you.
- You can opt out of voice input at any time — typed input always works.
4. Google sign-in
If you choose Continue with Google on the sign-in or registration page, we use Google's OAuth 2.0 flow to authenticate you. From Google we receive:
- Your Google email address (the same email becomes your account email here).
- Your full name and profile picture URL (used to populate your profile).
- A stable Google account identifier (the "sub" claim) that we store so we can re-recognize the same Google account on future sign-ins.
We do not receive — and do not request — access to your Gmail, Calendar, Contacts, Drive, or any other Google service. Google's own privacy policy applies to data Google holds about you. You can revoke our access at any time at myaccount.google.com/permissions — that prevents future sign-ins but does not delete the account you've already created with us; for that, see section 10.
5. Bookings (Calendly)
Strategy calls are scheduled through Calendly (United States). When you book a call we receive your name, email, time zone, the time of the meeting, and any answers you provide on the booking form. Calendly's own privacy policy applies to data Calendly holds. We use Calendly bookings only to run the scheduled call and to send reminder emails (24h and 1h before).
6. Website assessment tool
Our free assessment tool lets you submit a URL and receive a compliance / performance report. When you use it:
- We fetch the public homepage of the URL you submit and analyse its TLS configuration, response headers, performance characteristics, cookie banners, and visible third-party trackers.
- We retain the URL, a compact technology fingerprint, the report we generated, and (optionally) a single screenshot.
- You should only run assessments on websites you own or have permission to scan. We log the IP and account that triggered each scan; abusive use will be blocked.
- Assessments are linked to your account if you are signed in. If not, they are kept anonymously for 12 months and then deleted.
7. Files you upload
Support-ticket attachments, design-review uploads, proposal files, and screenshots are stored on our servers and are accessible only to you, the assigned team members, and our administrators. Filenames are randomised so they cannot be guessed by URL, and direct file access requires an authenticated session. Please do not upload personal health information, credit-card numbers, or other sensitive data unless you are on our healthcare-grade hosting plan with a signed BAA / DPA in place — see section 15.
9. Data security
- HTTPS / TLS on every page (HSTS enforced in production).
- Passwords stored as bcrypt hashes; never logged in plain text.
- Strict Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers.
- HttpOnly + Secure + SameSite=Lax session cookies; admin and client sessions are isolated.
- CSRF tokens (timing-safe verification) on every state-changing request, with same-origin guard as a fallback.
- Database-backed login rate limiting (5 attempts per IP per 5 minutes).
- Stripe webhook signatures verified (HMAC-SHA256, 5-minute replay window).
- File uploads validated by MIME type and extension whitelist; outbound URL fetching is bounded (size + redirect limits) to prevent server-side request forgery.
- Card data never touches our servers — handled entirely by Stripe.
10. Your rights & how to exercise them
Under PIPEDA, Quebec Law 25, and equivalent provincial statutes (HIA, HIPA, PHIA, PHIPA), you have the right to:
- Access a copy of the personal information we hold about you.
- Correct inaccurate or incomplete personal information.
- Delete your account and associated personal data ("right to erasure").
- Port your data — receive an export in a machine-readable format (JSON).
- Withdraw consent for any non-essential processing at any time.
- Opt out of marketing communications (every email includes an unsubscribe link, per CASL).
To exercise any of these rights, email privacy@apworks.cloud from the address on file. We will acknowledge within 5 business days and complete the request within 30 days. We may need to keep certain records longer where the law requires (e.g. tax records — see section 13).
12. Cross-border data transfer
Artificial Perfection Ltd. is a Canadian company operating under Canadian privacy law. Several of our processors (Stripe, xAI, Groq, Google, Resend, Calendly) operate in the United States. By using our services you consent to the cross-border transfer of your personal information to the United States and other jurisdictions where our processors operate. We require each processor to maintain protections substantially equivalent to those of PIPEDA. Healthcare clients on our compliance-tier hosting can request a Canada-only data-residency configuration — disclosed and contractually committed in the BAA / DPA.
13. Data retention
- Account data: retained as long as your account is active; deleted within 30 days of an erasure request, except where retention is required by law.
- AI conversations: retained for 12 months and then anonymised (linked identifiers stripped).
- Voice recordings: not retained after transcription. Transcripts follow the conversation retention rule above.
- Website assessments: 12 months.
- Uploaded files: retained as long as the parent ticket / project / proposal is active; permanently deleted 90 days after that.
- Booking data (Calendly): 24 months.
- Payment and tax records: 7 years (Canadian tax-record law).
- Security logs (login attempts, admin audit log): 12 months.
- Backups: retained for up to 30 days on rolling cycle; deletion requests are honoured in active databases immediately and propagate to backups within the rotation cycle.
14. Breach notification
If we discover a security breach involving your personal information that creates a real risk of significant harm, we will:
- Notify the affected individuals within 72 hours of confirming the breach, by email to the address on file.
- File a Privacy Breach Report with the Office of the Privacy Commissioner of Canada (and provincial commissioners where applicable) on the same timeline.
- Maintain an internal breach record for 24 months as required by PIPEDA.
- For healthcare clients on our compliance tier, notify per the BAA / DPA — typically 24 hours.
Our breach notice will describe what happened, what data was involved, what we've done about it, and what you can do to protect yourself.
15. Healthcare clients (BAA / DPA)
If you are a regulated health-information custodian or trustee (clinic, practice, hospital, etc.) and your project handles protected health information (PHI), we will sign a Business Associate Agreement (HIPAA), a Data Processing Agreement aligned with PHIPA / HIA / PIPA / HIPA / PHIA / Law 25, or both, before any PHI is transmitted to or stored on our infrastructure. Our healthcare-tier hosting selects a region matching your provincial requirement (e.g. Quebec data stays in Quebec or Canada). PHI may not be uploaded to non-healthcare-tier services — including our standard ticket system, AI assistants, or voice transcription.
16. Canadian & provincial compliance
We comply with:
- PIPEDA (federal) — applies to all our commercial activities.
- CASL (federal) — every commercial email has an unsubscribe link.
- Quebec Law 25 — explicit consent, breach notification, data residency on request, designated Privacy Officer.
- Provincial health-privacy statutes — PHIPA (ON), HIA (AB), PIPA (BC), HIPA (SK), PHIA (MB / NS / NL), PHIPAA (NB), HIA (PEI), HIPMA (YT), HIA (NWT) — applied via our healthcare tier.
- HIPAA (US) — for US-based healthcare clients on our healthcare tier with a signed BAA.
You may file a complaint with the Office of the Privacy Commissioner of Canada or your provincial commissioner if you believe we have not handled your information properly. We'd appreciate the chance to address it directly first — see section 19.
17. Children's privacy
Our services are intended for businesses and adult users. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact our Privacy Officer and we will delete it.
18. Changes to this policy
We may update this Privacy Policy as we add features or as the law changes. The "Last updated" date at the top of this page reflects the most recent revision. Material changes (new categories of data, new processors, weakened rights) will be announced by email to active accounts at least 14 days before they take effect.
19. Privacy Officer & contact
Per PIPEDA Principle 1 and Quebec Law 25, we have designated a Privacy Officer responsible for our compliance:
- Privacy Officer: David Qi, Co-Founder
- Email: privacy@apworks.cloud
- General inquiries: hello@apworks.cloud
- Mailing address: Artificial Perfection Ltd., Toronto, Ontario, Canada
For data-rights requests, security disclosures, or breach notifications, please email the Privacy Officer directly. We acknowledge within 5 business days.