Privacy Policy
Last updated: 3 July 2026 · Effective for mindforgeai.pro and MindForge AI client services
1. Organization identity
This Privacy Policy describes how MindForge AI Inc. ("MindForge AI", "we", "us") collects, uses, discloses and protects personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Ontario privacy principles.
Data controller: MindForge AI Inc.
100 King Street West, Suite 5600, Toronto, ON M5X 1C9, Canada
BN 738164025 RC0001
Privacy contact: [email protected]
2. Scope
This policy applies to personal information collected through mindforgeai.pro, our contact and enquiry forms, email and phone communications, client engagements, discovery sprints and production AI builds. It also describes our general approach to client data and model training data handled during applied-AI projects. Separate data processing agreements may apply to client engagements and supersede general terms where they conflict.
3. Personal information we collect
Website visitors and enquiries
- Contact details: name, email address, phone number, company name and job title when you submit a form or email us.
- Message content: information you provide in enquiry messages describing your project, workflow or technical requirements.
- Technical data: IP address, browser type, device information, pages visited and referral source — collected via server logs and, if consented, analytics cookies.
- Cookie and consent preferences stored locally in your browser.
Client engagement data
- Business contact information for project stakeholders, billing contacts and authorized signatories.
- Project documentation, requirements, architecture notes and communications related to AI strategy, prototypes and production deployments.
- Access credentials and API keys provided for integration work — stored securely and deleted per agreement terms.
Client data and model data
During applied-AI projects we may process client datasets, documents, knowledge base content and evaluation datasets necessary to build retrieval-augmented generation systems, fine-tune models, train ML models and run model evaluation. The categories and sensitivity of this data depend on your project. We do not use client data for unrelated purposes without explicit consent.
4. Purposes of collection and use
We collect and use personal information for the following purposes:
- Responding to enquiries and scheduling build sessions or discovery sprints.
- Delivering contracted AI design, development and consulting services including generative-AI applications, AI assistants, workflow automation and MLOps.
- Managing client relationships, invoicing CAD project fees and retainer billing.
- Operating, securing and improving our website.
- Complying with legal obligations and resolving disputes.
- Conducting model evaluation, guardrail testing and responsible-AI assessments on client-authorized data only.
We do not sell personal information. We do not use website enquiry data to train general-purpose AI models.
5. Legal bases and consent
Under PIPEDA, we rely on meaningful consent and legitimate business purposes. When you submit our contact form, you must actively consent via the PIPEDA checkbox — it is not pre-checked. You may withdraw consent for marketing communications at any time by emailing [email protected]. Withdrawal does not affect processing already completed or processing necessary to fulfil a contract.
For client projects, data processing purposes are defined in statements of work and data processing agreements. Fine-tuning or retention of client data for model improvement requires explicit written consent beyond standard project delivery.
6. Disclosure to third parties
We may share personal information with:
- Cloud infrastructure providers (hosting, compute) under contractual confidentiality obligations.
- LLM and API providers (e.g., OpenAI, Anthropic, Azure) when required to deliver client projects — subject to client-approved subprocessors.
- Professional advisors (legal, accounting) bound by confidentiality.
- Law enforcement or regulators when required by law.
Subprocessors are selected for PIPEDA-compatible practices. A list is available on request for active client engagements.
7. Cross-border transfers
Some service providers may process data in the United States or other jurisdictions. When personal information crosses borders, we assess risks and implement contractual safeguards. Client agreements specify permitted regions for data processing. On-prem or Canadian-region-only deployments are available for sensitive workloads.
8. Retention
Enquiry records are retained for up to twenty-four months unless a client relationship develops. Client project data is retained per the statement of work — typically ninety days to twelve months after project completion unless a retainer continues. Backups may persist for an additional thirty days. Financial records are retained as required by Canadian tax law. You may request deletion subject to legal retention requirements.
9. Security measures
We implement administrative, technical and physical safeguards including access controls, encryption in transit, least-privilege credentials, secure development practices and staff confidentiality obligations. No system is perfectly secure; we notify affected clients of breaches as required by law and contract.
