FirstPass™ Privacy & Security Policy
Last Updated: June 19, 2026
Your privacy, data security, and professional compliance are core parameters of our platform architecture. This Privacy and Security Policy explains how AI Advisory Group Inc. and its FirstPass™ platform (collectively "we," "us," or "our") collect, use, process, and protect your information.
1. Information We Collect
We limit our data collection strictly to information required to provision, secure, and bill the FirstPass™ platform.
- Account Information: Name, corporate email address, and company details collected during registration.
- Payment Information: Payment details collected directly by our PCI-DSS compliant third-party processor (Stripe). We do not store or process raw credit card numbers.
- Your Content (Transient Document Data): Client documents, tax files, working papers, or general ledgers uploaded to the platform for execution.
- System Metadata & Logs: Anonymized, aggregated usage data (e.g., system latency, feature execution counts, performance metrics) to maintain security, optimize resources, and satisfy security logging standards.
2. The Stateless, Zero-Persistence Architecture
Unlike legacy platforms, FirstPass™ operates on a stateless security model.
- Zero-Persistence Cloud Execution: All document analysis is executed via our secure, isolated, private cloud environment (Google Cloud).
- Transient, Memory-Only Processing: Documents are processed transiently and not retained after processing.
- Immediate Destruction Safeguard: Upon completion of the AI analysis and delivery of the response back to your local interface, the transient container is recycled, programmatically destroying the document data.
- Model Training Prohibitions: Under no circumstances are uploaded documents, client tax data, or analytical outputs used to train, fine-tune, or reinforce our artificial intelligence models or any third-party foundation models.
3. Professional Liability & Standard of Care Boundaries
- Advisory Micro-Services Only: FirstPass™ operates strictly as a technical verification and review layer. It is not designed, marketed, or configured to perform statutory audits, comprehensive fraud detection, or systemic forensic reviews.
- Scope Protection: In alignment with the precedent established in Deloitte & Touche v. Livent Inc., our duty of care and standard of performance is strictly limited to the narrow, specialized undertaking of executing the specific automated validation rules requested by the user. No broad duty of care, fraud prevention, or financial oversight is assumed.
- Professional Reliance Disclaimer: In alignment with United States v. Arthur Young & Co., the ultimate professional standard of care, public watchdog obligation, and independent professional judgment remain exclusively with the licensed professional or CPA firm utilizing our software. FirstPass™ is a private utility and does not assume, certify, or verify financial statements for public reliance.
4. Data Retention Schedule
We enforce a multi-tiered retention schedule based on the classification of data processed:
- Document Content / Tax Data: Processed transiently and not retained after processing.
- Audit Logs & Security Metadata: Stored in a private, secure cloud database. Retained 90 days in our live system, then permanently deleted; encrypted backups expire within 98 days.
- Account & Billing Info: Retained for the active subscription plus 7 years post-inactivity, then deleted; backup copies are purged within 98 days of live-system deletion.
- Backups: Daily encrypted Firestore backups, retained up to 98 days, stored in Canada. Data deleted from live systems persists in backups until those backups expire (within 98 days).
5. Consent and Legal Basis
We process your personal account information and metadata based on your informed consent and the execution of our services.
- Withdrawal of Consent: You may withdraw your consent for us to store and process your account registration and billing information at any time by contacting our Privacy Officer.
- Operational Impact: Because registration and billing details are required to run the platform, withdrawing consent will result in the immediate suspension and termination of your active account and subscription.
6. Cookie & Storage Policy
Our platform minimizes local browser footprints to maintain an optimal security posture.
- Local & Session Storage: We utilize standard browser localStorage and sessionStorage solely to manage active application state and session authentication. No persistent tracking cookies are deployed by our first-party domain.
- Google Analytics 4 (GA4): Where enabled, we utilize anonymized GA4 cookies to measure platform performance and feature engagement. No personally identifiable financial data is shared with Google.
- Stripe Integration: Client-side functional cookies are utilized by Stripe during checkout to process payments and prevent financial fraud.
- Cloudflare Turnstile: We are rolling out bot protection on our authentication interfaces. Turnstile is a cookie-free, privacy-friendly validation mechanism designed to prevent brute-force attacks without tracking user behavior.
7. Cross-Border Data Transfers
Our secure private cloud instances are located in Canada and the United States.
- Hosting Providers: We partner with Google Cloud Platform (GCP) to host our stateless infrastructure.
- Data Safeguards: All data in transit to our cloud servers is protected via TLS 1.3 encryption. While document processing is transient and stateless, metadata and account information may be processed across these jurisdictions. We enforce structural data safeguards to ensure handling matches the rigorous standards of this policy.
8. Quebec Privacy Compliance (Law 25)
In compliance with Quebec's Law 25, the following disclosures are made:
- Privacy Officer Designated: Mike Rabinovici, President, has been appointed as the Privacy Officer. Contact: mike@aiadvisorsgroup.co.
- Automated Processing Disclosure: FirstPass™ utilizes automated algorithms to generate analytical reports and tax reviews. No automated decisions are made by our systems that produce unilateral legal or significant professional effects regarding any individual.
- Impact Assessments: We conduct Privacy Impact Assessments (PIAs) prior to deploying structural changes, integrating new third-party sub-processors, or initiating cross-border transfers.
9. California Privacy Rights (CPRA)
If you reside in California, you are entitled to specific disclosures under the CPRA:
- No Sale or Share of Personal Data: We do not sell your personal data or share it with third parties for cross-context behavioral advertising.
- Sensitive Personal Information: We do not collect or use sensitive personal information for purposes other than to provide the requested service.
- Your Rights: California residents have the right to request access, correction, deletion, or a portable copy of their collected personal account data. Requests may be directed to our Privacy Officer.
10. Your Rights (All Users)
Regardless of your location, you may request access to, correction of, or deletion of the personal information we hold about you. You may also withdraw your consent to our collection, use, or disclosure of your personal information, subject to legal, regulatory, or contractual requirements.
To exercise any of these rights, please contact our Privacy Officer using the contact information provided below. We will respond to your request within the timeframes required by applicable privacy laws, including Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and other applicable privacy legislation.
11. Contact and Administration
For questions, access requests, or to exercise your statutory privacy rights, please contact our designated Privacy Officer:
AI Advisory Group Inc.71 Newport Square, Thornhill, ON L4J 7N3
Privacy Officer: Mike Rabinovici
Email: mike@aiadvisorsgroup.co
