Privacy Policy – NORTIQ GTM OS
Last updated: January 7th, 2026

 

Who we are and scope

NORTIQ Ai Corp. (“NORTIQ”, “we”, “us”) provides the NORTIQ GTM OS platform, applications, websites, and related services (the “Services”). This Privacy Policy explains how we collect, use, disclose, and safeguard information in connection with the Services.

 

Relationship to our Terms

Your use of the Services is governed by the NORTIQ GTM OS Terms of Service (the “Terms”). If this Policy conflicts with Section 7 (Data Processing and Security) of the Terms, Section 7 controls.

 

Roles (controller vs. processor)

• Enterprise deployments (default): Your organization (“Customer”) is the controller/business for personal information in “Customer Content.” NORTIQ is the processor/service provider and processes Customer Personal Data only on Customer’s documented instructions, as described in the Terms. Customer is responsible for required notices and consents (including for any recording/monitoring it enables).

• Direct/self‑serve users (if applicable): For personal accounts not provisioned by a Customer, NORTIQ is the controller for the personal information described in this Policy.

 

Information we collect (minimal)

We collect only what you provide and what is strictly necessary to run your account:

• Customer Content (processor role for enterprise accounts): content you submit through the Service—uploads and chat messages (and, only if your admin enables it, recordings/transcripts).

– No routine human access: Customer Content is processed automatically to generate coaching outputs. Human access is disabled by default and permitted only (i) if your admin asks us to access specific items to resolve a support issue, (ii) to investigate or remediate a security incident, or (iii) if required by law. All such access is restricted and logged.

• Minimal account identifiers: the minimum needed to create and secure your workspace (for example, business email and authentication identifiers such as a password hash or SSO ID).

• Payments: billing is handled by our payment provider; we do not store full payment card numbers.

• Transient operational data: short‑lived technical data generated as the Service operates (for example, ephemeral connection metadata used for routing and abuse prevention). We design these records to be minimized and purge them on short cycles that support security and reliability.

We do not intentionally collect special‑category/sensitive personal information (for example, health, biometric, or children’s data). If a Customer enables features that could capture sensitive information, the Customer is responsible for ensuring lawful collection and use.

 

How we use information (coaching only)

We use information solely to:

• Provide, operate, and secure the Services and generate coaching outputs at your or your organization’s direction;

• Authenticate and administer accounts; prevent, detect, and investigate abuse or security incidents;

• Provide support when your admin asks us to intervene; and

• Comply with law and enforce our agreements.

No training on Customer Content by default: We do not use Customer Content to train public or shared AI models without Customer’s express agreement.

No sale/share for ads: We do not sell personal information and do not share it for cross‑context behavioral advertising.

 

AI and automated processing

The Services use automated systems (including AI models) to generate outputs from the content you provide. Outputs may be inaccurate or incomplete; users must review before relying on them. NORTIQ does not make decisions with legal or similarly significant effects about individuals based solely on automated processing. Customers must not use outputs as the sole basis for employment or other consequential decisions.

 

Recording and transcription (customer‑enabled)

If a Customer enables recording, transcription, or analysis of communications, the Customer is solely responsible for providing all required notices and obtaining all required consents (including all‑party consent where applicable) and for configuring retention. Unless the Customer configures otherwise, the default retention for recordings and transcripts is thirty (30) days.

 

How we share information

We do not sell personal information. We share information only with:

• Service providers/subprocessors we select for hosting, storage, security, support, payments, and AI inference;

• Professional advisors (legal, accounting, insurance) under confidentiality;

• Authorities when required by law or to protect rights, safety, or property; and

• Successors in a merger, acquisition, or restructuring, subject to protections consistent with this Policy.

 

Subprocessors and model/hosting choice (notice by posting; see Annex A)

NORTIQ selects its infrastructure, AI/LLM providers, and subprocessors. We maintain the current list in Annex A to this Policy. We may update Annex A from time to time; posting an updated Annex A (with a revised “Last updated” date) constitutes notice of any new or replacement subprocessor. Objections and the sole remedy are handled under the Terms.

 

International data transfers

We may process information in Canada, the United States, and other countries where we or our subprocessors operate. Where required, we implement appropriate safeguards for cross‑border transfers (for example, standard contractual clauses or analogous mechanisms).

