Privacy Policy

Architected Intelligence Platform
Effective Date: March 14, 2026
Last Updated: March 14, 2026

Architected Intelligence ("we," "us," "our," or the "Company") operates the Architected Intelligence Platform (the "Platform"), a hosted software product that enables organizations to create, run, and monitor automations. Each customer organization receives a dedicated Platform instance hosted and managed by Architected Intelligence — it is not a public, multi-tenant service.

This Privacy Policy describes how we collect, use, store, disclose, and protect personal information in connection with the Platform.

This Privacy Policy complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Canadian provincial privacy legislation. It also satisfies the disclosure requirements of the Google API Services User Data Policy, including the Limited Use requirements, and the Microsoft APIs Terms of Use.

1. Accountability

Architected Intelligence has designated a Privacy Officer responsible for our compliance with this Privacy Policy and applicable privacy legislation.

Privacy Officer Contact:
Email: [email protected]
Mailing Address: 31 Naples Blvd, Hamilton, ON L9B 2J3, Ontario, Canada

2. Information We Collect

2.1 Account Information

When your organization registers for the Platform, we collect:

• Name, email address, and phone number of account holders and authorized users
• Timezone preference for scheduling and display purposes
• Organization name and billing address
• Payment and billing information (processed by our third-party payment processor)
• Role and department membership within your organization

2.2 Authentication and Security Data

We collect and store the following authentication-related information:

• Passwords: Stored using bcrypt hashing; we never store passwords in plain text. We retain hashes of the 5 most recent passwords to prevent password reuse.
• Session Data: IP address, user agent, and last activity timestamp for each active session.

2.3 OAuth Tokens (Encrypted at Rest)

When you connect third-party services to the Platform, we collect and store:

• Google: OAuth 2.0 access tokens, refresh tokens, provider email address, and the specific scopes you granted (Gmail, Google Drive, Google Calendar). We receive your name, email address, and profile picture from your Google account during authentication.
• Microsoft: OAuth 2.0 access tokens, refresh tokens, provider email address, and granted scopes (Outlook, Calendar). We receive similar profile information from your Microsoft account during authentication.

All OAuth tokens are encrypted at rest using Laravel's encryption (AES-256-CBC).

2.4 API Keys and Credentials (Encrypted at Rest)

Customers may optionally provide their own API keys for use with the Platform:

• AI Provider API Keys: Keys for OpenAI, Anthropic, Groq, and other AI providers you configure.
• External API Credentials: Keys for Brave Search, custom API connections, and other services used by your automations.

All API keys and credentials are encrypted at rest. We use these keys solely to execute automations on your behalf and do not share them with any third party.

2.5 Usage and Activity Data

We automatically collect:

• AI Usage Logs: Which user initiated the request, which AI model was used, token counts, and associated costs.
• Operation History: Job run records including status, cost, duration, and log entries.
• Audit Log: Records of all create, read, update, and delete actions, including old and new values and the identity of the user who performed each action.
• Session and Access Logs: IP addresses, browser type (user agent), pages visited, and timestamps.

2.6 Customer-Managed Data

Your organization may process its own business data ("Customer Data") through automations you create on the Platform. This includes:

• Job Data Store: Automations may store structured data from your pipelines (e.g., web search results, extracted content, processed records). The nature of this data is determined entirely by the automations you configure.
• Job Configurations: Parameters and settings you define for each automation.
• File Attachments: Output files generated by automations (e.g., Excel exports, PDF reports).

You control what data flows through your automations. Customer Data may contain sensitive or personal information depending on how you configure your automations. You are responsible for ensuring your use of the Platform complies with applicable privacy laws with respect to any personal information contained in your Customer Data.

3. Google API Services — User Data Policy Compliance

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

3.1 How We Use Google User Data

We access Google user data solely to provide the Platform's automation features that you have explicitly configured and authorized:

• Gmail: To read, compose, send, and manage email messages as directed by your automations.
• Google Drive: To read, create, modify, and organize files and folders as directed by your automations, and to store automation output files on your behalf.
• Google Calendar: To read, create, modify, and manage calendar events as directed by your automations.

