PRIVACY POLICY
SynaNoteAI.com
Effective Date: February 26, 2026
Last Updated: February 26, 2026
IMPORTANT NOTICE: THIS POLICY EXPLAINS HOW MIARTMEDIA LTD. COLLECTS, USES, DISCLOSES, AND PROTECTS INFORMATION IN CONNECTION WITH THE SYNANOTEAI PLATFORM. BY ACCESSING OR USING THE PLATFORM, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS POLICY.
1. ABOUT THIS POLICY AND WHO IT COVERS
1.1 Who We Are
This Privacy Policy is published by MiArtMedia Ltd. ("Company", "we", "us", or "our"), the operator of the SynaNoteAI.com platform (the "Platform"). MiArtMedia Ltd. is incorporated under the laws of Alberta, Canada, and our primary place of business is in Calgary, Alberta.
1.2 Scope
This Policy applies to information collected, processed, or stored in connection with:
- The SynaNoteAI.com web application and all related tools;
- Account registration and session management;
- AI-powered content generation features;
- Administrative dashboards and billing;
- Feedback submissions; and
- Any other interaction with our Platform.
1.3 Who This Policy Covers
This Platform is a Business-to-Business (B2B) service. The primary account holders ("Clients") are businesses operating in the automotive service industry. This Policy applies to:
- Clients — the business entities that hold a Client Account and manage access for their staff;
- Account Users — employees or contractors of a Client who access the Platform via an Account ID (e.g., technicians, service advisors, managers); and
- Visitors — individuals who visit the SynaNoteAI.com website without creating an account.
1.4 Applicable Law
We collect and process personal information in compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) (S.C. 2000, c. 5) and its Regulations, including the Privacy Breach of Security Safeguards Regulations. Where applicable, we also comply with the Alberta Personal Information Protection Act (PIPA), the British Columbia Personal Information Protection Act (BC PIPA), and Quebec's Act respecting the protection of personal information in the private sector (Law 25).
2. INFORMATION WE COLLECT
2.1 Account and Identity Information
When a Client registers for the Platform, we collect:
- Full name and/or business name;
- Email address (used as the primary authentication identifier via Supabase Auth);
- Phone number (optional, if provided);
- Business address details (city, province/state, postal code, country) as part of the billing profile; and
- Invoice and billing contact details.
2.2 Account IDs and Session Data
The Platform uses a proprietary Account Code system rather than individual user logins for day-to-day tool access. We collect and store:
- Account codes and their associated labels;
- Session tokens stored as HttpOnly, Secure cookies on your browser (cookie name: `synanote_session`). These cookies are strictly necessary for authentication and are not used for tracking or advertising. They expire automatically according to the configured session TTL;
- Session creation timestamps, expiry times, and last-seen timestamps; and
- IP address at the time of session creation (used for rate limiting and security purposes only).
2.3 Usage and AI Interaction Data
Every time an Account User submits a prompt to an AI tool, we log:
- The Account ID used;
- The AI model requested (e.g., Gemini Flash, Gemini Pro);
- Token consumption metrics: input tokens, output tokens, thinking tokens, total tokens, and token deviations;
- Estimated cost per request (used for billing and transparency);
- Request latency in milliseconds;
- Request status (success or error);
- The prompt category or tool type (e.g., "dtc_analysis", "job_story_builder"); and
- Timestamps of each interaction.
We do not permanently store the full text of prompts or AI-generated outputs. User-submitted prompt content is transmitted to Google's Gemini API for processing and is subject to Google's data handling policies (see Section 5.2). We store metadata about the interaction, not the content itself, unless it is included in feedback submissions.
2.4 Feedback Submissions
If you submit feedback through the Platform, we collect:
- The feedback message (10–2,000 characters);
- The category of the feedback (e.g., bug, UX, feature request);
- The surface from which it was submitted (client dashboard or tools interface);
- Your browser's user agent string;
- Your viewport dimensions; and
- An optional screenshot, if you choose to attach one.
Feedback is linked to an Account User reference, not to individually named employees.
