Privacy Policy

Effective Date: March 5, 2026

Jurisdiction: Ontario/Nova Scotia, Canada
Applicable Legal Frameworks: General Data Protection Regulation (GDPR) · California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA) · EU Artificial Intelligence Act (EU AI Act) · Personal Information Protection and Electronic Documents Act (PIPEDA)
Privacy Contact: contact@approgram.ca
Data Protection Officer: contact@approgram.ca

1. Introduction and Scope

1.1 About Approgram Technologies Inc.

Approgram Technologies Inc. ("Approgram," "we," "us," or "our") is a corporation duly incorporated under the laws of the Province of Ontario/Nova Scotia, Canada. We design, engineer, deploy, and operate fully autonomous artificial intelligence agents and intelligent systems for enterprise and commercial clients across a wide range of industries worldwide.

Privacy is not a compliance formality at Approgram. It is a foundational principle embedded into how we build every product, configure every system, and manage every client relationship. This Privacy Policy represents a complete, honest, and legally binding account of how we collect, use, store, share, protect, and delete personal data. It has been written to be genuinely understood, not merely accepted.

If you have any questions about this Policy or about how your data is handled, you are always welcome to contact us directly at contact@approgram.ca. We will respond with the seriousness and promptness that your inquiry deserves.

1.2 What This Policy Covers

This Privacy Policy governs the collection, use, storage, sharing, protection, and deletion of personal data in connection with all Approgram products, platforms, services, and digital properties. This includes, without limitation, the following:

Autonomous and semi-autonomous AI agents deployed on behalf of enterprise and commercial clients in any industry vertical. Voice agents and conversational AI systems that interact with users through spoken or written natural language in real time. Content generation pipelines powered by third-party and open-source AI models, APIs, and large language model inference services. Workflow automation systems built on large language models and orchestration tools, including automation pipelines built using platforms such as n8n. Data processing systems that perform optical character recognition (OCR), document parsing and analysis, and structured or unstructured data extraction. Integrations with third-party platforms including but not limited to email services, CRM and ERP systems, Telegram bots, and WhatsApp Business accounts. Web scraping and data collection agents operating strictly within applicable legal, regulatory, and ethical boundaries. All associated web properties, client portals, administrative dashboards, and any other digital interface operated by or on behalf of Approgram.

This Policy applies whether you are a business client, an authorised user of a client, an individual end-user interacting with an Approgram-powered agent, or a visitor to our website or digital properties.

1.3 Defining Our Autonomous Systems

Clarity about what our technology does is a precondition for meaningful informed consent. For the purposes of this Policy, the terms "Autonomous AI Agent" and "Autonomous System" refer to any software application developed, operated, or maintained by Approgram that uses machine learning algorithms, large language models, retrieval-augmented generation architectures, or rule-based computational logic to perceive inputs from its environment, formulate decisions or recommendations, and execute actions with limited or no real-time human intervention in order to achieve a defined objective on behalf of a client or user.

This definition encompasses, among others, agents capable of browsing the internet, reading from and writing to external systems and databases, sending messages and communications, processing structured and unstructured documents, and executing complex multi-step automated workflows. It includes voice-based agents that engage with human users through natural spoken language. It includes agents that process special categories of personal data such as health information, financial records, and legal documents. It includes agents operating in high-stakes environments such as healthcare-adjacent services, financial decision support, legal document processing, energy management, social media management, and customer service. It also includes multi-agent systems in which more than one AI agent collaborates autonomously to complete a compound task.

Our agents are powerful tools. We design and govern them with a corresponding level of care and responsibility.

1.4 Who This Policy Applies To

This Policy applies to every individual and organisation whose personal data is processed by Approgram in any capacity. This includes business clients and their authorised users who access our services under a Master Service Agreement, Statement of Work, or equivalent contractual instrument. It includes individual end-users who interact with Approgram-powered agents deployed by our clients within their own products and services. It includes visitors to our website and digital properties. It includes any natural person whose personal data enters our systems in the course of service delivery, regardless of how or where that data was collected.

Where Approgram acts as a data processor meaning we process personal data on the documented instruction of a client who determines the purposes and means of that processing — the terms of the applicable Data Processing Agreement govern that specific relationship. This Policy primarily addresses Approgram's independent role as a data controller: the instances where we determine why and how personal data is collected and used.

If you are an end-user of a product powered by Approgram on behalf of one of our clients, please also consult the privacy policy of that client for information about how they govern their own data collection and use.

1.5 Applicable Legal Frameworks

Approgram is committed to full, good-faith compliance with every applicable data protection and AI governance framework. We apply the following laws according to their geographic scope and subject matter, and we treat the most protective applicable standard as our baseline:

The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, applies to the processing of personal data of individuals located in the European Union and European Economic Area. We apply GDPR standards as a global baseline across all our operations, not merely where required.

The California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) applies to personal data of California residents. Approgram honours all rights provided under these statutes, including the right to know, the right to delete, the right to correct, the right to data portability, and the unconditional right to opt out of the sale or sharing of personal data.

The EU Artificial Intelligence Act, Regulation (EU) 2024/1689, applies to AI systems placed on the EU market or that affect persons within the EU. We classify each of our AI systems by risk tier and apply the corresponding transparency, human oversight, logging, and conformity assessment obligations.

The Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Ontario privacy legislation form our primary domestic compliance framework and govern all collection, use, and disclosure of personal information within Canada.

Sector-specific legislation including applicable healthcare privacy laws, financial services regulation, and data localisation requirements may also apply depending on the nature and jurisdiction of each client deployment. Approgram works proactively with clients to identify and comply with all applicable sector-specific rules in every market where we operate.

This Policy is a legally binding document. It does not limit any rights you hold under applicable law. Where this Policy and any applicable statute conflict, the statute shall prevail to the extent of that inconsistency.