We request only the specific scopes necessary for the features you choose to enable. We do not use Google user data for any purpose other than providing the specific Platform features you have chosen to use.

3.2 Limited Use Disclosure

In accordance with Google's Limited Use requirements:

1. We limit our use of Google user data to providing user-facing features that are prominent in our Platform's user interface.
2. We do not transfer Google user data to third parties unless: (a) it is necessary to provide user-facing features that are prominent in our Platform's user interface; (b) it is necessary for security purposes (e.g., investigating abuse); (c) it is necessary to comply with applicable law; or (d) the data is aggregate and anonymized and used for internal operations.
3. We do not use Google user data for serving advertisements, including retargeting, personalized advertising, or interest-based advertising.
4. We do not allow humans to read Google user data unless: (a) we have obtained the user's affirmative consent; (b) it is necessary for security purposes; (c) it is necessary to comply with applicable law; or (d) our use is limited to internal operations and the data has been aggregated and anonymized.

3.3 Google User Data and AI-Powered Automations

The Platform enables you to build automations that may combine data from multiple services. When you configure an automation that reads data from Google services (such as Gmail messages or Google Drive files) and processes that data using an AI provider (such as OpenAI, Anthropic, or Groq), the relevant content is transmitted to the AI provider solely to execute the automation you explicitly configured. This constitutes a user-directed, user-facing feature of the Platform.

In such cases: (a) the transfer occurs only because you configured the automation to do so; (b) the data is used only to generate the output you requested; (c) we do not use Google user data to train, improve, or fine-tune any AI or machine learning models; and (d) no Google user data is retained by the AI provider beyond what is necessary to process the specific request, subject to the AI provider's own data handling policies.

You are responsible for reviewing the data handling practices of any AI provider you choose to integrate with your automations.

3.4 Storage and Retention of Google User Data

• Google OAuth tokens are stored encrypted at rest on our servers.
• Google user data processed by your automations is retained only as long as necessary to execute the automation or as configured by your organization.
• You may revoke the Platform's access to your Google account at any time through your Google Account permissions page (https://myaccount.google.com/permissions) or through the Platform's settings.
• Upon disconnection or account deletion, we delete your stored Google OAuth tokens and any cached Google user data within 30 days.

4. Microsoft API Services — User Data Policy Compliance

Our use of information received from Microsoft APIs (via Microsoft Graph) adheres to the Microsoft APIs Terms of Use and the Microsoft Publisher Agreement.

4.1 How We Use Microsoft User Data

We access Microsoft user data solely to provide the Platform's automation features that you have explicitly configured and authorized:

• Outlook: To read, compose, send, and manage email messages as directed by your automations.
• Microsoft Calendar: To read, create, modify, and manage calendar events as directed by your automations.

We request only the specific Microsoft Graph permissions necessary for the features you choose to enable. We do not use Microsoft user data for any purpose other than providing the specific Platform features you have chosen to use.

4.2 Data Handling

• We do not use Microsoft user data for advertising, marketing, or any purpose unrelated to the Platform features you have configured.
• We do not sell, rent, or lease Microsoft user data to any third party.
• We access Microsoft user data only as necessary to execute the automations you have configured.

4.3 Microsoft User Data and AI-Powered Automations

As with Google data (see Section 3.3), when you configure an automation that reads data from Microsoft services (such as Outlook messages) and processes that data using an AI provider, the relevant content is transmitted to the AI provider solely to execute the automation you explicitly configured. The same safeguards apply: (a) the transfer occurs only at your direction; (b) the data is used only to generate the output you requested; (c) we do not use Microsoft user data to train, improve, or fine-tune any AI or machine learning models; and (d) no Microsoft user data is retained by the AI provider beyond what is necessary to process the specific request, subject to the AI provider's own data handling policies.