2.5 Billing and Financial Data
We collect the following to support invoicing and billing:
- Company legal name and display name;
- Billing email address and phone number;
- Billing address;
- Invoice prefix preferences; and
- Usage totals per billing period.
We do not currently collect or store payment card numbers or banking information directly. Payment processing, when enabled, will be handled by a certified PCI-DSS compliant third-party processor (Stripe).
2.6 Administrative and Audit Data
Our admin audit log collects the following about super-admin actions:
- Admin user ID and email;
- The action taken (e.g., client suspended, audit log read);
- The resource type and ID affected;
- A record of changes (before/after values, where applicable);
- IP address;
- Browser user agent; and
- Severity classification and timestamp.
This log exists solely for security, accountability, and compliance purposes. It is accessible only to authorized super-admin personnel.
2.7 Technical and Operational Data
We automatically collect certain technical data when you use the Platform, including:
- IP addresses (for rate limiting and security threat detection);
- Browser and device information (via user agent string in certain contexts);
- Health check and readiness probe request logs; and
- Server-side error logs (which may include request metadata, but never prompt content or PII beyond what is already described above).
2.8 Information We Do NOT Collect
We do not intentionally collect the following:
- Vehicle owner Personally Identifiable Information (PII): Our Terms of Service prohibit Clients from inputting customer PII into the Platform. If such data is inadvertently included in a prompt, it is transmitted to the AI processor and is not retained by us;
- Health or financial data about individuals;
- Biometric data; or
- Children's data: The Platform is not directed at persons under the age of 18 and we do not knowingly collect information from minors.
3. HOW WE USE YOUR INFORMATION
We use the information we collect for the following purposes, each grounded in a legitimate legal basis under PIPEDA:
3.1 To Provide and Operate the Platform
- Authenticate Clients and Account Users;
- Route AI generation requests to the appropriate model;
- Enforce rate limits and daily usage caps;
- Generate invoices and billing reports; and
- Maintain the Client dashboard and admin controls.
Legal basis: Performance of contract; legitimate business interest.
3.2 To Ensure Security and Prevent Fraud
- Detect and respond to unauthorized access attempts;
- Maintain the admin audit log for accountability;
- Enforce IP allowlists and MFA requirements; and
- Suspend accounts that violate the Terms of Service.
Legal basis: Legitimate business interest; compliance with legal obligations.
3.3 To Improve the Platform
- Analyse aggregated, anonymized usage patterns to understand which tools are most valuable;
- Review feedback submissions to prioritize product improvements; and
- Monitor AI model cost efficiency.
We do not use individual prompt content to train AI models. Any model improvement analysis is conducted on anonymized, aggregated metadata only.
All AI tools on the Platform are designed and instructed to generate transformative output summaries — structured narratives and standardized documentation of work described by the user — and are not designed or instructed to reproduce, extract, or republish submitted source material. MiArtMedia Ltd. does not operate as a publisher or reproducer of user-submitted content.
Legal basis: Legitimate business interest.
3.4 To Communicate With You
- Send transactional emails such as account notifications, invoice delivery, password reset links, and usage alerts;
- Respond to support requests; and
- Send marketing communications only where you have provided express consent under CASL.
Legal basis: Performance of contract; express consent (marketing only).
3.5 To Comply With Legal Obligations
- Respond to lawful government requests or court orders;
- Maintain records required under Canadian tax law; and
- Cooperate with OEM audit or compliance verification processes where required.
Legal basis: Legal obligation.
4. COOKIES AND TRACKING TECHNOLOGIES
4.1 Session Cookies (Strictly Necessary)
The Platform uses a single HttpOnly, Secure, SameSite=Strict session cookie (`synanote_session`) to maintain authenticated sessions for Account Users. This cookie:
- Is set server-side and is not accessible by JavaScript;
- Does not contain any personal information — it stores only an opaque session token;
- Expires automatically based on the configured session TTL (default: 24 hours); and
- Is cleared when a user signs out.
This cookie is strictly necessary for the Platform to function and does not require separate consent under applicable Canadian law.
