Privacy Policy

TAATIQ Technology Inc.  ·  Last Updated: March 2026

1. Scope and Who This Policy Covers

This Privacy Policy ("Policy") applies to all personal data processed by TAATIQ Technology Inc. ("TAATIQ," "we," "our," or "us") in connection with:

  • The TAATIQ website and all associated subdomains (collectively, the "Site")
  • The TAATIQ AI intelligent agent platform, APIs, and related software ("Platform")
  • Demonstrations, trials, and proof-of-concept engagements
  • Sales, marketing, and support communications
  • Any other context in which TAATIQ collects personal data

This Policy applies to:

  • Prospective and current enterprise clients and their authorized users
  • End customers whose interactions are handled by TAATIQ-powered agents on behalf of our clients
  • Website visitors
  • Job applicants
  • Partners and vendors

This Policy does not apply to data processed by our enterprise clients using the TAATIQ Platform on their own customers' behalf, where the client is the data controller and TAATIQ acts as a data processor, nor to data processed by TAATIQ's suppliers and partners. In those contexts, the privacy policy of the relevant client, supplier, and/or partner governs. Clients' data processing obligations are addressed in separate Data Processing Agreements (DPAs).

2. Who We Are – Data Controller Details

TAATIQ is the data controller responsible for the personal data processed through the Site and in connection with our direct marketing, sales, and recruitment activities.

Legal Name: TAATIQ Technology Inc.
Registered: Ontario, Canada
Data Controller: TAATIQ
DPO / Privacy: info@taatiq.ai
Website: www.taatiq.com

Where TAATIQ processes personal data on behalf of an enterprise client (e.g., processing end-customer interactions through the Platform), TAATIQ acts as a data processor under instructions from the client as data controller.

3. Information We Collect

We collect personal data in three principal ways: information you provide to us directly, information generated automatically when you use our Site or Platform, and information we receive from third parties.

3.1 Information You Provide Directly

  • Identity data: first name, last name, job title, company name
  • Contact data: business email address, phone number, mailing address
  • Account credentials: username and encrypted password for Platform access
  • Communication data: messages, enquiries, and correspondence sent to us
  • Transaction data: billing information, contract details, purchase history
  • Preference data: communication preferences, consent records
  • Recruitment data: CV/résumé, cover letter, employment history, references

3.2 Information Collected Automatically

  • Technical data: IP address, browser type and version, operating system, device identifiers
  • Usage data: pages visited, features accessed, session duration, clickstream data
  • Location data: approximate geographic location derived from IP address
  • Cookie and tracking data: as described in Section 6
  • Log data: server logs, error reports, performance metrics

3.3 Information from Third Parties

  • Business intelligence data from providers such as LinkedIn, ZoomInfo, or any other provider used for B2B prospecting
  • Integration data passed through connected enterprise systems (CRM, scheduling, ticketing)
  • Referral data from partners or ecosystem integrators
  • Publicly available professional information (e.g., company websites, LinkedIn profiles)

3.4 Special Categories of Data

TAATIQ does not intentionally collect special category data (health, racial or ethnic origin, political opinions, religious beliefs, biometric data, etc.). If our Platform is deployed in a context where such data may be incidentally disclosed (e.g., a healthcare client's customers), this is governed by the applicable DPA and the client's data controller obligations.

4. How and Why We Use Your Information

We use personal data only for specified, explicit, and legitimate purposes. The table below sets out each purpose, the categories of data involved, and the legal basis relied upon.

Purpose | Data Categories | Legal Basis
Providing and operating the Platform | Identity, Contact, Account, Usage | Contract performance
Processing demo and sales enquiries | Identity, Contact, Communication | Pre-contractual steps / Legitimate interests
Account management and client onboarding | Identity, Contact, Transaction | Contract performance
Billing and invoicing | Identity, Contact, Transaction | Contract performance / Legal obligation
Customer support and troubleshooting | Identity, Contact, Technical, Communication | Contract performance / Legitimate interests
Platform security and fraud prevention | Technical, Usage, Log data | Legitimate interests / Legal obligation
Analytics and performance improvement | Usage, Technical (aggregated/anonymized) | Legitimate interests
Marketing communications (opted-in) | Identity, Contact, Preference | Consent
Re-marketing to existing clients | Identity, Contact, Usage | Legitimate interests
Regulatory and legal compliance | All relevant categories | Legal obligation
Recruitment and HR administration | Identity, Contact, Recruitment | Pre-contractual steps / Legal obligation

We will never use your personal data for purposes incompatible with those stated above, nor sell or rent your data to third parties for their own marketing purposes.

