Legal

Privacy Policy

Last Updated: May 25, 2026

Introduction

At Stratégies Nira Flow Inc., operating as Nira Flow ("us," "we," "our," or the "Company"), we value your privacy and the importance of safeguarding your personal data. This Privacy Policy (the "Policy") describes our privacy practices, including how we collect, use, store, disclose, and protect information about individuals.

In this Policy, "Personal Data" refers to any information that, on its own or in combination with other available information, can identify an individual.

Stratégies Nira Flow Inc. is a Canadian corporation registered in Quebec. Our website is www.niraflow.ai. A French version of this Policy is available at niraflow.ai/confidentialite.

We comply with applicable privacy laws including:

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
Quebec's Act respecting the protection of personal information in the private sector (Law 25)
The European Union's General Data Protection Regulation (GDPR)
The United Kingdom's Data Protection Act 2018 and UK GDPR
The California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
Other applicable U.S. state privacy laws and international privacy frameworks

Designated Privacy Officer

In accordance with Quebec Law 25, the person responsible for the protection of personal information at Stratégies Nira Flow Inc. is:

Justine-Bernadette Stinvil Privacy Officer Email: privacy@niraflow.ai

You can contact the Privacy Officer to ask questions about this Policy, exercise your privacy rights, or report concerns about how your data is handled.

Scope

This Policy applies to the Stratégies Nira Flow Inc. website, web application, and services accessible through niraflow.ai.

This Policy does not apply to third-party websites, applications, or services that may be linked from our site. Such third parties have their own privacy practices, which we encourage you to review.

Personal Data We Collect

We collect only the data necessary to provide our service. Specifically:

Account Information

First and last name
Email address
Encrypted password

Billing and Payment Information

Billing address (collected via Stripe at checkout)
Payment method information (processed and stored by Stripe; Nira Flow does not store credit card numbers)
Subscription tier and billing history

User-Generated Content

Responses to our brand strategy forms (Brand Foundation, Vision/Purpose/Mission, Values/Positioning, Brand Personality, Reasons to Believe)
Generated brand playbooks and AI-produced strategic content
Notes, edits, and modifications you make to your generated content
Information about your business, products, target audience, vision, and other strategic context provided through forms

Technical and Usage Data

IP address (anonymized for analytics purposes)
Browser type and version
Device type and operating system
Login timestamps and authentication records
Pages visited and actions taken within the application
Error logs and operational data

We do not collect:

Phone numbers
Government-issued identification (SIN, driver's license, passport)
Sensitive personal data (health, biometric, sexual orientation, religious beliefs, etc.)
Children's data (our service is for users 18 and older)

How We Collect Personal Data

We collect Personal Data through:

Direct interaction. When you create an account, complete forms, make a purchase, contact our support, or subscribe to communications.

Automated collection. When you use our website and application, we automatically collect technical data through cookies and similar technologies (see "Cookies" section below).

Third-party processors. We receive limited data from third-party services we use to operate Nira Flow, such as payment confirmation from Stripe.

How We Use Personal Data

We use your Personal Data for the following purposes:

To provide and operate our service

Authenticate your account
Generate brand strategy content based on your form inputs
Display your dashboard and saved content
Generate and deliver downloadable PDF playbooks
Process subscriptions and payments

To communicate with you

Send transactional emails (account verification, billing receipts, password resets)
Respond to support inquiries
Send product updates if you have opted in to marketing communications

To improve our service

Analyze anonymized usage patterns to improve product features
Diagnose and fix technical issues
Monitor for security incidents and abuse

To comply with legal obligations

Tax reporting (Canada Revenue Agency, Revenu Québec)
Respond to lawful requests from authorities
Maintain financial records as required by law (typically 7 years)

Use of Artificial Intelligence

A core feature of Nira Flow is the AI-powered generation of brand strategy content. To deliver this feature, we rely on a third-party large language model.

The AI provider we use. We use Claude, developed by Anthropic PBC, a public benefit corporation headquartered in San Francisco, California, USA. Claude is accessed via Anthropic's API.

What data we send to Anthropic. When you complete one or more of our brand strategy forms, your form responses are transmitted to Anthropic's API to generate strategic written outputs. We do not transmit your account credentials, payment information, or any data unrelated to brand strategy generation.

