1. Introduction
This Privacy Policy describes how Gid Solutions, Inc., a Delaware corporation operating as "Gid AI" ("we", "our", or "us"), with its principal place of business at 390 Henri-Bourassa, Papineauville, Quebec, Canada, J0V 1R0, collects, uses, shares, and protects information when you use the Gid platform — our AI-assisted restaurant management and employee engagement service.
We built Gid with privacy by design and aim to be transparent about every piece of data we touch. This Policy is read alongside our Terms of Service, our Data Processing Agreement, our list of Sub-processors, and our Acceptable Use Policy.
2. Information We Collect
Account and Profile Information
- Contact details (name, email, phone number)
- Company information (business name, role, industry)
- Account credentials and authentication data
- Profile preferences and settings
Service Usage Data
- Training session participation and progress
- Communication logs (SMS, voice, app interactions)
- Performance metrics and feedback
- Scheduling and attendance data
Technical Information
- Device information and browser details
- IP addresses and location data (general geographic area)
- Usage analytics and system performance data
- Log files and error reports
Integration Data
- POS and PMS system data (when integrated)
- Sales metrics and operational data
- Employee scheduling and time tracking information
3. How We Use Your Information
Service Delivery
- Provide personalized AI coaching and training
- Generate insights and performance analytics
- Facilitate communication between team members
- Optimize scheduling and workforce management
Platform Improvement
- Analyze usage patterns to improve our services
- Develop new features and capabilities
- Ensure system reliability and performance
- Conduct security monitoring and threat detection
Communication
- Send service updates and important notices
- Provide customer support and technical assistance
- Share product updates and new features
4. Data Infrastructure and Security
Cloud Infrastructure
We utilize enterprise-grade cloud infrastructure to ensure data security and availability:
- Google Cloud Platform: Primary hosting and data processing
- Amazon Web Services (AWS): Additional services and redundancy
- Firebase: Real-time database and authentication services
Security Measures
- End-to-end encryption for data in transit and at rest
- Multi-factor authentication and access controls
- Regular security audits and penetration testing
- Built on SOC 2 Type II and ISO 27001 certified infrastructure (Google Cloud Platform, Firebase)
- Automated backup systems and disaster recovery
5. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We may share data only in these limited circumstances:
Service Providers
- Trusted third-party services that help us operate our platform
- Cloud infrastructure providers (Google Cloud, AWS)
- Analytics and monitoring services
- Payment processors and billing services
Legal Requirements
- When required by law, regulation, or legal process
- To protect our rights, property, or safety
- To prevent fraud or security threats
Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
6. Your Rights and Choices
Access and Control
- Access: Request copies of your personal data
- Correction: Update or correct inaccurate information
- Deletion: Request deletion of your personal data
- Portability: Export your data in a standard format
- Restriction: Limit how we process your information
Account Deletion
Account deletion is available to all users in all regions, regardless of whether GDPR, CCPA, PIPEDA, or DPDP applies to you. You can delete your account and all associated data at any time using any of these methods:
- In the app (primary path): Account Settings → Delete My Account. This is the recommended path and complies with Apple App Store Guideline 5.1.1(v) and Google Play account deletion requirements.
- Online, no login required: Visit www.gidai.ca/delete-account. The web form is publicly reachable so users who have uninstalled the app can still request deletion.
- By email: Send a request to privacy@gidai.ca with the subject line "Account Deletion Request".
Deletion removes your account credentials, personal profile information, training records, scheduling data, and all user-generated content authored by you, including:
- Chat messages and channel posts you authored;
- Voice-agent transcripts and call recordings tied to your account;
- Training submissions and capsule responses;
- Uploaded media (avatars, files, images, documents);
- Any custom configurations or preferences attached to your profile.
Deletion is processed within a 30-day grace window (so accidental clicks can be reversed by signing back in), followed by permanent removal within a further 30 days. Some records are retained only as required by law:
- Financial / billing records for 7 years (tax and audit law);
- Compliance audit row containing a hashed email and timestamps (GDPR Art 30 record-of-processing);
- Hashed email on our suppression list, so we never re-contact you after deletion.
None of the retained records includes substantive personal data beyond what is strictly required by law. Full retention details are in Section 7.
