Privacy Policy
Effective Date: February 5, 2026
Last Reviewed: February 5, 2026
Next Review Date: February 5, 2026
Version: 1.0
1. Introduction
Bridgit ("we," "us," or "our") is committed to protecting your privacy and personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our services.
Compliance Framework: This policy is designed to align with ISO 27001 and SOC2 Trust Services Criteria. Bridgit is not currently certified unless otherwise stated. We comply with:
- The General Data Protection Regulation (GDPR) for users in the European Economic Area
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws for Canadian users
- Applicable data protection laws in other jurisdictions where we operate
Important Notice: Bridgit acts as a Data Processor for organizational customers who are Data Controllers. This means our business customers determine the purposes and means of processing personal data, while we process data on their behalf according to their instructions.
2. Data Controller Information
Data Controller:
Bridgit
Ottawa, Ontario
Email: info@askbridgit.ca
Website: www.askbridgit.ca
Data Protection Officer:
Matthew Bromwich
Email: mbromwich@askbridgit.ca
For questions about this Privacy Policy or to exercise your privacy rights, please contact our Data Protection Officer using the information above.
3. Personal Information We Collect
We collect the following categories of personal information:
| Category | Examples | Legal Basis (GDPR) |
|---|---|---|
| Identity Data | Name, username, title, organizational role | Contract performance |
| Contact Data | Email address, telephone number, mailing address | Contract performance |
| Usage Data | Information about how you use our services, access times, pages viewed, interaction patterns | Contract performance |
| Profile Data | Preferences, feedback, survey responses, account settings | Contract performance |
| Financial Data | Payment card details, billing information, transaction history | Contract performance |
Legal Basis for Processing (GDPR): We process your personal information based on contract performance - processing is necessary to fulfill our contractual obligations to you or your organization.
PIPEDA Compliance: For Canadian users, we process personal information in accordance with PIPEDA and applicable provincial privacy laws. We collect personal information only for purposes that a reasonable person would consider appropriate in the circumstances.
4. How We Use Your Personal Information
We use your personal information for the following purposes:
Primary Purposes:
- Service Delivery: To provide, maintain, and improve our services
- Account Management: To create and manage your account
- Communication: To respond to inquiries, provide customer support, and send service-related notifications
- Transaction Processing: To process payments and fulfill orders
- Security: To detect, prevent, and address technical issues, fraud, and security incidents
Secondary Purposes:
- Service Improvement: To analyze usage patterns and improve user experience
- Compliance: To comply with legal obligations and enforce our terms of service
Consent: Where required by law, we will obtain your explicit consent before using your personal information for purposes beyond those for which it was originally collected.
5. AI Features and Automated Processing
AI Model Training Policy
We do not permit AI service providers to train on user data. We have contractual agreements with our AI providers that prohibit the use of customer data for model training purposes.
User Responsibilities
Users are responsible for ensuring that sensitive, confidential, or personal data is not submitted to AI-assisted features without appropriate safeguards. We recommend:
- Anonymizing data before using AI features
- Reviewing outputs before relying on them
- Understanding that AI features are assistive tools, not decision-makers
No Automated Decision-Making
We do not engage in fully automated decision-making with legal or similarly significant effects. Our AI features are assistive and require human review. All AI-generated content should be reviewed and validated by users before use in decision-making processes.
GDPR Article 22 Compliance: You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. Our services do not perform such automated decision-making.
6. Data Sharing and Disclosure
Service Providers (Sub-Processors)
We may share your personal information with trusted third-party service providers who assist us in operating our services, including:
- Cloud hosting providers
- Payment processors
- Customer support platforms
- Analytics services
Sub-Processor List: A current list of sub-processors is available upon request by contacting our Data Protection Officer.
Data Processing Agreements: All sub-processors are bound by data processing agreements that require them to protect your personal information and process it only according to our instructions.
Legal Disclosures
We may disclose your personal information when required by law or in response to:
- Court orders or legal processes
- Requests from government authorities
- Protection of our rights, property, or safety
- Prevention of fraud or security threats
Business Transfers
In the event of a merger, acquisition, or sale of assets, your personal information may be transferred to the acquiring entity. We will notify you of any such change and the choices you may have.
No Sale of Personal Information: We do not sell your personal information to third parties for marketing purposes.
7. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
Retention Periods by Category:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account Data | Duration of active account + 2 years | Contract performance, legal obligations |
| Transaction Records | 7 years from transaction date | Tax, accounting, and legal requirements |
| Usage Logs | 13 months | Security monitoring, service improvement |
| Marketing Consents | Until consent withdrawn + 3 years | Compliance documentation |
| Support Communications | 3 years from last interaction | Customer service quality, dispute resolution |
Current Retention Development: Our retention policy is currently in development, and retention periods are evolving as our processes are refined. The periods above represent our target framework. We will update this policy as our retention procedures are finalized.
Deletion Procedures: After the retention period expires, we securely delete or anonymize personal information in accordance with our data deletion procedures and applicable legal requirements.
8. International Data Transfers
GDPR Transfers
If you are located in the European Economic Area (EEA), your personal information may be transferred to and processed in countries outside the EEA, including Canada. We ensure such transfers comply with GDPR requirements through:
- Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with service providers
- Adequacy Decisions: We transfer data to countries recognized by the European Commission as providing adequate protection
- Additional Safeguards: We implement supplementary measures where necessary to ensure data protection
PIPEDA Cross-Border Transfers
For Canadian users, when we transfer personal information outside Canada, we take steps to ensure your information receives comparable protection, including contractual commitments from recipients.
Your Rights: You have the right to obtain information about the safeguards we use for international transfers by contacting our Data Protection Officer.
