Data & Document Handling
This document explains what happens to the documents and data you submit to the Vistera platform (“Platform”). It is intended to be a plain, practical explanation: a complement to our Privacy Policy (which covers personal information broadly) and our AI-Assisted Service Consent document (which covers AI-specific processing).
Definitions include:
- Platform means the Vistera software and services.
- Vistera, we, us, or our means Vistera Technologies Corp., the legal entity operating the Platform (formerly Spraggs Group Inc., 1030 Westwood Street, Suite 202, Coquitlam, British Columbia V3C 4E4, Canada; registered extra-provincially in Ontario under the business name “Spraggs Group”).
- Client means a business registered on the Platform.
- Authorized User means an employee or contractor of a Client who has been granted access to the Platform.
- Expert means a Vistera staff member or authorized independent professional assigned to deliver services on the Platform.
- Engagement means a discrete service request created by a Client on the Platform.
- Deliverables means work product prepared and delivered to a Client by an Expert through the Platform.
1. What Documents and Data You Submit
When you use the Platform, you and your Authorized Users submit various types of content and information. Collectively, we call this your “Client Content”. It includes:
- Uploaded files: documents, contracts, financial records, correspondence, or any other files you attach to an Engagement.
- Engagement messages and communications: messages, notes, and instructions you send through the Platform as part of an Engagement thread.
- Form inputs and structured data: information you enter into Platform forms, intake questionnaires, or other structured fields when creating or updating an Engagement.
- Metadata: information automatically associated with your submissions, such as file names, upload timestamps, and file types.
Client Content does not include your account registration data (name, email, billing contact) or payment information; those are handled separately and are described in our Privacy Policy.
2. Where Your Client Content Is Stored
2.1 Primary Storage
Client Content is stored on Amazon Web Services (AWS) Simple Storage Service (S3). Vistera uses a Canadian AWS region as the primary storage location wherever this is available and technically feasible.
2.2 Fallback Storage
In circumstances where the Canadian AWS region is unavailable or technically unsuitable, Client Content may be stored in an AWS region located in the United States. Where this occurs, your Client Content is subject to the laws of the United States, including potential lawful-access requests, in addition to Canadian privacy law. Vistera remains accountable for Client Content stored with AWS regardless of region.
2.3 Encryption at Rest
All Client Content stored on AWS is encrypted at rest using industry-standard encryption. Encryption keys are managed in accordance with AWS best practices.
2.4 Access Controls
Access to stored Client Content is restricted to those with a legitimate need as described in Section 3. Storage infrastructure is not accessible to the general public or to other Clients.
3. Who Can Access Your Client Content
3.1 Experts Assigned to Your Engagement
Experts assigned to your Engagement can access the Client Content you have submitted in connection with that Engagement. Access is scoped to the specific Engagement; an Expert does not have platform-wide access to all Client Content, and an Expert working on one of your Engagements cannot access Client Content from a separate, unrelated Engagement unless they are also assigned to that Engagement.
3.2 Vistera Staff
Vistera staff may access Client Content, on a need-to-know basis and subject to confidentiality obligations, for the following purposes:
- Technical support: to investigate and resolve platform issues you report.
- Quality assurance: to review the quality and accuracy of Expert service delivery.
- Legal and compliance: to respond to lawful requests, resolve disputes, or meet professional record-keeping obligations.
All staff access to Client Content is logged. Audit logs record who accessed what content, when, and for what purpose. Where Client Content relates to a legal-advisory Engagement, staff access is handled consistently with the responsible lawyer’s duty of confidentiality and any applicable privilege.
3.3 Other Clients and Third Parties
Your Client Content is not shared with other Clients or with third parties, except as described in Section 4 (AI processing) and Section 6 (Zoom call recordings); as required by applicable law or court order; or to the extent you have expressly authorized sharing as part of delivering your Engagement. Your Client Content is never sold, licensed, or shared with any third party for marketing, advertising, or commercial purposes unrelated to delivering the services you have requested (see Section 10).
3.4 AI Systems
AI systems access Client Content as described in Section 4.
4. How AI Processes Your Client Content
This section should be read alongside our AI-Assisted Service Consent document, which provides additional detail on the AI features used on the Platform and the consent basis for that processing.
4.1 How AI Is Used
AI systems are used internally by Experts to assist with service delivery. AI may read and summarize Engagement messages and documents; extract relevant information from uploaded files; and generate first drafts of responses or Deliverables for Expert review and approval. AI tools are not used to make decisions about your Engagement. Every Deliverable you receive has been reviewed and approved by a qualified human Expert.
4.2 Client Content Is Not Altered
AI processing of your Client Content is read-only. Your original uploaded files and submissions are not modified, annotated, or overwritten as a result of AI processing. The AI-generated output (summaries, extractions, drafts) is shown to the Expert as a working reference, it is separate from and does not replace your original Client Content.
4.3 Processing Is Scoped to the Specific Engagement
AI does not access your Client Content across Engagements. Documents and messages submitted in one Engagement are not processed in the context of a different Engagement. AI processing is limited to the data within the specific Engagement to which it relates.
4.4 AI Output Is Internal Only
AI-generated output - including summaries, document extractions, and draft responses - is surfaced to Experts only. Raw AI output is never delivered to you directly. What you receive is the Expert’s approved version of any work product.
4.5 Third-Party AI Providers
AI processing is performed by third-party AI service providers engaged by Vistera. The data passed to these providers is limited to what is necessary for the specific feature being used (data minimisation). These providers are not permitted to use your Client Content to train their AI models for other customers, to the extent that their terms permit Vistera to enforce this, and Vistera actively opts out of model training where that option is available under the applicable provider agreement.
