Aurora Digital Solutions Inc. ("Aurora", "we", "our", "us"), a federally incorporated Canadian corporation operating as Aurora Designs, is the data controller for the personal information described in this policy. We are committed to handling personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), Quebec's Act respecting the protection of personal information in the private sector (Law 25), and Canada's Anti-Spam Legislation (CASL).
1. Who we are
Aurora is a Canadian AI automation consultancy headquartered in Toronto, Ontario. In addition to our consulting practice, we provide M&A target-research engagements to named institutional clients.
Privacy Officer (PIPEDA Principle 1 — Accountability)
The individual accountable for our compliance with this policy is:
Direct all privacy questions, access requests, correction requests, deletion requests, opt-outs, and complaints to the Privacy Officer at the address above.
2. Information we collect
2.1 Website visitors
When you visit aurora-designs.ca, we collect:
- Server logs — IP address (truncated where feasible), user agent string, referring URL, timestamps, and HTTP response codes, generated automatically by our hosting provider for security and abuse-prevention purposes
- Analytics data — pseudonymous interaction data (pages viewed, session duration, device class, approximate region) collected via Google Analytics 4 (see Section 4)
- Direct submissions — name, business email, organization, and any free-text content you provide if you contact us by email or book a meeting via Calendly
2.2 M&A engagement data
When Aurora is retained for a target-research engagement, we process publicly available business contact information about company officers, including:
- Name and job title (e.g., CEO, CFO, owner)
- Business email address and business telephone number
- Organization name, address, sector, and ownership data
- Public award, contract, or grant records associated with the organization
This data is sourced from US federal public-record systems — including USASpending.gov, SAM.gov, and SBIR.gov — and from public web sources. It is entity-level B2B information, not consumer data.
Aurora relies on the business contact information exemption in PIPEDA s. 4.01 where applicable: when we collect, use, or disclose name, title, work address, work telephone, or work email solely to enable a business communication, the substantive PIPEDA principles do not apply to that processing. Where data falls outside s. 4.01 (for example, if it is enriched with non-business attributes), the full PIPEDA regime applies.
2.3 What we do not collect
- We do not collect government-issued identifiers (SIN, SSN, driver's licence, passport)
- We do not collect financial account numbers, payment card details, or credit data
- We do not collect biometric, health, precise geolocation, or other sensitive personal information as defined by CPRA s. 1798.140(ae)
- We do not knowingly collect data about anyone under 18 years of age
3. Why we collect it (legal basis)
We collect personal information only for purposes a reasonable person would consider appropriate (PIPEDA s. 5(3)).
Under PIPEDA
- Legitimate business purpose — providing M&A target-research services to named engagement clients, communicating with prospects who reach out to us, securing our website, and meeting our contractual, tax, and legal obligations
- Implied consent — for processing of publicly available business contact information (PIPEDA s. 4.01 and Schedule 1, clause 4.3.6, plus the publicly-available-information regulations under the Act)
- Express consent — for any direct marketing communications and any processing that goes beyond what s. 4.01 contemplates
Under CCPA/CPRA
Aurora processes California-resident data only as necessary for our legitimate B2B research and consulting purposes. Aurora does not sell or share personal information as those terms are defined in CCPA s. 1798.140 and we do not engage in cross-context behavioural advertising. The B2B exemption to CCPA expired on January 1, 2023; California-resident officers in our research data therefore have the full set of consumer rights described in Section 10.
4. Cookies & analytics
aurora-designs.ca uses a small number of cookies and similar technologies:
- Strictly necessary — set by our hosting provider for security and load-balancing
- Analytics — Google Analytics 4 (measurement ID G-6CFNJDK3VB) sets cookies (e.g., _ga, _ga_*) to measure pseudonymous site usage. IP addresses are truncated by Google before storage
You can:
- Refuse non-essential cookies in your browser settings
- Install the Google Analytics opt-out browser add-on
- Send a Global Privacy Control signal — we honour GPC signals from California residents as a valid opt-out of sale and sharing
5. Sub-processors & sharing
We use the following sub-processors. Each is engaged under terms that require it to process personal information only on our instructions and to maintain comparable safeguards. Sub-processors are headquartered in the United States unless otherwise noted.
