Privacy Policy
Prime Digital AI, Inc. ("Prime Digital AI," "we," "us") builds AI tools for Canadian and American businesses. This policy explains exactly what information we collect, why, how we protect it, and how to exercise your rights under PIPEDA, Quebec Law 25, CCPA, and other applicable laws.
PIPEDAQuebec Law 25CCPA / CPRACASLGDPR-alignedOn this page
1. Who we are
Prime Digital AI, Inc. is a Delaware-incorporated company operating across Canada and the United States. We build AI products including AI-Forge (AI integration audit platform) and SecureID Chain (privacy-first HR/payroll platform, in development).
For privacy purposes, Prime Digital AI is the data controller (and "business" under CCPA) for personal information collected through our marketing site, sales process, and products.
2. Information we collect
2.1 Information you give us directly
- Booking / demo requests: name, business name, email, phone, industry, employee count, preferred call time, pain-point description.
- Concierge chat: questions you type into the on-site AI assistant, plus your email if you choose to leave one.
- Audit inputs (AI-Forge): business name, industry, employee count, location (province/state), current software stack, and free-text pain-point description.
- Account information (paid customers): billing contact, payment method (processed by Stripe — we never see or store full card numbers), subscription plan.
- Communications: emails, support messages, demo-call transcripts (only if you consent to recording).
2.2 Information we collect automatically
- Server logs: IP address, browser type, pages visited, timestamps. Retained 90 days for security and abuse prevention.
- Local storage: a session token (paid customers) and your most recent audit (stored in your own browser; not transmitted to us). The "Remember on this device" option is opt-in only.
- Analytics (Google Analytics 4 — only with your consent): if you click "Allow analytics" in our consent bar, we use Google Analytics 4 to count visits and page views. We configure it with IP anonymization, no advertising features, and we strip page URLs down to the path so no tokens or identifiers ever reach Google. If you decline, no analytics run at all. See §7 for details and how to change your choice.
2.3 What we do NOT collect
- Social Insurance Numbers, SSNs, or any government IDs (unless you become a SecureID Chain payroll customer, governed by a separate Data Processing Agreement).
- Health information.
- Financial account numbers (Stripe handles all payment data).
- Location beyond the province/state you self-report.
3. How we use your information
- Run the audit you requested and return results to your browser.
- Schedule and conduct the 20-minute demo call you booked.
- Send the founding-member offer email and follow-ups (you may opt out at any time — see §10).
- Operate, secure, and improve our products.
- Bill paying customers and handle subscription lifecycle (renewals, refunds, cancellations).
- Comply with legal obligations (tax, accounting, lawful requests).
We do not sell personal information. We do not use your data to train AI models — yours or anyone else's.
4. Legal basis for processing
Depending on your jurisdiction:
- Canada (PIPEDA + Quebec Law 25): express or implied consent for collection and use; contractual necessity for paid customers; legitimate business interest for security logs and fraud prevention.
- United States (CCPA/CPRA): processing necessary to provide the services you requested; legitimate business purposes.
- Marketing emails: express consent at booking, with one-click unsubscribe (CASL-compliant for Canadian recipients).
5. Who we share information with
We share only what is necessary, only with vetted processors who are contractually bound to confidentiality and security obligations equivalent to ours:
- Netlify (US/Canada) — website hosting and form submissions.
- Cloudflare (US/global) — DNS, CDN, edge compute (the AI-Forge proxy that calls Anthropic).
- Anthropic (US) — Claude API processing for audit generation and concierge replies. See §6 for what is and isn't sent.
- Stripe (US/Canada/global) — payment processing for paid customers.
- Google (Google Analytics 4) (US/global) — consent-based website analytics only. Receives anonymized usage data solely if you accept analytics in our consent bar; never receives your name, email, audit inputs, or tokens.
- Email infrastructure (Postmark / Resend / SES — current provider listed in our DPA on request) — transactional and marketing email delivery.
- Law enforcement or regulators — only when legally compelled, and we will notify you unless prohibited.
- Acquirer — in the event Prime Digital AI is acquired or merged, with notice to you and the right to delete your data before transfer.
We never share personal information with advertisers, data brokers, or for any purpose unrelated to operating our services.
6. How AI processes your information
AI-Forge sends the following fields to Anthropic's Claude API to generate your audit: business name, industry, employee count, location, software stack, and pain-point description. Anthropic processes the request to generate a response and, per their Commercial Terms, does not use API inputs or outputs to train their models.