2. Personal Data We Collect

2.1 Our Approach to Data Collection

Approgram collects only the personal data that is necessary for a defined, legitimate, and disclosed purpose. We do not collect data speculatively. We do not build data stockpiles beyond what our services genuinely require. We do not re-purpose personal data collected for one purpose to serve an unrelated purpose without fresh, explicit consent.

The categories below describe the full scope of personal data that Approgram may collect and process across our product and client portfolio. Not every category applies to every deployment. Where a particular data type is collected in a specific client context, the applicable Data Processing Agreement or service agreement provides additional detail.

2.2 Input and Interaction Data

When individuals interact with our AI agents, we process the inputs provided to and the outputs generated by those agents. This category includes user prompts and natural language text submitted to AI agents; full conversation and session history within an agent interaction; voice recordings and transcripts generated through voice agent deployments; and content submitted through integrated communication channels, including email accounts, Telegram bots, and WhatsApp Business accounts.

This data is the operational core of our services. Without it, our agents cannot function. It is processed strictly in accordance with the purposes for which it was provided and the lawful basis applicable to each deployment.

2.3 Technical and Metadata

To operate our systems securely, detect abuse, maintain service integrity, and comply with our legal obligations, we collect certain technical metadata associated with system interactions. This includes IP addresses and geolocation data derived from IP addresses; device identifiers, browser type, and operating system information; timestamps of interactions, session durations, and behavioural interaction data such as click patterns and navigation sequences; and API call logs and system event metadata generated during agent operations.

This metadata is used for system security, fraud prevention, performance optimisation, and audit trail maintenance. It is not used to build individual profiles for advertising or unrelated commercial purposes.

2.4 Identity and Contact Information

Where users register for, or are enrolled in, Approgram-powered services, we collect identity and contact information necessary to manage the service relationship. This includes profile names and display names associated with user accounts; email addresses and other contact information; and social media handles where Approgram agents are deployed on social platforms on behalf of clients.

2.5 Third-Party Integration Data

Where clients authorise Approgram agents to connect to third-party platforms and data sources, we process data retrieved from those integrations in accordance with the client's instructions and the applicable Data Processing Agreement. This includes data from CRM systems, ERP platforms, and email service providers; data processed through workflow automation pipelines built using tools such as n8n; and publicly available web data collected through automated scraping operations conducted within lawful and ethical boundaries.

Any integration with a third-party platform is established only on the explicit authorisation of the relevant client and subject to appropriate contractual controls.

2.6 Special Categories of Personal Data

Certain categories of personal data attract heightened protection under GDPR Article 9, the CCPA/CPRA sensitive data provisions, and applicable sector regulation. These categories include data revealing health or medical information; financial records including account information, transaction history, and credit-related data; legal documents including contracts, court filings, instructions to legal counsel, and other potentially privileged communications; data extracted through optical character recognition from identity documents, regulated records, or official instruments; energy consumption data; and precise physical location data.

Approgram processes special category data only in the following circumstances: where the affected individual has given explicit, freely given, specific, informed, and separate consent for the identified processing purpose; where processing is required to perform a contract to which the individual is a party; or where processing is required to comply with a legal obligation applicable to Approgram or the relevant client.

Every deployment involving special category data is subject to enhanced technical controls, mandatory human-in-the-loop oversight requirements, restricted access permissions, shortened retention periods, and dedicated encryption protocols. These requirements are described in detail in Sections 6 and 8 of this Policy.

2.7 Data We Do Not Collect

Approgram does not knowingly collect personal data from individuals under the age of 16. Our services are not directed to minors, and we have no legitimate business purpose for collecting their data. We do not collect biometric identification data such as facial recognition templates or fingerprint data except where explicitly contracted for a specific client deployment and separately consented to by the affected individual. We do not collect data for advertising purposes, data brokerage, or sale to third parties.

3. Lawful Basis for Processing

3.1 Our Commitment to Lawful Processing

Every instance of personal data processing at Approgram is grounded in a clearly identified, documented lawful basis. Processing without a lawful basis is not a grey area it is a legal violation that we treat with absolute seriousness. The following explains the lawful basis applicable to each category of data we process.

3.2 Contract Performance

The majority of data we process is collected and used because it is strictly necessary to perform the services that our clients and their users have contracted for. Without this processing, we cannot deliver the AI agent capabilities at the core of our business. This basis applies to user prompts and natural language inputs, profile names and contact information, email and messaging content where integrated into a contracted workflow, data from third-party platform integrations authorised by the client, voice interaction recordings where voice agents are a contracted service feature, OCR-processed data forming part of a contracted document workflow, energy and location data in contracted energy management deployments, and legal documents submitted as part of a contracted legal workflow.

The legal authority for this basis is Article 6(1)(b) of the GDPR: processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.

3.3 Legitimate Interests

Certain limited categories of processing are necessary to serve compelling and proportionate interests of Approgram that do not override the rights and reasonable expectations of data subjects. This basis applies to session metadata including IP addresses, device identifiers, and timestamps for security monitoring and fraud prevention; behavioural and interaction data for service performance optimisation and quality improvement; and automated decision audit logs maintained for accountability and transparency purposes.

For each use of this basis, Approgram has conducted and documented a Legitimate Interests Assessment confirming that the interest pursued is genuine and clearly defined, that the processing is necessary and proportionate to achieving that interest, that individuals have a reasonable expectation that such processing may occur, and that appropriate safeguards and opt-out mechanisms are in place. A copy of our Legitimate Interests Assessment is available to any data subject upon written request to contact@approgram.ca.

The legal authority for this basis is Article 6(1)(f) of the GDPR. You have the right to object to processing on this basis at any time, as described in Section 9 of this Policy.

3.4 Legal Obligation

Where Approgram is required by applicable law to process personal data for example, to maintain financial records for regulatory compliance, to respond to lawful orders from competent authorities, or to report personal data breaches to supervisory authorities we do so on the basis of legal obligation. This basis applies primarily to financial records, regulatory compliance documentation, and certain audit trail data.

