Privacy Policy

2. Information We Collect

We collect the following categories of information:

Data Necessity: Only information marked as required during registration or use of the Service is mandatory. Providing optional information (such as your name, firm name, or custom notes) is voluntary and will not affect your ability to use core Service features. We collect only the minimum personal information necessary to provide the Service.

Account Information

• Email address
• Name (if provided)
• Password (stored in encrypted form)
• Account preferences and settings
• Firm or organization name (if provided)

Report Inputs

• Ticker symbols and security identifiers you search for or analyze
• Peer company selections and comparison preferences
• Custom notes, annotations, or context you add to reports
• Custom disclaimers and branding elements (Pro plan)
• Watchlist configurations

Usage Data

• Reports generated (content and metadata)
• Features accessed and actions taken within the Service
• Session duration and frequency of use
• Export activity (format, frequency)

Technical Data

• IP address
• User-Agent string
• Referring URLs and pages visited
• Date and time of access

Payment Information

• Billing address
• Payment card details (processed and stored by Stripe; we do not store full card numbers)
• Transaction history and subscription status

3. How We Collect Information

Directly from You: When you create an account, generate reports, configure settings, submit support requests, or otherwise interact with the Service.

Automatically: Through cookies, server logs, and similar technologies when you access or use the Service. See Section 11 (Cookies and Tracking) for details.

From Third Parties: From authentication providers (if you sign in via third-party services like Google), payment processors (transaction confirmations), and analytics services (aggregated usage data).

4. How We Use Your Information

We use your information for the following purposes:

Service Delivery

• To create and manage your account
• To generate AI-powered analysis based on your inputs
• To process AI queries and return results
• To enable exports and report archival
• To apply your branding and customizations

Billing and Transactions

• To process subscription payments and manage billing
• To track usage for plan enforcement and overage billing
• To send receipts and billing notifications

Support and Communication

• To respond to your inquiries and provide customer support
• To send service-related announcements (e.g., maintenance, policy changes)
• To communicate about your account or subscription

Security and Compliance

• To protect against unauthorized access, fraud, and abuse
• To enforce our Terms of Service
• To comply with legal obligations and respond to lawful requests

Service Improvement

• To analyze usage patterns and improve the Service
• To develop new features and functionality
• To conduct internal research and analytics (using aggregated data)

Legal Basis for Processing

We process your personal information under the following legal bases:

• Consent: Where you have given explicit consent (e.g., creating an account, enabling optional analytics).
• Contractual Necessity: Where processing is required to provide the Service you have subscribed to.
• Legal Obligation: Where we are required to process data to comply with applicable laws or regulations.
• Legitimate Interests: Where processing is necessary for our legitimate business interests (e.g., security, fraud prevention, service improvement), provided these interests do not override your privacy rights.

Marketing Communications

With your consent, we may send you information about new features, product updates, or promotions. You may opt out of marketing communications at any time by clicking the "unsubscribe" link in any marketing email or by contacting us at support@konsyra.com. Opting out of marketing communications will not affect service-related communications (such as billing notices, security alerts, or policy changes).

5. AI Processing Disclosure

6. Data Sharing and Subprocessors

We share your information only as described below. We do not sell your personal information to third parties.

Service Providers (Subprocessors)

We use the following categories of service providers to operate the Service:

Other Disclosures

We may also disclose your information:

• Legal Requirements: To comply with applicable laws, regulations, legal processes, or governmental requests.
• Protection of Rights and Legal Proceedings: To enforce our Terms of Service, protect our rights, privacy, safety, or property, and that of our users or the public, including in connection with legal proceedings, court orders, or the stages leading to possible legal action arising from improper use of the Service.
• Business Transfers: In connection with a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your information may be transferred to the acquiring entity.
• With Your Consent: For any other purpose disclosed to you with your consent.

7. International Data Transfers

Your primary account and report data is stored in Canada through our database provider (Supabase, hosted in Canada). However, some of your information may be transferred to and processed in the United States through our payment processor (Stripe) and AI service providers (OpenRouter/OpenAI). These countries may have data protection laws different from those in Canada.

Our edge computing infrastructure (Cloudflare) uses automatic data location, with primary storage in North America. When we transfer personal information outside Canada, we take steps to ensure adequate protection, including:

• Using service providers that maintain robust security practices and privacy commitments
• Implementing contractual obligations requiring providers to protect your information
• Ensuring providers are subject to privacy frameworks or certifications

Before transferring personal information outside Canada, we assess the privacy protection level of the receiving jurisdiction. Where the jurisdiction does not provide substantially similar protection to Canadian law, we implement additional safeguards including contractual data protection clauses and limiting the data transferred to what is strictly necessary.

