Privacy Policy
Effective date: April 1, 2026
Alverik (“we”, “us”, “our”) is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.
1. Data Collection Methods and Purposes
We collect the following categories of personal information:
- Account information: Google email address, profile name, profile picture URL (avatar), company name, and billing details provided during registration and subscription. Authentication is delegated to Google OAuth; we do not store passwords or any user credentials on our servers.
- Company profile data: NAICS codes, capabilities, past project descriptions, and service areas you provide to build your company profile.
- Usage data: Interaction logs, feature usage, and draft generation history to improve our service.
- Payment data: Processed by Stripe. We do not store credit card numbers on our servers.
We collect this information to provide procurement intelligence, generate proposal drafts, score opportunities, and deliver daily digests tailored to your company profile.
2. Data Storage Location
Your primary database is hosted in Canada, encrypted at rest and in transit.
Cross-border processing disclosure: AI-powered features (draft generation, opportunity scoring, profile extraction) use Anthropic’s Claude API, which may process data on servers located in the United States. In addition, Alverik’s background workers — which run ingestion, AI generation, and scheduled jobs — are hosted on Railway in the United States (us-west2), which means company profile data, opportunity details, draft content, and associated user identifiers pass through systems located in the United States while those jobs run. Alverik’s primary database is hosted in Canada at rest through Supabase, while selected processing by named sub-processors may occur outside Canada. AI and background-worker features that depend on this cross-border processing are available only after you grant express consent during onboarding. Until that consent is recorded, those features remain disabled on the server side. We aim to send only the data needed for the requested feature or job, and we publish the current DPA status for each sub-processor on our Sub-Processors page; where a DPA is marked “In Progress,” it should not be treated as completed. The full list of named sub-processors, their locations, and DPA status is on our Sub-Processors page. To ask questions, discuss alternatives, or withdraw consent where withdrawal is available, contact privacy@alverik.ca.
3. Data Sharing Practices
We do not sell your personal information. We share data only with:
- Google LLC for authentication via Google OAuth (email address, profile name, avatar URL, and Google account identifier), and as the destination inbox (Google Workspace / Gmail) for messages forwarded to privacy@alverik.ca for the purpose of data-subject-access-request (DSAR) intake
- Cloudflare, Inc. for DNS, web-application security, and Email Routing of the privacy@alverik.ca DSAR intake address (Cloudflare receives inbound messages addressed to privacy@alverik.ca and forwards them to the Google Workspace destination inbox identified above)
- Stripe for payment processing
- Anthropic (Claude API) for AI-powered features (see cross-border disclosure above)
- Resend for transactional email delivery
- Supabase for database hosting in Canada
- Railway for hosting our background workers in the United States (us-west2), which process company profile data, opportunity details, draft content, and associated user identifiers during ingestion, AI generation, and scheduled jobs (see cross-border disclosure above)
- Vercel Analytics for cookieless, privacy-first web analytics (no personal data collected)
No cross-company data sharing occurs. Your company profile, proposals, and competitive intelligence are isolated to your account. For a complete list of our sub-processors, see our Sub-Processors page.
4. Data Retention Periods
- Active account data is retained for the duration of your subscription.
- After account cancellation, data is soft-deleted and retained for 90 days before permanent deletion, allowing account recovery.
- Billing records are retained for 7 years per Canadian tax requirements.
- Waitlist data is retained until you unsubscribe or request deletion.
5. Your PIPEDA and Quebec Law 25 Rights
Under PIPEDA and Quebec's Law 25, you have the right to:
- Access your personal information held by Alverik
- Request correction of inaccurate information
- Request deletion of your personal information
- Withdraw consent for data processing
- Receive a structured, machine-readable copy of your personal information (data portability under Quebec Law 25 §27)
- File a complaint with the Office of the Privacy Commissioner of Canada, or — for Quebec residents — the Commission d’accès à l’information du Québec
To exercise any of these rights, email privacy@alverik.ca from the address on your Alverik account. We will acknowledge within five business days and complete your request within 30 calendar days, as required by PIPEDA and Quebec’s Law 25. Where verification of your identity requires more information, we will respond within five business days with the verification step. For portability requests, our self-serve account export at Settings → Export My Data delivers your information as a structured JSON file; we can also fulfil the request operator-side on request.
6. CASL Compliance
All commercial electronic messages comply with Canada’s Anti-Spam Legislation (CASL). We obtain explicit consent before sending marketing communications. Transactional emails (account notifications, security alerts) are sent as permitted under CASL. You may withdraw consent at any time via your CASL preferences page or by contacting us.
7. Security Practices
Your data is encrypted in transit (TLS 1.2+) and at rest (AES-256) via our infrastructure providers. Access to production systems requires multi-factor authentication. All data access is logged and auditable.
8. Contact
Alverik
Toronto, ON, Canada
privacy@alverik.ca