Privacy Policy

We collect information in three ways: (a) directly from you; (b) automatically; and (c) from third-party sources priv.gc.ca.

Context

Types of Data

Primary Purpose

Account Registration

Name, email, password, pronouns, time-zone

Provide account functions and sync preferences

Profile & Self-Assessments

ADHD/ASD traits, habit check-ins, wellness goals (optional)

Personalise guidance; generate insights

AI Chat/Coach Sessions

Chat transcripts, first name, age range, location, gender

Deliver tailored responses; improve quality; not used to train external AI models

Device & Usage Data

IP address, browser type, OS, mobile device ID, app version, clickstream

Analyse performance; prevent fraud

Demographics

Age, province/state, language

Research & Localisation

Referral Codes / Partner Promotions

Code used, partner ID

Attribute campaigns; fulfil incentives

Feedback & Support

Email, screenshots, description of issue

Resolve problems; improve services

Payment Handling

We never store full payment card numbers. Payments are processed by [Processor Name] under their PCI-DSS compliant systems. We receive only a token and billing status.

We may also collect cookies, pixels, and similar identifiers; see the Cookie section below.

Besides the purposes shown above, we use information to:

• Provide & maintain services (e.g., log-in, habit reminders).
  
  

• Send transactional messages (confirmations, subscription notices).
  
  

• Communicate—respond to inquiries, deliver newsletters or surveys (with consent).
  
  

• Run analytics & develop new features.
  
  

• Detect and prevent fraud or security incidents.
  
  

• Comply with law (PIPEDA, CCPA/CPRA, anti-spam, tax).
  
  

• Enforce our Terms of Service.

We never sell personal information. We may disclose it in these circumstances:

Recipient

Examples

Legal / Business Basis

Service Providers

Cloud hosting, email delivery, customer-support vendors

Contractual necessity

Analytics & Marketing Partners

Google Analytics, Mixpanel

Legitimate interest in audience insights.

Affiliate or Successor Entities

Corporate restructuring or acquisition

Continuity of service

Legal & Safety

Court orders, subpoenas, enforcing rights

Compliance with law

Pseudonymized Research & Commercial Use

Includes pseudonymized usage trends shared with trusted partners like wellness-focused insurers.

Legitimate interest. Pseudonymized data shared only with partners aligned to our mission.

With Your Consent

Posting to a public forum; connecting to a third-party app

Consent

Partner promotions and referral code data are also shared with the partner sponsoring the program.

Ethics and Governance

AchievaFlow is 75 percent owned by a nonprofit foundation to protect our mission. We use data only for research and service improvement that serve public interest. We do not sell data to pharmaceutical companies or any entity that may exploit user data.

Self-Service Controls

• Profile Settings – update contact info, timezone, notification preferences.
  
  

• Delete Account – in-app tool or email request.
  
  

Opt-Outs

• Marketing Emails – click “unsubscribe”.
  
  

• Mobile Push – disable via OS or in-app settings.
  
  

• Analytics/Advertising Cookies – see Cookie banner; you can opt-out of targeted ads.
  
  

Statutory Rights

• Under PIPEDA you may request access, correction, portability, or withdrawal of consent.
  
  

• We will not discriminate against you for exercising these rights.

Verification – We may require ID confirmation or use knowledge-based checks.

We use:

• Necessary & Functional Cookies – sign-in, load balancing.
  
  

• Analytics Cookies – Google Analytics, Amplitude.
  
  

• Advertising Cookies – to show relevant ads on third-party sites.
  
  

Browser settings let you refuse some cookies; doing so may impair certain features.

We employ TLS encryption in transit, AES-256 at rest, attribute-based access controls ABAC, and routine penetration testing. No method is 100 % secure, but we follow ISO 27001/ SOC 2 best practices.

Retention: we keep data only as long as needed for the purposes above, plus statutory periods for tax, contracts, or dispute resolution.

All internal access to personal/pseudonymized data is: Logged and monitored; Limited via Attribute-based policies; Subject to internal audits and purpose-binding.

Users are responsible for safeguarding their passwords; notify us immediately of any unauthorized use.

Achievaflow is incorporated in Canada, but some providers operate in the United States or other countries. When we transfer data across borders, we rely on contractual clauses and PIPEDA’s “comparable level of protection” test.

AI will be used for personalized nudges and reminders. No legally significant decisions are made automatically. Personalization is based on user-defined goals and identity, and not imposed logic.

Our apps may link to services we do not control (e.g., Spotify, Apple Health). Their privacy practices are governed by their own policies. Review those policies before sharing data.

We may update this Policy. Material changes will be announced via email or in-app notice. The “Effective” date tells you when the current version took effect.

Our services are not directed to children under 13, and teen users under 18 should have parental guidance. We do not knowingly collect their data. If you believe a child has provided us information, contact us to delete it.

Privacy Officer (PIPEDA designated):
Marcia Stipanich Martins, Achievaflow Inc.
441 Paddington Cres, Oshawa, ON, Canada
Email: info@achievaflow.com
Toll-free: [+1 647 643 5616]

• Access & Correction – Submit a written request; we will respond within 30 days as required by PIPEDA
  
  

• Withdrawal of Consent – You may withdraw consent for non-essential processing at any time; this may limit some features.
  
  

• Complaints – If unresolved, you may lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC).
  
  

Quick Reference to Key Laws & Sources

• PIPEDA overview – OPC priv.gc.ca
  
  

• PIPEDA policy template guidance – TermsFeed termsfeed.com
  
  

• PIPEDA accountability principle – OPC guide secureprivacy.ai
  
  

• CCPA statute & rights – CA OAG site oag.ca.gov
  
  

• CCPA thresholds & scope – Palo Alto Networks explainer paloaltonetworks.ca
  
  

• Cross-border transfer requirements (GDPR vs PIPEDA) – DataGuidance PDF dataguidance.com
  
  

• International transfer best practices – SecurePrivacy guide secureprivacy.ai