Legal, v1.3, Ottawa

Privacy Policy.

Quebec Law 25, PIPEDA, GDPR, CCPA, and COPPA aligned. Word-for-word the same disclosures we ship in our iOS privacy manifest.

Effective: 8 May 2026 Last updated: 12 June 2026 Version: 1.3 Apple manifest: 1:1

BrandsAI ("BrandsAI", "we", "us", "our") is the fashion-intelligence service of PulsarOS Intelligence Inc. (Corp #17777191, BN 730610631RC0001), a federal Canadian corporation under the Canada Business Corporations Act with offices at 638 Center Street, Suite 408, Ottawa, Ontario. PulsarOS Intelligence Inc. is the entity responsible for your personal information under this policy while BrandsAI Inc., the dedicated operating company (70 percent held by PulsarOS Intelligence Inc.), completes its federal incorporation; on completion, BrandsAI Inc. assumes this policy without interruption. We operate the BrandsAI service, an AI-powered fashion, wardrobe, and social brand intelligence platform.

This policy applies to the BrandsAI iOS application (bundle identifier com.brandsai.app), the BrandsAI website, and any administrative or web counterpart operated under the BrandsAI name.

It is written to satisfy Quebec's Act respecting the protection of personal information in the private sector (as modernized by Law 25), the federal Personal Information Protection and Electronic Documents Act (PIPEDA), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA / CPRA). It also matches the disclosures we publish in the Apple App Store privacy nutrition label and in the iOS privacy manifest shipped with our application.

This is an operational document. If a sentence here ever conflicts with a product feature, the policy wins until we revise it.

1, Who to contact

You can reach us about anything in this policy at the addresses below.

  • Privacy and access requests: privacy@brandsai.ca
  • Data Protection Officer: privacy@brandsai.ca, attention "Privacy Officer". The same individual serves as our Quebec Person in Charge of the Protection of Personal Information under Law 25, our PIPEDA accountability officer, and our GDPR DPO for users in the EEA, the UK, and Switzerland.
  • Postal address: BrandsAI, c/o PulsarOS Intelligence Inc., 638 Center Street, Suite 408, Ottawa, Ontario, K1K 5A6, Canada.
  • Legal and DMCA matters: legal@brandsai.ca, copyright@brandsai.ca.

We respond to verified privacy requests within thirty (30) calendar days, in line with Law 25, PIPEDA, GDPR Article 12, and CCPA Section 1798.130. We may extend this once for unusually complex requests and will tell you why before the original deadline expires.

2, The personal information we collect

We deliberately collect a small surface of personal information. The list below mirrors, one to one, the data types declared in our iOS privacy manifest (NSPrivacyCollectedDataTypes in apps/mobile/app.json). If a category is not listed below, we do not collect it.

2.1 Name (NSPrivacyCollectedDataTypeName)

We collect the name you provide at sign up or that Apple provides through Sign in with Apple. We use it to address you in the application, to personalize style and wardrobe recommendations, and to identify your account in support correspondence.

  • Linked to your identity: yes.
  • Used for tracking across apps and websites you do not own: no.
  • Purposes: App Functionality, Product Personalization.

2.2 Email address (NSPrivacyCollectedDataTypeEmailAddress)

We collect the email address you provide at sign up or the relay email address Apple issues through Sign in with Apple. We use it to send transactional account messages, security alerts, password and access recovery flows, and replies to support and privacy requests. We do not send marketing email unless you have explicitly opted in, and you can opt out at any time.

  • Linked to your identity: yes.
  • Used for tracking across apps and websites you do not own: no.
  • Purposes: App Functionality, Account Management.

2.3 Photos or videos (NSPrivacyCollectedDataTypePhotosorVideos)

When you photograph a wardrobe item, scan an outfit, or upload a picture from your photo library, we receive the image and any embedded metadata that you choose to send. The image is processed by our AI features so we can recognize the garment, suggest outfits, build your wardrobe graph, and generate brand intelligence outputs. We do not access your photo library beyond the items you explicitly select or capture.

  • Linked to your identity: yes.
  • Used for tracking across apps and websites you do not own: no.
  • Purposes: App Functionality.

