Privacy Policy
Last updated: December 15, 2025
Introduction
Cothon ("we", "us", or "our") is committed to protecting your privacy in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA). This Privacy Policy explains how we collect, use, disclose, and protect your personal information.
Information We Collect
Account Information
When you register, we collect your email address, name, and password. If you connect third-party integrations, we also collect profile information from those services.
Usage Data
We collect information about how you use our platform, including bid analyses performed, documents uploaded, and features accessed. This helps us improve our services.
Integration Data
When you connect Google, Microsoft Teams, or Slack, we collect profile information and workspace identifiers. OAuth tokens are encrypted and stored securely.
How We Use Your Information
We use your personal information for the following purposes:
- To provide and maintain our procurement analysis and proposal generation services
- To send you important updates about your account and our services
- To protect against unauthorized access and ensure platform security
- To comply with legal obligations and respond to lawful requests
Third-Party Data Sharing
We share your data with the following service providers to deliver our platform. All third parties are bound by data processing agreements and PIPEDA-compliant privacy practices.
Stores your account data, documents, and analyses. Data is encrypted at rest and in transit. Located in US data centers with GDPR/SOC2 compliance.
Collects anonymized error reports to improve platform stability. We have disabled PII collection and implemented data scrubbing. No personal information is sent.
Google Gemini and OpenAI process your documents for analysis. Content is not used to train their models. Data is transmitted securely and not retained after processing.
Sends transactional emails (password resets, notifications). Only receives email addresses necessary for delivery. Does not use data for marketing.
Google, Microsoft, and Slack provide authentication and workspace integration. We only request necessary scopes and store tokens encrypted. You can revoke access at any time.
Hosts our application infrastructure. Access logs may contain IP addresses, which are retained for security purposes and deleted after 90 days.
Data Retention
We retain your personal information only as long as necessary to provide our services and comply with legal obligations. Account data is kept until you delete your account. Activity logs are anonymized after 90 days. Consent records are kept for 7 years for legal compliance.
Your Rights Under PIPEDA
Under PIPEDA, you have the following rights regarding your personal information:
- Access: Request a copy of all personal information we hold about you
- Correction: Request corrections to inaccurate personal information
- Deletion: Request deletion of your personal information and account
- Portability: Export your data in a machine-readable format (JSON)
- Withdraw Consent: Withdraw consent for optional data processing at any time
Cookies & Local Storage
We use essential cookies for authentication and session management. Analytics cookies are only set with your explicit consent. You can manage cookie preferences through the cookie consent banner or your browser settings.
Data Security
We implement industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest, OAuth token encryption, regular security audits, and access controls. We follow secure development practices and monitor for vulnerabilities.
Cross-Border Data Transfers
Your data may be processed in countries outside Canada (primarily the United States) where our service providers are located. These transfers are protected by contractual safeguards ensuring PIPEDA-equivalent protection.
Contact Us
For privacy-related questions, data requests, or to file a complaint, contact our Privacy Officer:
privacy@cothon.ca
Changes to This Policy
We may update this Privacy Policy periodically. When we make material changes, we will notify you via email and require re-acceptance of updated terms. The date at the top indicates the last revision.