By using the Service, you consent to the transfer of your information to these countries as described in this Privacy Policy.

8. Data Retention

Personal data is processed and stored for as long as required to fulfill the purpose for which it is collected.

• Personal data collected for the performance of a contract between Konsyra and you (or your Firm) is retained until such contract has been entirely performed or you request that the data be deleted.
• Personal data collected for Konsyra's legitimate interests (such as security logging, fraud prevention, and service improvement) shall be retained as long as needed to fulfill such purposes.
• Konsyra may retain personal data for a longer period whenever you have given consent to such processing, as long as such consent is not withdrawn. Furthermore, Konsyra may be required to retain personal data for a longer period to comply with a legal obligation or an order of a regulatory authority.

Once the applicable retention period expires, your personal data will be securely deleted or anonymized. You may contact us at any time to request information about specific retention periods applicable to your data.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security).
• Encryption at Rest: Sensitive data is encrypted at rest using industry-standard encryption.
• Access Controls: Access to personal information is restricted to authorized personnel who need it to perform their duties.
• Secure Infrastructure: We use enterprise-grade cloud infrastructure with robust physical and logical security controls.
• Regular Updates: We regularly update and patch our systems to address security vulnerabilities.
• Incident Response: We have procedures in place to detect, respond to, and recover from security incidents.

Privacy Impact Assessments: We conduct privacy impact assessments before introducing new technologies, features, or data processing activities that involve personal information, in accordance with applicable privacy legislation.

While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

10. Your Privacy Rights (PIPEDA)

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Act Respecting the Protection of Personal Information in the Private Sector (as modernized by Law 25), and other applicable provincial privacy laws, you have the following rights regarding your personal information:

• Right of Access: You have the right to request access to the personal information we hold about you and to receive information about how it is used and disclosed.
• Right of Correction: You have the right to request correction of any inaccurate or incomplete personal information we hold about you.
• Right to Withdraw Consent: You may withdraw your consent to our collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions. Withdrawal may affect your ability to use the Service.
• Right to Deletion: You may request deletion of your personal information. We will delete or anonymize your information unless retention is required for legal, regulatory, or legitimate business purposes.
• Right to Data Portability: You have the right to request a copy of the personal information you have provided to us in a structured, commonly used, and machine-readable format. Where technically feasible, you may request that we transmit this information directly to another service provider.
• Right to De-indexation: If your personal information is being disseminated in a manner that contravenes applicable law, you have the right to request that we cease such dissemination and de-index the information from any publicly accessible source under our control.
• Right to Complain: If you believe we have not handled your personal information appropriately, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca, or with the Commission d'accès à l'information du Québec if you are a Quebec resident.

How to Exercise Your Rights: To exercise any of these rights, please contact us at support@konsyra.com. We will respond to your request within 30 days. We may need to verify your identity before processing your request.

11. Cookies and Tracking Technologies

We use cookies and similar technologies to operate the Service. Cookies are small text files stored on your device that help us recognize you and maintain your session.

Cookies and Local Storage We Use

• Essential (Cookies): Authentication session cookies set by our identity provider (Supabase) are required for login and security. These are HTTP-only, secure cookies that expire based on your session.
• Functional (Local Storage): Your preferences (such as dark mode) are stored in your browser's local storage, not as cookies. This data remains on your device and is not transmitted to our servers.

We do not use third-party analytics cookies, advertising cookies, or tracking pixels. Our first-party usage analytics use browser session storage (cleared when you close your browser tab) and are not cookie-based.

Your Choices

Most web browsers allow you to control cookies through their settings. You can view, delete, or block cookies at any time. Note that disabling essential cookies may prevent you from logging in or using certain features of the Service.

Privacy by Default: The Service is configured with the highest level of privacy settings by default. We do not use third-party tracking and do not enable non-essential data collection without your affirmative consent.

12. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at legal@konsyra.com.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

Material Changes: For significant changes that affect how we collect, use, or share your personal information, we will provide notice via email to your registered email address or through prominent notice on the Service at least 30 days before the changes take effect.

Non-Material Changes: Minor changes (such as clarifications or formatting) may be made without notice.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. We recommend reviewing this page periodically.

The "Last updated" date at the top of this Privacy Policy indicates when it was last revised.

14. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Privacy Officer: Konsyra has designated a Privacy Officer responsible for overseeing compliance with applicable privacy laws, including PIPEDA and Quebec's Law 25, and for responding to privacy-related inquiries. The Privacy Officer can be reached at privacy@konsyra.com.

We will acknowledge your inquiry within 5 business days and respond to privacy-related requests within 30 days, or as required by applicable law.