4.4 Storage and Retention of Microsoft User Data

• Microsoft OAuth tokens are stored encrypted at rest on our servers.
• Microsoft user data processed by your automations is retained only as long as necessary to execute the automation or as configured by your organization.
• You may revoke the Platform's access to your Microsoft account at any time through your Microsoft account settings (https://account.microsoft.com/privacy) or through the Platform's settings.
• Upon disconnection or account deletion, we delete your stored Microsoft OAuth tokens and any cached Microsoft user data within 30 days.

5. Purposes for Collecting, Using, and Disclosing Personal Information

We collect, use, and disclose personal information for the following purposes:

• Providing the Platform: To operate, maintain, and deliver the features of the Platform, including executing automations you configure.
• Account Management: To create and manage your account, authenticate your identity, and manage your subscriptions.
• Communication: To send you service-related notices, security alerts, and support messages.
• Improvement: To analyze usage patterns and improve the Platform's functionality, performance, and reliability.
• Security: To detect, prevent, and respond to fraud, abuse, security incidents, and technical issues.
• Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
• Billing: To process payments and manage your subscription.

We do not sell personal information. We do not use personal information for automated decision-making or profiling that produces legal effects.

6. Consent

By creating an account and using the Platform, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy.

For Google and Microsoft API data, you provide explicit consent when you authorize the Platform to access your account through the OAuth consent flow. You may withdraw this consent at any time by disconnecting the relevant account through the Platform's settings or through your Google or Microsoft account settings.

Where we rely on consent, you may withdraw it at any time by contacting our Privacy Officer or using the relevant Platform settings. Withdrawal of consent may affect our ability to provide certain features of the Platform.

7. Limiting Collection

We collect only the personal information necessary for the purposes identified in this Privacy Policy. We request only the minimum Google and Microsoft API scopes and permissions required to deliver the automation features you choose to use. We periodically review our data collection practices to ensure they remain proportionate to the Platform's functionality.

8. Accuracy

We take reasonable steps to ensure that the personal information we hold is accurate, complete, and up to date for the purposes for which it is used. You may update your account information at any time through the Platform's settings. If you become aware that personal information we hold about you is inaccurate or incomplete, please contact our Privacy Officer and we will correct it promptly.

9. Limiting Use, Disclosure, and Retention

9.1 Use and Disclosure

We do not use or disclose personal information for purposes other than those for which it was collected, except with your consent or as required by law.

We may share personal information with the following categories of third parties, solely to the extent necessary for the stated purposes:

• AI Providers (OpenAI, Anthropic, Groq, and others): When your automations use AI features, prompts and content are transmitted to the relevant AI provider for processing. We send only the data necessary to execute the specific automation. If you provide your own API keys, requests are made using your credentials. AI providers may have their own data retention and usage policies; we encourage you to review them.
• Email Service Provider (Resend): We use Resend to deliver transactional emails and notifications. Resend receives recipient email addresses and notification content necessary for delivery.
• Google and Microsoft: OAuth token exchanges and authorized access to your Gmail, Google Drive, Google Calendar, Outlook, and Microsoft Calendar data per the scopes you granted. We access only the data required by your automations.
• Search Providers (Brave Search): When your automations perform web searches, search queries are transmitted to Brave Search for processing.
• Infrastructure Providers: Cloud hosting and database services that store and process data on our behalf, located in Canada or jurisdictions with comparable privacy protections.
• Payment Processors: To process subscription payments. We do not store full credit card numbers on our servers.
• Legal and Compliance: Law enforcement, regulators, or other parties when required by applicable law, regulation, or legal process.

All third-party service providers are bound by contractual obligations to protect personal information and use it only for the purposes for which it was disclosed, except where the customer has provided their own API keys, in which case the customer's direct relationship with that provider governs.

9.2 Retention

We retain personal information only as long as necessary to fulfil the purposes for which it was collected, or as required by law. Specifically:

• Account Data: Retained for the duration of your subscription and for up to 90 days following account closure.
• OAuth Tokens: Deleted within 30 days of disconnection or account closure.
• Platform Logs: Retained for up to 12 months for security and troubleshooting purposes.
• Billing Records: Retained as required by applicable tax and financial reporting legislation.
• Customer Data: Retained and deleted in accordance with your organization's configuration and instructions.