 

Retention (short defaults)

We retain personal information only as long as needed for the purposes above or as required by law. Defaults (admins can shorten or extend within the product):

• Chat/prompt/output history: 30 days, then purged from active systems;

• Recordings/transcripts (if enabled): 30 days, then purged from active systems;

• Security/diagnostic/audit logs: up to 12 months to support security and investigations;

• Account/billing/contract records: for the subscription term and as required by law.

Encrypted backups may persist for a limited cycle before being securely deleted.

 

Security and access controls

We maintain administrative, technical, and organizational measures designed to protect information, including encryption in transit and at rest, role‑based access controls, logging/monitoring, vulnerability management, and incident response. Human access to Customer Content is disabled by default, is allowed only under the narrow circumstances described above, and is logged. No method of transmission or storage is perfectly secure.

 

Your rights and choices

• Enterprise deployments: Submit privacy requests (access, deletion, correction, portability, objection) to your organization (the controller). We assist the controller as described in the Terms.

• Direct/self‑serve users: Contact us using the details below. We will verify your identity and respond within applicable timelines.

• Communications: You may opt out of non‑transactional emails using the unsubscribe link.

• Do Not Sell/Share: We do not sell or share personal information for cross‑context behavioral advertising.

 

California notice at collection (summary)

Categories collected: identifiers (for example, business email), Customer Content you upload or enter in chat, and minimal operational data strictly necessary to run the Service.

Purposes: providing the Service and generating coaching outputs; securing accounts; support; legal compliance.

Retention: as stated in “Retention.”

Sharing: service providers/subprocessors; no sale or sharing for cross‑context behavioral advertising.

Sensitive personal information: not sought; if provided by the Customer, used only to provide the Service and not to infer characteristics.

 

Canada‑specific disclosures

We rely on consent or another lawful basis under PIPEDA and applicable provincial laws. For enterprise deployments, the Customer provides required notices/consents. We maintain processes to assess and, where required, notify Customers of breaches creating a real risk of significant harm. Québec Law 25: upon request, we will provide information about automated processing features and assist Customers with transfer assessments.

 

Children’s privacy

The Services are not directed to individuals under 16. We do not knowingly collect personal information from children.

 

Third‑party services and links

The Services may link to or interoperate with third‑party services. Their practices are governed by their own privacy statements.

 

Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will post the updated Policy with a revised “Last updated” date and, where required, provide additional notice.

 

Contact

NORTIQ Ai Corp.

2336 Awenda Drive, Oakville, ON L6H 7J7, Canada

privacy@nortiq.ai

 

Definitions

“Customer Content” means information submitted to the Services by or for a Customer (including uploads, chat messages, and—if enabled—recordings/transcripts). “Customer Personal Data” means personal information in Customer Content that we process on behalf of a Customer. “Process” and related terms follow applicable privacy law definitions.

 

Annex A – Current Subprocessors and Infrastructure Providers

 

How we update this Annex

• This Annex forms part of the NORTIQ Privacy Policy and is referenced by the Terms. Posting an updated Annex (with a new “Last updated” date below) constitutes notice of any new or replacement subprocessor.

• If your organization objects on reasonable data‑protection grounds to a newly added subprocessor, the sole remedy is to terminate the affected service or feature within thirty (30) days after this Annex is posted, as described in the Terms.

• NORTIQ selects and may change infrastructure, AI models, and subprocessors in its discretion while meeting the commitments in the Terms and this Policy. Customers cannot require specific providers or regions.

 

How to read this Annex

• “Core subprocessors” are vendors NORTIQ engages to host, store, or process Customer Content or Service Data to operate the Service.

• “Optional customer‑enabled connectors” are third‑party tools you connect (for example, identity providers, conferencing, CRM). Those are not NORTIQ subprocessors; they operate under your own agreements and privacy notices.

• “Data types processed” reflects our minimal‑collection posture: content you upload or enter in chat (and, only if enabled by your admin, recordings/transcripts), plus strictly necessary account and operational data. Human access to Customer Content is disabled by default and allowed only for support at your admin’s request, for security incidents, or if required by law, and is logged.

