1. Who We Are
Noviya Consulting Corporation ("Noviya", "we", "us", "our") is a technology consulting company based in Vancouver, British Columbia, Canada. We deploy AI-powered co-workers ("Agents") into small and medium-sized businesses to help manage customer communications such as SMS, iMessage, email, and WhatsApp messaging.
All privacy inquiries, complaints, access requests, or questions about this policy can be directed to our Privacy Officer.
2. What Laws Apply
This Privacy Policy is designed to comply with:
- PIPEDA — Canada's Personal Information Protection and Electronic Documents Act (federal)
- BC PIPA — British Columbia's Personal Information Protection Act (provincial)
- CASL — Canada's Anti-Spam Legislation (for commercial electronic messages)
As of March 2026, Canada's proposed Consumer Privacy Protection Act (Bill C-27 / CPPA) and the Artificial Intelligence and Data Act (AIDA) have not been enacted into law. Parliament prorogued in January 2025 and neither bill has been reintroduced. This policy is drafted to meet current legal requirements under PIPEDA and BC PIPA, and we will update it if new legislation comes into force.
3. Who This Policy Applies To
This policy covers the personal information of:
- Our Clients — Business owners and their staff who contract with Noviya for Agent services
- End Customers — The customers of our clients, whose personal information is processed by the Agent during communications
- Website Visitors — Anyone who visits noviya.io or related web properties
4. What Personal Information We Collect
4.1 From Our Clients
| Information | Purpose |
|---|---|
| Business owner name, email, phone number | Account management, billing, support |
| Business information (hours, services, pricing) | Configuring the Agent |
| Payment information | Billing |
| Communication preferences | Service delivery |
4.2 From End Customers (on behalf of our Clients)
| Information | Purpose |
|---|---|
| Phone numbers | Receiving and responding to messages |
| Email addresses | Email communication (if applicable) |
| Names (when provided in conversation) | Personalized communication |
| Message content and conversation history | Maintaining context, delivering service |
| Appointment/booking details | Scheduling (if applicable) |
4.3 From Website Visitors
| Information | Purpose |
|---|---|
| IP address, browser type, device information | Website analytics and security |
| Pages visited, time on site | Understanding how visitors use our site |
| Information submitted via contact forms | Responding to inquiries |
5. How We Use Personal Information
We use personal information only for the following purposes:
- Service Delivery — Operating the Agent on our client's behalf, including receiving customer messages, generating AI-powered responses, and managing communications
- AI Processing — Sending conversation data to our AI provider (Anthropic) for processing and generating responses
- Account Management — Managing client accounts, billing, and support
- Service Improvement — Analyzing Agent performance to improve response quality for the specific client (not cross-client)
- Security and Incident Response — Detecting and responding to security incidents, errors, or Agent malfunctions
- Legal Compliance — Meeting our obligations under PIPEDA, BC PIPA, CASL, and other applicable laws
We do NOT use personal information for:
- Selling or renting to third parties
- Advertising or marketing to end customers (unless the client has obtained proper consent under CASL)
- AI model training — your data is NOT used to train any AI models
- Cross-client data sharing — each client's data is completely isolated from every other client's data
- Profiling or automated decision-making beyond the scope of the Agent's configured communication role
6. AI-Specific Disclosures
6.1 How AI Processing Works
When an end customer sends a message to our client's business, the message is:
- Received by our infrastructure (via Twilio, iMessage, or other communication platforms)
- Sent to Anthropic's Claude AI model for processing
- A response is generated based on the client's business information and communication rules
- The response is sent back to the end customer through the same communication channel
6.2 AI Output Limitations
AI-generated responses should not be relied upon without independent verification. The Agent is a communication tool designed to handle routine inquiries. It:
- May occasionally produce inaccurate information despite best efforts
- Does not provide professional advice (legal, medical, financial, or otherwise)
- Does not make binding commitments on behalf of the client's business
- Cannot access real-time information beyond what has been configured
- May not reflect the most current business information if updates have not been provided to Noviya
6.3 No AI Training
Anthropic, our AI provider, does not use data submitted through their commercial API to train AI models. This is confirmed under Anthropic's commercial terms as of March 2026. Noviya does not train or fine-tune any AI models on client or end customer data.
