📋 Contents
Plain-language summary Quick overview Scope Where this applies Personal information we collect Why we use it AI: use, consent, and choices Legal basis by jurisdiction Retention and destruction Sharing with third parties Your rights and choices Privacy incidents / breaches ContactPlain-language summary
Solexi helps you organize and transmit your digital legacy. To provide the service, we process certain personal information (account details, content you upload, transmission settings). This policy explains what we collect, why, how long we keep it, who we share it with, and your rights.
Scope
This policy applies to our website (solexi.ai), applications, and services (collectively, the "Services"), including all requests related to transmission to heirs and mandataries.
Personal information we collect
1) Information you provide
- Account: email, username, hashed password, preferences, SSO tokens.
- Content: files (photos, videos, documents, audio) and metadata (titles, tags, relationships, notes).
- Transmission settings: designation of heirs/mandataries, access rules, trigger conditions, scheduled messages.
- Support: messages, attachments, information you provide when contacting us.
2) Information collected automatically
- Technical data: IP address, login timestamps, device type, browser, session IDs, pages viewed.
- Cookies: Essential cookies only (session, CSRF). No advertising or behavioural tracking.
- Analytics: Aggregate, anonymized metrics via privacy-focused tool. No personal identifiers stored.
3) Sensitive information
Some content may be highly sensitive (financial, legal, personal messages). We apply enhanced safeguards: AES-256 encryption at rest and strict access controls.
Why we use this information
- Provide and secure the Services (account creation, authentication, access control)
- Store and organize your content according to your explicit instructions
- Execute your transmission rules to heirs and mandataries at the time you specify
- Process your requests, complaints, and rights requests
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations under Canadian and Québec law
- Improve reliability using aggregated, anonymized data
AI: use, consent, and choices
AI-assisted features
Optional features (content structuring, vault search) may use AI. They require explicit opt-in consent. Withdraw consent anytime from account settings.
AI model training
Your vault content is not used to train public AI models. AI processing operates on your data exclusively, within your vault, subject to your permissions.
Transparency
Active AI features are clearly identified in the interface. You can see what data was processed and disable the feature. See the AI Policy tab for full details.
Legal basis by jurisdiction
Canada & Québec
- Consent: primary basis (PIPEDA; Loi 25)
- Necessity: processing required to fulfill your contract
- Legal obligation: retention/disclosure required by law
- Loi 25: PIAs for new features; incident register; 72h notification
European Union (if applicable)
- Consent (Art. 6(1)(a) GDPR) — optional features, cookies
- Contract performance (Art. 6(1)(b)) — core delivery
- Legal obligations (Art. 6(1)(c)) — mandatory retention
- Legitimate interests (Art. 6(1)(f)) — fraud, security
Retention and destruction
| Category | Retention | Basis | Deletion |
|---|---|---|---|
| Account credentials | Until deletion + 30 days | Contract | Secure delete; backups purged 90 days |
| Vault content | Until user deletes | Consent | Immediate removal; backups 90 days |
| Transmission settings | Until revoked | Consent | Same as vault |
| Security logs | 90 days rolling | Legitimate interest | Auto-rotation |
| Support messages | 3 years | Legal obligation | Secure deletion |
| Financial records | 7 years | CRA (tax law) | Encrypted archive |
| Waitlist / leads | Opt-out or 2 years | Consent | Auto-purge |
Sharing with third parties
We share data only with vendors processing on our behalf. We do not sell personal information.
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Cloud infrastructure | Compute, encrypted storage, CDN | Canada / US | DPA; AES-256; SCCs |
| Transactional email | Verification, alerts | US (SCCs) | DPA; no marketing use |
| Authentication (SSO) | OAuth 2.0 token validation | US / Canada | Minimal data; SCCs |
| Analytics | Aggregate metrics | EU / Canada | No cookies; no PII |
| Payment processor | Billing (when live) | US / Canada | PCI-DSS compliant |
Your rights and choices
- Access — receive a copy in structured format
- Correct — fix inaccurate or incomplete data
- Delete — subject to legal retention obligations
- Export — portable ZIP archive anytime
- Withdraw consent — without affecting past processing
- Object — to legitimate-interest processing
- Complain — to CAI (Québec) or applicable authority
Privacy incidents / breaches
- Notify CAI within 72 hours of confirming a serious incident (Loi 25)
- Notify affected individuals without undue delay
- Maintain confidential incident register
- Document root cause, corrective actions, outcome
Contact
Privacy Officer (RPRP)
- Name: Daniel Tanguay, CEO & Founder
- Email: Daniel@solexi.ai
- Phone: +1-514-570-3074
- Address: 527 rue Lacasse, Terrebonne, QC J6W 4Y7, Canada
Other contacts
- Security: security@solexi.ai
- General: solexi.ai/contact/
- CAI (Québec): cai.gouv.qc.ca
📋 Contents
Security principle Security controls Active / In progress / Planned Threat model 24-month roadmap Compliance & frameworks Security contact🔒 Security Principle
Trust is earned through precision, not hype. This page documents Solexi's security posture honestly — what is active, what is in progress, what is planned. We do not claim certifications we have not obtained.
🛡️ Security Controls
● Active ● In progress ● Roadmap
TLS 1.3 preferred on all endpoints. HSTS enforced (1-year max-age). Modern ciphers only (ECDHE, AES-GCM, CHACHA20).
