Privacy Policy
Version: v1.1 (2026-05-27)
Effective Date: 2026-05-27
Plain-Language Summary
This summary is not the legal text, but it's what we'd want you to walk away with.
- We operate an AI email assistant for businesses. To do that, the AI accesses your email content, documents you give us, and basic account information. Achieve IT staff don't read your emails outside of logged, ticketed support sessions, and every such session shows up in your Support History.
- We don't sell your data. We don't train Achieve's own AI on your content. On standard plans, the third-party AI model that drafts your replies may use your content as training data per the provider's own terms; a no-training tier is available at a higher price (see Section 4 and our subprocessors page).
- We keep your data inside our system only for as long as we need it to run the service, and we delete it when you leave.
- You have rights over your personal data: to see it, correct it, delete it, or take it with you. Email [email protected] and we'll make it happen.
- We're based in Canada. Our servers are in the United States. We comply with PIPEDA, and with US privacy law as it applies to us.
- If something goes wrong, we'll tell you. Incident notification is in our Master Service Agreement.
1. Who We Are
Achieve IT ("we", "us", "our") operates the Ultimate Email Management System (the "Service"). We are a Canadian business with offices at 330 5th Avenue SW, Suite 1800, Calgary, Alberta T2P 0J4, Canada.
For questions about this Privacy Policy, email [email protected].
2. What This Policy Covers
This Privacy Policy describes how we collect, use, disclose, and protect personal information when we:
- operate the Service for our customers (businesses and organizations);
- respond to inquiries from prospective customers through our website or email; and
- engage with individuals in the course of running our business (e.g., suppliers, contractors).
2.1 Two roles we play with personal data
When we operate the Service, there are two distinct relationships:
About our business customer and its authorized users: you sign up, create an account, pay invoices. For this information, we are the controller (in GDPR terms) or the organization collecting personal information (in PIPEDA terms). This Privacy Policy describes that relationship in full.
About the senders and recipients of emails in a customer's mailbox: when our customer connects their mailbox, the Service processes email content that may contain personal data about those senders and recipients. For this information, our business customer is the controller / collecting organization, and we are their processor acting under the Master Service Agreement and the Data Processing Addendum. We do not use that content for our own purposes; we handle it under the customer's instructions. The customer's own privacy notice governs how that personal data is collected and used.
This Privacy Policy focuses on the first relationship. For the second, see our Data Processing Addendum.
3. What Information We Collect
3.1 Information you give us directly
When you sign up and use the Service as a customer or an authorized user:
- Account information: name, work email, company name, role
- Billing information: billing contact, billing address, payment method (processed by our payment processor; we do not store full payment card numbers)
- Authentication information: password (hashed), MFA enrollment data (TOTP secret or passkey credentials)
- Account settings and preferences
- Communications with us: support tickets, emails, call notes
When you browse our website:
- Contact form submissions if you contact us
- Booking information when you schedule a call through Calendly or similar
3.2 Information collected automatically
- Usage data: pages viewed, actions taken, timestamps, device identifiers, used for operating and securing the Service
- Log data: IP address, browser type, referring page, approximate location derived from IP, used for security and debugging
- Cookies and similar technologies: see Section 9
3.3 Information from third parties
- Authentication providers (e.g., Google, Microsoft, Clerk): when you sign in via a third-party identity provider, we receive the minimum profile information required to identify you (typically email, name, provider user ID)
- Payment processor: confirmation of successful payment; we do not receive full payment card details
3.4 Information we do NOT collect
- We do not collect information about you from data brokers.
- We do not buy mailing lists.
- We do not run ad-tracking pixels on our sites.
4. Email and Document Content (as processor)
When you connect a mailbox to the Service, we process:
- email content (incoming and outgoing), including attachments;
- metadata (sender, recipient, timestamp, subject);
- documents you upload to the knowledge base.
We handle this content as your processor, solely to provide the Service. Our commitments on this content are in the Data Processing Addendum and the Master Service Agreement. Highlights:
- We (Achieve IT) will not train our own AI models on this content. Our per-customer learning loop, which adapts the assistant to your voice and your knowledge base, stays inside your own tenant and never improves another customer's results.
- To draft replies we send your email content to a third-party AI model provider (a Subprocessor; see Section 7 and our subprocessors page). On the standard plans, that provider may use the content you send it as training data per its own terms of service; we do not control that policy. If you need a contractual no-training guarantee, contact us about our no-training AI tier.
- We will not disclose this content except to perform the Service, to comply with law, or as you instruct.