9. Your Privacy Rights
GDPR Rights (EEA Users)
You have the following rights under GDPR:
| Right | Description |
|---|---|
| Access | Request copies of your personal information |
| Rectification | Request correction of inaccurate or incomplete data |
| Erasure | Request deletion of your personal information ("right to be forgotten") |
| Restriction | Request limitation of processing in certain circumstances |
| Data Portability | Receive your data in a structured, machine-readable format |
| Objection | Object to processing based on legitimate interests |
| Withdraw Consent | Withdraw consent where processing is based on consent |
| Lodge Complaint | File a complaint with your supervisory authority |
PIPEDA Rights (Canadian Users)
Under PIPEDA, you have the right to:
- Access your personal information held by us
- Challenge the accuracy and completeness of your information
- Request correction of errors or omissions
- Withdraw consent for certain uses (subject to legal or contractual restrictions)
- File a complaint with the Office of the Privacy Commissioner of Canada
Exercising Your Rights
To exercise any of these rights, please contact our Data Protection Officer at mbromwich@askbridgit.ca. We will respond to your request:
- GDPR: Within one month (extendable by two months for complex requests)
- PIPEDA: Within 30 days, with possible extension to 60 or 90 days in certain circumstances
Identity Verification: We may require proof of identity before processing requests to protect your privacy.
No Fee: We do not charge a fee for processing rights requests unless they are manifestly unfounded, excessive, or repetitive.
10. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience and analyze service usage.
Types of Cookies We Use:
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential Cookies | Enable core functionality, security, and session management. These cannot be disabled. | Session/1 year |
| Functional Cookies | Remember your preferences and settings to provide enhanced features | 1-2 years |
Your Cookie Choices
Browser Settings: You can configure your browser to refuse cookies or alert you when cookies are being sent. Note that disabling essential cookies may prevent you from using certain features.
Cookie Management: You can manage your cookie preferences through our cookie consent banner or by contacting us.
Do Not Track
Some browsers transmit "Do Not Track" signals. Our services do not currently respond to Do Not Track signals, as there is no industry consensus on how to interpret them.
11. Data Security
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.
Security Measures Include:
Technical Safeguards:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Multi-factor authentication for account access
- Regular security testing and vulnerability assessments
- Intrusion detection and prevention systems
- Secure software development practices
Organizational Safeguards:
- Access controls and role-based permissions
- Employee confidentiality agreements
- Security awareness training
- Incident response procedures
- Regular security policy reviews
ISO 27001 and SOC2 Alignment: Our security practices are designed to align with ISO 27001 information security management standards and SOC2 Trust Services Criteria for security, availability, and confidentiality.
Breach Notification: In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and applicable supervisory authorities within the timeframes required by law (72 hours under GDPR; as soon as practicable under PIPEDA).
12. Children's Privacy
We do not knowingly collect personal information from minors under the age of 16 (or the applicable age of digital consent in your jurisdiction). Our services are not directed to children.
Parental Notice: If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information promptly.
Parental Rights: If you believe we have collected information from your child, please contact us immediately at info@askbridgit.ca.
13. Third-Party Links and Services
Our services may contain links to third-party websites, applications, or services that are not operated by us. This Privacy Policy does not apply to third-party services.
Your Responsibility: We encourage you to review the privacy policies of any third-party services you access. We are not responsible for the privacy practices of third parties.
14. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or service offerings.
Notification of Changes:
- Material Changes: We will notify you by email or through a prominent notice on our website at least 30 days before the changes take effect
- Minor Changes: We will update the "Last Reviewed" date at the top of this policy
Your Continued Use: Your continued use of our services after changes become effective constitutes acceptance of the updated Privacy Policy.
Policy Archive: Previous versions of this policy are available upon request.
15. Contact Information and Complaints
General Inquiries
For questions about this Privacy Policy or our privacy practices:
Email: info@askbridgit.ca
Data Protection Officer: mbromwich@askbridgit.ca
Address: Bridgit, Ottawa, Ontario
Website: www.askbridgit.ca
Filing Complaints
GDPR (EEA Users): You have the right to lodge a complaint with your local supervisory authority if you believe we have violated your data protection rights.
PIPEDA (Canadian Users): You may file a complaint with the Office of the Privacy Commissioner of Canada:
- Website: www.priv.gc.ca
- Toll-free: 1-800-282-1376
Internal Resolution: We encourage you to contact us first so we can address your concerns directly.
16. Additional Jurisdiction-Specific Rights
California Residents (CCPA)
If you are a California resident, you may have additional rights under the California Consumer Privacy Act, including:
- Right to know what personal information is collected
- Right to know if personal information is sold or disclosed
- Right to opt-out of the sale of personal information
- Right to deletion
- Right to non-discrimination
Note: We do not sell personal information as defined by CCPA.
Other Jurisdictions
If you reside in a jurisdiction with specific privacy laws, you may have additional rights. Please contact us to learn more about your rights.
17. Definitions
Personal Information/Personal Data: Information that identifies, relates to, or could reasonably be linked with you or your household.
Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
Data Controller: The entity that determines the purposes and means of processing personal data.
Data Processor: An entity that processes personal data on behalf of the Data Controller.
Sub-Processor: A third-party processor engaged by a Data Processor.
18. Consent and Acknowledgment
By using our services, you acknowledge that you have read, understood, and agree to this Privacy Policy. Where required by law, we will obtain your explicit consent for specific processing activities.
Withdrawal of Consent: Where processing is based on consent, you may withdraw your consent at any time by contacting us. This will not affect the lawfulness of processing based on consent before its withdrawal.
End of Privacy Policy
This policy was generated with AI assistance.