10. Individual access and correction rights
You have the right to request access to personal information we hold about you, to challenge its accuracy and to request correction. Submit requests to [email protected] with sufficient detail to identify your records. We respond within thirty days or explain any extension permitted under PIPEDA. Access may be limited where prohibited by law or subject to legal privilege.
11. Cookies and similar technologies
Our website uses essential cookies for basic function and optional analytics cookies with your consent. See our Cookie Policy for categories, durations and opt-out instructions. Cookie consent choices are stored locally for six months.
12. Client-data and model-data handling
Client datasets used in RAG knowledge bases, fine-tuning or ML training remain client property unless otherwise agreed. We isolate client environments where feasible, log access and delete data per contract terms. Model weights fine-tuned on client data are delivered to the client or destroyed per agreement. We document human-in-the-loop review processes but do not guarantee model accuracy — evaluation results are shared candidly.
13. Children's privacy
Our services are directed at business professionals. We do not knowingly collect personal information from individuals under sixteen.
14. Office of the Privacy Commissioner of Canada
If you believe we have not addressed your privacy concern adequately, you may contact the Office of the Privacy Commissioner of Canada:
Website: www.priv.gc.ca
Toll-free: 1-800-282-1376
15. Changes to this policy
We may update this Privacy Policy to reflect legal or operational changes. Material updates will be posted on this page with a revised "Last updated" date. Continued use of our website after changes constitutes notice; active clients will be notified of material changes affecting project data.
16. Complaint handling procedure
If you submit a privacy complaint, we acknowledge receipt within five business days and investigate promptly. We document findings and corrective actions. If you remain dissatisfied after our response, you may escalate to the Office of the Privacy Commissioner of Canada. We cooperate fully with regulatory inquiries related to personal information under our control.
17. De-identification and aggregation
We may create aggregated, de-identified statistics from website analytics that cannot reasonably identify individuals. Such statistics may inform studio operations and marketing content. We do not attempt re-identification of de-identified data.
18. Automated decision-making
We do not use personal information from website forms for solely automated decisions producing legal or similarly significant effects without human review. Client AI systems we build may include automated components governed by separate client agreements and human-in-the-loop requirements.
19. Data breach notification
In the event of a breach involving personal information that creates a real risk of significant harm, we notify affected individuals and the Privacy Commissioner as required under PIPEDA. Notifications describe the circumstances, information involved and steps we are taking.
19a. Record keeping
We maintain records of consent, processing purposes and subprocessors relevant to client engagements. These records support accountability under PIPEDA and are available to clients under contract upon request.
19b. Anonymised analytics
When analytics cookies are consented to, collected data is aggregated for traffic analysis. We configure analytics to reduce identification risk and honour withdrawal of consent by ceasing optional analytics loading on subsequent visits after preference update.
19c. Employee and contractor access
Personnel with access to personal information are bound by confidentiality obligations and receive training on PIPEDA principles. Access follows least-privilege: engineers see client data required for active projects only.
19d. Privacy impact assessments
For client projects involving sensitive personal information or large-scale processing, we conduct privacy impact assessments as part of discovery. Assessments identify risks, mitigation measures and human-in-the-loop requirements before production deployment proceeds.
19e. Vendor management
We review subprocessors for security and privacy practices before engagement. Material changes to subprocessors during client projects are communicated per contract. Clients may object to new subprocessors where agreements allow alternative implementations.
19f. Contact log retention
Records of privacy-related correspondence are retained for accountability and regulatory response purposes in accordance with the retention schedules described above.
19g. Minors and employment data
Our B2B services are not directed at minors. We do not knowingly collect personal information from children. Employment-related personal information of client personnel processed during projects is handled solely for project delivery under client direction and contract terms.
20. Contact
Privacy inquiries: [email protected]
General: [email protected]
Phone: +1 (416) 704-2851
Mail: MindForge AI Inc., 100 King Street West, Suite 5600, Toronto, ON M5X 1C9, Canada