4.2 No Advertising or Tracking Cookies
We currently do not use advertising cookies, cross-site tracking pixels, social media widgets, or third-party analytics scripts that set cookies. If we add product analytics (e.g., Posthog) in the future, we will update this Policy and implement an appropriate consent mechanism prior to deployment, in compliance with PIPEDA and CASL.
4.3 Third-Party Cookies
We do not embed third-party content that sets cookies on this Platform. Our AI provider (Google) operates server-side and does not set cookies in your browser through our Platform.
5. HOW WE SHARE YOUR INFORMATION
We do not sell, rent, or trade personal information. We share information only in the circumstances described below.
5.1 Within Your Organization
Clients who hold a Client Account can view usage dashboards and usage event metadata for all Account IDs under their account. Individual employees are not identified by name in usage logs — only by Account ID. Clients are responsible for ensuring their internal access policies comply with applicable privacy laws.
5.2 Sub-Processors and Third-Party Service Providers
We engage the following sub-processors. By using the Platform, you consent to the transfer of data to these providers, which may involve cross-border transfers outside Canada:
| Sub-Processor | Purpose | Location | Data Shared |
|---|---|---|---|
| Google LLC (Gemini API) | AI content generation | United States (Google Cloud) | Prompt content submitted by Account Users |
| Supabase Inc. | Database, authentication, and storage | United States (AWS) | Account data, usage events, session data, audit logs |
| DigitalOcean LLC | Application hosting and infrastructure | Canada / United States | All application data at the infrastructure layer |
| Stripe Inc. *(future)* | Payment processing | United States | Billing contact details, transaction records |
Google Gemini API: Prompts submitted to AI tools are transmitted to Google's Gemini API for processing. Google's use of this data is governed by the [Google Cloud Platform Terms of Service](https://cloud.google.com/terms) and the [Google Generative AI Additional Terms](https://policies.google.com/terms/generative-ai). As of the effective date of this Policy, Google does not use Gemini API data to train its models without separate agreement. However, once data is transmitted to Google's API, it is outside MiArtMedia Ltd.'s control and processed solely under Google's own policies and agreements. MiArtMedia Ltd. makes no representations or warranties regarding Google's data handling practices and accepts no liability for how Google processes, stores, uses, or retains transmitted data, regardless of any representations Google makes in its own policies. Clients and Account Users should not submit personal vehicle owner information, health data, or other sensitive personal information as part of prompts.
Supabase: Supabase serves as our primary database and authentication provider. Data stored in Supabase is subject to Supabase's [Privacy Policy](https://supabase.com/privacy) and [Data Processing Agreement](https://supabase.com/legal/dpa). Supabase processes data on servers located in the United States.
Cross-Border Transfers: You acknowledge that by using the Platform, your data may be transferred to, stored, and processed in the United States and other jurisdictions outside Canada, where privacy laws may differ from those in your province or territory. We have implemented contractual safeguards (data processing agreements with sub-processors) consistent with PIPEDA requirements for cross-border transfers.
5.3 Legal Disclosures
We may disclose personal information if required by law, regulation, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to:
- Comply with a legal obligation;
- Protect and defend the rights or property of MiArtMedia Ltd.;
- Prevent or investigate possible wrongdoing in connection with the Platform; or
- Protect the personal safety of users or the public.
We will, where legally permissible, provide reasonable notice to the affected Client before complying with such a request.
5.4 Business Transfers
If MiArtMedia Ltd. is involved in a merger, acquisition, asset sale, or bankruptcy proceeding, personal information held by us may be transferred as part of that transaction. We will provide notice via the Platform or by email before personal information is subject to a different privacy policy as a result of such a transaction.
5.5 Resellers and Authorized Partners
The Platform supports multi-client reseller accounts. If you access the Platform through an authorized reseller, that reseller may have access to your account's usage and billing data as part of their administrative role. The reseller's use of your data is governed by any agreement between you and the reseller. MiArtMedia Ltd. is not responsible for the reseller's data handling practices beyond the scope of the Platform.