6.4 AI Disclosure to End Customers
We recommend that our clients inform their customers that AI-assisted communication is in use. The Agent will identify itself as an AI assistant when asked directly and will never claim to be a human.
7. Cross-Border Data Transfers
To deliver our service, personal information is transferred to and processed in countries outside Canada. We are transparent about this:
| Sub-Processor | Service | Data Processed | Location |
|---|---|---|---|
| Anthropic | AI processing (Claude API) | Message content, conversation context | United States |
| Twilio | SMS/voice communication | Phone numbers, message content | United States |
| Google Workspace | Email/calendar (if applicable) | Email content, calendar data | United States |
| Hetzner | Infrastructure hosting | All Agent data (option A) | Germany |
| Vultr | Infrastructure hosting | All Agent data (option B) | Toronto, Canada |
| Cloudflare | Security and access tunnels | Network traffic metadata | Global (US-based company) |
Important: When data is transferred outside Canada, it may be subject to the laws of those jurisdictions. Under PIPEDA, we are required to inform you that personal information transferred to the United States may be accessible to U.S. law enforcement and national security authorities under U.S. law.
We take reasonable steps to ensure that our sub-processors maintain appropriate privacy and security standards, but we cannot guarantee that their protections are equivalent to Canadian law.
8. Consent
8.1 Client Consent
By signing a service agreement with Noviya, our clients consent to the collection, use, and disclosure of personal information as described in this policy, including cross-border transfers to our sub-processors.
8.2 End Customer Consent
Our clients are responsible for obtaining appropriate consent from their end customers for automated communications. This includes:
- Ensuring end customers are aware that AI-assisted communication may be used
- Obtaining express or implied consent for commercial electronic messages as required by CASL (see Section 10)
- Informing end customers about how their data is handled, either through their own privacy policy or by directing customers to this policy
Noviya acts as a data processor on behalf of our clients. Our clients are the data controllers — they determine the purposes for which end customer data is collected and used. Noviya processes that data only as instructed by the client and as necessary to deliver the service.
8.3 Withdrawing Consent
- Clients may withdraw consent by terminating their service agreement with 30 days' notice.
- End customers may opt out of receiving messages at any time by replying STOP, UNSUBSCRIBE, or similar keywords. The Agent will honor these requests immediately.
- Any individual may contact our Privacy Officer to withdraw consent for any specific use of their personal information.
9. Data Retention and Deletion
9.1 Active Service Period
During an active client relationship, we retain:
- Client account data — for the duration of the service agreement
- End customer conversation data — for the duration of the service agreement plus any regulatory retention period
- Opt-out records — for 3 years per CASL requirements
9.2 After Termination
When a client terminates their service:
| Timeline | Action |
|---|---|
| Day 0 | Agent is shut down. All outbound communication stops. |
| Days 1–7 | Client receives a complete data export (conversation logs, customer contacts, Agent configuration). |
| Days 7–14 | All client and end customer data is permanently deleted from Noviya's systems. |
| Day 14 | Written confirmation of deletion is sent to the client. |
Exception: We may retain anonymized, aggregated data (with no personally identifiable information) for service improvement purposes. Opt-out records required by CASL are retained for the legally required period even after termination.
