Privacy Policy
This Privacy Policy explains how Vistera Technologies Corp. (“Vistera,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information in connection with the Vistera platform (“Platform”). Please read this policy carefully before using the Platform.
1. Introduction
1.1 Who We Are
Vistera is a business-to-business (“B2B”) professional advisory platform operated by Vistera Technologies Corp., a company incorporated in and operating from British Columbia, Canada.
Our registered address is:
1030 Westwood Street, Suite 202, Coquitlam, British Columbia V3C 4E4, Canada
1.2 What This Policy Covers
This Privacy Policy covers personal information that Vistera collects through the Platform, including: information about individuals who use the Platform as Authorized Users of a Client Organization, individuals who appear in Client Content, and contact persons for Client Organizations. This policy does not cover:
- personal information collected by third-party websites or services that are linked to or from the Platform but are not operated by Vistera;
- the personal information handling practices of Client Organizations themselves; or
- billing and payment information, which is handled by Vistera outside the Platform.
1.3 B2B Platform
The Platform is designed for use by businesses and organizations. We primarily collect and process information about individuals in their capacity as business representatives, employees, or contractors, not as private consumers. References in this policy to “you” may refer to the Client Organization, its Authorized Users, or both, depending on context.
2. Legal Framework
2.1 Applicable Privacy Laws
Vistera is subject to Canadian privacy law. The applicable legislation depends on where a Client Organization is located and where the services are principally delivered:
- Federal, PIPEDA: The Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) (“PIPEDA”) applies to Vistera’s commercial activities across Canada, including in provinces without substantially similar provincial privacy legislation (such as Ontario), and to the interprovincial and cross-border flow of personal information.
- British Columbia, PIPA BC: The Personal Information Protection Act (S.B.C. 2003, c. 63) (“PIPA BC”) applies to Client Organizations and interactions principally located in British Columbia. PIPA BC has been declared substantially similar to PIPEDA and generally governs in place of PIPEDA for BC-based commercial activities.
- Alberta, PIPA AB: The Personal Information Protection Act (S.A. 2003, c. P-6.5) (“PIPA AB”) applies similarly for Client Organizations and interactions principally located in Alberta. PIPA AB has also been declared substantially similar to PIPEDA and includes mandatory breach reporting to the Information and Privacy Commissioner of Alberta.
Even where a provincial Act governs the substance of a Client relationship, PIPEDA continues to apply to the transfer of personal information across provincial and national borders. Vistera remains accountable for personal information transferred to a service provider for processing, including providers located outside Canada (see Sections 6 and 7).
2.2 Our Commitment
All three legislative frameworks share a foundation of fair information principles: we collect only what we need, use it only for the purposes we describe, and protect it with reasonable safeguards. Where the applicable law is uncertain, we apply the most protective standard.
3. Information We Collect
We collect personal information only for purposes that a reasonable person would consider appropriate given the circumstances. The categories of information we collect are described below.
3.1 Account Registration Data
When a Client Organization registers for the Platform, we collect business name and legal entity type; the contact name, title, and business email address of the individual registering the account; the business mailing address; and other information reasonably necessary to verify the Client Organization’s identity and set up the account.
3.2 Authorized User Information
When a Client Organization grants access to the Platform to employees or contractors (“Authorized Users”), we collect the name and business email address of each Authorized User, and the role or permissions assigned within the Platform.
3.3 Client Content
Clients and Authorized Users submit documents, data, and other content through the Platform as part of requesting and receiving expert services (“Client Content”). Client Content may contain personal information about employees, contractors, or counterparties of the Client Organization; third parties referenced in legal, financial, or HR matters submitted as Engagements; or other individuals whose information is relevant to the services requested. Clients are responsible for ensuring they have the authority to submit any personal information included in Client Content under applicable privacy law. We process Client Content only to deliver the services requested and for the other purposes described in Section 4.
3.4 Usage Data and Logs
When you use the Platform, we automatically collect certain technical information, including log data (pages accessed, features used, timestamps, actions taken); device and browser type; session identifiers; and error and diagnostic data. Where possible, we anonymize or pseudonymize this data before using it for operational and analytics purposes.
3.5 Cookies and Similar Technologies
The Platform uses cookies and similar technologies that are strictly necessary to operate the Platform and to keep you signed in securely (for example, session and authentication identifiers), and functional cookies that remember your preferences. We do not use advertising or cross-site tracking cookies, and we do not use cookies to build marketing profiles. Where consent is required for any non-essential cookie, we will obtain it.
3.6 Communications Within the Platform
Messages, comments, and other communications sent through the Platform between Authorized Users and Experts are stored by Vistera. These communications form part of the Engagement record and may include personal information shared in the course of requesting or delivering services.