10. Safeguards

We protect personal information using security safeguards appropriate to the sensitivity of the information, including:

• Encryption of data in transit (TLS 1.2+) and at rest
• AES-256-CBC encrypted storage of all OAuth tokens, API keys, and credentials
• Bcrypt hashing of all passwords with password reuse prevention
• Role-based access controls and department-level data isolation within the Platform
• Comprehensive audit logging of all data access and modifications
• Session management with IP and user agent tracking
• Regular security assessments and vulnerability monitoring
• Incident response procedures with notification obligations
• Employee access limited to those with a business need

10.1 Breach Notification

In the event of a breach of security safeguards involving personal information that creates a real risk of significant harm to individuals, we will:

• Notify the Office of the Privacy Commissioner of Canada as soon as feasible, and in any event within 72 hours of our determination that a reportable breach has occurred.
• Notify affected individuals as soon as feasible, with a description of the breach, the types of personal information involved, steps we are taking to mitigate harm, and steps individuals can take to protect themselves.
• Notify any other organization or government institution that may be able to reduce the risk of harm.
• Maintain records of all breaches of security safeguards, whether or not they meet the reporting threshold, for a minimum of 24 months.

11. Openness

This Privacy Policy is publicly available on our website at https://archint.net/privacy. We make information about our privacy policies and practices readily available. Upon request, our Privacy Officer will provide:

• A description of the types of personal information we hold and the general purposes for which it is used.
• A copy of this Privacy Policy and any supplementary privacy documentation.
• Information about how to make an access or correction request or file a complaint.

We will notify users of material changes to this Privacy Policy by email or through the Platform at least 30 days before the changes take effect.

12. Individual Access and Correction

You have the right to:

• Access the personal information we hold about you by submitting a request to our Privacy Officer.
• Correct inaccurate or incomplete personal information.
• Request deletion of your personal information, subject to legal retention obligations.
• Export your data in a machine-readable format.
• Withdraw consent for specific processing activities.

We will respond to access and correction requests within 30 days. If we cannot fulfil a request, we will provide written reasons.

To exercise any of these rights, contact our Privacy Officer at the address listed in Section 1.

13. Challenging Compliance

You have the right to challenge our compliance with this Privacy Policy and applicable privacy legislation by contacting our Privacy Officer.

If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada:

• Website: https://www.priv.gc.ca
• Phone: 1-800-282-1376

14. Cross-Border Data Transfers

Our servers are located in Canada and the United States. Your dedicated Platform instance may be hosted in either jurisdiction depending on your subscription configuration. Personal information may also be accessible from or processed in jurisdictions outside Canada through third-party service providers. For example, AI service providers may process data in the United States. In such cases, the information may be subject to the laws of those jurisdictions. We mitigate risk through contractual data protection agreements with all sub-processors, limiting cross-border transfers to service providers with demonstrated security practices, and ensuring that any transfer is necessary for the operation of the Platform. A list of sub-processors and their jurisdictions is available upon request from our Privacy Officer.

15. Customer Data and Data Processing

As a B2B platform, your organization acts as the data controller for Customer Data processed through the Platform. We act as a data processor on your behalf. Your organization is responsible for:

• Ensuring a lawful basis for processing any personal information contained in Customer Data.
• Providing appropriate privacy notices to individuals whose data is processed through your automations.
• Complying with applicable privacy laws regarding Customer Data.

We process Customer Data solely in accordance with your instructions as implemented through your automation configurations. We recommend that organizations using the Platform maintain their own privacy policies and data processing agreements with their end users and data subjects.

A Data Processing Agreement (DPA) is available upon request for customers who require formal data processor terms, including details on sub-processors, breach notification timelines, data subject rights assistance, and audit rights. Contact our Privacy Officer to request a DPA.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by email or in-Platform notification. The "Last Updated" date at the top of this policy indicates the most recent revision.

17. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact:

Privacy Officer
Architected Intelligence
31 Naples Blvd, Hamilton, ON L9B 2J3
Ontario, Canada
Email: [email protected]

This Privacy Policy was last reviewed on March 14, 2026.