9.3 End Customer Deletion Requests
If an end customer requests deletion of their personal information:
- The request is escalated to the client
- Noviya deletes the data from our systems within 7 business days of the client's confirmation
- The end customer is notified that their data has been deleted
10. CASL Compliance (Anti-Spam)
Noviya's Agents may send commercial electronic messages (SMS, email) on behalf of clients. Under CASL:
10.1 When Consent is Required
- Express consent is required for promotional messages, follow-ups, and review requests
- Implied consent exists for customers with an existing business relationship (within the last 2 years of a purchase, or 6 months of an inquiry)
- No consent required for purely transactional messages (appointment confirmations, service updates related to an active transaction)
10.2 Identification Requirements
All commercial electronic messages sent by the Agent include:
- The client's business name
- The client's contact information (phone number, address, or email)
- A clear unsubscribe mechanism
10.3 Unsubscribe Mechanism
- End customers can opt out at any time by replying STOP, UNSUBSCRIBE, CANCEL, or similar keywords
- Opt-outs are processed immediately (no further messages sent)
- Opt-out requests are honored within 10 business days as required by CASL
- Opt-out records are maintained for 3 years
10.4 Client Responsibility
Our clients are responsible for ensuring they have proper consent before Noviya configures the Agent to send outbound commercial messages. If Noviya determines that a requested messaging workflow does not have adequate consent documentation, we will decline to configure it until consent is established.
10.5 Penalties
CASL penalties can reach $1 million per violation for individuals and $10 million per violation for businesses. Noviya takes CASL compliance seriously and will not knowingly configure an Agent to send messages that violate CASL.
11. Data Security
We implement reasonable security measures to protect personal information, including:
- Encryption in transit — All data transmitted between systems uses TLS/SSL encryption
- Data isolation — Each client's Agent runs in a separate, isolated Docker container. No client can access another client's data.
- Access controls — Only authorized Noviya personnel can access client data, and only for service delivery purposes
- Secure infrastructure — Hosted on reputable providers (Hetzner, Vultr) with Cloudflare Tunnels for secure access
- Incident response — Multi-level kill switch system to immediately pause or shut down an Agent if a security issue is detected
11.1 Breach Notification
In the event of a data breach involving personal information:
- We will assess the scope and severity of the breach
- We will notify affected clients within 72 hours of becoming aware of the breach
- If the breach creates a real risk of significant harm to individuals, we will notify the Office of the Privacy Commissioner of Canada and/or the BC Office of the Information and Privacy Commissioner as required by law
- We will notify affected individuals as required by PIPEDA and BC PIPA
- We will provide a report on the breach and steps taken to prevent recurrence
12. Your Rights
Under PIPEDA and BC PIPA, you have the right to:
12.1 Access
You can request access to the personal information we hold about you. We will respond within 30 days of receiving your request. We may charge a nominal fee for access requests that require significant effort to fulfill.
12.2 Correction
If your personal information is inaccurate or incomplete, you can request that we correct it. We will make corrections within a reasonable timeframe and notify any third parties to whom we have disclosed the information.
12.3 Deletion
You can request deletion of your personal information, subject to:
- Legal retention requirements (e.g., CASL opt-out records)
- Legitimate business reasons that override the deletion request
- Data that has been anonymized and is no longer personally identifiable
12.4 Complaints
If you are not satisfied with how we handle your personal information, you can:
- Contact our Privacy Officer at [email protected]
- File a complaint with the Office of the Privacy Commissioner of Canada (www.priv.gc.ca)
- File a complaint with the BC Office of the Information and Privacy Commissioner (www.oipc.bc.ca)
13. Cookies and Website Analytics
Our website (noviya.io) may use:
- Essential cookies — Required for the website to function (no consent required)
- Analytics cookies — To understand how visitors use our site (e.g., Cloudflare Web Analytics, which does not use cookies and does not track individuals)
We do not use advertising cookies or tracking pixels. We do not sell website visitor data to third parties.
14. Children's Privacy
Our services are designed for business-to-business use. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child, we will delete it promptly.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes:
- We will update the "Last Updated" date at the top of this policy
- We will notify our clients by email at least 30 days before significant changes take effect
- The updated policy will be posted on our website
Your continued use of our services after the updated policy takes effect constitutes acceptance of the changes.
16. Contact Us
For any questions, concerns, or requests related to this Privacy Policy:
Noviya Consulting Corporation
Privacy Officer: Anatoly Predeine
Email: [email protected]
Location: Vancouver, BC, Canada
We aim to respond to all privacy inquiries within 10 business days.