Privacy policy
What we collect, why, and what you control
Every data decision is documented here: what enters the system, where it lives, who can reach it, and how you can pull it back. PIPEDA, Quebec Law 25, CASL, and CCPA/CPRA are all covered.
1. Who we are
Forismo ("we", "us", "our") is a Canada-based SaaS communications platform that provides multi-channel messaging, conversation intelligence, and AI-powered productivity tools. Our headquarters are in Canada and our primary data infrastructure is hosted in the AWS Canada (Central) region.
Privacy Officer: For all privacy-related inquiries, contact our designated Privacy Officer at privacy@forismo.com.
2. What personal information we collect
We collect information that you provide directly and information generated through your use of our platform:
| Category | Examples | Purpose |
|---|---|---|
| Account information | Name, email address, phone number | Create and manage your account |
| Communications | Messages, emails, SMS content, voice memos | Deliver and store your conversations |
| Contact data | Names, emails, phone numbers of your contacts | Enable multi-channel messaging |
| Usage data | Features used, timestamps, device info | Improve our platform and provide support |
| Voice recordings | Audio captured during calls or voice memos | Transcription and call records (with consent) |
| AI interaction data | Search queries, AI analysis context | Power semantic search and conversation intelligence |
| Payment information | Billing address, payment method (processed by third party) | Process subscriptions |
3. Why we collect it (PIPEDA Principle 2)
We identify the purpose for collecting personal information before or at the time of collection:
- Service delivery — To provide, maintain, and improve the Forismo platform
- Communication — To send, receive, and route messages across channels
- AI features — To power semantic search, topic extraction, and conversation intelligence (requires explicit consent)
- Security — To protect your account and maintain audit trails
- Legal compliance — To meet regulatory requirements under PIPEDA, provincial privacy laws, and applicable US laws
- Product improvement — To understand usage patterns and improve the platform
4. Consent (PIPEDA Principle 3 & CASL)
We obtain meaningful consent before collecting, using, or disclosing your personal information. Given the sensitivity of communications data, we rely on explicit consent for most processing.
4.1 What requires explicit opt-in
- AI processing of your messages (semantic search, topic extraction, conversation intelligence)
- Cross-border data transfer to AI providers (Anthropic, OpenAI, Google, GitHub Models, Modulate.ai) located in the United States
- Voice recording and transcription
- Commercial electronic messages (CASL compliance)
- Marketing communications
4.2 Withdrawing consent
You can withdraw consent at any time through your account settings or by contacting privacy@forismo.com. Withdrawal may affect your ability to use certain features (e.g., AI-powered search will not function without AI processing consent).
5. Cross-border data transfers
Your primary data is stored in Canada (AWS Canada Central region via Supabase). However, certain features involve processing by service providers in the United States:
| Provider | Location | Purpose | Safeguards |
|---|---|---|---|
| Modulate.ai | United States | Voice transcription (Velma STT) | DPA, data minimization |
| xAI | United States | Grok AI summaries and server-side semantic analysis | DPA, data minimization |
| Vercel | Global (edge) | Application hosting | DPA, TLS encryption |
| Twilio | United States | SMS, MMS, and voice delivery | DPA, carrier-grade encryption |
| Resend | United States | Transactional email delivery | DPA, TLS encryption |
All cross-border transfers are protected by Data Processing Agreements (DPAs) and adequacy assessments as required by Quebec Law 25. We minimize the personal information sent to AI providers by stripping identifiers where possible.
6. Data protection
- Encryption at rest: AES-256 encryption on all stored data
- Encryption in transit: TLS 1.3 (minimum 1.2) for all connections
- Access controls: Row-level security policies, branch-scoped participant access
- Audit trail: Immutable event log for all actions on your data
- Message integrity: Original messages are locked at creation; changes are appended as timestamped addenda
7. Data retention
We retain your data only as long as necessary for the purposes identified:
| Data type | Retention period | Action on expiry |
|---|---|---|
| Conversations & messages | 7 years | Archived |
| Contacts | 5 years (inactive) | Anonymized |
| File attachments | 3 years | Deleted |
| Call recordings | 1 year | Deleted |
| Voice memos | 1 year | Deleted |
| AI processing context | 90 days | Deleted |
| Audit logs | 7 years | Archived |
Data subject to a legal hold will be retained until the hold is released, regardless of retention policy.
8. Your rights
Under PIPEDA, Quebec Law 25, CCPA/CPRA, and other applicable laws, you have the right to:
- Access — Request a copy of all personal information we hold about you
- Correction — Request correction of inaccurate personal information
- Deletion — Request deletion of your personal information (subject to legal holds)
- Portability — Receive your data in a machine-readable format (fulfilled within 30 days per Quebec Law 25)
- Opt-out — Opt out of targeted advertising or sale of personal information (we do not sell PI)
- Restrict processing — Request limits on how we process your data
- Withdraw consent — Withdraw previously given consent at any time
To exercise any of these rights, submit a request through your account settings, email privacy@forismo.com, or use our Trust Center. We will acknowledge your request within 48 hours and fulfill it within 30 days.
9. CASL compliance
For commercial electronic messages (marketing emails, promotional SMS), we comply with Canada's Anti-Spam Legislation (CASL):
- Express opt-in consent is required before sending any commercial message
- All commercial messages identify the sender and include contact information
- Every commercial message contains a functional unsubscribe mechanism
- Unsubscribe requests are honored within 10 business days
- We maintain records of all consent for audit purposes
Note: User-to-user messages sent through the Forismo platform are not commercial electronic messages and are governed by the messaging terms of service, not CASL.
10. Breach notification
In the event of a privacy breach that poses a real risk of significant harm:
- We will report the breach to the Privacy Commissioner of Canada
- We will notify affected individuals directly
- We will document the breach, root cause, and remediation steps
We maintain records of all privacy breaches, including those that do not meet the reporting threshold, as required by PIPEDA.
11. Lawyer-client communications
Forismo provides enhanced protections for legal professionals:
- End-to-end encryption option for privileged channels
- No platform access to privileged content
- Granular access controls with branch-scoped permissions
- Legal hold capabilities to prevent deletion during litigation
- eDiscovery support with search, export, and production tools
- Immutable audit trails compliant with ABA Formal Opinion 477R
12. Changes to this policy
We will update this policy as our practices evolve. Material changes will be communicated via email and in-app notification at least 30 days before taking effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
13. Contact & complaints
If you have questions, concerns, or complaints about our privacy practices:
- Email: privacy@forismo.com
- Postal address: available on request from the Privacy Officer
If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada or your provincial privacy commissioner.