Privacy Policy

Last updated: May 16, 2026

Assyro Inc. and its affiliates, collectively "Assyro," "we," "our," or "us," recognize the importance of privacy. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard Personal Information in connection with our websites, including www.assyro.com, our authenticated platform at app.assyro.com, our products and services, and our interactions with customers, users, prospects, suppliers, and other business contacts.

Assyro is based in Ontario, Canada. This Privacy Policy is designed to address our obligations under Canadian private-sector privacy law, including the Personal Information Protection and Electronic Documents Act, and to explain our practices for business customers, users, and prospects in the United States. If a separate customer agreement, data processing addendum, business associate agreement, or other written agreement applies, that agreement may contain additional terms for customer content processed through the Assyro platform.

Additional trust and legal resources are available on our Legal page, including our Terms of Use and Security page.

Meaning of Personal Information

"Personal Information" means information about an identifiable individual as described under applicable privacy laws. It may include name, email address, telephone number, account identifiers, device identifiers, IP address, usage data, support communications, and information contained in documents uploaded to our services.

Personal Information does not include information that has been anonymized or aggregated so that there is no serious possibility it can be used to identify an individual. In some Canadian jurisdictions, business contact information used solely to communicate with an individual in relation to their employment, business, or profession may also be excluded from the definition of Personal Information.

Information We Collect

We collect Personal Information directly from you, automatically from your browser or device, from your organization, and from service providers or partners that help us provide, secure, and improve our products and services. The categories we collect may include:

Contact and account information. Name, email address, phone number, job title, company name, business address, username, authentication information, account role, and other information provided through forms, onboarding, meetings, support tickets, or platform registration.

Customer content. Content and documents that you or your organization upload, submit, or process through the products or services, including regulatory documents, submission materials, validation files, monitoring inputs, comments, prompts, outputs, and related metadata.

Technical and usage data. IP address, browser type, device identifiers and characteristics, operating system, login timestamps, pages viewed, referring pages, actions performed, feature usage, activity logs, server logs, request metadata, error data, and security events.

Billing information. Billing contact details, subscription or invoice history, tax information, and limited payment method metadata, such as card brand, last four digits, and expiry date. We use third-party payment processors such as Stripe and do not store full payment card numbers.

Feedback and communications. Opinions, comments, product feedback, call notes, support requests, survey responses, emails, and other communications with us.

Prospect and relationship data. Professional contact information, company information, CRM records, meeting history, and publicly available or business-source information used for business-to-business relationship management and sales outreach.

Customer Content and AI Processing

app.assyro.com is our authenticated platform. When your organization uploads regulatory documents or other customer content, we process that content to provide the products and services requested by your organization, such as submission package support, eCTD validation, regulatory monitoring, filing support, document analysis, retrieval, drafting assistance, quality checks, and related platform functionality.

Your organization is responsible for ensuring that it has the rights, authority, and notices required to upload customer content to the platform. You should not upload patient-identifiable health information, protected health information regulated by HIPAA, personal health information regulated by Ontario health privacy laws, special categories of personal information, or other sensitive personal information unless your organization has entered into an agreement with us that permits that processing and you are authorized to do so.

We do not sell customer content or share it for cross-context behavioural advertising. We do not use customer content to train third-party foundation models unless your organization expressly authorizes that use in a written agreement or product setting. When we use third-party AI model providers to support the services, we use them as service providers or subprocessors under contractual limits requiring them to process customer content only to provide services to us and not for their own direct marketing purposes.

Depending on the feature and provider configuration, prompts, uploaded files, outputs, logs, and related metadata may be transmitted to third-party AI providers or infrastructure providers in Canada, the United States, or other jurisdictions. Access to customer content is limited to authorized personnel and service providers with a business need to provide, secure, troubleshoot, or support the services, or as otherwise required by law or contract.

Consent and Choices

We collect, use, and disclose Personal Information with your consent or as permitted or required by applicable law. Consent may be express or implied depending on the circumstances and the sensitivity of the information. Where we request consent during account registration, onboarding, or a similar workflow, we may use an "I agree" mechanism or another affirmative action that links to this Privacy Policy and our applicable terms.

You may withdraw consent by contacting us at legal@assyro.com, subject to legal or contractual restrictions and reasonable notice. In some cases, withdrawing consent may limit our ability to provide certain products or services. We may retain limited information where needed to honour your preferences, meet legal obligations, resolve disputes, enforce agreements, maintain security, or keep required records.

