Version 2025-10-01 (supersedes all prior versions)

1. WHO WE ARE AND SCOPE

1. SimplyAsk.ai Inc. (“SimplyAsk.ai”, “we”, “us”, “our”) provides the Symphona AI‑automation platform and related websites and services (together, the “Services”).
2. This Privacy Policy describes how we collect, use, disclose and protect Personal Information when you visit our websites (including simplyask.ai and symphona.ai), use the Services, interact with us for support or marketing, or otherwise communicate with us.
3. Controller vs Processor:
   
   1. Controller: We act as a “controller” (BC PIPA “organization”) for our websites, marketing, and sales activities.
   2. Processor: For Symphona accounts, we generally act as a processor/service provider on behalf of the customer (the “Customer” is the controller). In that case, we process Personal Information under the Customer’s instructions and our data‑processing terms. If your data is processed under a Customer’s account, please direct your privacy requests to that Customer; we will assist them as required.

2. CONTACT INFORMATION & PRIVACY OFFICER

• Privacy Officer: privacy@simplyask.ai
• Mailing address: SimplyAsk.ai Inc., Suite 900, 2025 Willingdon Ave, Burnaby, BC, V5C 0J3, Canada
• If you are located in British Columbia, you may also contact the Office of the Information and Privacy Commissioner for BC (OIPC) for complaints or guidance. If you are located in Mexico, see Section 14 below for your ARCO rights and how to contact us regarding the “Aviso de Privacidad.”

3. PERSONAL INFORMATION WE COLLECT

We collect the following categories of Personal Information. Specific details depend on how you interact with us.

• Identifiers and contact data: name, business email, phone number, company, job title, billing and mailing addresses.
• Account credentials and profile: username, hashed passwords, user role, preferences.
• Billing and payment data: payment method details (processed by our third‑party payment providers), tax information, transaction history.
• Service usage and telemetry: in‑app events, feature usage, workflow and API activity, timestamps, error logs, performance metrics.
• Device and network data: IP address, device identifiers, browser type, operating system, language, time zone, approximate location derived from IP.
• Customer content and configuration: data, prompts, knowledge bases, templates, files or configurations you upload or create in the Services.
• Support and communications: support tickets, email/chat correspondence, customer success notes, feedback, survey responses.
• Marketing and website analytics: page views, scroll depth, clicks, referral source/UTM, campaign engagement, cookie and SDK data as described in Section 10.

4. SOURCES OF PERSONAL INFORMATION

• Directly from you (account registration, support requests, forms, email, in‑product).
• Automatically from your device’s interaction with our websites and Services (cookies, SDKs, telemetry).
• From your employer or Customer (for Symphona accounts).
• From Authorized Resale Partners, service providers, and publicly available or commercial sources (e.g., business contact databases), where permitted.

‍4. HOW WE USE PERSONAL INFORMATION (PURPOSES)

• Primary purposes (necessary to provide the Services)
  
  • Provide, operate, secure and improve the Services and related support.
  • Create and manage accounts and authenticate users.
  • Process transactions, billing, taxes and collections.
  • Provide updates, technical notices, security alerts and administrative communications.
  • Detect, prevent and investigate fraud, abuse, security incidents and illegal activity.
  • Comply with applicable laws, enforce our agreements and protect our rights.
• Secondary purposes (optional or based on legitimate interests/consent)
  
  • Product analytics, quality, and research and development.
  • Personalization (e.g., recommended features, content).
  • Marketing, newsletters, event invitations and promotions (in compliance with CASL and other marketing laws).
  • Aggregating/anonymizing data for statistics and benchmarking.
• Mexico note (LFPDPPP): Primary purposes are necessary for your relationship with us and do not require consent. Secondary purposes are optional. You may object to secondary uses (see Section 14 for Mexico‑specific rights).

5. LEGAL BASES (EEA/UK WHERE APPLICABLE)

• Contract performance: to provide the Services, support, and fulfill our agreements.
• Legitimate interests: to secure and improve the Services, prevent fraud, understand product usage, market to business contacts (where permitted), and protect our rights. We balance these interests against your rights.
• Consent: for optional cookies/analytics, certain marketing communications, or where required by law.
• Legal obligations: to comply with tax, accounting, sanctions/export‑control, and other regulations.

