Privacy Policy

Effective date: April 1, 2026

Alverik (“we”, “us”, “our”) is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.

1. Data Collection Methods and Purposes

We collect the following categories of personal information:

  • Account information: Google email address, profile name, profile picture URL (avatar), company name, and billing details provided during registration and subscription. Authentication is delegated to Google OAuth; we do not store passwords or any user credentials on our servers.
  • Company profile data: NAICS codes, capabilities, past project descriptions, and service areas you provide to build your company profile.
  • Usage data: Interaction logs, feature usage, and draft generation history to improve our service.
  • Payment data: Processed by Stripe. We do not store credit card numbers on our servers.

We collect this information to provide procurement intelligence, generate proposal drafts, score opportunities, and deliver daily digests tailored to your company profile.

2. Data Storage Location

Your primary database is hosted in Canada (Supabase, AWS ca-central-1 region), encrypted at rest and in transit.

Cross-border processing disclosure: AI-powered features (draft generation, opportunity scoring, profile extraction) use Anthropic’s Claude API, which may process data on servers located in the United States. By using these features, you acknowledge that certain data may be transmitted to and processed in the US. We minimise the data sent for processing and do not store your data in the US beyond the duration of the API request.

3. Data Sharing Practices

We do not sell your personal information. We share data only with:

  • Google LLC for authentication via Google OAuth (email address, profile name, avatar URL, and Google account identifier)
  • Stripe for payment processing
  • Anthropic (Claude API) for AI-powered features (see cross-border disclosure above)
  • Resend for transactional email delivery
  • Supabase for database hosting (ca-central-1)
  • Vercel Analytics for cookieless web analytics (privacy-first, no personal data collected)

No cross-company data sharing occurs. Your company profile, proposals, and competitive intelligence are isolated to your account. For a complete list of our sub-processors, see our Sub-Processors page.

4. Data Retention Periods

  • Active account data is retained for the duration of your subscription.
  • After account cancellation, data is soft-deleted and retained for 90 days before permanent deletion, allowing account recovery.
  • Billing records are retained for 7 years per Canadian tax requirements.
  • Waitlist data is retained until you unsubscribe or request deletion.

5. Your PIPEDA Rights

Under PIPEDA, you have the right to:

  • Access your personal information held by Alverik
  • Request correction of inaccurate information
  • Request deletion of your personal information
  • Withdraw consent for data processing
  • File a complaint with the Office of the Privacy Commissioner of Canada

6. CASL Compliance

All commercial electronic messages comply with Canada’s Anti-Spam Legislation (CASL). We obtain explicit consent before sending marketing communications. Transactional emails (account notifications, security alerts) are sent as permitted under CASL. You may withdraw consent at any time via your CASL preferences page or by contacting us.

7. Security Practices

Your data is encrypted in transit (TLS 1.2+) and at rest (AES-256) via our infrastructure providers. Access to production systems requires multi-factor authentication. All data access is logged and auditable.

8. Contact

Alverik
Toronto, ON, Canada
privacy@alverik.ca