The legal authority for this basis is Article 6(1)(c) of the GDPR.

3.5 Explicit Consent

Where we process special categories of personal data under GDPR Article 9 including health data, certain financial data, and biometric data or where we process any personal data through voice agents, messaging integrations, or social media platforms, we obtain explicit, separate, freely given, informed, and unambiguous consent before any such processing commences. Consent is never bundled with terms of service acceptance or treated as a default. Each consent request specifies the exact data type, the exact processing purpose, and the exact parties involved.

Consent may be withdrawn at any time without penalty and without affecting the lawfulness of prior processing. Withdrawal of consent is effective immediately upon our receipt of your request. To withdraw consent, contact contact@approgram.ca.

Consent records — documenting what was consented to, when, by whom, and in what form are retained for the duration of the service relationship plus three years, to enable us to demonstrate compliance with applicable data protection law.

3.6 Consent Management Standards

Regardless of which lawful basis applies to a particular processing activity, Approgram adheres to the following consent management standards across all client deployments: consent requests use plain language that is genuinely comprehensible to a non-specialist; consent for different purposes is sought in separate, clearly distinguished requests; consent is never made a precondition of access to services where the relevant processing is not strictly necessary; and consent management interfaces are designed with equal prominence for acceptance and refusal.

4. How We Use Personal Data

4.1 Strict Purpose Limitation

Approgram applies the principle of purpose limitation with rigour. Personal data collected for a specific purpose is used only for that purpose and for no other purpose that is incompatible with it. If we ever determine that a new processing purpose is required, we assess its compatibility with the original purpose, document our analysis, and obtain fresh consent where required before proceeding.

The following describes the specific purposes for which we process personal data.

4.2 Service Delivery

The primary and predominant purpose for which we process personal data is delivering the AI agent services contracted by our clients. This encompasses operating, deploying, configuring, and maintaining AI agents and autonomous systems; processing inputs to generate AI outputs, responses, recommendations, and automated actions; executing client-defined workflows through automation pipelines; and facilitating authorised integrations with third-party platforms. Every processing activity in this category is strictly necessary for the performance of our contracts, and no alternative less invasive means of delivering the same outcome is available.

4.3 Security, Fraud Prevention, and System Integrity

Approgram processes technical metadata and access logs for the purpose of maintaining the security and integrity of our systems and protecting both our clients and their users from harm. This includes monitoring system access logs and API usage patterns for signs of unauthorised access, abuse, or anomalous behaviour; maintaining detailed audit trails sufficient for incident investigation and forensic analysis when required; enforcing rate limits and access controls that protect against malicious or excessive use; and identifying and responding to potential vulnerabilities in our infrastructure and agent deployments.

This processing is conducted on the lawful basis of legitimate interests. It is proportionate, necessary, and fundamental to the security commitments we make to our clients and their users.

4.4 Legal and Regulatory Compliance

Where applicable law requires us to collect, retain, or disclose personal data, we do so in strict compliance with those legal obligations. This includes complying with lawful orders and requests from competent courts, regulators, and governmental authorities; maintaining records required by financial, healthcare, legal, or other sector-specific regulations applicable to specific client deployments; responding to data subject rights requests as mandated by GDPR, CCPA, and applicable Canadian law; reporting personal data breaches to supervisory authorities and affected individuals as required by GDPR Articles 33 and 34; and fulfilling our tax, accounting, and corporate governance obligations under applicable law.

4.5 Service Improvement Using Anonymised Data

Approgram may use aggregated, anonymised, and fully de-identified data from which no individual can be identified by any reasonable means to evaluate and improve the performance, reliability, accuracy, and security of our systems and services. Because this data has been irreversibly stripped of all personal identifiers, it does not constitute personal data processing under GDPR or CCPA and does not require a lawful basis.

We are rigorous in our anonymisation methodology. We apply the technical standards endorsed by the European Data Protection Board for anonymisation, including k-anonymity analysis and other applicable techniques, to ensure that re-identification is not reasonably possible.

4.6 What We Will Never Do With Your Data

Approgram will never sell, rent, lease, licence, or otherwise transfer personal data to any third party for monetary consideration or any other valuable benefit. We will never use personal data for the purpose of advertising targeting, behavioural profiling for commercial purposes, or data brokerage. We will never share personal data with third parties except as expressly described in Section 7 of this Policy. We will never use personal data to build individual profiles for purposes unrelated to the specific contracted service. We will never subject personal data to processing activities that are incompatible with the purpose for which it was collected without fresh consent. These are unconditional commitments, not aspirational statements.

5. AI-Specific Disclosures

5.1 How Our AI Agents Process Data and Generate Outputs

Approgram's autonomous agents process user inputs and environmental data using large language models provided by third-party AI infrastructure providers, including Anthropic (Claude), OpenAI (GPT series), and Google (Gemini). These models are accessed through secure API connections and are not trained on user data submitted through our systems. Agent outputs are generated through a combination of natural language understanding and generation via transformer-based large language models; retrieval-augmented generation (RAG) where agents are connected to client-authorised data sources; structured workflow logic defined in automation pipelines; conditional and rule-based execution logic applied to agent actions; and API calls to third-party services and platforms as explicitly authorised by the client.

The AI models that power our agents are sophisticated statistical pattern-matching and prediction systems. Their outputs are probabilistic, not deterministic. They do not possess understanding or intention. Their outputs reflect patterns in training data and the specific inputs they receive. Approgram does not warrant that any AI output is factually accurate, error-free, or suitable for any particular purpose without appropriate human review. Clients and users who rely on AI outputs for consequential decisions should apply independent judgment and, where appropriate, professional expertise.

5.2 EU AI Act Compliance and Risk Classification

In accordance with Regulation (EU) 2024/1689 the EU Artificial Intelligence Act Approgram has conducted a systematic risk classification of each of the AI systems it operates. Our classification framework and the obligations we apply in each tier are as follows.