Anthropic's data practices. Anthropic processes API customer data in accordance with their commercial terms:

Anthropic does not use API customer data to train its models
Data is processed primarily in the United States
Anthropic retains data temporarily for abuse and safety monitoring, then deletes it according to their published retention schedule
Anthropic's full privacy policy is available at anthropic.com/privacy

Where your data is stored. Generated outputs and form responses are stored in our database (hosted by Supabase) to populate your dashboard, generate your downloadable playbook, and allow you to revisit and refine your content over time.

Automated decision-making disclosure (Quebec Law 25). The strategic content in your playbook is generated by an AI system based on your inputs and is not reviewed by a human before delivery. We make our best efforts to design prompts that produce high-quality, useful output, but we cannot guarantee that AI-generated content is free from errors, omissions, or inaccuracies. We recommend you review your playbook critically before applying its recommendations to your business.

If you would like a human review of your generated content or want to understand how the AI generated specific output, please contact us at privacy@niraflow.ai.

Google User Data

Nira Flow integrates with Google Calendar to provide event-aware content generation as an optional feature. This section describes how we handle Google user data in compliance with Google's API Services User Data Policy.

Data we access. When you connect your Google Calendar, we access read-only event data including event titles, start and end times, and descriptions for events on your primary calendar within a 14-day window. We use the https://www.googleapis.com/auth/calendar.readonly scope, which provides read-only access. Nira Flow cannot create, modify, or delete any of your calendar data.

Why we access this data. Calendar events are surfaced as optional context within our content generation flow. When you tag a piece of content to a calendar event (for example, an upcoming product launch), the AI uses the event details to produce more relevant and timely content. Connecting your calendar is entirely optional.

Retention. We do not cache or store calendar events in our database. Events are fetched live from Google's API when you interact with the event picker. We store an encrypted refresh token (AES-256-GCM) so your connection persists across sessions until you disconnect.

Third-party flow. When you tag a piece of content to a specific event, only the details of that single tagged event are passed to Anthropic's Claude API as part of the content generation request. No other event data is transmitted, and no calendar data is shared with any third party other than what is required to generate the content you requested.

User control. You can disconnect your Google Calendar at any time via Settings → Calendar sync → Disconnect. Disconnecting deletes our stored access and refresh tokens immediately and revokes our access at Google. You can also revoke our access directly from your Google Account at https://myaccount.google.com/permissions.

Limited Use compliance. Nira Flow's use of Google user data complies with Google's Limited Use requirements for Workspace API user data. Specifically:

We use Google user data only to provide the user-facing features described above
We do not use Google user data for serving advertisements
We do not allow humans to read your Google user data, except (a) with your explicit affirmative consent for specific messages, (b) for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) for internal operations where the data has been aggregated and anonymized
We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets

For more information on Google's Limited Use policy, see the Google API Services User Data Policy at https://developers.google.com/terms/api-services-user-data-policy.

Third-Party Service Providers

We use the following third-party services to operate Nira Flow. Each has its own privacy practices that supplement (and do not replace) this Policy:

Service	Purpose	Location
Supabase	Database hosting, user authentication	United States
Vercel	Web application hosting	United States (with global edge network)
Anthropic	AI content generation (Claude API)	United States
Google (Calendar API)	Optional event-aware content generation	United States
Stripe	Payment processing, subscription billing	United States
Resend	Transactional email delivery	United States
PostHog	Privacy-first analytics (anonymized)	European Union
Zoho Mail	Domain email hosting (privacy@niraflow.ai)	United States / India

We have signed Data Processing Agreements or equivalent contractual safeguards (including Standard Contractual Clauses where applicable) with each of these providers to ensure your data is handled in compliance with applicable privacy laws.

International Data Transfers

Stratégies Nira Flow Inc. is based in Quebec, Canada. Your Personal Data may be transferred to and processed in jurisdictions outside of Canada, including the United States and the European Union, where our service providers operate.

For transfers of EU/UK Personal Data to jurisdictions not deemed "adequate" by the European Commission, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. The SCCs are available at https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32021D0914.

For transfers of Quebec residents' data outside Quebec, we conduct privacy impact assessments and ensure adequate safeguards as required by Quebec Law 25.

Cookies and Similar Technologies

We use a limited number of cookies and similar technologies. We do not use advertising or remarketing cookies.

Cookie	Purpose	Duration	Provider
Authentication session	Keeps you logged in	Session-based	Supabase
Analytics (anonymized)	Counts visitors and improves the product	Up to 1 year	PostHog
Preferences	Remembers your settings	Up to 1 year	Nira Flow

You can disable cookies in your browser settings. Note that disabling strictly necessary cookies may prevent you from using core features such as authentication.