Infrastructure & analytics
- Cloudflare, Inc. — website hosting (Cloudflare Pages), DNS, content delivery, edge security. Data centres: global.
- Google LLC — Google Analytics 4 (web analytics).
Business operations
- Google LLC (Google Workspace) — business email, calendar, Drive document storage.
- Calendly LLC — appointment booking, used only when you choose to book a meeting.
- Notion Labs, Inc. — internal workspace, engagement notes, and project documentation.
AI-assisted research & productivity
- Anthropic, PBC (Claude) — AI assistant used for research, drafting, and analysis support. Engaged on commercial terms that exclude inputs from model training.
- OpenAI, L.L.C. (ChatGPT) — AI assistant used for research, drafting, and analysis support. Engaged on tiers (API / Team / Enterprise) that exclude inputs from model training.
- Sana Labs AB (Sana.ai), a Workday, Inc. company — AI-assisted knowledge management and learning. Acquired by Workday in November 2025. Data processing in the European Economic Area and the United States.
- Granola AI, Inc. — AI meeting transcription and note-taking. We have configured the workspace-level opt-out so that meeting content is not used to train Granola's AI models.
- Komodo Technologies, Inc. (kommodo.ai) — screen-recording tool used for internal documentation, training material, and process walkthroughs. We do not route identifiable engagement personal information through Komodo.
Design & creative tools
- Figma, Inc. — design and prototyping. Engaged as a sub-processor only where designs incorporate identifiable personal information (e.g., client logos or contact mocks).
- Canva Pty Ltd — graphic design. Engaged as a sub-processor only where designs incorporate identifiable personal information. Headquartered in Australia.
Aurora's developer tooling (including Microsoft Visual Studio / VS Code) operates on a developer's local device and does not function as a sub-processor of engagement personal information.
We share engagement deliverables only with the named client who retained us for that engagement, under a written engagement contract that includes confidentiality and data-handling terms. We do not sell, license, rent, or syndicate engagement data to any third party, and we do not redistribute the data after delivery.
We may disclose personal information without your consent where required or permitted by law (PIPEDA s. 7(3)), including in response to a lawful subpoena, warrant, or court order; to investigate a breach of an agreement or contravention of law; or to protect the rights, property, or safety of Aurora, our clients, or others.
6. Cross-border transfers
Personal information processed by Aurora may be transferred to, stored in, or accessed from the United States:
- By our sub-processors listed in Section 5, all of whom are US-based
- By our M&A engagement clients, who are US-based and receive engagement deliverables
While in another jurisdiction, personal information may be subject to the laws of that jurisdiction and may be accessed by its courts, law enforcement, and national-security authorities — including, in the United States, under the CLOUD Act, the Foreign Intelligence Surveillance Act (FISA s. 702), and Executive Order 12333. We disclose this transfer in accordance with the Office of the Privacy Commissioner of Canada's Guidelines for processing personal data across borders (January 2009, as updated).
To require comparable protection, we use contractual safeguards:
- Data Processing Addenda with each sub-processor binding them to PIPEDA's ten fair information principles
- Engagement contracts with M&A clients that impose confidentiality, purpose-limitation, and deletion-on-completion obligations
Where Quebec-resident data is in scope, we conduct a Privacy Impact Assessment before any transfer outside Quebec, as required by Law 25 s. 17.
7. Data retention
We retain personal information only as long as necessary to fulfil the purpose for which it was collected, or as required by law:
- Engagement deliverables and working data — deleted from Aurora-controlled systems at the earlier of (a) termination of the relevant client engagement, or (b) thirty-six (36) months after the last engagement-related activity. We do not maintain archival copies of engagement data after deletion. We maintain a record of destruction noting the date and manner of deletion.
- Server access logs — retained for up to 90 days for security and abuse-prevention purposes, then automatically deleted
- Analytics data — Google Analytics retention is set to 14 months; aggregated reporting data may persist longer
- Direct correspondence (email, contact-form submissions) — retained for the duration of any business relationship plus the limitation period under the Ontario Limitations Act, 2002 (typically 2 years), then deleted
- Tax and accounting records — retained for 6 years from the end of the relevant tax year, as required by the Income Tax Act
If you ask us to delete personal information sooner under your rights below, we will do so unless a statutory retention obligation prevents it.
