Privacy Policy

Our privacy policy and how we use your data

AviChat

Last Updated: January 12, 2025

1. Introduction

This Privacy Policy describes how AviChat ("we," "us," or "our") collects, uses, processes, and protects your personal information when you use AviChat ("the Service"). This policy applies to all users of our Service, including union administrators and members.

We are committed to protecting your privacy and handling your personal information transparently and securely. This policy explains your privacy rights and how the law protects you.

2. Information We Collect

2.1 Account Information

  • Contact Details: Email address, full name, phone number (if provided)
  • Authentication Credentials: Encrypted passwords, authentication tokens
  • Profile Information: Job title, union affiliation, role within organization
  • Account Settings: Communication preferences, notification settings

2.2 Chat and Interaction Data

  • Message Content: Questions, responses, and conversations with our AI system
  • Conversation Metadata: Timestamps, session duration, message frequency
  • User Queries: Specific questions about collective bargaining agreements
  • AI Response Data: Generated responses, response quality ratings
  • Conversation History: Complete chat logs for service provision and improvement

2.3 Usage Analytics and Technical Data

  • Usage Patterns: Features accessed, time spent in application, frequency of use
  • Performance Data: Response times, error rates, system performance metrics
  • Session Information: Login times, session duration, feature interactions
  • Navigation Data: Pages visited, clicks, user journey through the application

2.4 Device and Technical Information

  • Device Details: Device type, model, operating system and version
  • Application Data: App version, update history, crash reports
  • Network Information: IP address, internet service provider, connection type
  • Browser Information: Browser type and version (for web users)
  • Location Data: General geographic location (country/region level only)

2.5 Feedback and Support Data

  • User Ratings: Thumbs up/down ratings on AI responses
  • Feedback Comments: Written feedback about service quality
  • Support Requests: Help desk inquiries, bug reports, feature requests
  • Survey Responses: Voluntary participation in user research or surveys

2.6 Union-Specific Data

  • Collective Bargaining Agreements: Uploaded documents for AI training (with explicit consent)
  • Union Membership Data: Member lists, roles, organizational structure (admin-provided)
  • Billing Information: Subscription details, payment history (processed by third parties)

3. How We Collect Information

3.1 Direct Collection

  • Information you provide when creating accounts or profiles
  • Content you submit through chat interactions
  • Feedback and ratings you voluntarily provide
  • Documents uploaded by union administrators

3.2 Automatic Collection

  • Technical data collected through cookies and similar technologies
  • Usage analytics gathered during your use of the Service
  • Performance monitoring data from application usage
  • Error logs and crash reports from the application

3.3 Third-Party Sources

  • Authentication services (if you sign in through third-party providers)
  • Payment processors for billing information
  • Integration partners with your explicit consent

4. How We Use Your Information

4.1 Primary Service Provision

  • AI Chat Services: Processing your questions and generating relevant responses
  • Conversation History: Maintaining chat logs for reference and continuity
  • Personalization: Tailoring responses based on your specific collective bargaining agreements
  • Account Management: Managing your account, authentication, and access controls

4.2 Service Improvement and Development

  • AI Model Training: Improving response accuracy and relevance using aggregated data
  • Feature Development: Developing new features based on usage patterns
  • Quality Assurance: Monitoring service quality and identifying improvement opportunities
  • Performance Optimization: Enhancing system performance and reliability

4.3 Communication and Support

  • Service Notifications: Important updates about the Service
  • Technical Support: Responding to help requests and troubleshooting issues
  • Security Alerts: Notifying you of security-related events
  • Product Updates: Information about new features and improvements (with your consent)

4.4 Legal and Security Purposes

  • Fraud Prevention: Detecting and preventing fraudulent or unauthorized activities
  • Security Monitoring: Protecting against security threats and vulnerabilities
  • Legal Compliance: Meeting legal obligations and regulatory requirements
  • Dispute Resolution: Investigating and resolving disputes or violations

4.5 Analytics and Business Intelligence

  • Usage Analytics: Understanding how the Service is used to improve user experience
  • Business Metrics: Measuring service performance and user satisfaction
  • Research and Development: Conducting research to enhance AI capabilities

5. Legal Basis for Processing (GDPR)

We process personal information based on the following legal grounds:

5.1 Contract Performance

  • Providing the Service as agreed in our Terms of Service
  • Managing your account and subscription
  • Processing payments and billing

5.2 Legitimate Interests

  • Improving our Service and developing new features
  • Ensuring security and preventing fraud
  • Conducting analytics for business optimization
  • Direct marketing (where not requiring consent)

5.3 Consent

  • AI model training using your conversation data
  • Marketing communications beyond service-related updates
  • Processing special categories of data (where applicable)
  • Sharing data with specific third parties

5.4 Legal Obligations

  • Complying with applicable laws and regulations
  • Responding to legal requests and court orders
  • Meeting regulatory reporting requirements

6. Data Sharing and Disclosure

6.1 No Sale of Personal Information

We do not sell, trade, or rent your personal information to third parties for commercial purposes.