- We will not retain this content beyond what the MSA allows (30 days raw email retention by default; style profile and knowledge base kept while your account is active; deletion within 30 days of cancellation).
- Achieve IT staff cannot read your email content without a logged, ticketed support session. Every such session is recorded in your Support History, with the actor, ticket id, reason, and timestamps. We cannot turn that audit off.
5. How We Use Your Information
We use the information described in Section 3 to:
- Operate the Service: create and manage your account, process payments, authenticate access, provide support
- Communicate with you: respond to inquiries, send service-related notices (security notifications, policy changes, incident notifications), send transactional emails (invoices, receipts)
- Secure the Service: detect, prevent, and respond to fraud, abuse, security incidents, and technical issues
- Improve the Service: analyze usage patterns (in aggregate and de-identified) to improve features and reliability
- Comply with law: meet our legal obligations, respond to lawful requests, enforce our terms
We do not use your personal information for advertising or profiling outside the Service.
6. Our Legal Bases (for users in jurisdictions that require them)
Where required by applicable law, our legal bases for processing are:
- Contract: processing is necessary to provide you the Service you signed up for.
- Legitimate interests: security, fraud prevention, operational improvement, and modest direct communications to existing customers, where not overridden by your rights.
- Consent: where we rely on consent, we make the request clear and you can withdraw consent at any time.
- Legal obligation: where processing is required by law.
7. How We Share Information
We share personal information only as described here. We do not sell personal information.
7.1 Service providers
We share information with trusted service providers who help us operate the Service, under contracts that limit their use to providing services to us:
- Hosting / infrastructure: Railway (application and database hosting), Cloudflare R2 (object storage); US-based
- Identity and authentication: Clerk (user authentication, MFA); US-based; SOC 2 Type II
- Payment processing: Stripe; PCI-compliant
- Key management: AWS KMS (encryption-key management); US-based; SOC 2, FedRAMP
- AI model provider: MiniMax (language model inference). On the standard service tier, the provider may use submitted content as training data per its own terms; see our subprocessors page and Section 4 for the no-training tier option.
- Communication: Calendly (call booking on our marketing site)
- Analytics: We do not currently use website analytics. If we add a privacy-respecting analytics provider in the future (e.g., Plausible), we will list it here and notify customers in advance.
We maintain a current list of subprocessors and material changes at [achieveit.ca/subprocessors].
7.2 Business transfers
If we are acquired, merged, or sell substantially all of our assets, your information may be transferred to the acquiring party, subject to the same or materially equivalent commitments as this Policy.
7.3 Legal and safety
We may disclose information when required by law, to enforce our agreements, to protect the rights, property, or safety of us, our customers, or others, or in connection with investigations of fraud or abuse. Where legally permitted, we will notify you before disclosing in response to a legal demand.
7.4 With your direction
When you direct us to share information with a third party (for example, exporting your data to another service), we do so at your instruction.
7.5 We do NOT
- sell personal information;
- share personal information with advertisers or data brokers;
- allow service providers to use your information for their own purposes.
8. Where Your Information Is Stored
The Service's primary hosting is in the United States (via Railway, with object storage and edge networking via Cloudflare). As a Canadian business, we rely on PIPEDA's "organization-to-organization" transfer provisions and contractual safeguards with our US service providers.
What this means for you:
- Your information may be subject to US law while stored there, including orders compelling disclosure under US legal process. We receive a small number of such requests on average; where legally permitted, we notify affected customers before disclosing.
- We require all subprocessors to implement reasonable safeguards and limit use of personal information to providing services to us.
- For customers with specific Canadian-hosting requirements (e.g., regulated industries), contact us about our Canadian-hosting option. (Planned: see hosting-research.md for the optional Canadian tier.)
9. Cookies and Similar Technologies
We use the following categories of cookies on our websites and portals:
| Type | Purpose | Opt-out |
|---|---|---|
| Essential | Session authentication, CSRF protection, load balancing; required for the service to function | Cannot be disabled (disabling means you cannot use the Service) |
| Functional | Remembering preferences like "remember this device" on MFA | Can be declined in cookie settings |
| Analytics (if enabled) | Understanding how the Service is used, in aggregate | Can be declined in cookie settings |
We do not use advertising cookies or third-party tracking pixels.
You can clear cookies in your browser settings at any time. Doing so may log you out and require re-authentication.
10. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access: request a copy of the personal information we hold about you.
- Correction: request correction of inaccurate or incomplete information.
- Deletion: request deletion of your personal information, subject to our legal obligations.
- Portability: request export of your information in a structured, machine-readable format.