The concierge chat on our marketing site sends only the question you type. If you provide an email to receive a personal reply, that email is sent to us, not to Anthropic.
We never include your name, email, billing details, or any identifier beyond the business name in the AI prompt.
You can request to opt out of all AI processing — you will receive a manually-prepared audit within 5 business days instead. Email hello@primedigitalai.ai.
7. Cookies and tracking
We do not use advertising cookies, cross-site tracking, or fingerprinting. The browser storage we use:
- Session storage (cleared when you close the tab): API/audit token if you are using the dashboard.
- Local storage (persists until you clear it): your last AI-Forge audit, your analytics consent choice, and your API/audit token only if you explicitly tick the "Remember on this device" checkbox.
- Analytics cookies — only with your consent: if you click "Allow analytics" in the consent bar, Google Analytics 4 sets its measurement cookies (e.g.
_ga) to count visits and page views. We enable IP anonymization, disable advertising features, and never send page URLs containing tokens or identifiers. If you click "No thanks," no analytics cookies are set and nothing loads.
Changing your mind: clear this site's data in your browser settings (or click "Clear session" in the AI-Forge dashboard) and the consent bar will appear again on your next visit.
8. Retention
- Demo bookings (unconverted leads): 24 months from last contact, then deleted unless you ask sooner.
- Customer account data: for the duration of your subscription plus 24 months for tax/accounting (CRA and IRS minimums).
- Audit history: stored locally in your browser by default. If you opt into server-side history (paid plans), retained until you delete it or close your account.
- Server logs: 90 days.
- Stripe payment records: 7 years (CRA / IRS requirement).
9. Security
We use industry-standard safeguards:
- TLS 1.3 for all data in transit.
- Encrypted secrets storage (Cloudflare Workers Secrets, AWS KMS for any AWS components).
- Principle of least privilege — only the founder and contracted operators with a defined need can access production systems.
- No personal data in third-party prompts beyond what is necessary to generate the audit.
- Audit token rotation supported on request.
- Incident notification: if a breach affects you, we will notify you within 72 hours of confirmation, in accordance with Quebec Law 25, PIPEDA, and CCPA timelines.
10. Your rights
Regardless of where you live, you can:
- Access a copy of the personal information we hold about you.
- Correct inaccurate information.
- Delete your information (subject to tax/legal retention obligations).
- Withdraw consent to marketing emails (one-click unsubscribe; or email us).
- Opt out of AI processing (manual audit instead).
- Export your data in a machine-readable format.
- File a complaint with the relevant regulator (see §14).
Additional rights by jurisdiction:
- Quebec residents (Law 25): right to data portability, right to be informed of automated decision-making (AI-Forge audits qualify — see §6), right to discontinue dissemination.
- California residents (CCPA/CPRA): right to know, delete, correct, limit use of sensitive personal information, opt out of sale/sharing (we do not sell or share, but you may still request confirmation).
- EU/UK residents (if you reach our site): GDPR/UK GDPR rights including objection and restriction of processing.
To exercise any right, email hello@primedigitalai.ai with the subject "Privacy Rights Request." We respond within 30 days (PIPEDA), 45 days (CCPA), or 30 days (Quebec Law 25), whichever is earliest. We will not charge a fee for the first request in any 12-month period.
11. Children
Our services are for business use only. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us information, email us and we will delete it.
12. International transfers
Most of our processors are based in the United States. When personal information of Canadian or other non-US residents is transferred to the US, we rely on:
- Contractual protections (Data Processing Agreements) with each US-based processor.
- Vendor selection limited to providers with PIPEDA-compatible practices.
- Encryption in transit and at rest.
You can ask for a list of cross-border transfers that affect your data at any time.
13. Changes to this policy
Material changes will be announced by email to active customers and a banner on our site at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the current version. Prior versions are available on request.
14. Contact us & file a complaint
Email: hello@primedigitalai.ai
Mail: Prime Digital AI, Inc., Delaware (full mailing address on request).
If we cannot resolve your concern, you have the right to file a complaint with:
- Office of the Privacy Commissioner of Canada — priv.gc.ca
- Commission d'accès à l'information du Québec — cai.gouv.qc.ca
- California Privacy Protection Agency — cppa.ca.gov