6.2 Service Providers and Processors

We may share data with trusted third-party service providers who assist in operating our Service:

  • Cloud Infrastructure: Supabase, AWS, or other cloud providers for data storage and processing
  • Analytics Providers: Services for usage analytics and performance monitoring
  • Payment Processors: Stripe or other payment services for billing
  • Communication Services: Email and notification service providers
  • Security Services: Fraud detection and security monitoring providers

All service providers are bound by strict confidentiality agreements and data processing addendums.

6.3 Legal Requirements

We may disclose information when required by law or to:

  • Comply with valid legal processes (subpoenas, court orders, government requests)
  • Protect our rights, property, or safety
  • Protect the rights, property, or safety of our users or others
  • Investigate fraud or security issues
  • Enforce our Terms of Service

6.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to equivalent privacy protections.

6.5 Consent-Based Sharing

With your explicit consent, we may share information with:

  • Integration partners for enhanced functionality
  • Research institutions for academic studies
  • Business partners for joint offerings

7. Data Storage, Security, and Retention

7.1 Data Storage

  • Primary Storage: Supabase with row-level security policies
  • Geographic Location: Data stored in secure facilities in [specify regions]
  • Backup Systems: Encrypted backups maintained for disaster recovery
  • Redundancy: Multiple data centers for reliability and availability

7.2 Security Measures

We implement comprehensive security measures including:

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access controls and principle of least privilege
  • Authentication: Multi-factor authentication for administrative access
  • Monitoring: 24/7 security monitoring and intrusion detection
  • Auditing: Regular security audits and vulnerability assessments
  • Incident Response: Established procedures for security incident handling

7.3 Data Retention

  • Active Accounts: Data retained while your account remains active
  • Chat History: Conversation history retained indefinitely unless you request deletion
  • Analytics Data: Aggregated analytics data retained for up to 7 years
  • Account Deletion: Personal data deleted within 90 days of account closure
  • Legal Retention: Some data may be retained longer as required by law
  • Backup Retention: Backup systems may retain data for up to 1 year for disaster recovery

7.4 Data Deletion

You may request deletion of:

  • Specific conversations or messages
  • Your entire chat history
  • Your complete account and associated data
  • Specific categories of personal information

8. Your Privacy Rights

8.1 Universal Rights

All users have the right to:

  • Access: Request information about what personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data (subject to legal exceptions)
  • Data Portability: Receive your data in a machine-readable format
  • Objection: Object to certain types of data processing
  • Withdraw Consent: Withdraw consent for specific processing activities

8.2 How to Exercise Your Rights

To exercise your privacy rights:

  • In-App Settings: Use privacy controls within the application
  • Email Request: Send requests to privacy@avichat.ca
  • Written Request: Mail requests to our business address
  • Union Administrator: Contact your union administrator for some requests

We will respond to requests within 30 days (or as required by applicable law).

8.3 Verification and Limitations

  • We may require identity verification for some requests
  • Some rights may be limited by legal obligations or legitimate interests
  • Certain data may be retained for legal or business purposes
  • We will explain any limitations when responding to your requests

9. Regional Privacy Rights

9.1 Canadian Privacy Rights (PIPEDA)

Under Canadian privacy law, you have rights to:

  • Know what personal information we collect and how it's used
  • Access your personal information upon request
  • Request correction of inaccurate information
  • File complaints with the Privacy Commissioner of Canada

9.2 California Privacy Rights (CCPA/CPRA)

California residents have additional rights including:

  • Right to Know: Detailed information about personal information collection and use
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Opt out of the sale of personal information (we don't sell data)
  • Right to Non-Discrimination: Equal service regardless of privacy choices
  • Right to Correct: Request correction of inaccurate personal information

9.3 European Privacy Rights (GDPR)

If you are in the European Economic Area, UK, or Switzerland, you have additional rights including:

  • Right to Rectification: Correct inaccurate personal data
  • Right to Erasure: Request deletion in specific circumstances
  • Right to Restrict Processing: Limit how we process your data
  • Right to Object: Object to processing based on legitimate interests
  • Right to Data Portability: Receive data in a structured, machine-readable format
  • Right to Lodge Complaints: File complaints with supervisory authorities

10. Children's Privacy

10.1 Age Restrictions

AviChat is not intended for children under 18 years of age. We do not knowingly collect personal information from minors without appropriate parental consent.