2.4 User identifier (NSPrivacyCollectedDataTypeUserID)

We assign every account a server side user identifier and we receive the Apple user identifier returned by Sign in with Apple. The identifier is the primary key for your account record, your wardrobe graph, your subscription state, and any audit log entries we keep for security and abuse prevention.

  • Linked to your identity: yes.
  • Used for tracking across apps and websites you do not own: no.
  • Purposes: App Functionality, Account Management.

2.5 What we do not collect

We do not collect precise location, contacts, browsing or search history outside the application, sensitive identifiers (race, religion, health, sexual orientation, biometric templates, exact geolocation), advertising identifiers used for cross-context behavioural advertising, or any other category not listed above. The iOS permission strings for camera, photo library, microphone, location, and motion describe the platform-level access the application can request. They are not categories of personal information that flow to our servers unless they fall inside the four data types listed above. If you decline an iOS permission, the corresponding feature is disabled locally on your device and nothing leaves it.

We do not knowingly collect any personal information from children. See section 12.

2.6 Marketing form submissions (waitlist, contact, investor leads, newsletter)

If you submit your email through one of the public forms on our marketing site, including the Coming Soon waitlist on app.brandsai.ca/signin, the contact form on brandsai.ca/contact, the investor lead form on brandsai.ca/invest, or the newsletter form, we record: the email address you provided, the form type, the locale of your browser, the IP address of the request, and the user agent string. This is collected on the lawful basis of your consent (Quebec Law 25 article 12, GDPR Article 6(1)(a), PIPEDA implied consent, CASL implied consent for transactional notification).

  • Linked to your identity: yes (email).
  • Used for tracking across apps and websites you do not own: no.
  • Purposes: for the waitlist, a single transactional notification when BrandsAI launches on the App Store. For contact and investor leads, a one-to-one reply from us. For the newsletter, ongoing product updates that you can unsubscribe from at any time. We do not send marketing email from the waitlist. We do not sell, rent, or share these lists. We do not enrich them with third-party data. We do not use them for behavioural targeting or advertising.
  • Retention: the waitlist is held until BrandsAI launches on the App Store, the launch notification is sent, plus thirty (30) days for delivery confirmation, after which the row is deleted unless you have already created an account (in which case the email merges into your account record under section 2.2). Contact submissions are held for twelve (12) months. Investor leads are held until the lead is closed or twenty-four (24) months. Newsletter subscriptions are held until you unsubscribe plus thirty (30) days.
  • Right to withdraw and right to be forgotten: email privacy@brandsai.ca from the address you submitted, and we will delete the row within thirty (30) days. The launch notification email itself includes a one-click unsubscribe link.
  • Storage location: sovereign Postgres on OVHcloud Beauharnois, Quebec. The form endpoint is rate-limited at the nginx edge and at the application layer.
  • Storage at rest: the email is currently stored as plaintext inside the Postgres column form_submissions.email, protected by access controls (sovereign Canadian server, restricted Postgres role, encrypted backups under sovereign age key custody). A column-level encryption migration to XChaCha20-Poly1305 is planned for a near-term hardening cycle and this section will be updated when it ships.
  • No automated decisions. Submitting a form does not enroll you in any automated profiling. Marketing emails, when they exist, go to the entire opt-in segment.

3, How we use your personal information (purposes and lawful basis)

We use personal information only for the three purposes declared in our privacy manifest and disclosed in our Apple App Store privacy label.

PurposeWhat it coversGDPR lawful basis
App FunctionalityAuthenticating you, running the wardrobe and outfit features, generating AI suggestions on photos you submit, syncing across your iOS device and the web counterpart, processing in-app purchases, providing customer support.Performance of a contract with you (Article 6(1)(b)).
Account ManagementCreating and maintaining your account, recovering access, sending transactional and security messages, enforcing the Terms of Service, resolving disputes.Performance of a contract (Article 6(1)(b)) and our legitimate interest in account security (Article 6(1)(f)).
Product PersonalizationTailoring style suggestions, brand intelligence outputs, and recommendations to the wardrobe and preferences you have built inside the application.Performance of a contract (Article 6(1)(b)) where personalization is a core feature, and consent (Article 6(1)(a)) for any optional personalization layer that you can switch off.

