Privacy Policy

1. Data Controller Information

Inkscribe AI Enterprise is a product of Yo! No Code, a technology company incorporated in Toronto, Ontario, Canada.

As the Data Controller (or Data Processor, depending on context), we are responsible for determining how personal data is processed and for ensuring compliance with applicable data protection regulations, including the EU General Data Protection Regulation (GDPR) and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).

2. Categories of Data Collected

We collect the following categories of data in the course of providing the Inkscribe AI Enterprise platform:

• Organizational Data: Company name, industry, team size, billing address, and subscription details provided during onboarding.
• User Identifiers: Name, email address, role, and authentication credentials for each authorized user within an organization.
• Document Metadata: File names, page counts, processing timestamps, and workspace associations. Document content is processed for service delivery only and is never used for AI model training.
• Usage Analytics: Feature usage patterns, processing volumes, session duration, and performance metrics — collected in aggregate to improve platform reliability.
• Billing Data: Payment method details (processed and stored exclusively by Stripe, our PCI-DSS Level 1 certified payment processor), invoice history, and transaction records.

3. Purpose of Processing

• Service Delivery: Processing documents, powering ScribIQ AI features, enabling team collaboration, and delivering platform functionality as described in your Enterprise Agreement.
• Security Monitoring: Detecting unauthorized access, preventing fraud, maintaining audit trails, and ensuring platform integrity.
• Billing & Invoicing: Processing payments, generating invoices, managing subscription lifecycle, and fulfilling financial reporting obligations.
• Product Improvement: Analyzing aggregated and anonymized usage patterns to improve platform performance, reliability, and feature development. Individual document content is never used for this purpose.

4. Lawful Basis for Processing (GDPR)

We process personal data under the following lawful bases as defined in GDPR Article 6:

• Contract Performance (Art. 6(1)(b)): Processing necessary to fulfill our obligations under your Enterprise Agreement, including document processing, user account management, and platform access.
• Legitimate Interests (Art. 6(1)(f)): Platform security monitoring, fraud prevention, and aggregated analytics for product improvement — balanced against your privacy rights.
• Legal Obligation (Art. 6(1)(c)): Compliance with tax regulations, financial reporting requirements, and lawful requests from regulatory authorities.

5. Data Retention

• Active Accounts: Data is retained for the duration of your active subscription, in accordance with your organization's configured retention policies.
• Terminated Contracts: Upon contract termination, a 30-day data export grace period is provided. After this period, all Document Data and associated metadata are securely and permanently deleted.
• Audit Logs: System audit logs are retained for 7 years to comply with SOC 2 and financial regulatory requirements. These logs contain access events and do not include document content.
• Billing Records: Transaction and invoicing records are retained for 7 years as required by tax and financial regulations.

6. Sub-Processors

We engage the following sub-processors in the delivery of our services:

All sub-processors are bound by Data Processing Agreements (DPAs) that require equivalent data protection standards. We will notify enterprise clients at least 30 days in advance of any new sub-processor additions.

7. International Data Transfers

• EU-US Data Privacy Framework: We participate in the EU-US Data Privacy Framework for transfers of personal data from the European Economic Area.
• Standard Contractual Clauses (SCCs): For transfers outside the scope of the DPF, we rely on the European Commission's Standard Contractual Clauses. Copies are available on request.
• Data Residency: Enterprise Supreme clients may configure regional data residency (US, EU, or custom regions) to ensure data remains within specified jurisdictions.

8. Your Rights (GDPR Articles 15–22)

If you are located in the European Economic Area, you have the following rights regarding your personal data:

• Right of Access (Art. 15): Request a copy of the personal data we hold about you.
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to Erasure (Art. 17): Request deletion of your personal data, subject to legal retention obligations.
• Right to Restriction (Art. 18): Request restriction of processing in certain circumstances.
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
• Right to Object (Art. 21): Object to processing based on legitimate interests.

To exercise any of these rights, contact our DPO at privacy@inkscribeai.com. We will respond within 30 days.

9. Security Measures

• SOC 2 Type II Certified: Independently audited controls for security, availability, processing integrity, confidentiality, and privacy.
• Encryption at Rest: AES-256 encryption for all stored data, including documents, metadata, and backups.
• Encryption in Transit: TLS 1.3 for all data transmission between clients and our infrastructure.
• Zero-Trust Architecture: Every request is authenticated, authorized, and logged — regardless of network origin.
• Regular Penetration Testing: Third-party penetration testing conducted at least annually, with results available under NDA.

10. Contact & Data Processing Agreement

For privacy inquiries, data subject requests, or to request a Data Processing Agreement (DPA):

A pre-signed Data Processing Agreement (DPA) conforming to GDPR Article 28 requirements is available on request for all enterprise clients.