5. Legal Bases for Processing (GDPR / UK GDPR)

For individuals located in the European Economic Area (EEA) or the United Kingdom, we are required to identify a valid legal basis for each processing activity. We rely on the following bases:

5.1 Contract Performance (Article 6(1)(b) GDPR)

Processing necessary to enter or perform a contract with you – including operating the Platform, managing accounts, and providing support.

5.2 Legal Obligation (Article 6(1)(c) GDPR)

Processing required to comply with applicable laws, including tax and accounting obligations, anti-money-laundering requirements, and regulatory obligations.

5.3 Legitimate Interests (Article 6(1)(f) GDPR)

Processing where we have a legitimate business interest that is not overridden by your rights and interests. This includes Platform security, fraud prevention, service improvement, and B2B marketing to existing or prospective clients. We conduct Legitimate Interests Assessments (LIAs) for all processing relying on this basis.

5.4 Consent (Article 6(1)(a) GDPR)

Where you have freely given, specific, informed, and unambiguous consent – including for non-essential cookies and direct marketing to individuals. You may withdraw consent at any time without affecting prior processing.

6. Cookies and Tracking Technologies

Our Site uses cookies and similar technologies to provide functionality, analyse performance, and (where consented) personalise your experience. A cookie is a small text file stored on your device.

Category | Purpose | Examples | Consent Required?
Strictly Necessary | Essential to Site function; cannot be disabled | Session tokens, load balancers, CSRF protection | No – exempt
Functional / Preference | Remember your settings and preferences | Language, region, demo form pre-fill | Yes
Analytics & Performance | Measure usage and improve the Site | Google Analytics 4, Hotjar, Segment | Yes
Marketing & Re-targeting | Deliver relevant advertising and track campaign ROI | LinkedIn Insight, Google Ads, HubSpot tracking | Yes

You can manage or withdraw cookie consent at any time via our Cookie Preference Centre, accessible from the footer of every page. Withdrawing consent does not affect prior lawful processing.

7. How We Share Your Information

We do not sell, rent, or trade your personal data. We share data only in the following circumstances, and only with parties who are contractually required to protect it:

7.1 Service Providers and Sub-processors

We engage carefully vetted third-party vendors to support our operations. These include:

  • Cloud infrastructure providers (e.g., AWS, Google Cloud, Microsoft Azure)
  • CRM and sales tools (e.g., HubSpot, Salesforce)
  • Communication platforms (e.g., Twilio, SendGrid)
  • Analytics providers (e.g., Google Analytics, Segment)
  • Payment processors (e.g., Stripe)
  • Customer support platforms (e.g., Intercom, Zendesk)

All sub-processors are bound by Data Processing Agreements that restrict use of your data to our documented instructions.

7.2 Enterprise Clients

Where TAATIQ acts as a data processor for an enterprise client, we share relevant interaction data with that client as required to deliver the contracted service. This is governed by the applicable DPA.

7.3 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of all or part of our business, personal data may be transferred to the acquiring entity. We will notify affected individuals before their data is transferred and becomes subject to a different privacy policy.

7.4 Legal and Regulatory Disclosure

We may disclose personal data where required by law, court order, regulatory authority, or to protect the rights, property, or safety of TAATIQ, our clients, or the public. We will notify you of such requests where legally permitted to do so.

7.5 With Your Consent

We may share data for purposes not listed here with your explicit prior consent.

8. International Data Transfers

TAATIQ operates globally. Personal data may be transferred to and processed in countries outside your country of residence, including countries that may not provide the same level of data protection as your jurisdiction.

Where we transfer personal data originating from the EEA, UK, or Switzerland to countries not recognized as providing adequate protection, we rely on the following safeguards:

  • European Commission Standard Contractual Clauses (SCCs) – Module 2 (Controller to Processor) and Module 3 (Processor to Processor) as applicable
  • UK International Data Transfer Agreements (IDTAs) for UK-originating transfers
  • Binding Corporate Rules (BCRs) where applicable and approved
  • Adequacy decisions recognized by the relevant authority

A copy of our current transfer mechanisms is available upon request at privacy@taatiq.ai.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or to comply with applicable legal, regulatory, accounting, or reporting requirements.