4.6 Cross-Border Processing by AI Providers
Third-party AI service providers used by Vistera may process data outside Canada, including in the United States or other jurisdictions. Where this is the case, your Client Content may be subject to the laws of those jurisdictions while it is being processed. Vistera remains accountable for your Client Content and takes reasonable contractual steps to protect it when it is processed outside Canada. If you require further information about the jurisdictions in which your Client Content may be processed, please contact us using the details in Section 11.
5. Document Lifecycle and Retention
5.1 Retention While Your Account Is Active
Client Content is retained for as long as your account remains active and for as long as is necessary to deliver the services you have requested.
5.2 Retention After Account Termination
Retention periods following account termination or Engagement closure are not yet finalized. Vistera will publish a formal retention schedule and communicate it to Clients before it takes effect. Until that schedule is published, Client Content is retained only for as long as is reasonably necessary to meet legal, professional, or operational obligations.
5.3 Requesting Deletion of Client Content
You may request deletion of your Client Content at any time by contacting us using the details in Section 11. We will process deletion requests within thirty [30] business days of receiving a valid request. Please note that some Client Content may be retained after a deletion request where retention is required to:
- comply with applicable law or a lawful order;
- meet professional record-keeping obligations (for example, where an Expert’s professional regulator requires records of advice given);
- resolve an active dispute or enforce an existing agreement; or
- fulfil any other legal obligation.
Where data is retained for these reasons, it will not be used for any other purpose.
5.4 Deletion of Individual Files
If you wish to delete a specific file or document rather than all Client Content, please contact us. We will confirm whether deletion of that file is possible given the above constraints.
6. Zoom Call Recordings
Video calls on the Platform may be conducted using Zoom. The handling of Zoom call recordings is distinct from the handling of other Client Content and is governed by a separate consent process.
6.1 Consent Required
Recording of video calls requires your explicit consent, which is requested at the time you book or start each call. You are not required to consent. If you do not consent, the call will proceed without recording and no AI summary of the call will be generated. All participants will be notified at the start of any recorded call.
6.2 Storage and Retention
Call recordings are stored by Zoom on Zoom’s infrastructure, which may include data centres outside Canada (including in the United States). Call recordings are subject to Zoom’s own retention policies. Vistera does not independently retain copies of call recordings; the call recording and any AI-generated transcript or summary produced by Zoom remain on Zoom’s systems. Please refer to https://www.zoom.com/en/trust/privacy/privacy-statement/ for details of how Zoom stores and retains call data.
6.3 Cross-Reference
For full details of how call recordings and Zoom AI summaries are processed, and for your rights in connection with call recording consent, please see our AI-Assisted Service Consent document (Section 4).
7. Security Measures
Vistera implements technical and organizational measures designed to protect your Client Content against unauthorized access, disclosure, alteration, and loss. These measures include:
- Encryption in transit: Client Content transmitted between your browser and the Platform is protected using TLS (Transport Layer Security).
- Encryption at rest: Client Content stored on Platform infrastructure is encrypted at rest using industry-standard methods.
- Role-based access controls: Access to Client Content is restricted based on job role and the specific Engagement. Users cannot access Client Content beyond their assigned scope.
- Audit logging: Access to Client Content by Vistera staff is logged, including who accessed the data, when, and for what purpose.
- Vulnerability management: The Platform undergoes periodic security assessments. Known vulnerabilities are remediated in accordance with Vistera’s internal security policies.
No security measures can guarantee absolute protection. If a security incident affects your Client Content, please see Section 9.
8. Data Portability
You have the right to request an export of your Client Content and Engagement data in a standard format.
8.1 Requesting an Export
To request a data export, contact us using the details in Section 11. Please include your account name and registered email address, and a description of the data you would like to export (for example, all Client Content associated with a specific Engagement, or all Client Content associated with your account).
8.2 Format and Timeline
We will provide exported data in a commonly used, machine-readable format where technically feasible. We will aim to fulfil export requests within thirty [30] business days of receiving a valid request, or within the timeframe required by applicable privacy law.
9. Incident Response and Breach Notification
In the event of a data breach or security incident that affects your Client Content, Vistera will:
- Investigate promptly: Vistera will investigate the incident to determine its scope and cause, and will keep records of the breach as required by applicable privacy law.
- Notify affected Clients: If the breach creates a real risk of significant harm, Vistera will notify you as soon as reasonably practicable after the breach is discovered and its scope is understood.
- Notify relevant authorities: Where required by the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation (including PIPA BC and PIPA AB), Vistera will report the breach to the relevant regulatory authority.
Breach notification will include, to the extent known at the time of notification: a description of what happened, the type of Client Content affected, the steps Vistera is taking to address the breach, and any steps you can take to protect yourself.
10. No Sale of Client Content
Your Client Content is never sold, licensed, rented, or shared with any third party for marketing, advertising, or commercial purposes unrelated to delivering the services you have requested. This applies to all Client Content; including uploaded documents, Engagement messages, and form inputs. It is an absolute restriction, not a default setting that can be overridden. This position is consistent with our AI-Assisted Service Consent document (Section 3.3).
11. Contact Information
For questions about this document, to request deletion of Client Content, to request a data export, or to exercise any privacy rights described here, please contact us at:
Vistera Technologies Corp. 1030 Westwood Street, Suite 202, Coquitlam, British Columbia V3C 4E4, Canada
Email: [email protected]
Phone: +1(778)800-8866