Enterprise Privacy & Data Protection Policy

AI Xens Strategic AI Implementation Consulting

Covering domains: www.aixens.com | www.aixens.ai | www.aixens.io

Effective Date: May 3, 2026
Last Updated: May 3, 2026

1. Introduction

AI Xens ("we," "our," or "us") is committed to protecting the privacy and personal information of our clients, website visitors, and enterprise partners. As a strategic AI implementation consulting firm based in Ontario, Canada, we understand that data privacy is foundational to modern technology and to the trust our clients place in us.

We practice Privacy by Design — our infrastructure is engineered to protect your data at the edge before it ever reaches our systems. Our approach ensures that privacy is not an afterthought but a core architectural principle of everything we build and operate.

Privacy Management Contact Information

Email: contact@aixens.com
Phone: 416-906-0144 (voicemail accepted)
General Email: hello@aixens.com

Mailing Address:

AI Xens Management Team / Privacy
120 Eglinton Avenue East, Suite 202
Toronto, Ontario, Canada M4P 1E2

2. Global Compliance Frameworks

Our data architecture and privacy practices are engineered to comply with the world's most stringent privacy regulations. We do not treat compliance as a minimum bar — it is the foundation of our data practices.

  • PIPEDA (Canada): Adherence to the ten Fair Information Principles, ensuring accountability, consent, and data minimization for all individuals whose information we process.
  • GDPR (European Union): Strict opt-in requirements, dual legal-basis documentation (consent and legitimate interest), the right to erasure, and pseudonymous-by-default data processing. Note: pseudonymisation means raw identifiers are replaced with derived values; the data is still personal data under GDPR but is protected by technical safeguards that prevent individual re-identification without access to separately-held keys.
  • CCPA / CPRA (California): Transparent data mapping, the right to know what is collected, and a strict guarantee that we do not sell your personal data under any circumstances.

2.1 PIPEDA Fair Information Principles

Our Canadian privacy practices are built upon the ten Fair Information Principles outlined in PIPEDA:

Principle 1: Accountability

AI Xens is responsible for personal information under our control and has designated Privacy Management as accountable for our compliance with privacy principles.

Principle 2: Identifying Purposes

We identify the purposes for which personal information is collected at or before the time of collection, including:

  • Providing AI consulting services and strategic implementation support
  • Communicating about our services and responding to inquiries
  • Contract administration and project management
  • Marketing communications (with consent)
  • Website analytics and improvement (with consent)
  • Legal and regulatory compliance

Principle 3: Consent

We obtain meaningful consent for the collection, use, and disclosure of personal information. Consent may be express or implied and can be withdrawn at any time, subject to legal or contractual restrictions. Our website distinguishes between essential data (legitimate interest, always-on) and analytics data (explicit opt-in required).

Principle 4: Limiting Collection

We limit the collection of personal information to that which is necessary for the identified purposes. We collect information by fair and lawful means. Raw identifiers such as IP addresses are never stored — only derived, pseudonymous values are retained. These values cannot be decoded without the daily salt key, which is held separately from the data store and rotated each calendar day.

Principle 5: Limiting Use, Disclosure, and Retention

Personal information is used and disclosed only for the purposes for which it was collected, except with consent or as required by law. We retain information only as long as necessary to fulfill the identified purposes. Analytical records are retained for 12 months; operational records for 90 days.

Principle 6: Accuracy

We strive to ensure that personal information is accurate, complete, and up-to-date as necessary for the purposes for which it is used.

Principle 7: Safeguards

We protect personal information with security safeguards appropriate to the sensitivity of the information, including physical, organizational, and technological measures. See Section 6 for full details.

Principle 8: Openness

We make information about our privacy policies and practices readily available through this Privacy Policy and our website.

Principle 9: Individual Access

Upon request, we provide individuals with access to their personal information and information about how it has been used and disclosed.

Principle 10: Challenging Compliance

Individuals may challenge our compliance with privacy principles through our complaint process outlined in Section 10.

3. Information We Collect

3.1 Personal Information Collected Directly

We collect personal information that you provide directly to us, including:

  • Contact Information: Name, email address, phone number, job title, company name
  • Professional Information: Industry, company size, AI implementation challenges, business objectives
  • Communication Records: Correspondence, meeting notes, project documentation
  • Financial Information: Billing details, payment information (processed through secure third-party payment processors)
  • Consultation Information: AI readiness assessment data, strategic planning information, implementation requirements

3.2 Dormant-by-Default Behavioural Analytics

Our website utilises a strict opt-in only analytics engine. Until you explicitly click "Accept Analytics" on our cookie consent interface, all behavioural tracking scripts remain completely dormant — no session is created, no storage is written, and no data leaves your browser.

If consent is granted, we collect pseudonymised interaction data (such as scroll depth and funnel progression) to improve our digital services. All raw identifiers are transformed into derived values before storage, and the data cannot be practically linked to you as an individual without access to separately-held key material. Under GDPR, pseudonymous data is still personal data; it is protected by the technical safeguards described in Section 3.3.

3.3 Enterprise Data Sanitisation Pipeline (Privacy by Design)

To prevent the accidental capture of Personally Identifiable Information (PII), AI Xens employs client-side and server-side edge sanitisation. Before any data is stored, our systems automatically execute the following protocols:

  • URL Stripping: All query parameters (which may contain emails or session tokens) are automatically redacted from any tracked URLs before storage.
  • No Keystroke Tracking: We do not track keystrokes, typing speed, or input field lengths on any forms. Only the final submission intent is recorded.
  • IP Pseudonymisation: Raw IP addresses are never stored. A daily-rotating cryptographic hash (HMAC-SHA256) is used for deduplication only. This hash is pseudonymous data under GDPR — it is not anonymous — but it cannot be decoded without the daily salt key, which is held separately and rotated every calendar day, making cross-day tracking technically infeasible.
  • Device Derivation: Raw user-agent strings are parsed server-side into a device category (mobile / tablet / desktop) and browser family, then discarded. The raw string is never stored.
  • Geography (Country Only): We derive country-level geography from edge infrastructure headers. City, region, and postal code are never captured.
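
The URL stripping, IP pseudonymisation and device derivation steps listed above, as an added Python example (not AI Xens's own code). The function names, record fields, keys and sample event are assumptions constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

def strip_url(url):
    """Drop query string and fragment; keep scheme, host and path."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))

def pseudonymise_ip(ip, daily_key):
    """HMAC-SHA256 under the day's key: comparable only within that day.
    A key holder can recompute values for candidate IPs, so the key is
    kept apart from the data store and discarded on rotation."""
    return hmac.new(daily_key, ip.encode(), hashlib.sha256).hexdigest()

def derive_device(user_agent):
    """Reduce a raw user-agent to (device category, browser family)."""
    ua = user_agent.lower()
    if "ipad" in ua or "tablet" in ua or ("android" in ua and "mobi" not in ua):
        category = "tablet"
    elif "mobi" in ua or "iphone" in ua:
        category = "mobile"
    else:
        category = "desktop"
    # Order matters: Edge and Chrome user-agents also contain "safari/".
    for token, family in (("edg/", "edge"), ("firefox/", "firefox"),
                          ("chrome/", "chrome"), ("safari/", "safari")):
        if token in ua:
            return category, family
    return category, "other"

def sanitise_event(raw, daily_key):
    """Build the stored record; raw IP, UA and query string are not copied."""
    category, family = derive_device(raw["user_agent"])
    return {
        "url": strip_url(raw["url"]),
        "visitor": pseudonymise_ip(raw["ip"], daily_key),
        "device": category,
        "browser": family,
        "country": raw["country"],  # country code only (assumed edge header)
    }

# Constructed sample input: documentation-range IP, made-up keys.
KEY_DAY_1 = b"constructed-key-for-day-1"
KEY_DAY_2 = b"constructed-key-for-day-2"
SAMPLE_EVENT = {
    "url": "https://www.example.com/contact?email=a%40b.example&token=abc#top",
    "ip": "203.0.113.7",
    "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
                  "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 "
                  "Mobile/15E148 Safari/604.1",
    "country": "CA",
}

if __name__ == "__main__":
    print(sanitise_event(SAMPLE_EVENT, KEY_DAY_1))
    print(sanitise_event(SAMPLE_EVENT, KEY_DAY_2)["visitor"])
```

The same visitor yields the same `visitor` value within one key period and an unrelated value after rotation, which is what limits the hash to same-day deduplication.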

3.4 Information from Third Parties

We may receive information about you from professional references, business partners, and public professional networking platforms in the context of a consulting engagement.

3.5 Your Responsibility for Information Accuracy

Data Accuracy Obligation: You are responsible for ensuring that all personal and contact information you provide to AI Xens is accurate, complete, and current. We rely on the information you provide to deliver our Services, communicate important notices, and fulfil our legal obligations.

Limitation of Liability: AI Xens is not liable for any loss, damage, or miscommunication that may occur as a result of your failure to provide or maintain accurate information.

Acknowledgment: By using our Services, you acknowledge that we will use the information you have provided as the basis for all communications and service delivery.

4. How We Use and Disclose Personal Information

4.1 Use of Personal Information

We use personal information for the following purposes. Where we operate under GDPR, the applicable legal basis under Article 6 is noted alongside each purpose.

  • Providing AI consulting services, assessments, and strategic implementation support — GDPR Art. 6(1)(b): performance of a contract
  • Communicating about our services and responding to inquiries — GDPR Art. 6(1)(b): pre-contractual steps at your request
  • Contract administration, invoicing, and project management — GDPR Art. 6(1)(b): performance of a contract
  • Sending marketing communications — GDPR Art. 6(1)(a): explicit consent (opt-in required; you may withdraw at any time)
  • Improving our website and services through behavioural analytics — GDPR Art. 6(1)(a): explicit consent via our cookie banner (opt-in required)
  • Recording consent decisions and contact form receipt confirmations on our website — GDPR Art. 6(1)(f): legitimate interest — consent logs are required by our Art. 7 accountability obligations; form receipt confirmations serve the operational interest of both parties. A Legitimate Interest Assessment (LIA) is on file.
  • Complying with legal and regulatory requirements — GDPR Art. 6(1)(c): legal obligation
  • Protecting our rights and interests and those of our clients — GDPR Art. 6(1)(f): legitimate interest

4.2 Disclosure of Personal Information

We may disclose personal information in the following circumstances:

  • With Consent: When you have provided explicit consent for disclosure
  • Infrastructure Providers: To trusted, enterprise-grade cloud infrastructure providers who assist us in hosting and operating our digital services, strictly under Data Processing Agreements (DPAs). These providers are bound by contractual obligations that meet or exceed applicable privacy law requirements.
  • Legal Requirements: When required by law, court order, or regulatory authority
  • Business Protection: To protect our rights, property, or safety, or that of our clients or others
  • Business Transactions: In connection with a merger, acquisition, or sale of business assets (with appropriate safeguards and required notifications)

Strict Anti-Sale Policy: Under no circumstances does AI Xens sell, rent, or trade your personal or corporate data to third parties, data brokers, or advertising networks.

5. Cookies and Tracking Technologies

5.1 Strict Opt-In Mechanism

We rely on a compliant Consent Management architecture. Non-essential cookies and tracking scripts are blocked by default. You have full control over your preferences and may withdraw consent at any time without penalty.

Our cookie banner distinguishes two tiers:

  • Essential (Always On): Consent-decision logging (recording whether you accepted or declined analytics) and contact form receipt confirmations. These are processed under legitimate interest (GDPR Art. 6(1)(f)). No session identifier or page-view data is transmitted before you interact with the consent banner — these events fire only upon a specific user action (clicking a consent button or submitting a contact form). You have the right to object to legitimate-interest processing; see Section 7.
  • Analytics (Opt-In): Pseudonymised session journey data (scroll depth, funnel stage, engagement scoring). These require your explicit consent and are never collected without it.

5.2 Types of Storage We Use

  • Strictly Necessary: A localStorage key recording your consent preference — set only after you interact with the consent banner
  • Analytics (Opt-In): A pseudonymous session identifier, rotated per session, used only to link behavioural events within a single visit

5.3 Cookie Consent and Management

You can review and update your preferences at any time using the controls below. Changes take effect immediately upon interaction.

Cookie Preference Management

Note: Withdrawing consent stops all non-essential data collection immediately and reloads the page to apply the change.

Your Rights Regarding Cookies

Under PIPEDA, GDPR, and CCPA, you have the right to:

  • Know what tracking technologies we use and their purpose
  • Withdraw consent for non-essential tracking at any time
  • Request deletion of any personal information collected
  • File a complaint with the applicable regulatory authority

You may also manage preferences by adjusting your browser settings to block or delete cookies, which will not affect your ability to use our website.

6. Data Security and Protection

6.1 Security Measures

We implement appropriate technical, physical, and organizational security measures to protect personal information against unauthorized access, use, disclosure, alteration, or destruction, including:

  • End-to-end encryption of data in transit (TLS 1.3) and at rest
  • Serverless architecture deployed on a global edge network, reducing data exposure and attack surface
  • IP address pseudonymisation using daily-rotating cryptographic hashing (HMAC-SHA256)
  • Access controls and authentication requirements
  • Regular security assessments and monitoring
  • Secure disposal of personal information when no longer needed

6.2 Data Retention

We retain personal information only as long as necessary to fulfil the purposes for which it was collected, comply with legal requirements, resolve disputes, and enforce our agreements. Specific retention periods include:

  • Client Records: 7 years after completion of services (for business and tax purposes)
  • Marketing Communications: Until consent is withdrawn or contact becomes inactive
  • Behavioural Analytics: 12 months from collection date
  • Operational / Functional Records: 90 days from collection date
  • General Inquiries: 2 years after last contact

6.3 Data Breach Response

In the event of a data breach that poses a real risk of significant harm, we will:

  • Notify the Privacy Commissioner of Canada as soon as feasible
  • Notify affected individuals if the breach creates a real risk of significant harm
  • Take immediate steps to contain and remedy the breach
  • Maintain records of all breaches as required by law

7. Your Global Privacy Rights

Depending on your jurisdiction (including the EU, UK, Canada, and California), you possess comprehensive rights regarding your data. AI Xens respects and honours all of these rights regardless of jurisdiction:

  • The Right to Access & Portability: Request a copy of the personal data we hold about you in a portable format.
  • The Right to Erasure (Right to be Forgotten): Request the complete deletion of your records from our systems.
  • The Right to Rectification: Request corrections to inaccurate or incomplete data.
  • The Right to Withdraw Consent: Revoke previously granted consent for analytics or marketing at any time without penalty. Use the button in Section 5.3 for immediate effect.
  • The Right to Object: Object to processing based on legitimate interest where your individual rights outweigh our interests.
  • The Right to Restrict Processing: Request that we limit how we use your data in certain circumstances.
  • The Right to Know (CCPA): Know what personal information we have collected, from what sources, for what purpose, and to whom it has been disclosed.

7.1 Marketing Communications

You may opt out of marketing communications at any time by:

  • Clicking the unsubscribe link in any of our emails
  • Contacting our Privacy Management at contact@aixens.com

7.2 How to Exercise Your Rights

To exercise any of these rights, contact our Privacy Management team at contact@aixens.com. We will respond to verified requests within 30 days and may require reasonable verification of your identity. There is no charge for making a request.

8. International Data Transfers

Your personal information is primarily stored and processed in Canada. Some of our infrastructure providers operate data centres located in other countries, including the United States. When we transfer personal information outside of Canada, we ensure that appropriate contractual safeguards are in place — specifically, data processing agreements that require the recipient to provide protections at least equivalent to those required under PIPEDA and, where applicable, the GDPR.

By using our services, you acknowledge that your personal information may be transferred and processed in jurisdictions outside your own for the purposes described in this Privacy Policy.

9. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have inadvertently collected personal information from a minor, we will take prompt steps to delete such information from our systems and notify the relevant guardian where required by law.

10. Privacy Complaints Process

10.1 Internal Complaint Process

If you have concerns about our privacy practices, please contact our Privacy Management first. We will:

  1. Acknowledge receipt of your complaint within 5 business days
  2. Investigate your complaint thoroughly and impartially
  3. Provide a written response within 30 days of receiving your complaint
  4. Take appropriate corrective action if your complaint is substantiated

10.2 External Complaint Options

If you are not satisfied with our response, you may file a complaint with the applicable regulatory authority for your jurisdiction:

Canada — Office of the Privacy Commissioner of Canada
Website: www.priv.gc.ca
Toll Free: 1-800-282-1376
Email: info@priv.gc.ca

European Union — Your Local Data Protection Authority
Find your DPA: edpb.europa.eu

California — California Privacy Protection Agency
Website: cppa.ca.gov

11. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. We will post the updated policy on our website and update the "Last Updated" date at the top of this document.

For material changes that may significantly affect how we use your personal information, we will provide additional notice and seek your renewed consent where required by law. The consent_version field in our analytics system is updated whenever such a material change occurs, providing a verifiable audit trail of which policy version each user accepted.

12. Contact Information

Privacy Management & Data Protection Officer

AI Xens Strategic AI Implementation Consulting

Email: contact@aixens.com
Phone: 416-906-0144 (voicemail accepted)
General Email: hello@aixens.com

Mailing Address:

AI Xens Management Team / Privacy
120 Eglinton Avenue East, Suite 202
Toronto, Ontario, Canada M4P 1E2

For general inquiries about our AI consulting services, please visit aixens.com.
