PIPEDA & PIPA BC Compliance

1. Which law applies to us

PIPEDA (Personal Information Protection and Electronic Documents Act) is the federal Canadian law governing how private-sector businesses handle personal information. It applies to most commercial activity across Canada.

PIPA BC (Personal Information Protection Act) is the provincial equivalent in British Columbia. Because 1n1.ai is operated by Techalyst Software Inc. in Vancouver, PIPA BC applies to data we collect from BC residents, and PIPEDA applies to inter-provincial data flows for the rest of Canada.

The two laws are substantially similar. We meet both. If you want to know which one applies to your specific situation, the Office of the Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner for BC have helpful guidance.

2. The ten privacy principles, applied to 1n1.ai

PIPEDA is built around ten principles. Here is how we live each one.

1. Accountability

Techalyst Software Inc. is the data controller. The founder is the named privacy contact and can be reached at legal@1n1.ai. We are responsible for any personal information we collect, including data passed to our sub-processors (listed below).

2. Identifying purposes

We collect personal information for two clear purposes:

• To run your 1n1.ai account: log you in, bill you, and let you configure your AI agents.
• To deliver the AI receptionist service: answer your callers, transcribe the conversation, and email you the recap.

We do not use your data for any other purpose without asking you first.

3. Consent

You consent to our collection of your account information when you sign up. You can withdraw consent by deleting your account at any time.

For callers contacting businesses that use 1n1.ai: by default, our AI agents disclose during the greeting that the call may be recorded. The account holder (the business owner) is responsible for ensuring this matches their local jurisdiction's consent requirements. They can adjust the disclosure wording per agent.

4. Limiting collection

We collect only what we need to operate the service. From account holders: name, email, phone (optional), billing details, and the agent configurations they create. From callers: the audio of the call, the resulting transcript, and any details the caller voluntarily shares (such as their name, callback number, or appointment request).

5. Limiting use, disclosure, and retention

We use call data only to provide the recap to the account holder, to bill accurately for usage, to support the account holder if they have a question or dispute about a call, and to meet our legal and regulatory obligations. We do not sell it, share it with advertisers, or use it to train AI models. Retention windows:

Data type	Retention
Call audio recordings	Automatically deleted from storage 730 days after the call ends. Earlier deletion can be requested (see "Requesting permanent deletion" below).
Call transcripts, recap text, conversation metadata (caller number, duration, timestamps)	Retained while your account is active for billing accuracy, recap delivery, audit, and dispute resolution. Subject to manual deletion request.
Leads captured by your agent	You can delete any lead from your account dashboard at any time. Deletion from the dashboard is immediate.
Clients, Agents, Bookings, Phone Numbers	Archivable from your dashboard. Archived items are hidden from the active view and recoverable. Permanent erasure is by request.
Billing records (invoices, payment history)	Retained for at least 7 years as required by Canadian tax law (Income Tax Act recordkeeping). This applies even if you close your account.
Account information (active accounts)	Retained while your account is active.
Closed accounts	Closed accounts are retained in our records for billing reconciliation, dispute resolution, fraud prevention, and statutory compliance. Personal information no longer needed for those purposes is removed on request, subject to the review described below.

Requesting permanent deletion. You can request permanent erasure of your data at any time by emailing legal@1n1.ai from your account email. We review every request before processing to ensure it does not conflict with:

• An active billing dispute or chargeback;
• An open law enforcement request, preservation order, court order, or regulatory inquiry;
• An ongoing investigation into a suspected violation of our Terms of Service or Acceptable Use Policy, including fraud, money laundering, abuse, or unlawful activity;
• A statutory retention requirement under applicable Canadian or foreign law (such as Canada Revenue Agency tax recordkeeping, anti-money-laundering recordkeeping, or other applicable obligations).

Once we confirm no such conflict exists, we complete the deletion within 30 business days. If a specific record cannot be deleted, we will tell you the reason and the date the legal basis for retention is expected to expire. This review process is consistent with PIPEDA Principle 5 (limiting retention to what is necessary for the identified purposes and as required by law) and standard industry practice for SaaS service providers.

