Privacy Policy

Effective date: March 23, 2026

Plain-language summary: LUMINARYX™ is a B2B SaaS platform serving Canadian municipalities. We collect data to operate our service, store it in Canada, do not sell it, and give you meaningful control over it. This policy covers both our marketing website (luminaryx.ca) and the LUMINARYX™ platform.

1. Who We Are

LUMINARYX™ is a trade name of 17691190 Canada Inc., a federally incorporated Canadian corporation. Our platform helps Canadian municipalities govern artificial intelligence use through structured workflows, audit trails, and regulatory compliance tools.

For the purposes of applicable privacy legislation, including the Personal Information Protection and Electronic Documents Act (PIPEDA), British Columbia's Freedom of Information and Protection of Privacy Act (FOIPPA), and Quebec's Act respecting the protection of personal information in the private sector (Law 25), 17691190 Canada Inc. is the data controller responsible for your personal information.

2. Information We Collect

2.1 Information you provide directly

Account registration: Name, work email address, job title, municipality name, and province.
Contact and inquiry forms: Name, email address, municipality, and any message content you submit.
Platform use: AI governance decisions, workflow submissions, approval notes, and audit log entries that you or your colleagues create within the platform.
Billing: Billing contact name and email. Payment card details are processed directly by Stripe and are never stored by LUMINARYX™.

2.2 Information collected automatically

Log data: IP address, browser type, pages visited, timestamps, and error logs collected for security, abuse prevention, and service diagnostics.
Session and authentication data: Encrypted session tokens and MFA verification state stored in Redis and our database.
Usage analytics: Aggregate, non-personally-identifiable feature usage patterns used to improve the product.

2.3 Information from third parties

We do not purchase or receive personal information from data brokers. We may receive limited information from single sign-on (SSO) providers (Microsoft Entra ID / Azure AD) if your organization enables SSO, limited to the claims provided by that identity provider (typically name, email, and organizational role).

3. How We Use Your Information

Service delivery: Creating and managing your account, processing governance decisions through the platform, generating audit trails and compliance reports, and providing technical support.
Billing and subscriptions: Managing trial periods, processing subscription payments via Stripe, and sending invoices.
Security: Detecting and preventing unauthorized access, fraud, and abuse; enforcing rate limits; maintaining audit logs for security investigations.
Product improvement: Understanding how features are used in aggregate to prioritize development.
Communications: Sending transactional emails (account notices, MFA codes, password resets), service updates, and, with your consent, product news. You may unsubscribe from marketing emails at any time.
Legal compliance: Meeting our obligations under PIPEDA, provincial privacy legislation, and any other applicable law.

We do not use your municipality's governance data to train AI models. We do not sell, rent, or trade personal information to any third party for commercial purposes.

4. Legal Basis for Processing

Under PIPEDA and Quebec Law 25, we rely on the following legal bases:

Contractual necessity: Processing required to provide the LUMINARYX™ service under our Master Subscription Agreement.
Consent: Marketing communications, optional analytics, and any processing beyond service delivery where we seek your consent.
Legitimate interests: Security monitoring, fraud prevention, and aggregate product analytics, balanced against your privacy interests.
Legal obligation: Processing required to comply with applicable Canadian law.

5. Data Sharing and Disclosure

5.1 Service providers (sub-processors)

We share personal information only with trusted service providers who process data on our behalf under contractual privacy and security obligations:

Amazon Web Services (ca-central-1): Cloud infrastructure and database hosting in Canada.
Stripe: Payment processing. Stripe's privacy policy governs card data.
DeepL: Machine translation of document content (translation requests only; no personal profile data is shared).
Microsoft 365: Transactional and operational email delivery.

5.2 Legal disclosures

We may disclose personal information when required by law, court order, or government authority, or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of LUMINARYX™, our customers, or the public.

5.3 Business transfers

In the event of a merger, acquisition, or sale of substantially all assets, personal information may be transferred as part of that transaction. We will notify affected customers by email and provide opt-out rights where required by law.

5.4 We do not sell your data

LUMINARYX™ does not sell, license, or otherwise transfer personal information to third parties for advertising, profiling, or any commercial purpose unrelated to service delivery.