Data Category | Retention Period | Basis for Retention
Active client account data | Duration of contract + 7 years | Contract; legal/tax obligations
Prospect and marketing data | 3 years from last engagement | Legitimate interests; consent
Platform interaction logs | 90 days (rolling) | Security; service delivery
Support and correspondence records | 5 years from resolution | Legitimate interests; legal claims
Invoice and financial records | 7 years (or local statutory minimum) | Legal obligation
Cookie consent records | 3 years from consent event | Accountability obligation
Recruitment data (unsuccessful) | 12 months from decision | Legitimate interests (legal claims)
Anonymized analytics data | Indefinite (not personal data) | N/A – anonymized

At the end of the applicable retention period, data is securely deleted or irreversibly anonymized. Backup copies are purged within 30 days of the primary deletion schedule.

10. Security of Your Information

We implement a layered security programme proportionate to the risks associated with processing personal data in an enterprise AI environment. Our measures include:

Technical Controls

  • AES-256 encryption for data at rest; TLS 1.2+ for data in transit
  • Role-based access controls (RBAC) with least-privilege principles
  • Multi-factor authentication (MFA) mandatory for all system access
  • Continuous penetration testing and vulnerability scanning
  • Intrusion detection and security information and event management (SIEM)
  • Automatic session expiry and anomaly-based access monitoring

Operational Controls

  • Annual third-party security audits (SOC 2 Type II in progress)
  • Data processing agreements with all sub-processors
  • Background screening for employees with access to personal data
  • Security awareness training for all staff – mandatory, annual
  • Documented incident response plan with defined SLAs

Incident Response

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where required by applicable law), and affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

11. Your Rights and How to Exercise Them

Depending on your jurisdiction, you may have the following rights in relation to your personal data. We honour all applicable rights regardless of where you are located.

Right | What It Means | Jurisdictions
Right of Access | Obtain a copy of the personal data we hold about you | EEA, UK, CA, US*
Right to Rectification | Correct inaccurate or incomplete personal data | EEA, UK, CA, US*
Right to Erasure | Request deletion of your personal data where no legal ground to retain exists | EEA, UK, CA
Right to Restriction | Limit how we process your data in certain circumstances | EEA, UK
Right to Portability | Receive your data in a structured, machine-readable format | EEA, UK
Right to Object | Object to processing based on legitimate interests or direct marketing | EEA, UK
Right to Opt-Out of Sale | Opt out of any sale or sharing of your personal data | US (CCPA/CPRA)
Right to Non-Discrimination | We will not discriminate for exercising privacy rights | US (CCPA/CPRA)
Right to Withdraw Consent | Withdraw consent at any time without penalty | All jurisdictions
Right to Lodge a Complaint | Complain to your local supervisory authority | EEA, UK, CA

* US rights vary by state. See Section 17 for state-specific detail.

How to Submit a Request

Submit data rights requests by emailing privacy@taatiq.ai with the subject line "Privacy Rights Request" and sufficient information for us to verify your identity. We will respond within 30 days (EEA/UK: one calendar month). Where we cannot fulfil a request, we will explain why.

You will never be charged a fee for exercising your rights unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline – and will explain our reasoning in writing.

12. AI-Specific Processing Disclosures

Given the nature of the TAATIQ AI Platform, we are committed to transparency about how AI systems interact with personal data. This section supplements the standard privacy disclosures above.

12.1 Automated Decision-Making and Profiling

TAATIQ AI agents engage in automated processing to understand customer intent and determine appropriate responses. This constitutes automated processing under applicable privacy law. Where such processing produces legal or similarly significant effects on individuals, we ensure that:

  • Individuals are informed that automated processing is occurring
  • A human review option is available upon request
  • Meaningful information about the logic involved is provided on request

In practice, most TAATIQ interactions are operational in nature (answering queries, booking appointments) and do not produce significant legal effects.

12.2 AI Model Training

TAATIQ AI does not use personal data from client deployments to train, fine-tune, or improve our underlying AI models without explicit written consent from the data controller and, where required by law, the affected individuals. Any model training using client interaction data is governed by specific contractual provisions in the applicable DPA.

12.3 Voice and Conversation Data

Where the Platform processes voice interactions:

  • Call recording and transcription may occur – end customers are informed via a disclosure message at the start of the interaction
  • Voice recordings are retained for the period specified in the client's DPA (default: 90 days)
  • Transcripts may be shared with the client for quality and service purposes
  • Biometric voice data is not extracted or stored for identification purposes

12.4 Conversational Data and Contextual Intelligence

Conversation histories may be processed to maintain context within a single session and, where configured by the client, across sessions to deliver a more personalized experience. Cross-session data processing is disclosed to end customers by the relevant client under their own privacy obligations.