3.7 Zoom Call Data
If a Client Organization consents to video call recording through Zoom, we may collect audio and/or video recordings of the call; AI-generated call summaries and transcripts produced by Zoom’s AI features; and metadata associated with the call (date, time, participants, duration). Consent to call recording and AI summarization is requested separately at the time of the call. See Section 5 for further details on how Zoom AI summaries are used.
3.8 Expert Calendar Integration via Nylas
The Platform uses Nylas to manage consultation scheduling on behalf of Experts. Where an Expert has connected their Google or Microsoft calendar account, Nylas is used to query the Expert’s free/busy availability so that Clients can see bookable time slots; create a calendar event in the Expert’s calendar when a Client books a consultation (including event title, start/end time, and the Client’s email address as an attendee); and update or delete that calendar event when a consultation is rescheduled or cancelled. No email content is accessed or stored. The only personal information passed to Nylas in the context of event creation is the Expert’s calendar grant credentials (held by Nylas), the consultation time, and the attendee email address of the Client booking the call.
3.9 Authentication Session Data
The Platform uses BetterAuth to manage user authentication. We collect hashed credentials (passwords are never stored in plain text); session tokens and identifiers; and multi-factor authentication status where applicable. This data is used solely to authenticate users and maintain session security.
4. How We Use Information
We use personal information only for the purposes for which it was collected or for purposes consistent with those, as described below.
4.1 Delivering Expert Services
We use the information we collect including; account data, Client Content, call recordings, and communications - primarily to assign Engagements to appropriate Experts; facilitate communication between Clients and Experts; allow Experts to review, analyze, and respond to Engagement requests; deliver work product and advice to Clients; and maintain a record of the services provided.
4.2 AI-Assisted Processing
Documents, Engagement content, and communications may be processed using AI tools to assist Experts in delivering services. This processing is described in detail in Section 5. AI-generated output is never delivered directly to Clients; it is always reviewed by a qualified Expert before any client-facing communication.
4.3 Operating and Improving the Platform
We use usage data, error logs, and aggregated or anonymized information about how the Platform is used to diagnose technical problems and improve Platform reliability; develop and test new features; and understand how Clients interact with the Platform at a high level. We do not use identifiable personal information to build user profiles for marketing or advertising purposes.
4.4 Transactional and Commercial Electronic Messages
We use account registration data and contact information to send account setup and verification emails; notifications about Engagement status and activity; service updates and policy change notices; and security alerts related to your account. We send commercial electronic messages in compliance with Canada’s Anti-Spam Legislation (CASL): such messages identify Vistera as the sender and include an unsubscribe mechanism where required. We do not send marketing emails to Clients without the consent required by CASL, and we do not share email addresses with third parties for marketing purposes.
4.5 Security and Fraud Prevention
We use account and usage data to detect and prevent unauthorized access to the Platform; investigate and respond to security incidents; and enforce our Terms of Service.
4.6 Legal Compliance
We may use or disclose personal information where required to do so by applicable Canadian law, court order, or regulatory authority, or where Vistera reasonably determines disclosure is necessary to protect its legal rights or the safety of any person.
5. AI and Automated Processing
5.1 How AI Is Used on the Platform
Vistera uses artificial intelligence tools internally to help Experts deliver services more effectively. AI may be used to summarize documents uploaded as Client Content; generate notes or summaries of Engagement threads and communications; produce first-draft responses or work product for Expert review; and summarize video call recordings (where call recording consent has been given, see Section 5.3).
5.2 Human Review of All Client-Facing Content
AI-generated output is used only as an internal working tool for Experts. No AI-generated content is delivered to Clients without prior review and approval by a qualified Expert. All advice, recommendations, documents, and responses that Clients receive through the Platform are reviewed, edited as appropriate, and approved by a human Expert before delivery.
5.3 Zoom AI Call Summaries
If a Client Organization has consented to call recording, Zoom’s AI features may generate an automated summary or transcript of the call. This AI summary is surfaced to the assigned Expert as a working reference. It is not delivered to the Client as-is. Consent to call recording and AI summarization is requested separately at the time of each call; it is not assumed from general consent to use the Platform.
5.4 No Automated Decision-Making That Affects You
Vistera does not use automated decision-making processes that produce legal effects or similarly significant effects on Clients or Authorized Users. All decisions relating to the services delivered through the Platform are made by qualified human Experts.
5.5 AI Providers
AI processing may be performed in part by third-party AI service providers engaged by Vistera. Each provider operates under its own terms of service. Where those terms permit model training on customer data, Vistera will opt out of such use to the extent the provider’s terms allow. Details of our third-party processors are in Section 6.
6. Third-Party Service Providers
We engage third-party service providers (“data processors”) to operate certain aspects of the Platform. Each provider operates under its own standard terms of service and privacy policy, links to which are provided below. We take reasonable steps to select providers with appropriate privacy and security standards and limit the personal information shared with each provider to what is necessary for its function.