General-purpose autonomous agents are assessed as limited to high risk depending on their specific deployment context. Where classified as limited risk, our primary obligation is transparency users must know they are interacting with an AI. Where classified as high risk, full conformity assessment obligations apply, including bias audits, accuracy benchmarking, comprehensive logging, and incident reporting procedures.

Voice agents deployed in customer service contexts are classified as limited risk. Our obligation is to ensure that users are informed at the outset that they are interacting with an AI system, and that escalation to a human agent is available upon request without penalty.

AI systems providing financial decision support are assessed as high risk candidates under EU AI Act Annex III. These systems are subject to mandatory conformity assessments, systematic bias testing, comprehensive logging of all recommendations and decisions, and mandatory human review above defined decision thresholds. No financial decision of material consequence is made or executed by an AI agent without human oversight and authorisation.

AI systems processing health data are classified as high risk. They are subject to the strictest data minimisation requirements, explicit consent obligations, maximum-security data handling protocols, comprehensive audit logging, and mandatory human sign-off on any action taken on the basis of health data analysis.

AI systems processing legal documents are assessed as high risk candidates. They are governed by full explainability requirements, comprehensive audit trail maintenance, accuracy and reliability standards, and mandatory human validation of any legally consequential output.

Content generation agents are classified as limited risk. Our obligation is to ensure that AI-generated content is disclosed as such where required by law or by client instruction.

Social media management and sales agents are classified as limited risk. Our obligation is to maintain transparency in automated interactions and to conduct regular monitoring and spot-check review of agent outputs.

Energy management agents are classified as limited to high risk depending on deployment scope. They are governed by comprehensive logging requirements, safety protocols, explainability standards, and automated alerting combined with human intervention capability.

Approgram commits to maintaining current and updated AI system risk assessments as the EU AI Act's phased implementation timeline progresses. Where any system is reclassified to a higher risk tier as a result of regulatory guidance or operational changes, full conformity assessment procedures will be initiated without delay.

5.3 Transparency in AI Interactions

Consistent with Article 52 of the EU AI Act, our general transparency obligations under GDPR, and our own ethical commitments, Approgram applies the following transparency standards to all AI-powered interactions:

Every individual who interacts with an Approgram voice agent, conversational agent, or messaging bot will be clearly informed, at the commencement of that interaction, that they are engaging with an AI system and not with a human being. This disclosure is unconditional and cannot be disabled by client configuration.

AI-generated content produced on behalf of clients including written content, summaries, analyses, and recommendations will be clearly labelled as AI-generated where required by applicable law or by client instruction.

Clients who deploy Approgram-powered agents within their own products and services are contractually required to provide their users with adequate, clear, and prominent disclosure of the AI-powered nature of those interactions, consistent with applicable law and the EU AI Act's transparency requirements.

Approgram will not deploy deceptive AI techniques including synthetic voice impersonation of real individuals, emotionally manipulative dialogue design, or false presentation of AI outputs as human-authored in any context, regardless of client instruction.

5.4 Bias Prevention and Algorithmic Fairness

Approgram is committed to the responsible deployment of AI systems that treat all individuals fairly and do not perpetuate, amplify, or introduce discriminatory patterns. Our bias prevention programme includes the following elements.

We conduct regular systematic evaluations of model outputs across demographic and protected characteristic categories including age, gender, race, ethnicity, disability, and socioeconomic background to detect and address discriminatory patterns. These evaluations are documented, and findings are reviewed at a governance level.

We apply diverse and representative test datasets when evaluating AI agent performance across client deployment contexts, with particular attention to underrepresented populations and edge cases.

We impose contractual requirements on our primary LLM providers Anthropic, OpenAI, and Google to maintain and enforce their own responsible AI and fairness policies. We monitor public disclosures and regulatory developments relating to our providers' models for relevant bias-related findings.

We maintain a documented incident logging and escalation procedure for bias-related reports. Any user or client who believes they have been subjected to a biased or discriminatory AI output is encouraged to report it to contact@approgram.ca. All such reports are reviewed, documented, and addressed as part of our ongoing model governance process.

We apply an unconditional policy against using AI agent outputs as the sole basis for any decision with significant legal or similarly significant effects on an individual — including decisions affecting access to services, financial products, healthcare, or employment — without independent human review.

Approgram maintains a Responsible AI Policy, available upon written request to contact@approgram.ca, which sets out our full internal governance framework for algorithmic fairness, explainability, human oversight, and accountability.

5.5 Explainability and the Right to an Explanation

Where Approgram's AI agents make, or materially contribute to, automated decisions that affect an individual in a legally significant or similarly consequential way, those individuals are entitled to a meaningful explanation of that decision. Upon request, Approgram will provide a plain-language account of the factors and inputs that contributed to the decision or recommendation, information about the model's confidence level and any material limitations of its output, and access to a qualified human reviewer who can independently assess the decision and its basis.

To request an explanation of an automated decision, contact contact@approgram.ca with the subject line "Explanation Request" and include sufficient detail to identify the relevant interaction. We will respond within 15 business days.

6. Model Training and Data Retention

6.1 Model Training Our Current Position

Approgram Technologies Inc. does not currently use any customer or user personal data to train, fine-tune, improve, or otherwise modify AI or machine learning models whether our own or those operated by our sub-processors.

The large language models currently used by Approgram including Anthropic Claude, the OpenAI GPT series, and Google Gemini are pre-trained models developed by their respective providers and accessed by Approgram exclusively through secure API interfaces. When user data is submitted to these models through our systems, it is used solely for the purpose of real-time inference that is, generating a response to that specific input and is governed by the data processing terms of those providers. Our agreements with each LLM provider explicitly prohibit the use of our customers' data to train or improve the provider's underlying models.

We state this clearly because we know it matters. If this changes, you will know before it does.