TAATIQ is committed to responsible AI practices aligned with emerging regulatory frameworks including the EU AI Act, the NIST AI Risk Management Framework, and applicable sectoral guidelines.

13. Children's Privacy

The TAATIQ Platform and website are designed for and directed exclusively to business professionals and enterprise users. We do not knowingly collect, process, or retain personal data from individuals under the age of 18 (or the applicable age of digital consent in their jurisdiction).

If we become aware that we have inadvertently collected personal data from a minor, we will delete it promptly. If you believe we may hold data relating to a child, please contact info@taatiq.com immediately.

14. Third-Party Links and Integrations

Our Site may contain links to third-party websites, and our Platform integrates with third-party enterprise systems. Once you leave our Site or interact with third-party services, this Policy no longer applies.

We are not responsible for the privacy practices of third-party sites or services. We encourage you to review the privacy policies of any third parties you interact with. Our enterprise integration partners are listed in our current sub-processor registry, available at info@taatiq.com.

15. Changes to This Policy

We review and update this Policy at least annually, and whenever there are material changes to our processing activities, applicable law, or regulatory guidance. The "Last Updated" date at the top of this document reflects the most recent revision.

For material changes that affect your rights or how we process your data, we will provide notice by:

  • Prominently posting the updated Policy on our Site
  • Sending an email notification to active users and clients
  • Where required by law, obtaining fresh consent before processing under the new terms

Your continued use of our Site or Platform after the effective date of a revised Policy constitutes your acknowledgement of the changes. Where changes require your consent, we will seek it explicitly.

16. How to Contact Us

We welcome questions, concerns, and feedback about this Policy and our data practices. We aim to respond to all enquiries within 5 business days.

Privacy & Data Enquiries: info@taatiq.com
Subject Line: Privacy Enquiry / Privacy Rights Request / Data Breach Report
Address: TAATIQ Technology Inc. (Ontario, Canada), www.taatiq.com
Response Commitment: Acknowledgement within 2 business days; substantive response within 30 calendar days

If you are located in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk. In the EEA, contact your national data protection authority.

17. Jurisdiction-Specific Addenda

Addendum A – Canada (PIPEDA / Quebec Law 25)

For Canadian residents, personal data is collected and processed in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and, for Quebec residents, An Act to modernize legislative provisions as regards the protection of personal information (Law 25 / Bill 64).

Key rights under Canadian law include the right to access your personal information and to challenge its accuracy. Privacy complaints may be directed to the Office of the Privacy Commissioner of Canada at priv.gc.ca.

Quebec-specific requirements: We conduct Privacy Impact Assessments (PIAs) before any new collection or processing initiative. Our PIA register is maintained and available to the Commission d'accès à l'information upon request.

Addendum B – United States (CCPA / CPRA and State Laws)

For residents of California and other US states with applicable privacy legislation, the following additional rights and disclosures apply.

California (CCPA / CPRA)

Under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), California residents have the right to:

  • Know what personal information is collected, used, shared, or sold
  • Delete personal information collected from them (with exceptions)
  • Opt out of the sale or sharing of personal information – we do not sell personal information
  • Correct inaccurate personal information
  • Limit use of sensitive personal information
  • Non-discrimination for exercising CCPA rights

TAATIQ does not sell personal information as defined by the CCPA. We do not share personal information for cross-context behavioural advertising without consent.

To submit a CCPA rights request: email info@taatiq.com with subject line "CCPA Request". We will verify your identity before processing any request.

Other US States

We acknowledge and respect the privacy rights established under the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and other applicable state laws. Requests from residents of these states will be processed in accordance with the rights granted under their respective laws.

Addendum C – European Economic Area & United Kingdom (GDPR / UK GDPR)

The GDPR (Regulation (EU) 2016/679) and UK GDPR apply to our processing of personal data of individuals located in the EEA and UK respectively. All processing activities described in this Policy comply with GDPR principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.

Our nominated representative for EU data protection matters and lead supervisory authority will be confirmed upon formal establishment of our EU entity. UK processing is overseen by the ICO.

© 2026 TAATIQ Technology Inc. All rights reserved.  ·  www.taatiq.com