Privacy Policy
Effective Date: February 28, 2026
1. Introduction
Astrabyte Technologies Inc. ("Astrabyte," "we," "us," or "our") is a corporation incorporated under the laws of Ontario, Canada, with its principal offices in Toronto, Ontario. We operate AdvisorIQ (the "Service"), an AI-powered research assistant built exclusively for licensed financial advisors and registered investment advisors ("RIAs").
This Privacy Policy explains what information we collect, how we use it, how we protect it, and what rights you have regarding your data. By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.
2. Information We Collect
We collect the following categories of information in connection with the Service:
2.1 Account Information
When you register for the Service, we collect your full name, corporate email address, firm name, and role within your firm. This information is necessary to create and administer your account, manage firm-level access controls, and communicate with you about the Service.
2.2 Client Data
You may upload or input information about your advisory clients into the Service, including client names, portfolio holdings, investment objectives, risk tolerance profiles, account types, meeting notes, and action items ("Client Data"). We process Client Data strictly as a Data Processor on your behalf and solely to operate the Service. We do not access, review, or use Client Data for any purpose other than providing the Service as described herein and in our Data Processing Agreement.
2.3 Uploaded Documents
You may upload documents (PDFs, DOCX, TXT, CSV, and XLSX files) to the Service's document vault. These documents are processed, split into indexed segments, and stored securely to enable retrieval-augmented generation ("RAG") for research queries. Uploaded documents are associated with your firm, your advisor account, or a specific client as you designate.
2.4 Query and Audit Data
Every research query you submit, every AI-generated response, and every associated citation is logged as part of an immutable compliance audit trail. This audit data includes the query text, response text, cited sources, confidence scores, token usage, and timestamps. This data is retained for a minimum of seven (7) years in accordance with securities industry recordkeeping standards (SEC Rule 204-2, IIROC/CIRO requirements).
2.5 Usage Data
Our servers automatically collect limited technical data when you access the Service, including your IP address, browser type, operating system, access times, and pages viewed. This data is used solely for security monitoring, performance optimization, and diagnosing technical issues.
3. How We Use Your Information
We use the information we collect exclusively for the following purposes:
- Service delivery: To provide, operate, and maintain the Service, including processing your research queries, generating AI-assisted responses with cited sources, producing pre-meeting briefs, and storing your uploaded documents.
- Account administration: To manage your account, authenticate your identity, enforce role-based access controls, and process billing through our payment processor.
- Compliance and audit: To maintain immutable audit logs of all queries and AI-generated responses as required by applicable securities regulations.
- Security: To monitor for unauthorized access, detect fraud, and protect the integrity of the Service and your data.
- Service communications: To send you transactional emails related to your account, including security alerts, service updates, and billing notices.
- Legal compliance: To comply with applicable laws, regulations, and legal processes.
We do not use your Personal Data, Client Data, uploaded documents, or query history to train, fine-tune, or improve any artificial intelligence or machine learning models. Your data is used solely to generate responses to your specific queries during your active sessions.
4. Information We Do Not Collect
We do not collect financial account numbers, Social Security numbers, Social Insurance numbers, credit card numbers (payment processing is handled entirely by our PCI-compliant payment processor), passwords (authentication is managed by our identity provider), or any biometric data.
5. No Third-Party Sharing
We do not sell, rent, trade, or otherwise disclose your Personal Data or Client Data to any third party. We do not share your data with advertisers, data brokers, analytics companies, or any other external party for their own commercial purposes.
The Service operates on secure cloud infrastructure. All data processing occurs within our controlled technical environment. Your data is never transmitted to, accessed by, or made available to any external party for purposes other than the direct operation of the Service.
The only circumstances under which we may disclose your data are: (a) when required by law, regulation, subpoena, court order, or governmental request; (b) to protect the rights, property, or safety of Astrabyte, our users, or the public; or (c) with your explicit written consent.
6. Data Security
We implement rigorous technical and organizational security measures designed to protect your data, including:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3.
- Encryption at rest: All stored data, including uploaded documents, database records, and backup copies, is encrypted using AES-256 encryption.
- Access controls: We enforce the principle of least privilege. Only authorized personnel with a legitimate operational need may access production systems.
- Multi-tenant isolation: Each firm's data is logically isolated at the application level. Advisors within a firm can only access data associated with their firm and their assigned clients.
- Immutable audit logs: Compliance records cannot be modified or deleted, ensuring the integrity of your regulatory audit trail.
Despite these measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incident in accordance with Section 9 (Data Breach Notification).
7. Data Retention
- Account information: Retained for the duration of your active subscription and deleted within thirty (30) days of account termination, unless a longer retention period is required by law.
- Client Data and uploaded documents: Retained for the duration of your active subscription. Upon termination, you may request export or deletion, which will be executed within thirty (30) days.
- Audit logs (queries and responses): Retained for a minimum of seven (7) years from the date of creation, in accordance with applicable securities recordkeeping requirements. These records are immutable and cannot be deleted during the retention period.
- Usage data: Retained for up to twelve (12) months for security and performance monitoring purposes, then automatically purged.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your Personal Data:
- Access: You may request a copy of the Personal Data we hold about you.
- Correction: You may request that we correct inaccurate or incomplete Personal Data.
- Deletion: You may request deletion of your Personal Data, subject to our legal retention obligations (including the seven-year audit log retention requirement).
- Data portability: You may request an export of your data in a structured, commonly used format (CSV or PDF).
- Withdrawal of consent: Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing conducted prior to withdrawal.
- Complaint: You have the right to lodge a complaint with the applicable data protection authority in your jurisdiction.
To exercise any of these rights, contact us at the address provided in Section 14 (Contact Us). We will respond to verified requests within thirty (30) days, or within the timeframe required by applicable law.
9. Data Breach Notification
In the event of a data breach that compromises the security, confidentiality, or integrity of your Personal Data or Client Data, we will notify affected users without undue delay, and in any event within seventy-two (72) hours of becoming aware of the breach. Notification will include the nature of the breach, the categories of data affected, the measures taken to address the breach, and recommended steps you can take to protect yourself and your clients. We will also notify the applicable data protection authority as required by law.
10. Canadian Privacy Compliance (PIPEDA)
As a Canadian corporation, Astrabyte complies with the Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable provincial privacy legislation. We collect, use, and disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances, and only with your knowledge and consent. You may contact the Office of the Privacy Commissioner of Canada if you have concerns about our privacy practices.
11. Additional Disclosures for U.S. Residents
If you are a resident of California, Colorado, Connecticut, Virginia, or another U.S. state with comprehensive privacy legislation, you may have additional rights under applicable state law, including the right to know what personal information is collected and whether it is sold or shared, the right to opt out of the sale or sharing of personal information, and the right to non-discrimination for exercising your privacy rights.
We do not sell or share your personal information as defined by the California Consumer Privacy Act ("CCPA"), the California Privacy Rights Act ("CPRA"), or any other applicable U.S. state privacy law.
12. Children's Privacy
The Service is a business-to-business product designed exclusively for licensed financial professionals. We do not knowingly collect personal information from individuals under the age of eighteen (18). If we learn that we have collected personal information from a minor, we will promptly delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on the Service at least thirty (30) days before the changes take effect. The "Effective Date" at the top of this page indicates when this version became effective. Your continued use of the Service after a revised Privacy Policy takes effect constitutes your acceptance of the revised policy.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Astrabyte Technologies Inc.
Toronto, Ontario, Canada
research@advisoriq.dev