10.2 Parental Rights

If we learn we have collected information from a child under 18 without parental consent, we will:

  • Delete the information promptly
  • Terminate the associated account
  • Implement additional safeguards to prevent recurrence

10.3 Educational Use

If the Service is used in educational contexts involving minors, additional protections apply:

  • Written consent from educational institutions
  • Enhanced data protection measures
  • Limited data collection and use
  • Compliance with applicable educational privacy laws

11. International Data Transfers

11.1 Cross-Border Processing

Your information may be transferred to and processed in countries other than your country of residence, including:

  • United States
  • European Union
  • Other countries where our service providers operate

11.2 Transfer Safeguards

For international transfers, we implement appropriate safeguards:

  • Adequacy Decisions: Transfers to countries with adequate protection levels
  • Standard Contractual Clauses: EU-approved contractual protections
  • Certification Programs: Participation in recognized privacy frameworks
  • Binding Corporate Rules: Internal data protection standards

11.3 Data Localization

Where required by law, we maintain data within specific geographic boundaries and comply with local data residency requirements.

12. Cookies and Tracking Technologies

12.1 Types of Cookies

We use various types of cookies and similar technologies:

  • Essential Cookies: Necessary for basic service functionality
  • Performance Cookies: Help us understand how the Service is used
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Provide insights into user behavior and service performance

12.2 Cookie Management

You can control cookies through:

  • Browser settings to block or delete cookies
  • In-app privacy settings for functional cookies
  • Opt-out mechanisms for analytics cookies
  • Third-party opt-out tools for marketing cookies

12.3 Do Not Track

We respect Do Not Track signals where technically feasible and legally required.

13. AI and Machine Learning Privacy

13.1 AI Training Data

  • Consent-Based Training: We only use conversation data for AI training with your consent
  • Data Anonymization: Personal identifiers removed from training datasets
  • Model Improvement: Training helps improve response accuracy and relevance
  • Opt-Out Options: You can opt out of having your data used for AI training

13.2 AI Processing

  • Response Generation: AI responses are not stored by third-party providers
  • Quality Monitoring: AI responses may be reviewed for quality assurance

13.3 Algorithmic Transparency

  • We strive to be transparent about how our AI systems work
  • AI decision-making processes are designed to be fair and unbiased

14. Business Communications

14.1 Service Communications

We will send you communications necessary for the Service, including:

  • Account and security notifications
  • Service updates and maintenance notices
  • Billing and subscription information
  • Important policy changes

14.2 Marketing Communications

With your consent, we may send:

  • Product updates and new feature announcements
  • Educational content about labor relations
  • Industry news and insights
  • Promotional offers (union discounts, etc.)

14.3 Opting Out

You can opt out of marketing communications by:

  • Using unsubscribe links in emails
  • Updating preferences in your account settings
  • Contacting us directly

Note: You cannot opt out of essential service communications.

15. Data Breach Notification

15.1 Breach Response

In the event of a data breach, we will:

  • Investigate and contain the breach promptly
  • Assess the risk to affected individuals
  • Notify relevant authorities as required by law
  • Inform affected users without undue delay

15.2 Notification Content

Breach notifications will include:

  • Description of what happened
  • Types of information involved
  • Steps we're taking to address the breach
  • Recommendations for protective actions
  • Contact information for questions

16. Third-Party Services and Integrations

16.1 Third-Party Links

Our Service may contain links to third-party websites or services. This Privacy Policy does not apply to those external services, and we encourage you to review their privacy policies.

16.2 Integrations

If you choose to integrate third-party services:

  • You will be informed about data sharing before enabling integrations
  • Third-party privacy policies will apply to shared data
  • You can revoke integration permissions at any time
  • We are not responsible for third-party privacy practices

17. Changes to This Privacy Policy

17.1 Policy Updates

We may update this Privacy Policy from time to time to reflect:

  • Changes in our data practices
  • New features or services
  • Legal or regulatory requirements
  • Industry best practices

17.2 Notification of Changes

We will notify you of material changes through:

  • Email notification to your registered address
  • Prominent notice within the Service
  • Updated posting with revised effective date
  • For significant changes, we may request renewed consent

17.3 Continued Use

Your continued use of the Service after the effective date of changes constitutes acceptance of the updated Privacy Policy.

18. Contact Information and Data Protection Officer

18.1 Privacy Inquiries

For questions about this Privacy Policy or to exercise your privacy rights:

Privacy Officer

Email: legal@avichat.ca

Website: https://avichat.ca

Mailing Address: 69 Lynn Williams Street, Toronto, Ontario, Canada

18.2 Response Times

  • We aim to respond to privacy inquiries within 30 days
  • Complex requests may require additional time
  • We will keep you informed of any delays
  • Urgent security matters will be prioritized

18.3 Supervisory Authorities

If you believe we have not adequately addressed your privacy concerns, you may contact:

  • Canada: Privacy Commissioner of Canada (priv.gc.ca)
  • California: California Attorney General (oag.ca.gov)
  • EU/UK: Your local data protection authority

19. Effective Date and Jurisdiction

This Privacy Policy is effective as of the date listed above and is governed by the laws of Canada and the province of Ontario. For international users, additional regional privacy laws may apply.

By using AviChat, you acknowledge that you have read, understood, and agree to the collection and use of your information in accordance with this Privacy Policy.