Communication Preferences
- Opt out of marketing communications
- Control notification settings
- Manage data sharing preferences
7. Data Retention
We retain your information only as long as necessary to:
- Provide our services and support your account
- Comply with legal obligations
- Resolve disputes and enforce our agreements
- Improve our services and security
Typically, we retain:
- Account data: While your account is active plus 90 days after closure
- Usage analytics: 24 months
- Communication logs: 12 months
- Financial records: 7 years (as required by law)
8. International Data Transfers
We primarily operate in Canada, the United States, and India. When we transfer data internationally, we ensure appropriate safeguards are in place:
- Standard contractual clauses approved by data protection authorities
- Adequacy decisions from relevant regulatory bodies
- Certification schemes and codes of conduct
9. Compliance and Regulations
We comply with applicable data protection laws, including:
- GDPR: European General Data Protection Regulation (EU and UK)
- CCPA: California Consumer Privacy Act
- PIPEDA: Personal Information Protection and Electronic Documents Act (Canada, federal)
- DPDP: Digital Personal Data Protection Act, 2023 (India)
- Industry standards: Restaurant and hospitality data protection requirements
9.A Your data subject rights and how to exercise them
Wherever you live, you have the same operational toolkit to control your personal data. We process every request within 72 hours, with a 30-day grace window on deletions in case you change your mind.
Right to portability (GDPR Art 20, PIPEDA Principle 9, DPDP Section 11)
Receive a copy of every piece of data we hold on your behalf, in a structured, commonly used, machine-readable format (JSON in a single ZIP archive).
- Inside the Gid app: Open Account Settings (top-right menu) and tap "Export my data". The email arrives within 30 minutes.
- From the web: gidai.ca/data-export. Two-step magic-link confirmation by email.
- Sensitive fields like access tokens, password hashes, and API keys are redacted by design. They have no portability value and exporting them would weaken your security.
Right to erasure (GDPR Art 17, PIPEDA Principle 9, DPDP Section 12)
Permanently delete your account and personal data. We use a 30-day grace window so accidental clicks never lose your data.
- Inside the Gid app: Account Settings, then "Delete my account". You confirm by typing your email and acknowledging the consequences.
- From the web: gidai.ca/delete-account. Same magic-link confirmation as the export flow.
- Cancel anytime within 30 days by signing back in. On day 31 we permanently delete your profile, schedules, tasks, training records, chat messages, and uploaded files.
- Stripe subscription is cancelled the moment you submit the request (no further charges).
- A compliance audit row is retained for 7 years per the GDPR Art 30 record-of-processing requirement. The audit row contains a hashed email and timestamps, and no personal data beyond that.
Right of access, correction, restriction, and objection
Email privacy@gidai.ca with the right you want to exercise. We respond within 72 hours and complete the action within 30 days, in line with GDPR Art 12, PIPEDA's Openness principle, and DPDP Section 13.
India Grievance Officer (DPDP Section 13)
Our designated Grievance Officer is Alexandre Verville, founder, reachable at privacy@gidai.ca. Response time: 72 hours. If your concern is not resolved, you may contact the Data Protection Board of India.
Cookie consent
We do not load any analytics cookies until you accept them in the consent banner shown on your first visit. Decline is honored permanently for 12 months; we also auto-decline when your browser sends Do Not Track or Global Privacy Control signals. You can change your choice anytime by clicking Cookie preferences.
Suppression list
If you exercise your right to erasure or unsubscribe from our cold-email outreach, your email address (hashed) is added to a global suppression list. We will never contact you again unless you explicitly subscribe back. This protects you from accidental re-engagement after deletion.
9.B U.S. state privacy rights
If you are a resident of a U.S. state with a comprehensive privacy law — including California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, or Montana — you have specific rights regarding your personal information. We honor these rights for all U.S. residents, regardless of state of residence, to simplify the experience.
Your rights
- Right to know. Request a list of the categories of personal information we collect, the sources, the purposes, and the categories of third parties we share with.
- Right of access. Request a copy of the specific pieces of personal information we have collected about you in the preceding 12 months (24 months for California requests from January 2024 onward).
- Right to delete. Request that we delete personal information we have collected from you.
- Right to correct. Request that we correct inaccurate personal information.