AES-256-GCM for vault content and account data. Cloud KMS envelope encryption. Annual key rotation.
Bcrypt hashing (cost ≥ 12). Min 10 chars. TOTP MFA available. Rate-limited login. Coming: Passkey/WebAuthn (Phase 2).
Role-Based. Heir access read-only by default. Least-privilege for support staff — no vault access without explicit request.
Login, file access, permission changes, delivery triggers, admin actions. 90-day rolling retention. Export on request.
Automated daily backups. 30-day rolling history. Quarterly restore tests. Coming: Multi-region (Phase 2).
Auto dependency scanning on every push. Critical patches ≤72h. Coming: Annual pentest (Phase 2, H2 2026).
security@solexi.ai — 24h triage. Severity-based: Critical=immediate, High=24h, Medium=72h. Loi 25 notification.
⚠️ Threat Model
Solexi is purpose-built for high-sensitivity personal data. We protect against:
- Unauthorized access — MFA, RBAC, session management, rate limiting
- Data exfiltration — AES-256, TLS 1.3, audit logging, egress monitoring
- Insider threats — least privilege, no vault access without incident/request, audit trail
- Account takeover — bcrypt, TOTP MFA, login anomaly detection, recovery codes
- Supply chain — dependency scanning, vendor DPAs, sub-processor oversight
- Data loss — daily encrypted backups, 30-day retention, quarterly restore tests
🗺️ Security Roadmap (24 months)
- TLS 1.3 + AES-256 on all endpoints
- RBAC with heir/mandatary permission scoping
- TOTP MFA for all accounts
- Daily encrypted backups with quarterly restore tests
- Audit logging (90-day rolling)
- Incident response process + Loi 25 register
- Passkey / WebAuthn support
- First annual penetration test
- Multi-region backup redundancy
- SOC 2 Type I preparation
- Bug bounty program (private, curated)
- SOC 2 Type II audit
- Zero-knowledge encryption option
- Real-time threat monitoring
- Annual red team exercise
📜 Compliance & Frameworks
| Law / Standard | Status | Notes |
|---|---|---|
| Loi 25 (Québec) | ✓ Active | PIAs, incident register, 72h notification, RPRP appointed |
| PIPEDA (Canada) | ✓ Active | Consent-based collection; 10 fair information principles |
| GDPR (EU) | ○ Partial | SCCs in place; full compliance planned if EU users onboarded |
| SOC 2 | ◒ Planned | Type I preparation Phase 2; Type II in 2027 |
📬 Security Contact
Report a vulnerability
Email: security@solexi.ai
Response: Triaged within 24 hours
Responsible disclosure: We follow coordinated disclosure. We will not take legal action against good-faith security researchers.
General security inquiries
CEO/Privacy Officer: Daniel Tanguay
Email: Daniel@solexi.ai
Phone: +1-514-570-3074
Address: 527 rue Lacasse, Terrebonne, QC J6W 4Y7
🤖 AI Policy — Consent-First
Solexi uses AI responsibly, with clear boundaries. This policy covers every AI-related feature in the platform — what it does, what data it touches, and how you stay in control.
1. What AI features exist
- Content structuring assistance — suggests organization for uploaded materials (folders, tags, timelines). Processes your files locally within your vault context.
- Vault search — natural language search across your content. Indexes are scoped to your vault only.
- Memorial experience preparation — optional future feature to help create documentary foundation for AI-assisted memorial. Requires separate, explicit consent.
2. Consent model
Opt-in only
Every AI feature is off by default. You must explicitly enable each feature. You can disable any feature at any time from your account settings without affecting other services.
Granular control
Consent is per-feature, not blanket. Enabling vault search does not enable content structuring. Each feature has its own toggle and explanation.
3. Data handling
- Processing scope: AI operates on your data exclusively, within your vault boundary. No cross-user data sharing.
- No model training: Vault content is never sent to third-party AI providers for training general models.
- Third-party AI: If a third-party AI service is used for processing (e.g., an LLM for search), data is sent via encrypted API, not stored by the provider, and covered by a data processing agreement.
- Logs: AI processing events are logged in your audit trail. You can view them anytime.
4. Transparency
- When an AI feature is active, it is clearly labelled in the interface (badge, icon, or indicator).
- You can always see what data was processed by the AI and what output was generated.
- AI-generated content is never presented as human-created without clear attribution.
- We publish a changelog of AI features, models used, and data handling updates.
5. Safety controls
- Output review: AI-generated suggestions are always presented as proposals — you approve, edit, or reject before anything is saved.
- No autonomous actions: AI cannot modify your vault, send messages, or trigger transmissions without your explicit confirmation.
- Bias awareness: We document known limitations of AI models and do not claim accuracy beyond what the model can deliver.
- Incident handling: AI-related incidents follow the same process as security incidents (see Security tab).
6. Your AI rights
- Right to know: Which AI features are active, what data they process, what models are used.
- Right to disable: Turn off any AI feature at any time, per-feature.
- Right to human alternative: Every AI-powered feature has a manual alternative. AI is never required.
- Right to explanation: Request a plain-language explanation of how an AI feature processed your data.
- Right to complain: Contact Daniel@solexi.ai or the CAI (Québec).