6. HOW WE DISCLOSE PERSONAL INFORMATION

We do not sell Personal Information for money. We may disclose the categories of Personal Information described in Section 3 to:

• Service providers and sub‑processors who process data on our behalf (hosting, AI inference, communications, billing, analytics, support). We require appropriate contractual safeguards.
• Authorized Resale Partners (for Partner‑Governed accounts), to enable ordering, billing and support.
• Professional advisors (lawyers, accountants), auditors, and insurers under confidentiality.
• Affiliates (for internal operations consistent with this policy).
• Governmental, regulatory or law‑enforcement authorities where required by law or to protect rights, safety or property.
• In the context of a corporate transaction (merger, acquisition, financing, sale of assets), subject to confidentiality and consistent use limits.
• Aggregated or de-identified data that cannot reasonably identify you may be shared for analytics, benchmarking or research.

Sub‑processors: We publish a current list of our sub‑processors and processing locations at https://www.simplyask.ai/legal/subprocessors (or successor URL) and provide at least 30 days’ advance notice of material changes where practicable.

7. INTERNAL DATA TRANSFERS

• We host and process data in Canada and the United States, and may leverage additional regions for resilience. We use appropriate safeguards for cross‑border transfers, including:
  
  • Standard Contractual Clauses (and UK addendum) where required.
  • Organizational and technical measures (encryption in transit and at rest where applicable, access controls, audits).
• For Mexico: by using our Services, you consent to cross‑border transfers as described in this policy and as allowed by law. We will ensure transfers comply with LFPDPPP requirements.

8. DATA RETENTION

• We retain Personal Information for as long as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. We apply the following typical timeframes (subject to change based on legal, operational or security needs):
  
  • Account data: duration of the account plus up to one (1) year.
  • Billing/tax records: up to seven (7) years.
  • Service logs/telemetry: generally 12 months; key security logs longer if needed.
  • Support tickets: up to three (3) years after closure.
  • Marketing contact records: until you opt out or after 24 months of inactivity.
• Post‑termination retrieval: Following account termination or expiration, we retain Customer data for up to thirty (30) days solely to facilitate retrieval upon written request by an authorized admin. After that period, we will delete or anonymize data in accordance with our data‑retention policies, unless we must retain it longer by law or to protect our rights. Backups may persist for a limited period per our disaster‑recovery schedules.

9. SECURITY

• We maintain administrative, technical and physical safeguards appropriate to the nature of the data, including access controls, encryption in transit and at rest where applicable, vulnerability management and incident response procedures.
• No system is perfectly secure. If we confirm unauthorized access affecting Personal Information under our control, we will notify affected parties and regulators as required by law (e.g., within 72 hours where applicable).

10. COOKIES & SIMILAR TECHNOLOGIES

• We use cookies, pixels and SDKs to operate and improve the Services, understand usage, and measure marketing performance. Categories include:
  
  • Strictly necessary: required for core functionality, authentication, security.
  • Functional: remember preferences and settings.
  • Analytics: product and site analytics (e.g., usage telemetry).
  • Advertising/marketing: measuring campaign performance, retargeting where applicable.
• Your choices:
  
  • You can manage cookies in your browser settings and, where offered, via our cookie preferences tool.
  • If you are in the EEA/UK, we will request consent for non‑essential cookies.
  • Do Not Track/GPC: We do not respond to DNT signals. Where legally required, we make good‑faith efforts to honor Global Privacy Control (GPC) signals for cookie‑based sharing on our public sites.
• California “sale” or “sharing”: We do not sell Personal Information for money. Some analytics/advertising disclosures may be considered “sharing” under California law. California residents can opt out of “sharing” via the “Do Not Sell or Share My Personal Information” link in our website footer or by using a supported GPC signal.

11. YOUR RIGHTS & CHOICES

We will respond to requests within the timelines required by applicable law. We may need to verify your identity and, where we are a processor, we will refer your request to the Customer (controller).

• Global rights (subject to local law): access, rectification, deletion, portability (where applicable), restriction/objection to certain processing, and withdrawal of consent.
• Marketing communications: You can unsubscribe at any time using the link in the email or by contacting us. We comply with Canada’s Anti‑Spam Legislation (CASL).
• California (CPRA) rights: right to know/access specific pieces and categories of Personal Information; right to delete; right to correct; right to opt out of “selling” or “sharing” Personal Information; right to limit use of sensitive Personal Information (we do not use sensitive Personal Information for purposes that require a right to limit). You may exercise rights via the links in our footer or by contacting privacy@simplyask.ai. Authorized agents may submit requests; we may require proof of authorization and identity.
• EEA/UK rights: access, rectification, erasure, restriction, portability, objection to processing based on legitimate interests, and withdrawal of consent. You may lodge a complaint with your supervisory authority at any time.
• British Columbia (BC PIPA): contact our Privacy Officer to request access or correction. You may also contact the OIPC (BC) for assistance.
• Mexico (LFPDPPP) ARCO rights: see Section 14 for a detailed Mexico “Aviso de Privacidad” summary, including how to exercise ARCO rights (Access, Rectification, Cancellation, Opposition) and to object to secondary purposes.

