AIOrouter Privacy Policy
Version: 1.2.0
Effective Date: 2026-05-13
Last Updated: 2026-05-13
French Version: Politique de confidentialité (FR)
1. Introduction & Scope
AIOCANA Technologies Inc. ("AIOrouter", "we", "us", "our"), a Canadian federal corporation based in Ontario, operates the AIOrouter API proxy service at aiorouter.ca. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the AIOrouter API, Dashboard, and website (collectively, the "Service").
This policy is governed by:
- The Personal Information Protection and Electronic Documents Act (PIPEDA) — Canada's federal privacy law
- Quebec Law 25 (formerly Bill 64) — for users in the Province of Quebec
By using the Service, you acknowledge that you have read and understood this Privacy Policy.
For a detailed technical analysis of our privacy practices, see our Privacy Impact Assessment (PIA).
2. Data Flow Overview
Understanding how your data moves is essential to transparency — a core PIPEDA principle. Here is the complete data flow for every API request:
You (Developer Application)
│
├── HTTPS (TLS 1.3 encrypted)
│
▼
AIOrouter Gateway — Montreal, Canada (GCP northamerica-northeast1)
│
├── 1. API Key Authentication
├── 2. AI Firewall (prompt injection & jailbreak detection)
├── 3. PII Scanner (automatic detection of sensitive personal information)
├── 4. Bidirectional PII Pseudonymization (reversible encryption — Phase 2+)
├── 5. Model Router (selects best available AI provider)
│
├── Outbound HTTPS (TLS 1.3) → PII-scrubbed prompt only
│
▼
AI Model Provider (DeepSeek, Qwen, Kimi, GLM, or Western providers)
│
└── Response ← back through AIOrouter to you
Critical protections before data leaves Canada:
- All prompts are automatically scanned for Personally Identifiable Information (PII) using Google Cloud DLP before the request leaves Canadian jurisdiction (Montreal GCP).
- Detected PII is redacted or pseudonymized — SINs, credit card numbers, health card numbers, email addresses, phone numbers, names, and street addresses are never sent in plaintext to external AI providers.
- Zero prompt retention: Prompts are processed in-memory only. We do NOT store, log, archive, or use your prompts for any purpose, including model training. After the API response is returned, the prompt is permanently deleted from memory.
- Metadata only: We retain only non-content metadata: user ID, model name, token count, timestamp, and cost — the minimum necessary for billing and security auditing.
3. Information We Collect
3.1 Information You Provide
| Data Element | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Email address | Account identification, billing communication, security notifications, breach notification | Consent (at signup) + Contractual necessity | Until account deletion + 30-day grace period |
| Account profile | Dashboard display, service personalization | Consent | Until account deletion |
| Support ticket transcripts (messages sent to support@aiorouter.ca, ticket subject/body, replies, status metadata) | Customer support, issue resolution, SLA tracking, abuse prevention | Contractual necessity + Legitimate interest (support operations and security) | Until ticket resolution + 1 year, or account deletion/anonymization, unless needed for legal/compliance dispute |
3.2 Information Generated by Service Use
| Data Element | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| API key (SHA-256 lookup hash only — we never store plaintext keys) | Authentication for API access | Contractual necessity | Until key revocation |
| Local account identifier | Dashboard authentication through the Canada-resident Auth Enclave | Consent + Contractual necessity | Until account deletion |
| Password hash (if password fallback is enabled — never plaintext) | Local account authentication fallback | Contractual necessity | Until account deletion or password reset |
| Passkey/WebAuthn credential public keys | Passkey-first dashboard authentication | Consent + Contractual necessity | Until credential removal or account deletion |
| TOTP secret (encrypted) and recovery-code hashes | Multi-factor authentication and account recovery | Consent + Contractual necessity | Until replacement, use, or account deletion |
| Usage records (model, tokens, timestamp, cost) | Billing, usage dashboard, cost analysis | Contractual necessity + CRA tax compliance | 7 years (Canada Revenue Agency requirement) |
| Billing transactions (Stripe payment records) | Payment processing, tax reporting, reconciliation | Contractual necessity + CRA tax compliance | 7 years |
| IP address (per API request) | Security monitoring, geo-anomaly detection, rate limiting, audit logging | Legitimate interest (security) | 90 days (with audit logs) |
| User agent (per API request) | Security monitoring, compatibility analysis | Legitimate interest (security) | 90 days |
| PII scan results (boolean detection flags + PII type names only — NO actual PII values) | Compliance audit, privacy breach detection | Legal obligation (PIPEDA) | 90 days (in GCS audit logs) |
| Consent records (scope, version, timestamp) | PIPEDA consent compliance, re-consent management | Legal obligation (PIPEDA) | Until account deletion |
| DSAR requests (request type, status, resolution) | PIPEDA Principle 9 individual access compliance | Legal obligation (PIPEDA) | 1 year after completion |
| Breach records (incident type, affected data, notification status) | PIPEDA breach notification compliance | Legal obligation (PIPEDA) | 2 years after resolution |
| Authentication audit logs (login events, MFA challenges, session activity) | Security monitoring, account takeover detection | Legitimate interest (security) | 90 days |
| Active session records (device info, IP, last activity) | Session management, remote logout | Contractual necessity | Until session expiry or logout |
3.3 Information We DO NOT Collect
- ❌ Plaintext passwords (password fallback, if enabled, stores only a one-way hash in Canadian infrastructure)
- ❌ Payment card numbers (processed entirely by Stripe — we never see or store full card numbers)
- ❌ Government-issued ID documents
- ❌ Biometric data
- ❌ Social media profiles
- ❌ Precise geolocation (we derive approximate country/region from IP address for security purposes only)
- ❌ Prompt content (processed in memory only, never stored or logged)
3.4 Prompt Content — Special Notice
Your prompts (the text you send to AI models) are never stored, logged, or retained. They exist only in server memory during the brief period between receiving your request and returning the AI model's response (typically <500ms). After the response is returned, the prompt is permanently removed from memory with no recovery possible.
We do NOT:
- Store your prompts for debugging
- Use your prompts for model training or fine-tuning
- Share your prompts with third parties (beyond the minimal PII-scrubbed forwarding to your selected AI provider)
- Log prompt content in any monitoring or analytics system
4. How We Use Your Information
We use your personal information for the following purposes, and for no other purposes without your consent:
4.1 Service Provision
- Process and route your API requests to AI model providers
- Authenticate your identity and authorize API access
- Calculate and bill for API usage
- Display usage statistics and billing history in your Dashboard
4.2 Security & Compliance
- Detect and block prompt injection attacks and jailbreak attempts (AI Firewall)
- Detect and redact Personally Identifiable Information before data leaves Canada
- Monitor for unusual API usage patterns, geo-anomalies, and potential account compromise
- Enforce rate limits and prevent service abuse
- Generate compliance audit logs as required by PIPEDA
- Detect and notify you of potential privacy breaches
4.3 Communication
- Send billing receipts, payment confirmations, and subscription updates
- Notify you of material changes to this Privacy Policy or Terms of Service
- Alert you of security incidents affecting your account
- Send service status updates and maintenance notifications (with your consent)
4.4 Service Improvement (Anonymized Only)
- Analyze aggregate, anonymized usage patterns (e.g., "Qwen3 is used 40% more often on weekends")
- Identify most-requested AI models to optimize provider relationships
- Monitor system performance and plan capacity
We do NOT use your personal information for:
- Automated individual decision-making that produces legal effects (any automated routing decisions are explained transparently)
- Profiling for marketing purposes
- Selling or renting your data to third parties
5. PII Protection & Security Safeguards
IMPORTANT LIMITATION: The security measures described in this section represent AIOrouter's commercially reasonable efforts to protect your personal information. No method of electronic storage or transmission is 100% secure. AIOrouter cannot and does not guarantee absolute security against all possible threats, including but not limited to zero-day exploits, advanced persistent threats, supply chain attacks, and sophisticated cyberattacks that may defeat any defensive system. You acknowledge and accept this residual risk as a condition of using the Service.
PIPEDA Principle 7 requires that we protect your personal information with security safeguards appropriate to the sensitivity of the information. AIOrouter implements a multi-layer Privacy Shield:
Layer 0: Privacy Infrastructure (Built-in — All Users)
| Control | Description |
|---|---|
| Zero Prompt Retention | Prompts are processed exclusively in server memory and never persisted to disk, database, or log files. Technically enforced — no storage path exists for prompt content. |
| Canada Data Residency | All infrastructure (Cloud Run, Cloud SQL, Redis, GCS, Cloud Logging audit bucket) operates in northamerica-northeast1 (Montreal, Quebec, Canada). Your data never leaves Canadian jurisdiction except for the minimal, PII-scrubbed prompt forwarded to your selected AI provider. |
| TLS 1.3 Encryption | All data in transit (both inbound from you and outbound to AI providers) is encrypted with TLS 1.3, the current industry standard. |
| HTTPS-Only | The Service only accepts connections over HTTPS. HTTP requests are automatically rejected. |
Layer 1: One-Way PII Redaction (Built-in — All Users)
| Control | Description |
|---|---|
| GCP DLP Integration | Google Cloud Data Loss Prevention (DLP) API automatically scans all outbound prompts for 7 Canadian infoTypes: SIN, credit card numbers, health card numbers, email addresses, phone numbers, person names, and street addresses. |
| Automatic Redaction | Detected PII is replaced with [REDACTED {TYPE}] before the prompt leaves our infrastructure. |
| AI Firewall | 21 rule categories detect and block prompt injection, jailbreak attempts, and malicious content before processing. |
| Response PII Scanning | AI model responses are scanned for PII leakage (some models may inadvertently return PII from their training data). Detected PII in responses is flagged in audit logs. |
Layer 1.5: Bidirectional PII Pseudonymization (Phase 2+)
When enabled, GCP DLP CryptoDeterministicConfig with AES-256-SIV encryption replaces detected PII with reversible semantic placeholders (e.g., [PERSON_1] instead of [REDACTED NAME]). This preserves LLM comprehension while maintaining cryptographic privacy — the original values can only be recovered with keys stored in GCP Cloud KMS (Montreal). See our Security Architecture for technical details.
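The following is an added illustration of the two scrubbing modes described in this section and in the "Critical protections" list above (Layer 1 one-way redaction to [REDACTED {TYPE}], Layer 1.5 reversible [PERSON_1]-style placeholders, and a flags-only audit record); it is example code written for this page, not AIOrouter's implementation. It assumes regular expressions plus Luhn checks in place of Google Cloud DLP for five of the seven infoTypes, and a per-request in-memory vault in place of AES-256-SIV with KMS-held keys; the sample prompt and its values are constructed test data.

```python
import re
from dataclasses import dataclass, field

# Detectors for 5 of the 7 Canadian infoTypes named in the policy; PERSON_NAME and
# STREET_ADDRESS need a model-based detector (Cloud DLP has one) and are omitted here.
# Longer numeric formats run first so a card number is never partly consumed by the SIN
# or phone pattern. Third field: whether a Luhn checksum must also pass.
PATTERNS = [
    ("CREDIT_CARD", re.compile(r"\b(?:\d[ -]?){15}\d\b"), True),
    ("HEALTH_CARD", re.compile(r"\b\d{4}[ -]?\d{3}[ -]?\d{3}[ -]?[A-Z]{2}\b"), False),
    ("SIN", re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), True),
    ("PHONE", re.compile(r"(?<!\d)(?:\+?1[ -.]?)?\(?\d{3}\)?[ -.]?\d{3}[ -.]?\d{4}\b"), False),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), False),
]

def luhn_ok(number: str) -> bool:
    """Luhn checksum, shared by payment card numbers and Canadian SINs."""
    digits = [int(c) for c in number if c.isdigit()]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:  # every second digit, counted from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class ScrubResult:
    text: str
    vault: dict = field(default_factory=dict)  # placeholder -> original value; never logged
    types: set = field(default_factory=set)

    def audit_record(self) -> dict:
        """All that reaches the audit log: a flag and type names, no PII values."""
        return {"pii_detected": bool(self.types), "pii_types": sorted(self.types)}

def scrub(prompt: str, reversible: bool = False) -> ScrubResult:
    """Layer 1 (reversible=False): replace PII with [REDACTED {TYPE}].
    Layer 1.5 (reversible=True): replace with deterministic [TYPE_n] placeholders (same
    value -> same token, as a deterministic cipher would) and keep a per-request vault."""
    result = ScrubResult(prompt)
    seen: dict = {}  # original value -> placeholder

    def replacer(name, needs_luhn):
        def sub(m):
            value = m.group(0)
            if needs_luhn and not luhn_ok(value):
                return value  # a digit run failing the checksum is not this infoType
            result.types.add(name)
            if not reversible:
                return f"[REDACTED {name}]"
            if value not in seen:
                n = sum(t.startswith(f"[{name}_") for t in result.vault) + 1
                seen[value] = f"[{name}_{n}]"
                result.vault[seen[value]] = value
            return seen[value]
        return sub

    for name, pattern, needs_luhn in PATTERNS:
        result.text = pattern.sub(replacer(name, needs_luhn), result.text)
    return result

def restore(response: str, vault: dict) -> str:
    """Re-identify a provider response by swapping placeholders back to originals."""
    for token, original in vault.items():
        response = response.replace(token, original)
    return response

# Constructed sample: the SIN and card number are published test values; the 9-digit
# ticket number fails the Luhn check, so it must not be flagged as a SIN.
SAMPLE_PROMPT = ("Draft a reply to jane.doe@example.com (SIN 046-454-286, "
                 "card 4111 1111 1111 1111, phone 613-555-0199). "
                 "Her ticket number is 123456789.")
```

Running `scrub(SAMPLE_PROMPT)` yields the redacted prompt and an audit record of `{"pii_detected": True, "pii_types": [...]}` with no values; `scrub(SAMPLE_PROMPT, reversible=True)` yields the placeholder form whose vault `restore()` uses to re-identify the provider's response.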
Additional Safeguards
| Control | Description |
|---|---|
| Cloud Armor WAF | Google Cloud Armor Web Application Firewall with OWASP ModSecurity Core Rule Set protects against SQL injection, XSS, path traversal, and other web attacks at the network edge. |
| CMEK Encryption at Rest | All data at rest (Cloud SQL, GCS audit logs) is encrypted using Google-managed encryption keys with optional Customer-Managed Encryption Keys (CMEK) available for enterprise customers. |
| Redis Security | Redis Memorystore connections require TLS + AUTH password authentication. Redis instances are on private VPC only — no public endpoint. |
| Non-Root Container | Production containers run as non-root user with read-only filesystem, no Linux capabilities, and distroless base images (no shell access). |
| API Key Security | API keys are stored as SHA-256 lookup hashes of 256-bit random keys. Plaintext keys are never stored and cannot be recovered — if lost, you must generate a new key. |
For complete technical details, see our Security Architecture document.
5.5 Internal Privacy Management
PIPEDA Principle 1 (Accountability) requires that we implement internal practices to protect your personal information. AIOrouter maintains the following internal privacy management program:
Employee Training: All AIOCANA Technologies Inc. personnel with access to customer data must sign a Non-Disclosure Agreement (NDA) before onboarding and complete annual privacy compliance training. Training covers:
- PIPEDA requirements and the 10 Fair Information Principles
- Quebec Law 25 obligations
- Phishing awareness and social engineering defense
- Data security best practices and incident reporting procedures
Access Control: We enforce the Principle of Least Privilege — all access to production systems requires Multi-Factor Authentication (MFA). Privileged operations are logged in audit trails stored in a Montreal GCS bucket with Object Versioning, Uniform Bucket-Level Access, public-access prevention, and a 400-day lifecycle retention policy (Bucket Lock available on Enterprise tier). Access rights are reviewed quarterly, and access is immediately revoked upon role change or departure.
Internal Audit: We conduct regular internal reviews of privacy practices, data access patterns, and security controls. Findings are documented and remediated according to severity.
These internal measures are available for partner diligence review upon request. Contact privacy@aiorouter.ca for our internal privacy management summary.
6. Data Sharing & Sub-Processors
We share your information only as described below. We do NOT sell, rent, or trade your personal information.
6.1 Sub-Processors
| Sub-Processor | Service Provided | Data Shared | Location |
|---|---|---|---|
| Google Cloud Platform (GCP) | Cloud Run, Cloud SQL, Redis Memorystore, GCS, Secret Manager, Cloud DLP, Cloud KMS | All infrastructure data (see §3.2) | Montreal, Canada |
| Stripe, Inc. | Payment processing | Payment transaction data, last 4 digits of card number, billing address (CAD) | Global (Stripe Canada) |
| DeepSeek | AI model inference (DeepSeek V4 Pro, R2) | PII-scrubbed prompt content (in-memory only) | China / Global |
| Alibaba Cloud (Qwen) | AI model inference (Qwen3-235B) | PII-scrubbed prompt content (in-memory only) | China / Global |
| Moonshot AI | AI model inference (Kimi-K2) | PII-scrubbed prompt content (in-memory only) | China |
| Zhipu AI | AI model inference (GLM-5) | PII-scrubbed prompt content (in-memory only) | China |
| Baidu AI Cloud | AI model inference (Ernie 5.0) | PII-scrubbed prompt content (in-memory only) | China |
| OpenAI | AI model inference (GPT-5.5 — at-cost) | PII-scrubbed prompt content (in-memory only) | United States |
| Anthropic | AI model inference (Claude — at-cost) | PII-scrubbed prompt content (in-memory only) | United States |
| Google AI | AI model inference (Gemini — at-cost) | PII-scrubbed prompt content (in-memory only) | United States |
Critical note about AI providers: The prompt content forwarded to AI providers has been PII-scrubbed by our security layer BEFORE leaving Canada. The AI providers receive only the redacted/pseudonymized content, NOT your original prompts with personal information.
Authentication residency: By default, AIOrouter account identifiers, passkey credential public keys, encrypted TOTP secrets, recovery-code hashes, sessions, and authentication audit logs are processed in Canadian infrastructure. Optional OAuth or enterprise SSO may involve a third-party identity provider only when enabled by AIOrouter and explicitly selected or contracted by the customer; any such provider will be disclosed before use.
6.2 When We May Disclose Information
We may disclose your information:
- With your consent — when you explicitly authorize us to do so
- To comply with legal obligations — court orders, warrants, or legally binding requests from Canadian authorities with jurisdiction
- To protect rights and safety — to investigate and defend against legal claims, fraud, or security incidents
- In a business transfer — if AIOCANA Technologies Inc. is acquired or merged, your data may be transferred as a business asset (you will be notified)
6.3 New Sub-Processors
We will notify you at least 30 days before engaging any new sub-processor not listed above. You may object to new sub-processors on reasonable data protection grounds. Enterprise customers have additional rights under our Data Processing Agreement (DPA).
7. Data Retention
We retain your personal information only as long as necessary for the purposes described in this policy:
| Data Category | Retention Period | Legal/Operational Basis |
|---|---|---|
| Email address | Until account deletion + 30 days grace | Account identification |
| API key (SHA-256 lookup hash) | Until key revocation | Authentication |
| Local account authentication records | Until account deletion | Dashboard access |
| Passkey/TOTP/recovery records | Until credential removal, replacement, use, or account deletion | MFA and account recovery |
| Usage records (model, tokens, cost) | 7 years | Canada Revenue Agency (CRA) tax record keeping requirements |
| Billing transactions (Stripe) | 7 years | CRA requirements + financial audit |
| IP addresses | 90 days | Security + audit |
| PII scan results (flags only) | 90 days | PIPEDA compliance audit |
| Consent records | Until account deletion | PIPEDA consent compliance |
| DSAR requests | 1 year after completion | PIPEDA compliance record |
| Breach records | 2 years after resolution | PIPEDA Schedule 1 requirement |
| Support ticket transcripts | Until ticket resolution + 1 year, or account deletion/anonymization unless needed for legal/compliance dispute | Customer support and SLA audit |
| Auth audit logs | 90 days | Security monitoring |
| Active sessions | Until expiry or logout | Session management |
After retention periods expire, data is permanently deleted or irreversibly anonymized. Billing records required by CRA are retained for the full 7-year period.
Prompt content is never retained — it exists only in memory during active request processing and is permanently deleted upon response.
8. Your Rights
Under PIPEDA and Quebec Law 25, you have the following rights regarding your personal information:
8.1 Right to Access
You can view your account information, usage history, billing records, and consent status directly in the AIOrouter Dashboard at any time.
8.2 Right to Data Portability (Law 25 §14)
You can export your personal data in a structured, machine-readable format via the Dashboard or by submitting a Data Subject Access Request (DSAR) to privacy@aiorouter.ca. We will respond within 30 days.
8.3 Right to Deletion (Law 25 §15)
You may request deletion of your personal information by submitting a request to privacy@aiorouter.ca. Account deletion includes:
- A 30-day grace period (you can cancel the deletion during this time)
- Immediate API key revocation upon submission
- Subscription pause (no further charges)
- Permanent data deletion after the 30-day grace period (except billing records required by CRA)
8.4 Right to Withdraw Consent
You may withdraw consent for optional data processing (marketing communications, third-party data sharing) at any time via the Dashboard. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.
8.5 Right to Challenge Compliance (PIPEDA Principle 10)
You may challenge our compliance with this Privacy Policy by contacting our Privacy Officer at privacy@aiorouter.ca. We will investigate and respond to all complaints within 30 days. You also have the right to file a complaint with:
- Office of the Privacy Commissioner of Canada (OPC): www.priv.gc.ca
- Commission d'accès à l'information du Québec (CAI): www.cai.gouv.qc.ca (for Quebec residents)
8.6 Automated Decision Transparency (Law 25 §12.1)
AIOrouter uses automated model routing to select the best AI provider for your requests based on availability, cost, and performance. This routing is purely operational (not legal or profiling). You can view which provider handled your request in the X-Provider response header. If you believe an automated routing decision has affected you negatively, contact privacy@aiorouter.ca for human review.
9. Cookies & Tracking
9.1 Dashboard (Web Application)
Our Dashboard uses essential session cookies only:
- Authentication cookie: __Host-session — httpOnly, Secure, SameSite=Strict, 15-minute expiry
- No advertising cookies, no third-party trackers, no analytics cookies
9.2 API Endpoints
Our API endpoints (/v1/*) use no cookies. Authentication is via the Authorization: Bearer {api_key} header.
9.3 Do Not Track
We honor Do Not Track (DNT) browser signals. Since we use no tracking cookies, this has no practical effect — but we respect the signal.
10. Children's Privacy
The AIOrouter Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact privacy@aiorouter.ca immediately, and we will delete the information.
11. International Data Transfers
11.1 Canada Data Residency
All primary data processing and storage occurs in Montreal, Quebec, Canada (GCP northamerica-northeast1). Your personal information (email, API key hash, usage records, billing data) never leaves Canada.
11.2 Outbound Prompt Forwarding
Your prompts, after PII scrubbing, are forwarded to AI model providers whose servers may be located in China or the United States. These transfers are:
- Minimized: Only the PII-scrubbed prompt is sent (no personal identifiers)
- Temporary: In-memory processing only — providers do not receive your identity
- Necessary: Essential for fulfilling the API service you requested
By using the Service, you consent to this minimal cross-border data transfer for the purpose of AI model inference.
12. Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Service features. When we make material changes:
- We will notify you via email (to your registered email address) at least 30 days before the changes take effect
- We will display a notice in your Dashboard
- For material changes affecting consent scope, you will be prompted to re-consent at your next Dashboard login
The version number and last updated date are displayed at the top of this page. We encourage you to review this policy periodically.
Version History:
| Version | Date | Summary of Changes |
|---|---|---|
| 1.2.0 | 2026-05-13 | Security limitation disclaimer added to §5 — clarifies that no security system is absolute; commercially reasonable efforts only |
| 1.1.0 | 2026-05-05 | Auth residency repair — default account authentication remains in Canadian infrastructure; optional third-party IdP/SSO only by opt-in disclosure |
| 1.0.0 | 2026-05-05 | Initial publication — complete PIPEDA + Law 25 compliant policy |
13. Contact & Accountability
Privacy Officer
Under PIPEDA Principle 1 (Accountability), AIOCANA Technologies Inc. has designated a Privacy Officer responsible for compliance with this Privacy Policy:
- Name: Taya Chu, Founder
- Email: privacy@aiorouter.ca
- Response Time: Within 30 days (PIPEDA statutory requirement)
General Inquiries
- Support: support@aiorouter.ca
- Billing: billing@aiorouter.ca
- Website: https://aiorouter.ca
PIPEDA Complaint Process
If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada:
- Website: www.priv.gc.ca
- Phone: 1-800-282-1376
- Mail: 30 Victoria Street, Gatineau, Quebec K1A 1H3
Quebec Residents — Law 25
Quebec residents may also file a complaint with the Commission d'accès à l'information du Québec:
- Website: www.cai.gouv.qc.ca
- Phone: 1-888-528-7741
14. Legal Basis & Governing Law
This Privacy Policy is governed by the laws of the Province of Quebec and the federal laws of Canada, including but not limited to:
- Personal Information Protection and Electronic Documents Act (PIPEDA) — S.C. 2000, c. 5
- Quebec Act Respecting the Protection of Personal Information in the Private Sector (Law 25 / formerly Bill 64)
Related Documents:
- Privacy Impact Assessment (PIA) — Detailed PIPEDA compliance analysis
- Data Processing Agreement (DPA) — For enterprise customers
- Terms of Service — Legal terms governing Service use
- Security Architecture — Technical security controls detail