6.1 AWS S3
Client-uploaded files and generated documents are stored in Amazon Web Services (AWS) S3. We use the AWS Canada (Central) region where possible to keep data resident in Canada. In some cases, redundancy or failover configurations may involve US AWS regions. Documents stored in AWS are encrypted at rest.
6.2 Zoom
Video consultations between Clients and Experts are conducted through Zoom. Where call recording and AI summarization are enabled with Client consent, Zoom processes audio/video recordings and generates AI summaries. Zoom operates data centres in multiple regions, including the United States. Clients should be aware that call recordings and transcripts may be processed on Zoom’s infrastructure outside Canada. Further information is available in https://www.zoom.com/en/trust/privacy/privacy-statement/.
6.3 Nylas
Consultation scheduling is facilitated through Nylas. When an Expert connects their Google or Microsoft calendar account, Nylas processes the Expert’s calendar grant credentials and free/busy availability data on our behalf. When a Client books a consultation, Nylas creates a calendar event in the Expert’s calendar containing the event title, time, and the Client’s email address as an attendee, and updates or deletes that event when a consultation is rescheduled or cancelled. Nylas’s default infrastructure is located in the United States. No email content is accessed or stored through this integration. Further information is available in https://www.nylas.com/privacy-policy/.
6.4 Resend
Transactional emails (such as account notifications and Engagement updates) are delivered through Resend. Resend processes the email addresses of Authorized Users and the notification content necessary to deliver these messages. Resend may process data in the United States.
6.5 Upstash QStash
We use Upstash QStash as an internal asynchronous event queue to coordinate background processing tasks on the Platform. Event payloads passed through QStash do not contain personally identifiable information at rest. QStash is used solely for internal system coordination.
6.6 Sentry
We use Sentry for application error monitoring and, on the client side, session replay to help diagnose errors. Sentry is configured to suppress automatic capture of IP addresses, cookies, and request headers. User identity is passed to Sentry as an opaque internal identifier only; email addresses and usernames are never sent. Session replay captures anonymized screen recordings; text content is masked and media is blocked by default. Sentry may process data in the United States. Further information is available in https://sentry.io/privacy/.
6.7 Stripe
Payment processing services are provided by Stripe. When a Client processes a payment or an Expert sets up a payout account, Stripe collects and processes payment card details, bank account information, transaction data, and relevant identity verification details directly. This data is handled in accordance with Stripe’s own security standards, including Payment Card Industry Data Security Standard (PCI-DSS) compliance. Stripe processes data globally, including on infrastructure located in the United States. Further information is available in https://stripe.com/privacy.
7. Data Residency and Cross-Border Transfers
7.1 Canada-First Approach
Vistera stores personal information in Canada where this is feasible. Our primary document storage uses the AWS Canada (Central) region, and our Platform infrastructure is operated with Canada as the preferred data residency location.
7.2 Transfers to the United States
Some of our third-party service providers (including Zoom, Nylas, Resend, and Sentry) may process personal information on infrastructure located in the United States. While personal information is in the United States, it may be subject to access by US authorities under US law, which does not provide protections equivalent to PIPEDA or the applicable provincial legislation. Vistera remains accountable for personal information transferred to these providers and takes reasonable steps to protect it through:
- limiting the personal information shared with each processor to what is necessary for that processor’s function;
- selecting processors with recognized privacy and security certifications where available; and
- relying on each processor’s contractual and published privacy and security commitments.
Where Client Content includes information that may be subject to solicitor-client privilege, Clients should review the privilege considerations described in the Expert Services Disclaimer (Section 2.3) before submitting it.
7.3 No Transfers for Marketing
We do not sell, rent, or share personal information with third parties for advertising or marketing purposes, whether in Canada or internationally.
8. Data Retention
8.1 Retention Schedule
We retain personal information only for as long as necessary to fulfill the purposes for which it was collected and to meet our legal, regulatory, contractual, and professional record-keeping obligations. A formal data retention schedule is being finalized and will be published as part of this Privacy Policy or as a separate Data Retention Policy before the Platform exits its early access phase.
8.2 General Principles
Until specific retention periods are published, we apply the following general principles:
- Personal information is retained for as long as necessary to deliver the services for which it was collected and to fulfill any legal, regulatory, contractual, or professional obligations.
- Engagement records, including Client Content, communications, and work product, are retained for a period sufficient to support any follow-up questions, disputes, or regulatory and professional record-keeping requirements relevant to the services delivered.
- Account information is retained for the duration of the Client relationship and for a reasonable period thereafter.