12. CHILDREN

Our Services are intended for business users and are not directed to individuals under the age of 18. We do not knowingly collect Personal Information from children. If you believe a child provided us with Personal Information, contact us and we will delete it.

13. OUR PROCESSOR ROLE FOR BUSINESS CUSTOMERS

When a Customer uses the Services and we process Personal Information on their behalf (e.g., Symphona accounts), the Customer’s privacy notice governs. We will process and disclose Personal Information only under the Customer’s documented instructions and our data‑processing terms. If you submit a privacy request regarding data we process on behalf of a Customer, we will direct your request to the Customer.

14. MÉXICO (AVISO DE PRIVACIDAD)

Identidad y Domicilio del Responsable: SimplyAsk.ai Inc., Suite 900, 2025 Willingdon Ave, Burnaby, BC, V5C 0J3, Canadá; correo: privacy@simplyask.ai. Finalidades del Tratamiento:

• Primarias (necesarias): proveer, operar y mejorar los Servicios; crear y administrar cuentas; brindar soporte; facturación y cobros; seguridad, prevención de fraudes; cumplimiento legal.
• Secundarias (opcionales): analítica de producto; personalización; mercadotecnia B2B; encuestas y eventos. Opciones y Medios para Limitar el Uso o Divulgación: Usted puede oponerse al uso para finalidades secundarias enviando un correo a privacy@simplyask.ai con asunto “Oposición a finalidades secundarias”, incluyendo su nombre, empresa, email asociado y la(s) finalidad(es) a las que se opone. Medios para Ejercer Derechos ARCO: Envíe su solicitud a privacy@simplyask.ai con (i) nombre y datos de contacto; (ii) descripción clara de los datos objeto del derecho; (iii) copia de documento que acredite su identidad o, en su caso, representación. Responderemos en los plazos de la LFPDPPP y su Reglamento. Transferencias: Transferimos datos a prestadores de servicios (encargados/sub‑procesadores) y, en su caso, a afiliadas o autoridades, bajo las salvaguardas legales aplicables. Las transferencias internacionales se realizan conforme a la LFPDPPP. Revocación de Consentimiento: Puede revocar su consentimiento para finalidades secundarias en cualquier momento sin efectos retroactivos, enviando un correo a privacy@simplyask.ai. Cambios al Aviso: Publicaremos actualizaciones en este documento con “Última Actualización” y, de ser material, podremos notificarle por correo o dentro del producto.

15. CASL & MARKETING COMMUNICATIONS

We send commercial electronic messages in compliance with CASL. You can withdraw consent at any time using the unsubscribe link in our emails or by contacting privacy@simplyask.ai. Transactional and service communications may still be sent where permitted.

16. THIRD-PARTY SITES & SERVICES

Our websites and Services may link to third‑party sites or integrate with third‑party services. Their privacy practices are governed by their own policies. We are not responsible for third‑party privacy practices.

17. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. If we make material changes, we will provide at least 30 days’ advance notice to registered users (e.g., by email or in‑product notice) and post the revised policy with a new ‘Version’ date. Your continued use of the Services after the effective date constitutes acceptance of the revised policy.

18. HOW TO CONTACT US

• Email: privacy@simplyask.ai
• Mail: SimplyAsk.ai Inc., Suite 900, 2025 Willingdon Ave, Burnaby, BC, V5C 0J3, Canada

19. CALIFORNIA “NOTICE AT COLLECTION”

• Categories collected: identifiers (name, email, IP), commercial information (transactions), internet/electronic activity (usage, logs), geolocation (approximate via IP), professional information (role/company), and in some cases in‑app content/configurations you supply. We do not intentionally collect sensitive personal information for our websites or Symphona accounts.
• Purposes: see Section 4. We do not sell Personal Information for money. Certain analytics/advertising disclosures may be “sharing.” See Section 10 for opt‑out.
• Retention: see Section 8 for retention periods/criteria.
• Your rights: see Section 11. Opt out of “sharing” via the “Do Not Sell or Share My Personal Information” link in our footer or via supported GPC signals.

20. ADDITIONAL DISCLOSURES

• Sub‑processors: https://www.simplyask.ai/legal/subprocessors (or successor URL).
• Data‑processing addendum: https://www.simplyask.ai/legal/dpa.