6.2 Future Model Training A Forward-Looking Commitment

Approgram may, at some point in the future, develop proprietary AI models for use in our products. In that event, the following commitments apply unconditionally and cannot be waived or modified by any internal business decision without updating this Policy with the required notice:

We will never use personal data to train proprietary models without first obtaining explicit, separate, freely given, informed, and documented opt-in consent from every affected data subject. Consent for training purposes will be entirely separate from, and additional to, any consent obtained for service delivery. No individual's access to or quality of service will be degraded as a result of their declining to consent to training use of their data. Data subjects will be given a clear, easily accessible, penalty-free mechanism to opt out of training use at any time, including retroactively in respect of any training use they previously consented to. Any personal data used for training purposes will be anonymised or pseudonymised to the maximum extent technically feasible prior to use, and we will commission an independent technical review to verify that anonymisation is effective. We will update this Policy and notify all affected clients and users with a minimum of thirty calendar days' advance notice before any training on personal data commences.

These are not aspirational statements. They are binding commitments written into the legal framework of this document.

6.3 Data Retention

Approgram retains personal data only for as long as is strictly necessary to fulfil the specific purpose for which it was collected, or as required by applicable law. We maintain a documented data retention schedule that is reviewed annually. The following describes our retention periods by data category.

User prompts and natural language inputs are retained for thirty days for operational purposes and for ninety days for audit log and security purposes, after which they are permanently deleted by automated cryptographic purge.

Session metadata, including IP addresses, device identifiers, and timestamps, is retained for thirty days and deleted by automated log rotation.

Profile names and contact information are retained for the duration of the contractual relationship with the relevant client plus two years, after which they are permanently deleted on a scheduled basis.

Email and messaging content processed through Telegram, WhatsApp, or other integrated channels is retained for thirty days following the completion of processing, after which it is permanently deleted using encrypted deletion protocols.

Behavioural and interaction data, including click patterns and session duration metrics, is retained for sixty days and deleted by automated purge.

Social media handles are retained for the duration of the contractual relationship plus one year, after which they are permanently deleted upon request or on a scheduled basis.

Financial records are retained for a minimum of seven years in compliance with applicable regulatory obligations, after which they are permanently purged from secure archives.

Health data and other special category data under GDPR Article 9 is retained for the duration of the contractual relationship plus five years, subject to any longer statutory minimum applicable in the relevant jurisdiction, after which it is permanently deleted using encrypted secure deletion protocols.

Legal documents are retained for a minimum of seven years in compliance with applicable legal and regulatory obligations, then permanently purged from secure archives.

OCR-processed data is retained for thirty days following the completion of processing and then permanently deleted by automated purge.

Energy usage and location data is retained for ninety days for operational purposes and two years for aggregated analytical purposes, after which it is deleted by automated tiered purge.

Voice agent interaction recordings are retained for thirty days, extended to ninety days where an active dispute, complaint, or legal hold applies, after which they are permanently deleted using encrypted deletion protocols.

Third-party integration data, including data retrieved from CRM and ERP systems, is retained for the duration of the active integration plus sixty days following disconnection, after which it is deleted and all relevant API access tokens are revoked.

Automated decision audit logs, which we maintain for accountability and legal compliance purposes, are retained for three years and then securely archived and purged.

6.4 Deletion and Anonymisation Procedures

Personal data that has reached the end of its applicable retention period is permanently disposed of using methods proportionate to the sensitivity of the data. These methods include cryptographic erasure, in which encryption keys are permanently and irrecoverably destroyed, rendering the encrypted data permanently inaccessible and effectively deleted; secure overwrite, in which data is overwritten using methods compliant with NIST Special Publication 800-88 guidelines for media sanitisation; physical destruction of any retired storage media; and irreversible anonymisation, in which all personal identifiers are stripped and the residual data is verified to be incapable of re-identification by any reasonable means.

Where a data subject submits a valid erasure request under GDPR Article 17 or CCPA Section 1798.105, we will process that request within thirty calendar days of receipt. Where the erasure of specific data is subject to a legal hold, a regulatory retention obligation, or a compelling legitimate business reason that precludes immediate deletion, we will notify the data subject within that thirty-day period with a clear explanation of the basis for retention, the estimated duration of the hold, and the steps we will take to delete the data as soon as the hold is lifted.

7. Sub-Processors and Data Sharing

7.1 Our Sub-Processor Governance Framework

Approgram engages a limited number of carefully vetted sub-processors third-party service providers who process personal data on our behalf and under our instruction to assist in delivering our services. We do not grant sub-processors unrestricted access to personal data. We limit each sub-processor's access to only the data categories necessary for their specific function.

Every sub-processor we engage is required to enter into a Data Processing Agreement with Approgram that imposes data protection obligations at least equivalent to those in this Policy; maintain and demonstrate appropriate technical and organisational security measures; process personal data only on Approgram's documented written instructions; notify Approgram without undue delay of any actual or suspected personal data breach; submit to audit by Approgram or its authorised representative where required; and, for transfers outside the European Economic Area, implement Standard Contractual Clauses as approved by the European Commission under GDPR Article 46(2)(c), or rely on another valid transfer mechanism.

We review our sub-processor relationships regularly and terminate any engagement where a sub-processor fails to meet our standards.

7.2 Our Current Sub-Processors

The following sub-processors are currently engaged by Approgram in connection with our services. Where indicated, Standard Contractual Clauses and Data Processing Agreements are in place.

Anthropic, Inc. provides large language model inference services through the Claude API. The data transferred consists of prompts and conversational context. Anthropic is located in the United States. A Data Processing Agreement and Standard Contractual Clauses are in place.

OpenAI, L.L.C. provides large language model inference services through the GPT API. The data transferred consists of prompts and conversational context. OpenAI is located in the United States. A Data Processing Agreement and Standard Contractual Clauses are in place.

