## 1. Overview & scope

This Privacy Policy explains how OntarioAI Limited (“OntarioAI”, “we”, “us”) collects, processes, stores and transfers personal data in connection with our Human-AI Governance platform and related services (“Services”).

This policy applies to: visitors to our website (ontarioai.com); users of the OntarioAI platform (Pulse, Nudge, Guardian, Pilot); employees and contractors of our enterprise customers where personal data is processed via the Services; and prospective customers, investors and partners who interact with us.

We are registered as a data controller under UK GDPR and EU GDPR. Our registered Data Protection Officer contact is listed in Section 10.

## 2. Data we collect

### 2.1 Data you provide directly
- Account data: name, work email, job title, organisation name when you register or request a demo
- Communications: messages, enquiries, and support requests you send us
- Payment data: billing information processed by our PCI-DSS-compliant payment processor (we do not store card numbers)

### 2.2 Data collected automatically
- Usage data: pages visited, features accessed, session duration, click-path data
- Technical data: IP address, browser type, device identifiers, operating system
- Platform signal data: where deployed under enterprise contract, anonymised and aggregated behavioural signal data processed on behalf of your employer (see enterprise DPA)

## 3. How we use your data

| Purpose | Data used | Legal basis |
|---|---|---|
| Delivering and operating the Services | Account, usage, platform signal | Contract performance |
| Account management and support | Account, communications | Contract performance |
| Billing and payments | Payment data | Contract performance |
| Product improvement and analytics | Usage, technical data (anonymised) | Legitimate interests |
| Security, fraud prevention, and compliance | Technical, usage data | Legal obligation / Legitimate interests |
| Marketing communications (opt-in) | Name, work email | Consent |
| Legal obligations (e.g. audit records) | All categories as required | Legal obligation |

## 4. Legal bases for processing
Under UK GDPR and EU GDPR, we rely on the following legal bases:
- Contract performance — processing necessary to provide the Services you have contracted for
- Legitimate interests — processing for security, fraud prevention, analytics, and product improvement where these do not override your rights
- Legal obligation — processing required to comply with applicable laws
- Consent — marketing communications and optional analytics cookies, always withdrawable

## 5. Data sharing & third parties
We do not sell, rent or trade your personal data. We share data only in the following circumstances:
- Service providers: cloud infrastructure (AWS EU regions), analytics (aggregated, anonymised), CRM, payment processing. All processors are contractually bound to process data only on our instructions.
- Enterprise customers: where we process data on behalf of your employer, we act as a data processor under a signed Data Processing Agreement.
- Legal requirements: where required by law, court order, or regulatory authority.
- Business transfers: in the event of a merger, acquisition or sale, with prior notice and equivalent data protections maintained.

## 6. International data transfers
Our primary data infrastructure operates within the UK and EU. Where transfers to third countries are necessary (e.g. certain support tools), we rely on:
- UK International Data Transfer Agreements (IDTAs)
- EU Standard Contractual Clauses (SCCs) — 2021 version
- Adequacy decisions where applicable

For GCC-deployed instances, data residency is maintained within in-region infrastructure and governed by applicable sovereign AI data requirements.

## 7. Data retention

We retain personal data only for as long as necessary for the purpose it was collected, or as required by law:

| Data category | Retention period |
|---|---|
| Account data | Duration of contract + 2 years |
| Usage & technical logs | 13 months rolling |
| Financial records | 7 years (statutory requirement) |
| Marketing consent records | Until consent is withdrawn + 1 year |
| Support communications | 3 years from resolution |
| Anonymised analytics | Indefinite (no personal data) |

## 8. Your rights
Under UK GDPR / EU GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion (“right to be forgotten”)
- Restriction — request we limit processing in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests or for direct marketing
- Withdraw consent — at any time where processing is consent-based

To exercise any right, contact privacy@ontarioai.com. We will respond within 30 days. You also have the right to lodge a complaint with your supervisory authority (ICO in the UK; relevant DPA in your EU member state).

## 9. Cookies & tracking

We use the following categories of cookies:

| Category | Purpose | Consent required? |
|---|---|---|
| Strictly necessary | Authentication, session management, security | No |
| Functional | Remembering preferences, language settings | No |
| Analytics | Aggregated usage statistics (anonymised) | Yes |
| Marketing | Interest-based content (opt-in only) | Yes |

You can manage cookie preferences at any time via the Cookie Settings link in the site footer, or via your browser settings.

This policy was last updated on 1 January 2026. We will notify registered users of material changes by email with at least 14 days’ notice.