6. Canadian Data Residency

All municipal governance data processed and stored by LUMINARYX™ is hosted exclusively in AWS ca-central-1 (Montreal, Canada). We do not transfer municipal client data outside Canada.

Our website infrastructure may use content delivery networks with nodes outside Canada for performance purposes, but no personal information or governance data is stored in those edge nodes.

Payment data is processed by Stripe and subject to Stripe's data residency practices. We recommend reviewing Stripe's privacy policy if cross-border payment data handling is a concern for your organization.

7. Data Retention

Active account data: Retained for the duration of your subscription plus a 90-day grace period following cancellation.
Audit trail records: Retained for a minimum of 7 years to support municipal governance, accountability, and potential audit or legal proceedings. Audit log entries are append-only and cannot be deleted.
Billing records: Retained for 7 years as required by Canadian tax law.
Contact inquiry data: Retained for 2 years from the date of inquiry, then deleted.
Security logs: Retained for 90 days for security monitoring and incident response.

Upon account closure, we will delete or anonymize personal information within 90 days, except where longer retention is required by law or necessary to maintain the integrity of audit trails.

8. Your Privacy Rights

Under PIPEDA and applicable provincial privacy legislation, you have the following rights:

Access: Request a copy of the personal information we hold about you.
Correction: Request correction of inaccurate or incomplete personal information.
Withdrawal of consent: Withdraw consent for processing based on consent (e.g., marketing emails) at any time without affecting the lawfulness of prior processing.
Complaint: Lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) or applicable provincial privacy commissioner if you believe we have violated applicable privacy law.

Quebec residents have additional rights under Law 25, including the right to data portability (in a structured, commonly used format) and the right to request that automated decision-making not apply to decisions with significant effects on you.

To exercise any of these rights, contact us at privacy@luminaryx.ca. We will respond within 30 days. Identity verification may be required before processing requests.

9. Security

We implement technical and organizational security measures appropriate to the sensitivity of the data we process, including:

Encryption in transit (TLS 1.2+) and at rest for database storage.
Hash-chained HMAC audit trails that detect and surface any tampering with governance records.
Multi-factor authentication (MFA) required by default for all platform users.
Rate limiting per IP address and per email address to prevent brute-force attacks.
Fail-closed Redis architecture for session token management.
Role-based access control with separation of duties enforced at the workflow level.
Regular security review as part of our ISO 42001 compliance program.

No system is completely secure. If you believe you have discovered a security vulnerability, please report it responsibly to security@luminaryx.ca.

10. Cookies and Tracking

Our marketing website (luminaryx.ca) uses minimal cookies:

Strictly necessary: Session cookies required to operate the contact form and website functionality. These cannot be disabled.
Analytics: Aggregate, anonymized page-view analytics to understand website usage. No cross-site tracking or advertising cookies are used.

The LUMINARYX™ platform uses session cookies and secure HttpOnly cookies for authentication. These are essential for platform operation and cannot be disabled while using the service.

We do not use third-party advertising cookies, retargeting pixels, or tracking technologies that follow you across the web.

11. Children's Privacy

LUMINARYX™ is a business-to-business platform designed exclusively for municipal government professionals. We do not knowingly collect personal information from anyone under the age of 18. If you believe a minor has submitted information through our platform, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

Post the updated policy at luminaryx.ca/privacy-policy with a new effective date.
Notify active platform subscribers by email at least 14 days before the changes take effect.

Your continued use of the platform after the effective date constitutes acceptance of the updated policy. If you do not agree with material changes, you may terminate your subscription in accordance with our Terms of Service.

13. Contact Us

For any privacy-related questions, access requests, or complaints, please contact our Privacy Officer:

Joy Guyot, Privacy Officer
17691190 Canada Inc. (LUMINARYX™)
privacy@luminaryx.ca

We will acknowledge your request within 5 business days and respond fully within 30 days. If we require an extension, we will notify you within the initial 30-day period.

You may also contact the Office of the Privacy Commissioner of Canada at priv.gc.ca if you have unresolved concerns.