- Restriction/Objection: object to certain processing, or request that we restrict processing, in specific circumstances.
- Withdraw consent: where processing is based on your consent, withdraw consent at any time (without affecting the lawfulness of prior processing).
- Complain: lodge a complaint with your data-protection authority. In Canada, the Office of the Privacy Commissioner of Canada (priv.gc.ca); in your province, your provincial privacy commissioner; in the EU/EEA/UK, your national supervisory authority.
How to exercise rights: email [email protected] with your request. We will verify your identity before responding, respond within 30 days (or the period required by your local law), and let you know if we need more time.
We will not discriminate against you for exercising your rights.
10.1 Note for business customers' end users
If you are a sender or recipient of email processed by the Service and you want to exercise rights about that email content, the customer whose mailbox the email is in is the controller. Contact that customer in the first instance. We will support our customer in responding to your request.
11. Security
We protect your information with administrative, physical, and technical safeguards reasonable for the nature of the information and the risks. Highlights:
- Encryption in transit (TLS 1.2+ everywhere)
- Encryption at rest for customer content (envelope encryption with per-user data keys wrapped by a key encryption key in a managed KMS)
- Access controls: multi-factor authentication required for privileged accounts; role-based access; audit logs for all privileged actions
- Secure development: typed contracts, input validation, dependency scanning, annual external security assessments (planned once post-MVP)
- Incident response: defined runbook with 72-hour notification commitment for incidents that affect your data
Full security documentation is available on request to business customers under NDA.
12. Retention
We retain personal information only as long as we need it for the purposes described in this Policy, or as required by law.
| Category | Retention |
|---|---|
| Account information | For the life of your account, plus a reasonable period thereafter for legal and operational purposes |
| Billing records | 7 years (tax / accounting requirements) |
| Support communications | 3 years from the close of the ticket |
| Audit logs | 7 years (security and compliance posture) |
| Website logs | 90 days |
| Raw email content (in tenants we operate) | 30 days by default; see Data Processing Addendum |
| Style profiles and knowledge-base embeddings | For the life of the customer's account; deletion within 30 days of cancellation |
When retention periods expire, we delete or anonymize the information.
13. Children
The Service is intended for businesses and their authorized users. We do not knowingly collect personal information from children under 13 (or the minimum age in your jurisdiction where higher). If you believe we have collected information from a child, contact [email protected] and we will delete it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' prior notice by email to your primary contact and by posting a notice on our website. The "Effective Date" at the top of this Policy identifies the current version. Archived versions are available on request.
15. Jurisdiction-Specific Notices
15.1 Residents of Quebec, Canada
Law 25 provides additional rights, including explicit consent requirements, mandatory privacy impact assessments for certain processing, and specific information-transfer assessments. We comply with Law 25 where applicable. For questions specific to Quebec Law 25, contact our Privacy Officer at [email protected].
Privacy Officer: Josh Wallace, Principal (confirm designation; Law 25 requires a named person responsible for personal-information protection)
15.2 Residents of California, USA
California residents have rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"):
- Right to know what personal information we collect, use, disclose, and sell (we do not sell).
- Right to delete subject to exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing (we do not sell or share in the CCPA sense).
- Right to limit use of sensitive personal information (we do not use sensitive personal information for purposes beyond those permitted without consent).
- Right to non-discrimination for exercising rights.
To exercise these rights, email [email protected].
We have not sold or shared personal information for cross-context behavioral advertising in the preceding 12 months.
15.3 Residents of the European Economic Area, United Kingdom, and Switzerland
If we process your personal information, you have the rights described in Section 10. Our legal bases are as described in Section 6. If you need to contact our EU/UK representative (to be appointed when we take our first EU/UK customer), instructions will be posted at [achieveit.ca/privacy/eu].
Transfers of personal information from the EEA/UK/Switzerland to us in Canada rely on the European Commission's adequacy decision for Canada (for PIPEDA-covered commercial activities). Onward transfers to our US-based subprocessors rely on Standard Contractual Clauses or equivalent valid transfer mechanisms.
16. Contact Us
- Privacy inquiries: [email protected]
- Data rights requests: [email protected]. Include the rights you wish to exercise and enough information for us to verify your identity.
- Security incidents (disclosed by researchers): [email protected]
- Mail: Achieve IT, 330 5th Avenue SW, Suite 1800, Calgary, Alberta T2P 0J4, Canada
You may also contact the Office of the Privacy Commissioner of Canada if you believe we have not handled your personal information in accordance with PIPEDA: priv.gc.ca · 1-800-282-1376.