Google LLC provides large language model inference through the Gemini API and cloud infrastructure through Google Cloud Platform. The data transferred includes prompts and encrypted infrastructure data. Google operates globally with data centres in Canada, the United States, and the European Union. A Data Processing Agreement and Standard Contractual Clauses are in place.

Amazon Web Services, Inc. provides cloud infrastructure and encrypted data storage services. The data transferred consists of encrypted data at rest and in transit. AWS operates data centres in Canada, the United States, and the European Union. A Data Processing Agreement and Standard Contractual Clauses are in place.

Microsoft Corporation provides cloud infrastructure and AI services through Microsoft Azure. The data transferred consists of encrypted data at rest and in transit. Azure operates data centres in Canada, the United States, and the European Union. A Data Processing Agreement and Standard Contractual Clauses are in place.

DigitalOcean, LLC provides cloud compute and hosting infrastructure. The data transferred consists of encrypted infrastructure data. DigitalOcean operates in the United States and Canada. A Data Processing Agreement is in place.

n8n GmbH provides workflow automation orchestration services. The data transferred consists of workflow metadata and automation triggers. n8n is incorporated in Germany and operates within the European Union. A Data Processing Agreement is in place, and EU data residency standards apply.

Meta Platforms, Inc. (WhatsApp Business API) provides messaging channel integration services. The data transferred includes message content and user identifiers as required for message delivery. Meta is located in the United States. Processing is governed by the WhatsApp Business API Terms of Service and Approgram's DPA with Meta.

Telegram FZ-LLC provides bot-based messaging integration services. The data transferred includes message content and user identifiers. Telegram is incorporated in the United Arab Emirates and operates globally. Processing is governed by Telegram's Bot API Terms and applicable contractual obligations.

Web scraping and data collection service providers are engaged on a project basis to collect publicly available web data for use in client AI workflows. These providers process only publicly available data within the boundaries of applicable laws. Contractual data protection obligations are imposed on all such providers.

Additional automation and integration tool providers may be engaged on a project-specific basis to support workflow integrations. These providers process workflow metadata only. All such providers are subject to DPA or equivalent contractual data protection terms.

This sub-processor list is current as of the Effective Date of this Policy and is subject to change. Approgram maintains a live sub-processor register. Clients and data subjects may request the most current version by contacting contact@approgram.ca at any time.

7.3 International Data Transfers

Approgram is headquartered in Ontario, Canada. Canada has been recognised by the European Commission as providing an adequate level of protection for personal data transferred from the EU, pursuant to the adequacy decision under GDPR Article 45. For transfers to sub-processors located in the United States or other jurisdictions that have not received an EU adequacy decision, Approgram relies on Standard Contractual Clauses as approved by the European Commission in Decision (EU) 2021/914 (the 2021 SCCs), incorporated into each relevant sub-processor Data Processing Agreement. We supplement these contractual safeguards with technical measures including end-to-end encryption of all data in transit and at rest, pseudonymisation of data where technically feasible before cross-border transfer, and regular assessment of the legal environment in transfer destination countries for developments that could undermine the protections afforded by the SCCs.

7.4 No Sale of Personal Data An Unconditional Commitment

Approgram does not sell, rent, lease, licence, or otherwise disclose personal data to any third party for monetary consideration or any other form of valuable benefit. This commitment applies universally to all data categories and all data subjects, including California residents whose rights under CCPA Section 1798.100 et sequentia we fully recognise and honour. We are not in the business of data monetisation. We are in the business of building intelligent systems. Our clients pay us for our technology and expertise not for access to their users' data.

8. Security and Human Oversight

8.1 Our Security Philosophy

Approgram treats the security of personal data and the integrity of our AI systems as a shared and indivisible responsibility. Security is not a feature that can be bolted onto an existing design. It is a foundational engineering requirement that shapes every system we build, every vendor we onboard, and every process we operate.

8.2 Encryption

All personal data stored within Approgram's infrastructure whether held in databases, object storage, backup systems, or any other persistent medium is encrypted at rest using AES-256 encryption. All data transmitted between our systems, our clients, and our sub-processors is encrypted in transit using TLS 1.2 or higher, with TLS 1.3 used wherever supported. API keys, model credentials, client secrets, and other sensitive configuration data are stored exclusively in encrypted secret management systems with full access logging. Encryption keys are managed under a formal key management policy with rotation schedules, access controls, and audit trails.

8.3 Access Control

Access to personal data within Approgram's systems is governed by a formal role-based access control (RBAC) framework. Access is granted on a strict least-privilege basis: no individual or system has broader access to personal data than is specifically required to perform their defined function. All personnel with access to personal data are required to authenticate using multi-factor authentication on all systems. Access rights are reviewed on a quarterly basis and are immediately and irrevocably revoked upon a team member's departure, change of role, or any security-related concern. Access logs for all personal data systems are maintained, monitored, and subject to automated anomaly detection.

8.4 Infrastructure and Model Security

The infrastructure on which Approgram's AI models and data processing systems operate is hosted on cloud providers that hold current SOC 2 Type II attestations and ISO/IEC 27001 certifications. API endpoints are protected by authentication, rate limiting, IP allowlisting where applicable, and automated anomaly detection systems. Network segmentation and firewall controls strictly separate production AI systems and their data from development and testing environments. Approgram conducts regular penetration testing and vulnerability assessments by qualified independent security firms. Findings from such assessments are tracked to remediation with defined SLA timelines based on severity.

8.5 Incident Response

Approgram maintains a comprehensive, documented Incident Response Plan that is reviewed and tested at least annually. In the event of an actual or suspected personal data breach, we follow a defined response protocol with the following key commitments: we will contain and assess the breach without undue delay; we will notify the applicable supervisory authority within 72 hours of becoming aware of a breach that poses a risk to individuals' rights and freedoms, in accordance with GDPR Article 33; we will notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with GDPR Article 34; and we will conduct a post-incident review and implement remediation measures to prevent recurrence. We maintain a breach register documenting all incidents, their scope, our response, and the lessons learned.