How We Use Personal Information

We may use Personal Information for purposes such as:

  • providing, operating, maintaining, securing, and improving our products and services;
  • creating and managing accounts, authenticating users, and administering access controls;
  • processing customer content and platform activity to deliver requested functionality;
  • billing, invoicing, managing subscriptions, and processing payments;
  • responding to inquiries, support tickets, feedback, and other requests;
  • sending account, service, security, product, legal, and administrative notices;
  • monitoring usage, troubleshooting, debugging, identifying errors, and improving features;
  • maintaining audit logs, detecting abuse or fraud, and investigating security incidents;
  • managing business relationships, CRM records, sales outreach, and marketing preferences;
  • complying with legal and regulatory obligations and enforcing agreements and policies;
  • generating de-identified or aggregated information for analytics, research, and business planning; and
  • other purposes that we identify at the time of collection or for which you provide consent.

We do not use Personal Information to engage in interest-based or behavioural advertising for our services across third-party websites or services.

Cookies and Similar Technologies

We use cookies, pixels, local storage, log files, and similar technologies to operate and secure our websites and platform, remember preferences, understand usage, measure performance, and improve our communications. We may use essential, functional, security, and analytics technologies.

Analytics and infrastructure providers may include Google Analytics, PostHog, and Cloudflare. Information collected may include IP address, device and application identifiers, browser type, internet service provider or mobile carrier, pages and files viewed, searches, operating system and system configuration information, date and time stamps, and interaction data. These technologies may help us identify, locate, or understand usage patterns associated with a browser, device, or account.

You can manage cookies through your browser or device settings, privacy-focused browsers or extensions, available in-product controls, and provider opt-out tools such as the Google Analytics opt-out browser add-on. If you block cookies, some features may not work as intended.

How We Share Personal Information

We do not sell Personal Information or share it for cross-context behavioural advertising, as those terms are commonly used under US state privacy laws. We may disclose Personal Information to service providers and other parties in the circumstances described below:

Service providers and subprocessors. We use third parties for hosting, infrastructure, content delivery, security, payment processing, customer support, CRM, analytics, AI and machine learning services, data storage and processing, email, communications, and sales outreach. Examples may include Google Cloud Platform, Microsoft Azure, Cloudflare, Stripe, Google Workspace, Attio, PostHog, Google Analytics, and third-party AI model providers.

Affiliates and business operations. We may share information with affiliates or personnel who need it to operate, administer, support, secure, or improve the products and services.

Business transactions. We may disclose information in connection with a merger, financing, acquisition, reorganization, sale of assets, diligence process, or similar transaction, subject to appropriate safeguards where required.

Legal, safety, and enforcement. We may disclose information where we believe it is permitted, necessary, or appropriate to comply with law or legal process, respond to public or government authorities, enforce agreements, protect rights, property, operations, users, or the public, investigate security incidents, pursue remedies, or limit damages.

Where appropriate, we use contractual safeguards such as data processing agreements or equivalent terms. We do not authorize service providers to use Personal Information for their own direct marketing purposes.

United States Privacy Notice

Assyro primarily provides business-to-business software and services. For US customers and users, we collect and process business contact information, account information, technical and usage data, billing metadata, communications, and customer content as described in this Privacy Policy. We use this information to provide and secure the services, manage customer relationships, communicate with prospects and customers, comply with law, and support ordinary business operations.

Depending on your state of residence and the law that applies to a particular interaction, you may have rights to request access, correction, deletion, portability, information about our data practices, or to opt out of certain sales, sharing, targeted advertising, or profiling. Because we do not sell Personal Information or share it for cross-context behavioural advertising, we do not currently offer a separate "Do Not Sell or Share My Personal Information" link. You can submit privacy requests at legal@assyro.com.

We do not knowingly use or disclose sensitive Personal Information for purposes other than those permitted by applicable law or a written agreement. We will not discriminate against you for exercising privacy rights, although some requests may affect our ability to provide requested services.

Marketing and CASL Choices

We may contact business prospects and customers using professional contact information from public or business sources, CRM records, events, referrals, or direct interactions, subject to applicable law and your communication preferences.