- Right to opt out of sale, sharing, and targeted advertising. We do not sell personal information, we do not share personal information for cross-context behavioral advertising, and we do not engage in targeted advertising as those terms are defined in U.S. state privacy laws. No opt-out is needed because these activities do not occur.
- Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes that require an opt-out under California, Connecticut, or Colorado law.
- Right to opt out of profiling that produces legal or similarly significant effects. We do not engage in such profiling. Some features may inform managerial decisions; final decisions are made by a human, and AI outputs are advisory only (see Terms Section 5).
- Right to non-discrimination. We will not discriminate against you for exercising any of these rights (such as by denying service, charging different prices, or providing a lesser quality of service).
- Right to appeal. If we deny your request, you may appeal the decision by replying to our response with "Appeal" in the subject line. We will respond within 45 days. This appeal mechanism is required under Virginia, Colorado, and Connecticut law; we honor it for all U.S. residents.
How to exercise your rights
- In the Gid app: Account Settings → "Export my data" (right to access & portability) or "Delete my account" (right to delete).
- From the web: gidai.ca/data-export or gidai.ca/delete-account.
- By email: privacy@gidai.ca with the right you want to exercise in the subject line.
- By phone: +1 (289) 217-6976 (California consumers, per CCPA § 1798.130(a)(1)(A)).
Identity verification
To protect you, we verify the identity of the requester before disclosing or deleting personal information. For account-holders, we verify by sending a confirmation link to the email on the account. For non-account-holders or where we cannot reasonably verify identity, we may need to ask for additional information; if we still cannot verify, we will inform you and explain why.
Authorized agents
You may use an authorized agent to submit a request on your behalf. We require the agent to provide a signed written authorization from you (or, in California, a power of attorney). We will still verify your identity directly before fulfilling the request.
Universal opt-out signals
For users protected under California, Colorado, or Connecticut law, we honor the Global Privacy Control (GPC) and other recognized universal opt-out preference signals as a valid request to opt out of "sale" and "sharing" (where those activities apply). Because we do not engage in either, the practical effect is to confirm that no opt-out is needed.
Categories of personal information we collect (CCPA §1798.110)
- Identifiers: name, email, phone, account identifier, IP address (truncated).
- Customer records (Civil Code § 1798.80(e)): employment role, work address, work phone.
- Protected classifications: only where the Customer chooses to record them for compliance purposes (such as EEO categories).
- Commercial information: billing records, subscription history.
- Internet or other network activity: log files, request metadata, feature usage.
- Geolocation: general area only, derived from IP. We do not collect precise geolocation.
- Audio, electronic information: chat messages, voice transcripts (when Customer enables voice features).
- Professional or employment information: schedules, training records, performance metrics.
- Inferences: generated from the above for the purposes of providing the Service (such as suggested training topics).
We do not collect "sensitive personal information" categories beyond what is strictly necessary for the Service (such as account credentials, which CCPA classifies as sensitive). We do not use sensitive personal information to infer characteristics about you.
Retention
See Section 7 (Data Retention) above. For California consumers, the retention periods listed there constitute the disclosure required by CCPA § 1798.130(a)(5)(D).
Notice at collection
This Policy serves as our "notice at collection" under CCPA § 1798.100(b). We collect categories of personal information only for the business purposes described in Section 3 (How We Use Your Information).
Quebec Law 25 specific rights
For Quebec residents, in addition to the rights above, we provide:
- Privacy Officer / Person in charge of personal information: Alexandre Verville, privacy@gidai.ca;
- Privacy Impact Assessment obligations for new technologies, automated decisions, and confidential disclosures, conducted as required by Law 25;
- Right to be informed of automated decisions that produce legal effects. Where Gid uses AI features that materially influence a decision about you, we will inform you and explain the principal factors and parameters on request;
- Right to data portability in a structured, commonly used technological format (see § 9.A "Right to portability");
- Complaints may be filed with the Commission d'accès à l'information du Québec at cai.gouv.qc.ca.
10. Children's Privacy
Our services are designed for business use and are not intended for individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected such information, we will take steps to delete it promptly.
11. Updates to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices or applicable law. We will:
- Notify you of material changes via email or platform notification
- Post the updated policy on our website
- Update the "Last Updated" date at the top of this policy
Your continued use of our services after such changes constitutes acceptance of the updated policy.