We do not use your personal information for advertising, for analytics that profile you across other companies' apps, for third-party data brokerage, or for sale. We do not engage in behavioural advertising and we do not enable Apple's App Tracking Transparency tracking flag on shipped builds. The presence of a tracking permission string in the project history is a developer-tooling artifact and does not represent live behaviour on production builds.

For users in Quebec, this section is also our Law 25 disclosure of the purposes for which we collect, use, and communicate personal information. For users in the European Economic Area, the United Kingdom, and Switzerland, this section is our Article 13 disclosure of purposes and lawful basis. For users in California, the categories above correspond to the CCPA categories of "Identifiers" (name, email, user ID) and "Visual or analogous information" (photos), each used for "performing services" and "internal use to improve products" only.

4, AI processing disclosure

BrandsAI uses artificial intelligence to recognize garments in your photographs, to compose outfits, to summarize brand intelligence signals, and to personalize recommendations. We are explicit about how that processing works.

  1. Your wardrobe, profile, and content are stored on sovereign Canadian infrastructure operated by BrandsAI on physical servers we control. When you use an AI feature, the specific content needed for that request (for example, a garment photo you scan or a styling prompt you send) is processed by vetted third-party AI providers through their business APIs, under contracts that prohibit the use of your content to train their models. We send the minimum necessary for the feature, and the results are returned to your account on Canadian soil.
  2. Your photographs and prompts are encrypted in transit using TLS 1.3 and at rest using AES-256-GCM, with a hardware-bound key custody posture aligned with PulsarOS Intelligence Inc. Patent 70 family on sovereign key binding, and with the high-assurance encryption profile documented in PulsarOS Patent 41 and Patent 171.
  3. We do not use your personal information, your photographs, or your prompts to train, fine-tune, or evaluate any third-party AI model. We do not sell, license, or share your content with any AI vendor for training purposes.
  4. Where we use your content to improve our own model quality, we do so under one of two regimes: anonymized aggregate signals that no longer identify you, or content you have explicitly consented to share for model improvement through an in-app toggle that defaults to off. You can withdraw that consent at any time.
  5. AI outputs can be inaccurate, incomplete, or biased. They are suggestions, not facts. They are not professional fashion, financial, medical, legal, or psychological advice, and you should not treat them as such. You retain full ownership of the photographs, prompts, and content you submit, subject only to the limited license you grant us in the Terms of Service for the purpose of operating the application and delivering the service to you.
  6. Where automated processing produces a decision that has legal or similarly significant effects on you, you have the right to request human review and to contest the decision. In practice, BrandsAI does not currently make any such decisions. AI features in the product are advisory only and do not gate access to credit, employment, housing, insurance, education, or any other consequential service.

5, Where your data lives

BrandsAI is a sovereign Canadian service. Personal information is processed and stored on servers physically in Canada, racked at OVHcloud's Beauharnois, Quebec data center, on infrastructure operated by BrandsAI under PulsarOS Intelligence Inc. governance. Encrypted backups stay on Canadian soil only. One exception applies: AI feature requests are processed by the third-party AI providers described in section 4, which may process that request data outside Canada for the duration of the request.

Beyond that, we do not transfer personal information outside Canada. The remaining exceptions are Apple Inc., which processes Sign in with Apple identity flows, and any App Store purchase transactions where a release offers them, on its own infrastructure as an independent controller, and Stripe Payments Canada Limited, which processes subscription and marketplace payments as our processor. Each is transactional and narrow. If we ever introduce another transfer, we will update this policy, identify the destination country and safeguards (Standard Contractual Clauses, adequacy decisions, equivalent Law 25 assessments), and obtain your consent where required.

6, Who we share with

We do not sell, rent, or trade personal information. We do not share it with data brokers, ad networks, or analytics vendors that profile you across other services.