8. Safeguards
We implement physical, organizational, and technological safeguards proportionate to the sensitivity of the information (PIPEDA Principle 7):
- Encryption in transit (TLS 1.2+) for all web traffic and email
- Encryption at rest for engagement data on Aurora-controlled systems
- Multi-factor authentication on all administrative accounts
- Role-based access controls; engagement data is accessible only to the personnel working on that engagement
- No cloud replication or backup of engagement data outside the systems necessary to perform the engagement
- Sub-processor due diligence and written data-processing agreements
- Documented deletion of engagement data at project completion
- Privacy training on engagement and annually thereafter for all Aurora personnel, associates, and contractors with access to engagement data; each individual annually certifies their compliance with this policy and any client-specific confidentiality obligations
No system can be guaranteed perfectly secure. We do not warrant absolute security but commit to the safeguards above and to prompt notification in the event of a breach (Section 15).
9. Your rights — PIPEDA (Canada)
Under PIPEDA you have the right to:
- Access — request confirmation of whether we hold personal information about you, what we hold, how it is being used, and to whom it has been disclosed (Principle 9)
- Correct — request correction of inaccurate or incomplete personal information. Where we agree the record is inaccurate, we will amend it; the original entry is retained alongside the correction. Where we decline to correct (for example, because the request pertains to a professional opinion made in good faith, or because we are unable to verify the alleged inaccuracy), you have the right to append a short statement of disagreement to your record, and we will note the disagreement on subsequent uses or disclosures of the information
- Withdraw consent — at any time, subject to legal or contractual restrictions and reasonable notice
- Challenge our compliance — escalate concerns to our Privacy Officer (Principle 10)
To exercise any of these rights, email the Privacy Officer at [email protected]. To protect your privacy, we will verify your identity before disclosing personal information or making any change to a record. Verification is proportionate to the sensitivity of the request and may include confirmation of identifiers we already hold. We will respond within 30 days of receiving a verifiable request (PIPEDA s. 8(3)), with a single extension of up to 30 additional days if necessary, on written notice to you. Where we cannot fulfil a request — for example, because the data has been deleted at engagement completion — we will explain the reason.
If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada:
10. Your rights — California (CCPA/CPRA)
If you are a California resident, you have the following rights under the CCPA as amended by the CPRA:
- Right to know what personal information we collect, the sources, the purposes, and the categories of recipients
- Right to delete the personal information we hold about you, subject to statutory exceptions
- Right to correct inaccurate personal information
- Right to opt out of sale or sharing — Aurora does not sell or share personal information, so this right is honoured by default. We honour Global Privacy Control (GPC) signals as a valid opt-out
- Right to limit use of sensitive personal information — Aurora does not collect sensitive personal information as defined in CPRA s. 1798.140(ae)
- Right to non-discrimination — we will not deny services, charge different prices, or provide a lesser quality of service because you exercised any right
Categories of personal information collected in the past 12 months: Identifiers (CCPA s. 1798.140(v)(1)(A)) — name, business email, business phone, IP address. Internet/network activity (s. 1798.140(v)(1)(F)) — analytics interaction data. Professional information (s. 1798.140(v)(1)(I)) — job title, employer, public award/contract records. Sources: directly from you, US federal public-record systems, public web sources, and our analytics provider. Categories of recipients: our sub-processors (Section 5) and our named engagement clients.
To exercise any right, email [email protected]. We will respond within 45 calendar days, extendable once by an additional 45 days on written notice. Authorized agents may submit requests on your behalf with verifiable authorization.
You may also contact the California Privacy Protection Agency at cppa.ca.gov or the California Attorney General at oag.ca.gov/privacy/ccpa.