6. Accuracy

You can edit your account information, agent configurations, and uploaded knowledge files at any time through your 1n1.ai dashboard. If you spot an inaccuracy you cannot fix yourself, email us and we will correct it.

7. Safeguards

We use industry-standard security measures:

• Encryption in transit: TLS 1.2+ on every connection (HTTPS forced site-wide).
• Encryption at rest: AES-256 encryption applied automatically at the storage infrastructure layer (DigitalOcean Spaces) for all stored call recordings and uploads.
• Password hashing: bcrypt with per-user salt. We never see or store plain-text passwords.
• Two-factor authentication: available on every account. 2FA secrets stored encrypted.
• Access controls: only the account holder and accounts they explicitly grant admin access to can see their data. Our staff access is gated by role and logged.
• Sub-processor security: every sub-processor we use (listed below) maintains independent industry certifications (SOC 2, ISO 27001, or equivalent).

8. Openness

This page and our Privacy Policy document our practices in plain language. If anything is unclear, email legal@1n1.ai and we will explain.

9. Individual access

You can request a copy of your personal information at any time:

• Self-serve: download a JSON export of your account, agents, and recent conversation metadata from your Profile settings.
• Full export: for everything including audio recordings, email legal@1n1.ai and we will deliver it within 30 days.

10. Challenging compliance

If you believe we have mishandled your data, contact us first at legal@1n1.ai. We will respond within 30 days. If you are not satisfied with our response, you can file a complaint with either privacy commissioner (see section 7 below).

3. Data flow

The 1n1.ai stack is built and operated by us. The core component is bridge.1n1.ai, our own Node.js WebSocket server that mediates every live call. There are two paths depending on how the call comes in.

Web and embed calls

1. The visitor opens your site or our hosted page. The orb widget runs on-device voice activity detection (VAD) in the browser, so audio only streams when someone is speaking.
2. The browser opens a secure WebSocket (wss://) to bridge.1n1.ai and streams 16 kHz PCM audio chunks.
3. bridge.1n1.ai routes each audio chunk through our model router to one of our voice AI providers (Google Gemini, OpenAI, Anthropic Claude, Telnyx, Groq) for speech-to-text, LLM reasoning, and text-to-speech. We may add or swap providers over time to deliver the best quality.
4. The AI's response audio is streamed back through bridge.1n1.ai to the visitor's browser.
5. When the call ends, our Laravel backend records quota and finalizes the conversation. A Horizon worker extracts leads and queues the recap email.

Phone calls

1. The caller dials your 1n1.ai number. Telnyx (our PSTN carrier) accepts the call and notifies our Laravel backend via webhook.
2. If you have configured human-first answering for that number, Telnyx tries your human number first (rings up to 15 seconds, no AI involved, not recorded). If a human answers, the call stays private end-to-end.
3. If no one picks up (or human-first is not configured), Telnyx bridges the call's audio to bridge.1n1.ai as 20 ms PCM frames over WebSocket.
4. From there, the flow is identical to the web path: model router, voice AI providers for STT/LLM/TTS, response streamed back through Telnyx to the caller.
5. When the call ends, the Laravel backend finalizes and the Horizon worker extracts leads and sends the recap email.

Where data ends up

Conversations, leads, and client records are written to our MySQL database (DigitalOcean Toronto). Audio recordings are stored as chunked WAV files in S3-compatible object storage (also DigitalOcean Toronto). The recap email is delivered via Resend.

The voice AI providers process audio in real time and do not retain it for their own use. The PSTN carrier holds audio only for the duration of the call. Only the components we operate (bridge.1n1.ai, the Laravel backend, MySQL, object storage) persist your data, and they all run in Canadian data centers.

4. Data residency

All persistent customer data (database rows, transcripts, audio recordings, uploaded knowledge files) is stored in Canadian data centers, specifically DigitalOcean's Toronto region.