The only third parties that receive personal information are, each under a written contract that restricts processing to our instructions:

  • Apple Inc. for Sign in with Apple, App Store distribution, in-app purchase, push notifications, and opted-in crash reporting (independent controller for some flows, processor for others).
  • Stripe Payments Canada Limited for subscription and marketplace payments (processor).
  • Vetted AI providers for styling, scanning, and image features (processors): each receives only the content needed to fulfil your request and is contractually prohibited from using your content to train its models.
  • OVH Hébergement Inc. as data center facility operator (no logical access to encrypted customer data).
  • PulsarOS Intelligence Inc., our group company, for shared sovereign infrastructure, security operations, and patent-pending compression and encryption stack support, under an intra-group data processing agreement limited to operating BrandsAI.
  • Professional advisors and authorities (legal counsel, auditors, regulators, courts) where legally required, where we need to defend our rights, or where you authorize disclosure. We push back on overbroad requests and notify you when the law allows.

We will notify you, and obtain consent where required, before introducing a new category of recipient.

7, How long we keep data

We keep personal information only as long as we need it for the purposes set out in this policy, plus the minimum period required by law.

CategoryRetention period
Account profile (name, email, user identifier, wardrobe graph, photographs you uploaded)For the lifetime of your account. When you delete your account in the application, your content and personal information are erased from production immediately, and thirty (30) days is the outer bound for every deletion path, except where a legal obligation forces a longer hold. Deletion cannot be reversed and deleted accounts cannot be restored.
Server-side application logs (access logs, security logs, error traces)Ninety (90) days, after which they are purged or anonymized.
Encrypted backupsUp to one (1) year on a rolling encrypted snapshot, then destroyed. Backups are restored only for disaster recovery and are not used for any other purpose.
Subscription, billing, and tax recordsSeven (7) years after the end of the fiscal year, as required by Canadian tax law.
Privacy and access request filesThree (3) years after closure, as proof of compliance.

When the retention period ends, we either destroy the data or anonymize it irreversibly so it can no longer be associated with you.

8, Your rights

You have rights over the personal information we hold about you. Where you live affects which legal regime names them, but in practice we offer the same rights to every user, with the local carve-outs that the law mandates.

  • Right of access. You can ask us for a copy of the personal information we hold about you, the purposes of processing, the recipients, the retention period, and the source of the data when we did not collect it directly from you.
  • Right of rectification. You can ask us to correct inaccurate or incomplete personal information.
  • Right of erasure / deletion. You can ask us to delete your personal information. We honour the request unless a legal obligation, an active dispute, or a fraud-prevention need requires us to retain it. Account self-deletion is also available inside the application.
  • Right to portability. You can ask for a copy of the personal information you provided to us, in a structured, commonly used, machine-readable format, and you can ask us to transmit it to another controller where technically feasible.
  • Right to restrict or object to processing. You can ask us to pause processing, or to stop processing that we base on legitimate interest, including any direct marketing.
  • Right to withdraw consent. Where we rely on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to information about and to opt out of automated decisions. As noted in section 4, BrandsAI does not currently make automated decisions that produce legal or similarly significant effects. If we ever introduce one, you will have the right to a human review.
  • California-specific rights (CCPA / CPRA). If you are a California resident, you also have the right to know the categories and specific pieces of personal information we collect, the right to delete, the right to correct, the right to opt out of the sale or sharing of personal information (we do not sell or share, so there is nothing to opt out of, but the right exists), the right to limit the use of sensitive personal information (we do not collect any), and the right not to be discriminated against for exercising any CCPA right. We will not deny service, charge a different price, or provide a different level of service because you exercised a CCPA right.
  • Quebec-specific rights (Law 25). If you live in Quebec, you also have the right to be informed of the use of automated decision systems that produce a decision based exclusively on automated processing, and the right to ask us to cease using or to de-index personal information that causes serious injury to your reputation or privacy where the legal conditions are met.
  • Right to lodge a complaint. You can complain to a supervisory authority: the Commission d'accès à l'information du Québec in Quebec, the Office of the Privacy Commissioner of Canada elsewhere in Canada, your local data protection authority in the EEA, the UK, or Switzerland, or the California Privacy Protection Agency in California. We would prefer that you contact us first.