Data Retention

We retain Personal Data only as long as necessary for the purposes described in this Policy:

Data type	Retention period
Account information	Active for the life of your account, deleted within 30 days of account deletion
Form responses and generated playbooks	Active for the life of your account, deleted within 30 days of account deletion
Payment records	7 years after last transaction (required by Canadian tax law)
Email logs	30-90 days
Analytics data	Up to 12 months, then anonymized or deleted
Support correspondence	Up to 24 months

If you delete your account, we delete or anonymize your data within 30 days, except where we are required by law to retain certain records (such as financial records for tax purposes).

Sharing and Disclosure

We share Personal Data only as described in this Policy:

With service providers listed above, who process data on our behalf under contractual safeguards.

To comply with legal obligations, including responding to lawful requests from public authorities, court orders, or as required to protect our legal rights.

In connection with a corporate transaction such as a merger, acquisition, or sale of assets. In such cases, we will notify you in advance and any successor entity will be bound by this Policy.

We do not sell your Personal Data. We do not share data with advertising networks or use your data for targeted advertising.

How We Keep Your Data Safe

We use organizational and technical safeguards to protect your Personal Data, including:

Encrypted connections (HTTPS/TLS) for all data transmission
Encrypted storage of sensitive data
Multi-factor authentication for administrative access
Access controls limiting who at Nira Flow can view user data
Regular security reviews of our infrastructure and third-party providers
Incident response procedures in the event of a data breach

In the event of a Personal Data breach affecting your data, we will notify you and applicable regulatory authorities (such as the Commission d'accès à l'information du Québec) within the timelines required by law.

Children's Privacy

Nira Flow is intended for users 18 years of age or older. We do not knowingly collect Personal Data from individuals under 18. If we become aware that we have collected Personal Data from a person under 18, we will delete it promptly. If you believe a child has provided us with Personal Data, please contact us at privacy@niraflow.ai.

Your Rights

Depending on your location, you have rights under applicable privacy laws. These include:

Right to access. Request a copy of the Personal Data we hold about you (PIPEDA, Quebec Law 25, GDPR Art. 15, CCPA/CPRA, and others).

Right to rectification. Correct inaccurate or incomplete data (PIPEDA, Quebec Law 25, GDPR Art. 16, CCPA/CPRA).

Right to deletion (right to be forgotten). Request deletion of your data, subject to legal retention requirements (Quebec Law 25, GDPR Art. 17, CCPA/CPRA).

Right to data portability. Receive a copy of your data in a structured, machine-readable format (Quebec Law 25, GDPR Art. 20, CCPA/CPRA).

Right to restriction of processing. Request that we limit how we process your data in certain circumstances (GDPR Art. 18).

Right to object to processing. Object to processing based on our legitimate interests, including direct marketing (GDPR Art. 21).

Right to withdraw consent. Withdraw your consent for processing at any time, where consent is the legal basis (Quebec Law 25, GDPR Art. 7).

Right to opt out of automated decision-making. Quebec Law 25 gives you the right to be informed about and contest automated decisions made about you. While Nira Flow uses AI to generate strategic content based on your inputs, this content is advisory and is not used to make decisions affecting your legal rights or significant interests. If you have concerns about AI-generated content in your account, contact privacy@niraflow.ai.

Right to file a complaint. You have the right to file a complaint with a data protection authority:

Quebec residents: Commission d'accès à l'information du Québec (cai.gouv.qc.ca)
Federal Canadian residents: Office of the Privacy Commissioner of Canada (priv.gc.ca)
EU/UK residents: Your local data protection authority (a list is available at edpb.europa.eu)

How to Exercise Your Rights

To exercise any of the rights above, contact us at privacy@niraflow.ai or use the data request form on our website.

For your security, we may need to verify your identity before processing your request. We will respond within 30 days of receiving your verified request, or sooner where required by law.

Changes to This Policy

We may update this Policy from time to time. When we make material changes, we will:

Update the "Last Updated" date at the top of the Policy
Post a notice on our website
Notify registered users by email if the changes materially affect your rights

Your continued use of Nira Flow after we publish changes constitutes acceptance of the updated Policy.

Contact Us

To exercise your rights, ask questions, or report concerns:

Email: privacy@niraflow.ai

Mail: Stratégies Nira Flow Inc. Attn: Privacy Officer (Justine-Bernadette Stinvil) 365 Sainte-Catherine Street East, Unit #184 Montréal, Quebec H2X 3X2, Canada

Submit a Privacy Request: niraflow.ai/contact-privacy

← Back to home