 

A.1 Core subprocessors and infrastructure providers (current)

 

Amazon Web Services, Inc. (AWS)

• Category/purpose: Cloud infrastructure (compute, storage, managed databases)

• Data types processed: Customer Content; Service Data (logs/metadata)

• Regions actually used: Canada (ca‑central‑1)

• Retention at vendor: Follows NORTIQ’s retention configuration for Customer Content (default 30‑day purge for chat/prompts and recordings/transcripts, unless Customer configures otherwise); logs ~30 days; automated RDS backups retained 7 days

• Training on Customer Content (public/shared models): No

• Security attestations & encryption: SOC 2; ISO 27001; encryption in transit and at rest

• NORTIQ system(s)/owner: Core platform infrastructure; primary database; vector store; document storage

 

Stripe, Inc.

• Category/purpose: Payment processing and billing

• Data types processed: Service Data (payment details, transaction metadata); no Customer Content

• Regions actually used: Stripe global infrastructure (region not pinned in application code)

• Retention at vendor: Per Stripe’s standard retention policies for financial/compliance records

• Training on Customer Content (public/shared models): No

• Security attestations & encryption: PCI‑DSS; SOC 1; SOC 2; encryption in transit and at rest

• NORTIQ system(s)/owner: Billing and subscription management

 

Twilio Inc. (SendGrid)

• Category/purpose: Transactional and notification email delivery

• Data types processed: Customer Content (email content such as OTPs and notifications); Service Data (email metadata, delivery logs)

• Regions actually used: Vendor‑hosted (region not set in application code)

• Retention at vendor: Email content generally transient; delivery logs retained per SendGrid defaults

• Training on Customer Content (public/shared models): No

• Security attestations & encryption: SOC 2; TLS encryption

• NORTIQ system(s)/owner: Authentication emails; system notifications

 

OpenAI, L.L.C.

• Category/purpose: AI inference (Responses API, embeddings)

• Data types processed: Customer Content; Service Data

• Regions actually used: OpenAI API infrastructure (no region pinning in application code)

• Retention at vendor: Transient processing per OpenAI API policies

• Training on Customer Content (public/shared models): No

• Security attestations & encryption: SOC 2; encryption in transit and at rest

• NORTIQ system(s)/owner: Coaching Agent; Lead Enrichment

 

LlamaIndex, Inc. (LlamaParse)

• Category/purpose: Document parsing for complex PDFs

• Data types processed: Customer Content; Service Data

• Regions actually used: Vendor‑hosted (region not configured in application code)

• Retention at vendor: Transient parsing only

• Training on Customer Content (public/shared models): No

• Security attestations & encryption: TLS encryption (formal attestations not recorded)

• NORTIQ system(s)/owner: Knowledge Base ingestion

 

Firecrawl

• Category/purpose: Website crawling for company and market intelligence

• Data types processed: Service Data (target URLs, crawl results); no Customer Content (public‑web only)

• Regions actually used: Vendor‑hosted (region not set)

• Retention at vendor: Per vendor defaults; not persisted in NORTIQ systems

• Training on Customer Content (public/shared models): Not applicable

• Security attestations & encryption: TLS encryption (formal attestations not recorded)

• NORTIQ system(s)/owner: Lead Enrichment

 

Google LLC (Google Custom Search)

• Category/purpose: Web search and LinkedIn discovery

• Data types processed: Service Data (search queries); no Customer Content

• Regions actually used: Google global infrastructure

• Retention at vendor: Per Google service logging policies

• Training on Customer Content (public/shared models): Not applicable

• Security attestations & encryption: SOC 2; ISO 27001; TLS encryption

• NORTIQ system(s)/owner: Lead Enrichment

 

A.2 Optional customer‑enabled connectors (examples – not NORTIQ subprocessors)

• Identity and single sign‑on (for example, Google Workspace, Microsoft Entra ID)

• Conferencing/communications (for example, Google Meet, Microsoft Teams, Zoom)

• CRM/RevOps (for example, Salesforce, HubSpot)

• Collaboration (for example, Slack)

 

A.3 Additional subprocessors (to be added as operations evolve)

• [Add vendor name] – Role/service: [hosting/storage/AI inference/email/ticketing/logging/monitoring/etc.]; Data types processed: [describe minimal]; Regions: [country/region]; Retention: [transient/period]; Training on Customer Content: [No/Not applicable]; Security attestations: [e.g., SOC 2/ISO/TLS]; NORTIQ system(s)/owner: [name]

 

A.4 Last updated

• Last updated: January 7th, 2026