9, How to exercise your rights

You can exercise any of the rights in section 8 in two ways:

  1. In the application. The Privacy Center inside the iOS app lets you download your data, edit it, and delete your account without contacting us.
  2. By email. Write to privacy@brandsai.ca with the subject line "Privacy request" and a short description of what you want. We will ask for enough information to verify that you are the account holder, and only what is necessary for that purpose. Verification typically uses a confirmation message to the email address on file or a sign-in challenge inside the application. We do not require a copy of any government-issued identification by default.

We respond within thirty (30) days. We do not charge a fee for honouring a privacy request unless the request is manifestly unfounded or excessive, in which case we will tell you the fee in advance and you can withdraw the request without cost. You are entitled to be told the result of the request, the reasons for any refusal, the legal basis for that refusal, and how to challenge it.

If you exercise a right through an authorized agent, the agent must provide written proof of authority, and we may also confirm directly with you.

10, Direct marketing and electronic communications

We send transactional messages (account, security, support, billing) by default. We send promotional messages only to users who have opted in. Every promotional message contains a one-click unsubscribe link, and unsubscribing takes effect immediately. This satisfies Canada's Anti-Spam Legislation (CASL), CAN-SPAM, GDPR Article 21(2), and CCPA Section 1798.135.

We do not use cookies or similar tracking technologies on the iOS application beyond a strictly necessary local session token. The web counterpart uses only first-party cookies that are strictly necessary for authentication and security; we do not deploy advertising, analytics, or social-plugin cookies.

11, Security

We protect your personal information using the following measures.

  • TLS 1.3 for every network connection between the application and our servers, with strict transport security and certificate pinning where the platform supports it.
  • AES-256-GCM encryption at rest for stored data and for backups.
  • Hardware-bound key custody on the server side, aligned with PulsarOS Intelligence Inc. Patent 70 sovereign key binding posture.
  • High-assurance encryption profiles aligned with PulsarOS Patent 41 and Patent 171 for AI inference paths.
  • Apple Sign in with Apple as the primary authentication method, which removes password management from our trust boundary.
  • Device-bound secrets stored in the iOS Keychain via expo-secure-store with Face ID gating.
  • Principle of least privilege on all internal access. Only a small named set of engineers can access production systems, every access is logged, and access is reviewed quarterly.
  • Periodic penetration testing and code review against OWASP Mobile Top 10 and OWASP API Security Top 10.
  • Incident response with notification to affected users and to the relevant authorities (Quebec Commission d'accès à l'information, Office of the Privacy Commissioner of Canada, GDPR supervisory authorities, California Attorney General) within seventy-two (72) hours of becoming aware of a breach that creates a real risk of significant harm, in line with Law 25, PIPEDA, and GDPR Article 33.

No system is perfectly secure. We commit to operating to the standard above, and to telling you the truth quickly if we ever fail.

12, Children

BrandsAI is not directed at children under the age of 13. We do not knowingly collect personal information from a child under 13, in line with the U.S. Children's Online Privacy Protection Act (COPPA). We also restrict access to users who are at least 13 in jurisdictions that follow COPPA, at least 14 in Quebec for independent consent under Law 25, at least 16 in the European Economic Area for independent consent under GDPR Article 8 (lower where local law allows), and at least the age of majority in your jurisdiction for entering into binding contractual terms. If you are below the relevant local age, you must not use the application. If we discover that we have collected personal information from a child below the threshold without verified parental consent, we will delete it without undue delay. Parents and guardians who believe we may hold information about their child can contact privacy@brandsai.ca and we will act on the request within seven (7) days.

13, Changes to this policy

We update this policy as the product changes and as the law evolves. When we make a material change, we will:

  • update the effective date and the version number at the top of this document,
  • post the new version inside the application and on our website,
  • send you an in-app notice and, where the change is material, an email,
  • give you a reasonable period to review the change before it takes effect, and
  • preserve a copy of the previous version on request.

Continuing to use BrandsAI after a change takes effect means you accept the updated policy. If you do not, you can stop using the service and delete your account.

14, Final word

If anything in this policy is unclear, please write to privacy@brandsai.ca and we will answer.

BrandsAI, c/o PulsarOS Intelligence Inc., 638 Center Street, Suite 408, Ottawa, Ontario, K1K 5A6, Canada.
privacy@brandsai.ca, legal@brandsai.ca