6. DATA RETENTION
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
| Data Category | Retention Period |
|---|---|
| Client account and identity data | Duration of active subscription + 30 days post-termination |
| Account IDs and configurations | Duration of active subscription + 30 days post-termination |
| Account session tokens | Automatic expiry per TTL; purged by scheduled cleanup |
| Usage event logs (metadata only) | 24 months from the date of creation |
| Admin audit logs | 36 months from the date of creation |
| Feedback submissions | 24 months from the date of submission, or until resolved |
| Invoice and billing records | 7 years (as required under Canadian tax law) |
| Rate limit event logs | 90 days |
After the applicable retention period, data is deleted or anonymized. We are not a data archiving service and Clients are responsible for maintaining their own backups of all compliance-critical records (warranty narratives, RO documentation, etc.).
7. SECURITY SAFEGUARDS
We implement technical, administrative, and organizational safeguards appropriate to the sensitivity of the personal information we process. These include:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS). All data transmitted to sub-processors uses encrypted channels.
- HttpOnly session cookies: Session tokens cannot be accessed by browser-side JavaScript, protecting against cross-site scripting (XSS) attacks.
- Row Level Security (RLS): Our Supabase database enforces row-level security policies ensuring Clients can only access their own data.
- IP allowlisting: Admin access can be restricted to specific IP addresses.
- Multi-Factor Authentication (MFA): Enforced for all super-admin accounts.
- Rate limiting: All API endpoints are rate-limited to prevent abuse.
- Audit logging: All administrative actions are logged with IP address, user agent, and change records for accountability.
- Role-based access: Clients can only see tools appropriate to their designated role.
- No PII in session tokens: Session cookies contain only opaque tokens — no personal data.
- Principle of least privilege: Service-role database keys are server-side only and never exposed to the client.
Despite these safeguards, no method of transmission or storage is 100% secure. In the event of a privacy breach that creates a real risk of significant harm, we will notify affected individuals and the Office of the Privacy Commissioner of Canada as required under PIPEDA's breach reporting obligations.
8. YOUR RIGHTS AND CHOICES
8.1 Right of Access
You have the right to request access to the personal information we hold about you, including confirmation of whether we hold information, the categories of information held, how it is used, and to whom it has been disclosed. Requests can be directed to the contact information in Section 11.
8.2 Right of Correction
You have the right to request correction of inaccurate or incomplete personal information we hold about you. Clients can update their account information and billing profile directly through the Platform dashboard.
8.3 Right of Withdrawal of Consent
Where we process personal information on the basis of consent (e.g., for marketing communications), you may withdraw consent at any time by:
- Using the unsubscribe link included in every marketing email; or
- Contacting us directly at the address in Section 11.
Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal. Withdrawal of consent to processing that is necessary to provide the Platform will result in termination of your account.
8.4 Right to Request Deletion
You may request deletion of your personal information. We will fulfil such requests subject to:
- Our legal obligations to retain certain data (e.g., tax records, audit logs during litigation hold); and
- The need to retain data to detect and prevent security incidents or fraud.
Upon account termination, Client data is retained for 30 days to allow for data export or account recovery, after which it is deleted per our retention schedule.
8.5 Right to Lodge a Complaint
If you believe we have not handled your personal information in accordance with PIPEDA or applicable provincial privacy law, you have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada:
- Website: [www.priv.gc.ca](https://www.priv.gc.ca)
- Telephone: 1-800-282-1376
- Mailing address: 30 Victoria Street, Gatineau, QC K1A 1H3
Residents of Alberta may also contact the Office of the Information and Privacy Commissioner of Alberta at [www.oipc.ab.ca](https://www.oipc.ab.ca).
Residents of British Columbia may also contact the Office of the Information and Privacy Commissioner for British Columbia at [www.oipc.bc.ca](https://www.oipc.bc.ca).
We ask that you contact us first to attempt to resolve any concerns before escalating to a regulatory authority (see Section 11).