Commercial electronic messages from us will identify Assyro and include legally required sender information and a working unsubscribe mechanism where required, including under Canada's Anti-Spam Legislation and the US CAN-SPAM Act. You may opt out of marketing emails by using the unsubscribe link in those messages or by contacting us at legal@assyro.com. We process unsubscribe requests promptly and no later than 10 business days after receiving them. We may still send transactional, security, legal, or service-related communications.

If you want us to remove your information from a sales prospecting list, contact us at legal@assyro.com and we will handle the request in accordance with applicable law.

Retention

We retain Personal Information only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law, contract, security, dispute resolution, or legitimate business needs. Unless a customer agreement states otherwise, our standard retention practices are:

  • account-related Personal Information and customer content: for the customer relationship, plus 90 days after termination or expiry to support export or transition;
  • billing and transaction records: 7 years from the applicable transaction for tax and financial record-keeping;
  • customer communications and support interactions: 3 years after resolution or last contact;
  • sales prospect information: 2 years from last contact or until we receive a valid removal request, whichever comes first;
  • platform usage and analytics data in identifiable form: up to 2 years, after which it is deleted, anonymized, or aggregated;
  • server logs containing IP addresses and related technical metadata: up to 12 months; and
  • anonymized or aggregated analytics: indefinitely in non-identifiable form.

Customers may request earlier deletion of specific uploaded documents, subject to contract, law, security, and technical constraints. Some information may persist for a limited period in backups and be deleted as backups are cycled.

International Transfer and Storage

Personal Information may be stored and processed in Canada, the United States, and other jurisdictions where we or our service providers operate. Service providers such as hosting, infrastructure, analytics, payment, AI model, email, communications, and support providers may process information outside your province, state, or country of residence. Cloudflare may process web traffic metadata through its global network to provide content delivery and security services.

Other jurisdictions may have privacy laws that differ from those in Canada. While information is outside Canada, it may be subject to the laws of the jurisdiction where it is located, including lawful access by courts, law enforcement, regulators, or government authorities. Before communicating Personal Information outside Quebec, where required, we assess whether it would receive adequate protection and implement appropriate safeguards.

Security

We use physical, organizational, contractual, and technical safeguards designed to protect Personal Information and customer content against loss, theft, unauthorized access, disclosure, copying, use, modification, and destruction. Access is limited on a business need-to-know basis to authorized personnel and service providers subject to confidentiality and security obligations.

Safeguards may include encryption in transit and at rest, role-based access controls, multi-factor authentication for internal production access, audit logging, access reviews, backups, security monitoring, vendor review, contractual security terms, and incident response procedures. Payment processing is handled by Stripe or other payment processors, and we do not store full payment card numbers.

No method of transmission or storage is completely secure. You are responsible for using strong, unique credentials, protecting account access, and promptly notifying us if you believe your account or information has been compromised.

Access, Correction, and Other Rights

You may request access to or correction of Personal Information we hold about you. You may also have rights, depending on your jurisdiction, to request deletion, portability, restriction, withdrawal of consent, objection to certain processing, or information about our privacy practices. To exercise a right, contact us at legal@assyro.com.

We may need to verify your identity and authority before responding. We will respond within the time required by applicable law and may refuse or limit a request where permitted by law, including where disclosure would reveal information about another person, confidential commercial information, privileged information, or information retained for legal, security, or compliance reasons.

Rights Outside Canada

If you are located in the United States, the European Economic Area, the United Kingdom, or another jurisdiction with additional privacy rights, we will handle privacy requests in accordance with the law that applies to your request. Our legal bases for processing may include contract performance, legitimate interests, compliance with legal obligations, and consent where required. You may also have the right to lodge a complaint with your local data protection authority, attorney general, or other regulator.

Third-Party Websites and Services

Our websites and services may link to third-party websites, platforms, products, or services. This Privacy Policy does not apply to those third parties. We are not responsible for their privacy practices, and you should review their privacy notices before providing information to them.

Children's Privacy

Our products and services are intended for business and professional users. They are not intended for children under 13, and we do not knowingly collect Personal Information from children under 13. If you believe a child has provided Personal Information to us, contact us at legal@assyro.com and we will take appropriate steps to delete it.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes become effective when we post the revised Privacy Policy on our website unless otherwise stated. Where required by law or where changes are material, we may provide additional notice through the services, by email, or by other appropriate means.

Contact

Questions, concerns, complaints, or requests about this Privacy Policy or our privacy practices should be sent to our Privacy Officer at legal@assyro.com.