8.6 Human Oversight Framework

Approgram believes that fully autonomous AI systems operating without any human oversight in high-stakes contexts represent a risk that no responsible AI company should accept. Our Human Oversight Framework is a structured, documented system for ensuring that human judgment is applied at the points where it is most needed.

Human review is automatically triggered meaning the system cannot proceed without a human decision in the following circumstances: processing of any special category personal data, including health information, financial records, and legal documents, where a human operator must confirm the action before it is executed; any AI-generated recommendation that, if acted upon, could have legally significant, financially material, or medically consequential effects on an individual; situations where an agent's internal confidence score for an action or recommendation falls below a defined threshold, indicating that the model is operating in territory where uncertainty is high; detection of anomalous or unexpected patterns in agent behaviour, triggered by our automated monitoring systems; any request by a user for human review this right is unconditional, exercisable at any time, and cannot be overridden by any client configuration; and high-stakes financial transactions or decisions above thresholds defined in client-specific deployment agreements and reviewed during initial deployment design.

Designated human operators are responsible for reviewing all escalated decisions within defined service level timeframes, typically between four and twenty-four business hours depending on the urgency and nature of the matter. Every human review intervention is logged in immutable audit records that cannot be altered or deleted. Human reviewers receive documented training in the capabilities, limitations, and known failure modes of the AI systems they oversee. Escalation paths to senior personnel are clearly defined for complex, novel, or high-stakes cases. The right of any individual to request human review of an automated decision that affects them is absolute and is described in detail in Section 9 of this Policy.

8.7 Personnel Security

All Approgram employees, contractors, and other personnel who have access to personal data or AI systems are subject to appropriate pre-engagement screening including background checks proportionate to their level of access; a written confidentiality and data protection agreement; mandatory data protection and security awareness training upon commencement and annually thereafter; and ongoing compliance with our internal Acceptable Use Policy, which governs all interactions with personal data and AI systems. Violations of our data protection or security policies are treated as serious disciplinary matters.

9. Your Rights as a Data Subject

9.1 A Commitment to Meaningful Rights

Data protection rights are only meaningful when they can actually be exercised. Approgram is committed to making the exercise of your rights straightforward, prompt, and free of charge. We apply the following rights to all individuals whose data we process, regardless of jurisdiction, to the fullest extent technically and legally feasible. Where you are a resident of the EU, UK, California, or Canada, the specific legal instruments underpinning these rights are identified below.

9.2 Your Right to Access

You have the right to obtain confirmation of whether we hold personal data about you and, if we do, to receive a copy of that data along with information about its source, the purposes for which it is processed, the categories of data involved, and the recipients or categories of recipients with whom it has been shared. This right is provided by GDPR Article 15, CCPA Section 1798.100, and PIPEDA Principle 9. We will respond to access requests within thirty calendar days of receipt.

9.3 Your Right to Rectification

You have the right to request that inaccurate or incomplete personal data we hold about you be corrected without undue delay. This right is provided by GDPR Article 16 and the CCPA/CPRA right to correct. Please contact contact@approgram.ca with details of the information you believe is inaccurate and what the correct information should be.

9.4 Your Right to Erasure

You have the right to request the deletion of personal data we hold about you where that data is no longer necessary for the purpose for which it was collected; where you have withdrawn consent and no other lawful basis for processing exists; where you have objected to processing based on legitimate interests and our interests do not override yours; or where the processing is unlawful. This right is provided by GDPR Article 17, CCPA Section 1798.105, and PIPEDA. Erasure requests are processed within thirty calendar days. Where a legal hold or regulatory retention obligation applies, we will inform you of the basis and timeline for that hold.

9.5 Your Right to Restriction of Processing

You have the right to request that we restrict how we process your personal data in certain circumstances for example, while you contest the accuracy of data we hold, while an objection to processing is being assessed, or where you need us to retain data that would otherwise be deleted for the purpose of a legal claim. This right is provided by GDPR Article 18. During any period of restriction, we will continue to store the data but will not process it for any other purpose without your consent.

9.6 Your Right to Data Portability

You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance. This right applies where processing is based on consent or contract and is carried out by automated means. This right is provided by GDPR Article 20 and the CCPA right to data portability. We provide data in JSON or CSV format upon request.

9.7 Your Right to Object

You have the right to object at any time to processing of your personal data that is based on our legitimate interests, including profiling based on legitimate interests. Upon receipt of a valid objection, we will cease that processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless the processing is necessary for the establishment, exercise, or defence of legal claims. This right is provided by GDPR Article 21.

9.8 Your Right Not to be Subject to Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing including profiling that produces legal or similarly significant effects concerning you, without human intervention, the ability to express your point of view, and the right to contest the decision. Approgram does not make fully automated decisions with legal or significant effects without human oversight. If you believe such a decision has been made in your case, contact contact@approgram.ca with the subject line "Automated Decision Review Request." A human reviewer will assess and respond within fifteen business days.

9.9 Your Right to Withdraw Consent

Where we process your personal data on the basis of your consent, you have the right to withdraw that consent at any time with immediate effect. Withdrawal does not affect the lawfulness of any processing conducted before the withdrawal. Following withdrawal, we will cease all processing based on that consent and will delete or anonymise the relevant data within thirty days unless another lawful basis for retention applies.

9.10 Your Right to Opt Out of Profiling

If Approgram's systems engage in any automated profiling relevant to your individual profile or behaviour — for example, in the context of a marketing or sales agent deployment you have the right to object to that profiling at any time by contacting contact@approgram.ca. We will cease profiling activities affecting you within fifteen business days of receiving a valid opt-out request and will confirm that action to you in writing.

