Privacy Policy

Last updated: 2026-04-19  ·  Aletheos Technologies Inc.  ·  Ontario, Canada

1. Who We Are

Aletheos Technologies Inc. ("Aletheos", "we", "us") operates the privacy intelligence platform at aletheos.tech. We help individuals and businesses exercise their legal right to data erasure under GDPR Article 17, CCPA, and related privacy laws.

Our contact email for privacy matters is privacy@aletheos.tech.

2. Data We Collect

When you create an account or use our services, we collect:

• Account data: your email address, used to issue your API key and communicate with you.
• Scan inputs: names, email addresses, and other identifiers you submit for scanning — used only to perform the requested scan.
• Usage data: scan counts, API key usage, and plan tier — used for quota enforcement and billing.
• Technical data: IP addresses and request timestamps — used for rate limiting and security.

3. How We Use Your Data

• To deliver the privacy scanning and removal services you requested.
• To send transactional emails (account confirmation, scan reports).
• To enforce usage quotas and prevent abuse.
• To improve our broker database and scan accuracy.

We do not sell your data. We do not use your data for advertising. We do not share your scan inputs with third parties except to submit removal requests to data brokers on your behalf.

4. Scan Reports & Audit Trails

When a scan is performed, a one-time downloadable report is generated and emailed to you. Aletheos does not store these reports permanently — they are generated on demand for privacy reasons. Once downloaded, it is your responsibility to retain them.

5. Data Retention

• Account data is retained for the life of your account.
• Scan inputs and results are retained for 90 days, then permanently deleted.
• Usage logs are retained for 12 months for quota and billing purposes.
• You may request deletion of all your data at any time by emailing privacy@aletheos.tech.

6. Your Rights (GDPR, CCPA & PIPEDA)

Regardless of where you reside, you have the right to:

• Access the personal data we hold about you (PIPEDA Principle 4.9, GDPR Art. 15, CCPA §1798.110).
• Correct inaccurate data (PIPEDA Principle 4.9, GDPR Art. 16).
• Request deletion of your data (GDPR Article 17, CCPA §1798.105, PIPEDA equivalent).
• Withdraw consent at any time (PIPEDA Principle 4.3.8). Withdrawal will not affect processing that has already occurred.
• Restrict or object to processing.
• Data portability (GDPR Art. 20).
• File a complaint with the Privacy Commissioner of Canada or the Ontario Information and Privacy Commissioner.

To exercise any of these rights, contact us at privacy@aletheos.tech. We will respond within 30 days.

6a. Privacy Officer (PIPEDA Accountability)

Under PIPEDA Principle 1 (Accountability), Aletheos designates a Privacy Officer responsible for compliance with Canadian privacy law.

• Privacy Officer contact: privacy@aletheos.tech
• Mailing address: Ontario, Canada (full street address available upon written request)

6b. Data Residency & Cross-Border Transfer

Aletheos stores customer data on infrastructure located outside Canada:

• Database: Supabase — Amazon Web Services, US East (Ohio / us-east-2).
• API hosting: Railway — Amazon Web Services (US regions).
• Website hosting: Hostinger KVM 4 VPS (Americas region).
• Email delivery: SendGrid (US).
• Payments: Stripe (US, Canada).

By using Aletheos, you consent to the transfer, storage, and processing of your personal data outside Canada, including in the United States. Data in these jurisdictions may be subject to foreign legal processes (including U.S. law enforcement access under statutes such as the CLOUD Act) that would not apply if the data remained in Canada. You have the right to withdraw this consent — contact our Privacy Officer to do so.

7. Security

All data is transmitted over TLS. API keys are hashed before storage. We use Supabase with Row Level Security enabled. Our infrastructure is hosted on Railway (API) and Hostinger (website), both of which maintain SOC 2 compliant environments. In the event of a privacy breach involving a real risk of significant harm, we will notify affected individuals and the Privacy Commissioner of Canada as required by PIPEDA (s. 10.1).

8. Third-Party Sub-Processors

• Supabase — database hosting (AWS us-east-2)
• Railway — API hosting (AWS US)
• Hostinger — website hosting
• SendGrid — transactional email delivery
• Stripe — subscription billing & PCI-compliant payment processing
• Cloudflare — DNS, TLS, Workers AI inference
• OpenAI, Anthropic, Google, Groq, Together AI — AI model scanning (your scan inputs are sent only when you explicitly run an AI Model Scan)
• Kaggle, Hugging Face — SLM training infrastructure (not used for customer PII)

A current sub-processor list is maintained in the Data Processing Agreement.

9. Cookies & Tracking

We use strictly necessary cookies to maintain session state in the consumer dashboard. We do not use advertising cookies or cross-site trackers. We do not sell personal information. Analytics cookies, if enabled, require your consent per PIPEDA — see our Cookie Policy.

10. CASL (Email Communications)

We comply with Canada's Anti-Spam Legislation (CASL). We send commercial electronic messages only to recipients who have given express consent. Every commercial email includes our business identity, a physical mailing address, and a one-click unsubscribe link. Unsubscribe requests are honoured within ten (10) business days. See our CASL Compliance statement.

11. Retention

Under PIPEDA Principle 4.5, personal data is retained only as long as necessary to fulfill the purposes for which it was collected.

• Account data — life of the account plus 12 months
• Scan inputs — deleted after the scan completes unless retained for your audit record
• Billing records — 7 years (Canadian tax retention)
• CASL consent records — 3 years after the consent relationship ends
• Breach records — 2 years after remediation (PIPEDA recordkeeping)

12. Governing Law & Disputes

This Privacy Policy and our processing of your personal data are governed by PIPEDA (federal) and the applicable provincial privacy laws of Ontario, Canada. Any disputes shall be brought in the courts of Ontario, Canada.

13. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated by email to registered users. Continued use of the platform after changes constitutes acceptance.