Real-time voice and language processing happens on servers operated by our voice AI providers (Google Gemini, OpenAI, Anthropic Claude, Telnyx, Groq, and any others we add over time). These providers may process data in their own global infrastructure. We do not control where their real-time inference runs; however, they process audio in real time and do not retain it after the call ends.

5. Sub-processors

We use the following sub-processors to deliver the service. Each is bound by a data processing agreement and maintains its own industry-standard security certifications.

Sub-processor	Purpose	Data handled
DigitalOcean (Toronto, Canada)	Application hosting, database, file storage (Spaces)	All account and call data at rest
Google Gemini, OpenAI, Anthropic Claude, Telnyx, Groq	Voice AI providers used for real-time conversation, text-to-speech (TTS), speech-to-text (STT), transcription, and agent prompt generation. We may switch providers or add new ones over time to deliver the best voice quality and reliability.	Audio stream and transcript during the call; account holder's business description and uploaded knowledge files at agent-creation time. None of these providers retain your data for their own use or AI training.
Telnyx	Phone number provisioning and PSTN call delivery	Caller phone number, call audio during the call only
Stripe	Subscription billing and payment processing	Billing name, email, and payment method (Stripe handles card data; we never see it)
Resend	Transactional email (recaps, account notifications)	Recipient email address, message content
Google and Apple (identity providers, only used if the account holder chooses to sign in with one of them)	Identity verification at sign-in via OAuth / Sign in with Apple	Provider's stable user identifier, name (Apple sends name on first sign-in only), and email address (which may be Apple's private email relay). No call data, leads, or account content is shared back to these providers.

We do not engage new sub-processors that handle your data without updating this list. You can subscribe to changes by emailing legal@1n1.ai and requesting sub-processor change notifications.

6. Your rights

Under PIPEDA and PIPA BC, you have the right to:

• Access the personal information we hold about you.
• Correct any inaccurate information.
• Withdraw consent at any time (this means closing your account).
• Receive a copy of your personal information in a portable format (JSON export).
• Request deletion of your personal information.
• Be informed of any breach affecting your data within 72 hours of our becoming aware of it.

To exercise any of these rights, email legal@1n1.ai. We respond within 30 days.

7. Complaints

If you are not satisfied with our response to a privacy concern, you have the right to file a formal complaint with either:

8. Breach notification

If we discover a breach that creates a real risk of significant harm to your personal information, we will:

• Notify you directly by email within 72 hours of confirming the breach.
• Notify the Office of the Privacy Commissioner of Canada as required by PIPEDA.
• Maintain an internal record of the breach for a minimum of two years.

The notification will include what data was affected, what we are doing about it, and what you can do to protect yourself.

9. Children's data

1n1.ai is built for business owners. Account holders must be at least 18 years old. We do not knowingly collect personal information from children under 13. If you believe a child has provided information to us, email legal@1n1.ai and we will delete it.

10. What this page does not cover

This page focuses on our own collection and handling of personal information. As an account holder, you are responsible for your own compliance obligations when you use 1n1.ai to collect data from your customers (the callers). Specifically:

• Caller consent: confirm the recording disclosure on your agent matches your jurisdiction's requirements (most Canadian provinces allow one-party consent recording, but you should verify for your industry).
• Caller data: data captured during calls (caller phone numbers, voice content, anything they share) belongs to your business. You are the data controller for that data; we are your sub-processor. You should have your own privacy policy that explains how you handle caller information.
• Industry-specific rules: regulated industries (legal, medical, financial) may have additional obligations (PHIPA in Ontario, the Health Information Act in Alberta, etc.). Consult a lawyer if you are unsure.

11. Changes to this page

If we materially change our PIPEDA practices, we will update this page and notify active account holders by email at least 30 days before the change takes effect.

12. Contact

For any privacy question, email legal@1n1.ai. We aim to respond within 5 business days.