9.11 California Residents — Additional Rights

If you are a California resident, you are entitled to the full set of rights provided by the CCPA and CPRA, including the right to know what personal information is collected, used, shared, or sold; the right to delete personal information; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information noting that Approgram does not sell or share personal information; the right to limit the use and disclosure of sensitive personal information; the right to data portability; and the right to non-discrimination for exercising any of these rights. We will never discriminate against California residents or any individuals who exercise their data protection rights.

9.12 How to Exercise Your Rights

To exercise any of the rights described in this Section, please contact us at contact@approgram.ca with the subject line "Data Subject Rights Request." You may also contact our Data Protection Officer directly at contact@approgram.ca. We will acknowledge your request within five business days and respond substantively within thirty calendar days. For requests that are complex or numerous, we may extend our response period by up to a further sixty calendar days, in which case we will notify you of the extension and the reasons within the initial thirty-day period. All rights requests are processed free of charge.

To protect your personal data, we will verify your identity before processing any rights request. We may ask you to provide reasonable evidence of identity, which will be used only for verification purposes and will not be retained or processed for any other purpose.

9.13 Your Right to Lodge a Complaint with a Supervisory Authority

If you are dissatisfied with our response to a rights request, or if you believe that we have processed your personal data unlawfully, you have the right to lodge a complaint with the supervisory authority applicable to your jurisdiction. In Canada, the relevant authority is the Office of the Privacy Commissioner of Canada, accessible at www.priv.gc.ca. In the European Union, the relevant authority is your national Data Protection Authority; a directory of EU DPAs is available at edpb.europa.eu. In the United Kingdom, the relevant authority is the Information Commissioner's Office, accessible at ico.org.uk. In California, the relevant authority is the California Privacy Protection Agency, accessible at cppa.ca.gov.

We would always welcome the opportunity to address your concerns directly and promptly before any escalation to a supervisory authority. Please contact us first we are committed to resolving legitimate concerns with seriousness and respect.

10. Cookies and Tracking Technologies

Approgram's web properties and client portals use cookies and similar tracking technologies to operate and improve our digital services. We deploy three categories of cookies.

Strictly necessary cookies are required for our platforms to function. They enable core features such as user authentication, session management, and security. They cannot be disabled without rendering the service inoperable and do not require consent under applicable law.

Functional cookies enable personalisation and preference retention — for example, remembering your language selection or interface configuration. They are optional and can be disabled without affecting core platform functionality.

Analytical cookies collect aggregated, anonymised data to help us understand how our web properties are used, identify performance issues, and improve user experience. No personal data collected through analytical cookies is used for profiling or advertising purposes. You may opt out of analytical cookies at any time through our cookie preference centre.

We do not deploy advertising cookies, cross-site tracking cookies, or any cookies designed to build individual profiles for commercial targeting. Cookie preferences can be managed through the cookie consent tool presented on your first visit to our web properties, or at any time through your browser settings or our preference centre.

11. Children's Privacy

Approgram's services are designed for, and directed exclusively to, adults and business users. We do not knowingly collect personal data from individuals under the age of 16. If you have reason to believe that a person under 16 has provided personal data to us without appropriate parental or guardian consent, please contact contact@approgram.ca immediately. We will take prompt steps to verify the concern, delete the relevant data, and prevent any further collection.

12. Changes to This Privacy Policy

Approgram reserves the right to update and revise this Privacy Policy at any time to reflect changes in our services, technology, legal obligations, or business practices. When we make material changes, we will take the following steps: we will post the updated Policy on our website with a clearly visible revised Effective Date; we will notify all registered users and clients by email at least thirty calendar days before the changes take effect; and where applicable law requires fresh consent for materially new processing activities, we will obtain that consent before the new processing commences.

For changes that are non-material — such as minor clarifications, formatting updates, or corrections of typographical errors — we will update the Policy and revise the Effective Date without individual notification. The current version of this Policy is always available at our website.

Your continued use of Approgram's services following the effective date of any updated Policy constitutes your acknowledgment of and agreement to the revised terms, subject to any applicable consent requirements. If you object to any change, you are entitled to cease using our services and to request deletion of your personal data in accordance with Section 9.4 of this Policy.

13. Contact Information and Data Protection Officer

13.1 General Privacy Inquiries

For all privacy-related inquiries, data subject rights requests, questions about this Policy, concerns about our data practices, or any other data protection matter, please contact us at the following:

Approgram Technologies Inc.
Ontario, Canada
General Privacy Contact: contact@approgram.ca

We are committed to responding to all privacy inquiries with care and promptness. No inquiry will be redirected, dismissed, or left unanswered.

13.2 Data Protection Officer

Approgram has designated a Data Protection Officer (DPO) who is responsible for overseeing our data protection programme, ensuring compliance with applicable privacy law, serving as the primary point of contact for supervisory authorities and data subjects, and providing internal guidance on data protection matters. The DPO operates with full independence and reports at the highest level of our organisation.

Data Protection Officer: abhijeet@approgram.ca

13.3 EU and UK Representative

Pursuant to Article 27 of the GDPR and its UK equivalent, organisations outside the EU and UK that process personal data of EU and UK data subjects are required to designate a representative within the EU or UK. Approgram has currently designated our Data Protection Officer to serve in this representative capacity pending the formal appointment of a dedicated EU and UK-based representative as our operations in those jurisdictions scale.

EU and UK data subjects may contact our current representative directly at contact@approgram.ca for all data protection matters. We are committed to appointing a locally based EU and UK representative as a matter of priority, and this appointment will be reflected in an updated version of this Policy with immediate effect upon confirmation.

14. Governing Law and Jurisdiction

This Privacy Policy is governed by and construed in accordance with the laws of the Province of Ontario and the applicable federal laws of Canada. For data subjects located in the European Union or European Economic Area, the GDPR shall take precedence over domestic Canadian law to the extent of any conflict in respect of their personal data rights. For California residents, the CCPA and CPRA shall take precedence to the extent of any conflict with domestic Canadian law in respect of their personal data rights.

Subject to the mandatory jurisdiction pr