8.3 Deletion
Clients may request deletion of their Client Content and associated personal information by contacting us at the address in Section 13. We will respond within a reasonable time and process compliant requests subject to our legal obligations to retain records under applicable Canadian law; professional record-keeping obligations; any outstanding Engagement or unresolved dispute; and technical limitations inherent in secure deletion from backup systems, which may result in a delay before data is fully purged. Where data is retained for these reasons, it will not be used for any other purpose. We will not sell or share personal information with third parties for marketing purposes, regardless of retention period.
9. Your Privacy Rights
Under PIPEDA, PIPA BC, and PIPA AB, individuals have the following rights with respect to their personal information held by Vistera.
9.1 Right to Access
You have the right to request access to the personal information we hold about you, including information about the purposes for which it is used, the categories of information held, and with whom it has been shared. We will respond to access requests within 30 days (or as required by applicable law).
9.2 Right to Correct Inaccurate Information
You have the right to request correction of personal information that you believe is inaccurate, incomplete, or outdated. Where we agree the information should be corrected, we will update it and, where appropriate, notify any third parties to whom the information was disclosed.
9.3 Right to Withdraw Consent
Where our processing of personal information is based on your consent (or the consent of your Client Organization), you may withdraw that consent at any time, subject to legal or contractual restrictions and reasonable notice. Please note that withdrawal of consent may limit our ability to deliver some or all of the services requested; that withdrawal does not affect the lawfulness of processing that occurred before the withdrawal; and that some processing may continue on grounds other than consent (for example, legal obligation or legitimate business necessity). Consent to call recording and AI summarization (Section 5.3) may be withdrawn at any time without affecting other aspects of Platform use.
9.4 Right to Request Deletion
As described in Section 8.3, you may request deletion of your personal information. We will honour deletion requests subject to applicable legal and professional retention obligations and technical limitations. Canadian privacy law does not provide an unconditional right of erasure; deletion is processed to the extent we are not required or permitted to retain the information.
9.5 Exercising Your Rights
To exercise any of the rights described above, please contact us at the address in Section 13. We may need to verify your identity before processing your request. We will not charge a fee for a first access request within any 12-month period. If your request is complex or voluminous, we will notify you of any applicable fee before proceeding.
9.6 No Automated Refusals
Vistera will not refuse to provide service solely because an individual exercises a privacy right, except where the right to refuse is expressly permitted under applicable law.
10. Security
10.1 Technical and Organizational Safeguards
Vistera implements technical and organizational measures designed to protect personal information against unauthorized access, use, disclosure, loss, or destruction. These measures include encryption at rest for Client Content and account data stored in AWS S3; encryption in transit using TLS; role-based access controls restricting access to Experts and staff who need it; authentication managed through BetterAuth with hashed credential storage and multi-factor authentication for certain accounts; and monitoring through Sentry (configured with anonymized identifiers, as described in Section 6.6).
10.2 No Absolute Guarantee and Breach Notification
No security system is impenetrable. While we take reasonable steps to protect personal information, we cannot guarantee that unauthorized third parties will never defeat our security measures. We maintain records of security incidents involving personal information. In the event of a breach that creates a real risk of significant harm to individuals, we will notify affected individuals and the appropriate privacy authority (and keep records of the breach) as required by PIPEDA and applicable provincial privacy legislation.
10.3 Your Responsibility
You are responsible for maintaining the confidentiality of your account credentials and for notifying us promptly if you suspect unauthorized access to your account.
11. Children
The Platform is designed for business use only and is not directed at individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal information from an individual under 18, we will take steps to delete that information as promptly as possible. If you believe we may have inadvertently collected information from a minor, please contact us at the address in Section 13.
12. Changes to This Policy
Vistera may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable law. When we make material changes, we will notify you by email or through the Platform at least thirty (30) days before the changes take effect, unless a shorter notice period is required by law. Your continued use of the Platform after the effective date of any changes constitutes your acknowledgement of the updated policy. If you do not agree to the updated policy, you may close your account and stop using the Platform. The “Last updated” date at the top of this document reflects the most recent revision.
13. Contact Information and Complaints
13.1 Contact Us
For questions, concerns, or requests related to this Privacy Policy, or to exercise your privacy rights as described in Section 9, please contact us at:
Vistera Technologies Corp. — Privacy Office 1030 Westwood Street, Suite 202, Coquitlam, British Columbia V3C 4E4, Canada
Email: [email protected]
Phone: +1(778)800-8866
We will acknowledge your inquiry within five [5] business days and respond substantively within the timeframe required by applicable law.
14. Governing Law
14.1 Canadian Law
This Privacy Policy is governed by and construed in accordance with the laws of Canada and, depending on where your Client Organization is located or where the services are principally delivered, the applicable provincial law of British Columbia, Alberta, or Ontario. Where there is uncertainty about which provincial law applies, the laws of British Columbia will govern, as Vistera’s principal place of business is in Coquitlam, British Columbia.
14.2 Language
This Privacy Policy is written in the English language only. No French translation is provided or required.