Privacy Policy

Last updated: April 18, 2026

Obsidian AI Labs Inc. ("we", "us", "our") is a Canadian corporation headquartered in St. Thomas, Ontario. This policy explains what information we collect when you interact with obsidianailabs.ca or engage us for services, how we use it, and the choices you have.

Information we collect

We only collect what we need to run the business and respond to you:

• What you send us directly. If you email info@obsidianailabs.ca or fill out a form, we receive and store the contents of that message along with your email address so we can reply and keep a record of the conversation.
• Basic web analytics. Standard web server logs (IP address, user agent, requested URL, timestamp) used to understand how the site is performing and to investigate abuse. We do not currently run third-party analytics trackers, cookies, or advertising pixels on this site.
• Project / engagement data. If you become a client, we collect only the information required to deliver the work we agreed on. The specifics vary by engagement and are always documented in the statement of work.

How we use it

• To reply to inquiries and deliver the services you engage us for.
• To maintain operational and financial records required under Canadian law.
• To investigate technical problems or abusive behaviour against the site.

We do not sell your information. We do not share it with advertising networks. We do not use it to train third-party AI models.

Third parties

To run the business we use a small set of vendors, each of which may process information on our behalf:

• Email and productivity: Google (Gmail, Google Workspace).
• Infrastructure and hosting: DigitalOcean, GoDaddy.
• Payments and accounting: Stripe, QuickBooks.
• AI model providers: Anthropic, Google (Gemini), OpenAI. Used only for the portions of engagements that require LLM processing, and only with content you explicitly authorize us to send.

Each of these vendors has their own privacy policy. We have standard commercial agreements with them and do not grant them rights to use your information outside of delivering the service we pay them for.

Data retention

We keep correspondence and project records for as long as we have an active relationship with you, plus the retention period required by Canadian tax and corporate law (currently a minimum of 6 years for financial records). You can request deletion of any data we hold about you that is not subject to a legal retention requirement.

Your rights

Under Canadian privacy law (PIPEDA) and provincial equivalents, you have the right to:

• Ask what personal information we hold about you.
• Correct it if it's wrong.
• Ask for deletion (subject to legal retention requirements).
• Withdraw consent for future communication.

Email info@obsidianailabs.ca for any of the above and we'll respond within a reasonable time, typically under two weeks.

How to request data deletion

If you've connected to one of our applications (including Facebook, Instagram, Google, or any other third-party login) and want us to delete the personal information associated with that connection, follow these steps:

1. Send an email to info@obsidianailabs.ca with the subject line "Data Deletion Request".
2. Include the email address, phone number, or social account handle that's associated with the data you want removed.
3. Tell us briefly which application or service the data was connected to (for example: "Facebook login on obsidianailabs.ca", "Digital Assistant onboarding", "form submission on /apply").

We will confirm receipt within 2 business days and complete the deletion within 30 days, except where Canadian law requires us to retain the record (for example: financial transactions covered by the 6-year tax retention rule, or signed contracts subject to limitation periods). If a legal hold prevents full deletion, we'll tell you exactly which fields we must retain and for how long.

If you accessed our services through a Facebook or Instagram login, you can also remove our app's access from your account settings at facebook.com/settings/apps. Removing access there will stop new data flow from those platforms; emailing the address above ensures any data we already received is also deleted.

Security

We follow industry-standard practices for protecting data in transit (TLS) and at rest. No system is perfectly secure, but we try hard, and we'll tell you promptly if we believe your information has been exposed in an incident affecting us.

AI assistant services: how we handle client data

If you engage us for one of our AI assistant tiers (Obsidian Executive Assistant, Digital Assistant, or Digital Worker), additional data handling applies. The rules below are binding and are referenced in every engagement contract.

Dedicated, per-client infrastructure

Every client's AI assistant runs on dedicated infrastructure provisioned for that client alone. We do not co-mingle client workloads. If you cancel or your engagement ends, your dedicated infrastructure is destroyed and the underlying storage is wiped within 7 calendar days.

API keys and third-party credentials you share with us

To wire your AI assistant into your existing tools, you share API keys and OAuth tokens for services like Gmail, Google Calendar, Notion, HighLevel, Stripe, Twilio, or others as scoped in your contract. These credentials are:

• Transmitted to us through an encrypted shared vault (1Password, Bitwarden, or equivalent). We refuse plaintext email submission and rotate any key accidentally sent in the clear.
• Stored only in the server-side environment of your dedicated assistant instance. Never checked into source control. Never shared with other clients.
• Used only for the integrations and scopes you authorize in the engagement scoping document.
• Available to you for rotation at any time. If you rotate a key, we update the assistant and confirm continuity.

Content that flows through your assistant

Your assistant processes the content you give it (emails it drafts, documents it reviews, records from your CRM, and similar). That content is:

• Sent to the AI model provider listed in your scoping document (typically Anthropic's Claude API) to produce responses. Anthropic's own data-handling terms apply to that leg. We do not grant them rights to train on your content and we configure our API calls accordingly where the provider supports that flag.
• Logged on your dedicated instance for operational troubleshooting. Logs are retained 30 days unless you request shorter.
• Never transmitted to third parties outside the integrations you explicitly authorized.

Agent actions and human approval

By default, agents operate in "draft-only" mode. Outbound actions (emails sent on your behalf, CRM updates, payments processed, etc.) require your approval before they execute. You can optionally move individual agents to "auto-send" mode after a review period; that choice is yours and is documented in your operator handoff.

Incidents and breaches

If we become aware of a credential leak, data exposure, or compromise affecting your instance, we notify you within 24 hours of confirmation with what we know, what we're doing about it, and what you should do on your side. We keep a written incident log for every event.

Cancellation and data export

At any time you can request a full export of content and configuration from your assistant instance. We deliver it in a standard format (JSON + markdown) within 7 calendar days at no additional cost. After an engagement ends, your data is exported (if requested) and then deleted from our systems within 7 calendar days, subject only to the legal retention requirement described in the "Data retention" section above.

Data residency

Your dedicated infrastructure is provisioned in Canada (Toronto DigitalOcean region) by default. US residency or other regions are available on request for compliance-sensitive engagements; price and availability depend on the provider.

Sub-processors

The third parties listed earlier in this policy act as sub-processors for AI assistant engagements. We do not add new sub-processors to an active engagement without notifying you in advance.

Changes to this policy

If this policy changes materially, we'll update the "Last updated" date at the top and, for active clients, notify you directly.

Contact

Questions about privacy go to info@obsidianailabs.ca. Obsidian AI Labs Inc., St. Thomas, Ontario, Canada.