9. CLIENT RESPONSIBILITIES
As a B2B platform, a significant portion of any personal information that flows through the Platform is submitted by Clients and Account Users, not collected directly by us. In this regard:
9.1 You Are the Data Controller for User-Submitted Content
Clients are responsible for ensuring that:
- Any personal information submitted as part of AI prompts (e.g., customer names, vehicle VINs linked to identifiable individuals) is handled in compliance with PIPEDA and any applicable provincial privacy law;
- Their employees and contractors using the Platform are informed that their Account ID usage activity is logged; and
- They have obtained any necessary consents from their customers before submitting customer-related information to the Platform.
Clients are also solely and entirely responsible for all content submitted as prompts to any AI tool on the Platform. MiArtMedia Ltd. has no ability to screen, moderate, or assess prompt content for accuracy, legality, third-party IP compliance, confidentiality obligations, or any other consideration prior to transmission. All consequences — legal, regulatory, contractual, or otherwise — arising from the content of prompts submitted by Clients or Account Users are the Client's sole responsibility.
9.2 Prohibition on Sensitive Personal Information
Clients agree not to submit the following categories of data to AI tools on the Platform:
- Social Insurance Numbers or government-issued identification numbers;
- Health records or medical information;
- Financial account numbers or payment card data;
- Passwords or authentication credentials; or
- Any personal information about children under the age of 18.
9.3 Prohibition on Unauthorized Third-Party Content and Prompt Responsibility
Clients agree not to submit to the Platform any content that infringes the intellectual property rights of a third party or that they do not have the legal right to submit for AI processing. This includes, without limitation, excerpts from proprietary OEM manuals, technical service bulletins obtained under restricted licence, DMS-exported data subject to a vendor's terms of service, content from subscription databases (including ALLDATA, Mitchell1, Identifix, or equivalent services), or any other materials protected by copyright, trade secret, or confidentiality agreement.
The Platform's transient processing model — in which user-submitted content is transmitted to Google's Gemini API in real time and is not permanently stored by MiArtMedia Ltd. — does not constitute reproduction, publication, or redistribution of that content by MiArtMedia Ltd. MiArtMedia Ltd. has no practical ability to screen prompt content for third-party IP compliance in real time. Clients are solely responsible for ensuring that all content submitted as prompts complies with all applicable copyright laws, licence agreements, and third-party terms of service. MiArtMedia Ltd. accepts no liability for any claim arising from a Client's or Account User's submission of third-party proprietary or restricted content to the Platform.
9.4 Reseller Obligations
Clients acting as resellers who manage sub-accounts on behalf of other businesses are solely responsible for ensuring those downstream businesses are informed of the data practices described in this Policy.
10. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time to reflect changes to our practices, legal requirements, or the features of the Platform. When we make material changes, we will:
- Update the "Last Updated" date at the top of this Policy;
- Post a notice on the Platform; and/or
- Send an email notification to the primary account email on file.
Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the revised Policy. If you do not agree to the revised Policy, you must stop using the Platform and request account deletion.
11. CONTACT INFORMATION AND PRIVACY OFFICER
For questions, access requests, correction requests, deletion requests, or complaints related to this Privacy Policy, please contact:
MiArtMedia Ltd.
Attn: Privacy Officer
Email: [email protected]
Phone: 403-990-9070
Website: https://synanoteai.com/
We will acknowledge receipt of your request within 10 business days and respond substantively within 30 days, or notify you if additional time is required pursuant to PIPEDA.
12. DEFINITIONS
For clarity, the following definitions apply throughout this Policy:
- "Account ID" means a unique identifier code issued to a Client that grants access to the Platform's tools.
- "Account User" means any individual who accesses the Platform using an Account ID issued by a Client.
- "AI Content" means any text, analysis, or other output generated by an AI model in response to a user prompt.
- "Client" means the business entity holding a Client Account with MiArtMedia Ltd.
- "Personal Information" has the meaning given under PIPEDA: any information about an identifiable individual.
- "Platform" means the SynaNoteAI.com application, including all associated APIs, dashboards, and tools.
- "Prompt" means any text or structured data submitted by an Account User to an AI tool on the Platform.
- "Sub-Processor" means a third-party service provider engaged by MiArtMedia Ltd. to process personal information on its behalf.
Document Date: March 20, 2026