11. Your rights — Quebec (Law 25)
If you reside in Quebec, the rights in Section 9 apply, plus the following Quebec-specific protections under the Act respecting the protection of personal information in the private sector:
- Privacy Impact Assessment — we conduct a PIA before transferring Quebec-resident personal information outside Quebec or implementing any project that involves the acquisition, development, or overhaul of an information system involving personal information (Law 25 s. 3.3, s. 17)
- Automated decision-making — Aurora does not currently use exclusively automated decision-making to render decisions about individuals. If we ever do, we will inform you, allow you to submit observations, and offer human review on request (Law 25 s. 12.1)
- Data portability — request that personal information you have provided to us be communicated to you in a structured, commonly used technological format, or to another organization you designate (Law 25 s. 27)
- De-indexing — request that we cease disseminating personal information about you, or de-index a hyperlink, where dissemination contravenes the law or a court order or causes serious injury (Law 25 s. 28.1)
Direct all Quebec-related requests to the Privacy Officer. You may also file a complaint with the Commission d'accès à l'information du Québec at cai.gouv.qc.ca.
12. Commercial messages (CASL)
Where Aurora sends commercial electronic messages (CEMs) to recipients in Canada, we comply with Canada's Anti-Spam Legislation (S.C. 2010, c. 23):
- Sender identification — every CEM identifies Aurora Digital Solutions Inc. as the sender and includes a contact mechanism (this email or web URL) valid for at least 60 days from the date the message is sent
- Consent basis — we send CEMs only where we have express consent, an applicable existing business or non-business relationship (CASL s. 10(9)–(13)), or a conspicuous publication of the recipient's business contact information (CASL s. 10(9)(b)) where the message is relevant to the recipient's business role
- Unsubscribe — every CEM includes a working unsubscribe mechanism that requires no payment, no account creation, and no information beyond an email address. We process unsubscribe requests within 10 business days
- Records — we retain proof of consent for at least 3 years
To unsubscribe from all Aurora communications, use the unsubscribe link in any message you receive, or email [email protected] with the subject "Unsubscribe."
13. Children's data
aurora-designs.ca and our services are directed to businesses, not to individuals under the age of majority. We do not knowingly collect personal information from anyone under 18, or under 13 in any jurisdiction subject to the US Children's Online Privacy Protection Act. If you believe we hold information about a minor, contact the Privacy Officer and we will delete it.
14. No sale, no AI training
We commit to the following:
- We do not sell, rent, license, or syndicate personal information to any third party
- We do not share personal information for cross-context behavioural advertising
- We do not use engagement data, contact submissions, or website-visitor data to train, fine-tune, or evaluate any artificial-intelligence or machine-learning model that Aurora owns, operates, or controls
Third-party AI tools
Aurora uses a number of third-party AI tools as sub-processors (Section 5). These tools have different default behaviours regarding model training. We apply the following operational rules to ensure engagement personal information is not used to train AI models:
- Tools that exclude customer inputs from training by default (such as Sana, and Anthropic's commercial Claude tier) — used as sub-processors without further restriction on the type of content routed through them, subject to the safeguards in Section 8.
- Tools that train on customer inputs by default but offer an opt-out (such as Granola, and ChatGPT on tiers that permit training opt-out) — Aurora configures the available opt-out before any engagement personal information is routed through the tool. Aurora maintains the opt-out as an account-level setting and re-verifies it on a periodic basis.
- Tools whose public terms do not document a training opt-out — Aurora does not route identifiable engagement personal information through such tools. Use is limited to internal documentation, public information, or content that has been redacted of identifiable personal information.
Aurora's use of AI tools is supervised: outputs are reviewed by Aurora personnel before they are relied upon, and no decision producing legal or similarly significant effects is rendered by an automated system without human oversight (see Section 11 on Quebec Law 25 automated decision-making).
15. Breach notification
In the event of a breach of security safeguards involving personal information under our control:
- PIPEDA — where the breach creates a real risk of significant harm, we will report to the OPC and notify affected individuals as soon as feasible (PIPEDA s. 10.1) and maintain a record of every breach for 24 months
- Quebec Law 25 — where the breach involves Quebec-resident data and presents a risk of serious injury, we will notify the Commission d'accès à l'information and affected individuals promptly, consistent with the 72-hour expectation in OPC and CAI guidance
- US state laws — we will comply with applicable US state breach-notification statutes, including the California Civil Code s. 1798.82
16. Updates & complaints
We review this policy annually and on an as-needed basis to reflect changes in our data practices, sub-processor relationships, and applicable law. Material changes will be posted here with an updated effective date and, where appropriate, communicated by email to active engagement clients. Continued use of our services after the effective date of an update constitutes acceptance of the updated policy.
For any question, request, or complaint, contact: