Privacy Policy

Last updated: 18 April 2026

Effective date: 18 April 2026

Ambar Systems Inc. ("Ambar Systems", "we", "us", "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you visit ambarsystems.ca, enrol in our courses, engage our consulting services, or use the AmbarDigitalHub platform.

This policy is designed to comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Canada's Anti-Spam Legislation (CASL), and to reflect the principles of the Office of the Privacy Commissioner of Canada.

1. Who we are

Ambar Systems Inc. is a Canadian corporation with its head office at:

1401-28 Linden Street, Toronto, Ontario M4Y 0A4, Canada

For any privacy question, access request, or complaint, contact our Privacy Officer:

• Email: privacy@ambarsystems.ca
• Post: Privacy Officer, Ambar Systems Inc., 1401-28 Linden Street, Toronto ON M4Y 0A4

2. What personal information we collect

2.1 Information you give us directly

When you register, enrol, purchase, or contact us, we may collect:

• Full name, email address, and phone number.
• Billing address and, where applicable, shipping address.
• Organization or company name and job title.
• Professional credentials and course-completion history.
• Payment details (processed by our payment providers - we do not store full card numbers).
• Course enrolment records, quiz responses, assignment submissions, and certification results.
• Information you choose to include in free-text fields such as contact forms, assessment answers, or support messages.

2.2 Information we collect automatically

When you use our website or platform, we automatically collect:

• IP address and approximate geographic location.
• Browser type, device type, and operating system.
• Pages viewed, time on page, referral source, and navigation paths.
• Cookies and similar technologies (see Section 7).

2.3 Information from third parties

If you sign in through a third-party identity provider (for example, a corporate SSO using OpenID Connect or SAML), we receive the profile information you authorize that provider to share. We also receive records from payment providers confirming the status of your transactions.

3. Why we collect it (purposes)

We use personal information only for purposes identified to you at or before the time of collection. Specifically:

• To create and manage your account, tenant profile, or engagement file.
• To process purchases, enrolments, payments, and refunds.
• To deliver courses, certifications, digital products, and consulting services.
• To provide customer support, answer enquiries, and manage our relationship with you.
• To operate AI-powered features (AIAgentStudio) that help personalize your experience.
• To send transactional messages - receipts, enrolment confirmations, certificate delivery, engagement updates, and service notices.
• To send commercial electronic messages (newsletter, product announcements) only where you have given express CASL-compliant consent, and always with a clear unsubscribe option.
• To analyze site usage so we can improve the platform, the courses, and the service.
• To comply with our legal, tax, accounting, and regulatory obligations.

4. Legal basis and consent

Under PIPEDA, we rely on your consent - express or implied depending on context - to collect, use, and disclose personal information. You may withdraw your consent at any time, subject to legal and contractual restrictions (for example, we must retain transaction records for tax purposes). Withdrawing consent may limit the services we can provide to you.

For commercial electronic messages, we rely on express consent obtained at the point of opt-in, consistent with CASL.

5. How we share personal information

We do not sell your personal information.

We share personal information only in the following circumstances:

• Payment processors. Stripe and PayPal handle your transactions under their own privacy policies. We receive only a transaction confirmation and tokenized reference.
• Service providers. Hosting (Microsoft Azure), email delivery, analytics, and customer-support tools process data strictly on our behalf and under confidentiality obligations.
• Tenant administrators. If your account belongs to an organization that administers its own tenant on AmbarDigitalHub, that tenant's administrators may access enrolment records and progress data for reporting and operational purposes.
• Integrated learning tools (LTI 1.3). When you launch an external tool from within our learning platform, limited profile data is shared as specified by the LTI 1.3 standard.
• Legal, regulatory, and safety. We may disclose information where required by law, court order, lawful subpoena, or to protect rights, property, or safety.

All service providers that process personal information on our behalf are bound by written data processing agreements that require comparable privacy safeguards.

6. Where your information is stored

Our production infrastructure is hosted on Microsoft Azure. Where possible and where service availability permits, we use Canadian Azure regions. Some services (for example, certain AI model providers and analytics services) may process data in the United States or other jurisdictions.

Where personal information is transferred outside Canada, the information may be subject to foreign laws and lawful requests by foreign authorities. We use contractual safeguards - including data processing agreements and, where applicable, Standard Contractual Clauses - to require comparable protection.

7. Cookies and similar technologies

We use cookies and similar technologies for the following purposes:

You can manage cookie preferences through your browser or through the cookie banner on our site. Disabling essential cookies may prevent certain features from working.

8. How long we keep personal information

We retain personal information only as long as necessary to fulfil the purposes for which it was collected, to meet contractual obligations, or to comply with legal and regulatory requirements. Typical retention periods are:

• Account information - retained while your account is active; deleted within 30 days of a verified deletion request, subject to legal-retention exceptions.
• Transaction and invoice records - retained for seven years to meet Canadian tax and accounting requirements.
• Course completion and certification records - retained for the validity period of the certification program, or longer if required by the issuing accreditation body.
• Website analytics - aggregated and anonymized within 24 months.
• Consulting-engagement records - retained for the duration of our contractual relationship plus seven years.

9. Your rights

Under PIPEDA, you have the right to:

• Access the personal information we hold about you.
• Correct inaccurate or incomplete personal information.
• Withdraw consent for future collection, use, or disclosure (subject to legal limits).
• Be informed of how your personal information is used and who has seen it.
• Make a complaint to our Privacy Officer and, if unsatisfied, to the Office of the Privacy Commissioner of Canada.

To exercise any of these rights, contact our Privacy Officer at privacy@ambarsystems.ca. We will respond within 30 days as required by PIPEDA.

If you are unsatisfied with our response, you may contact the Office of the Privacy Commissioner of Canada at priv.gc.ca or by calling 1-800-282-1376.

10. Security

We take reasonable administrative, technical, and physical measures to protect personal information, including:

• TLS encryption for all data in transit.
• AES-256 encryption at rest for databases and backups.
• Role-based access controls and tenant-level data isolation.
• Regular security reviews and vulnerability assessments.
• PCI-DSS compliance through our certified payment processors (we never store full card numbers).
• Staff training on privacy, security, and responsible data handling.

No system is immune to every risk. If you become aware of a security concern involving our services, please contact security@ambarsystems.ca immediately.

11. AI features and your data

Our platform includes AI-powered features provided through AIAgentStudio. When you use those features:

• Inputs may be processed by third-party model providers to generate responses.
• We do not use your content to train public AI models without your explicit consent.
• For tenants on Enterprise plans, we can negotiate model-provider agreements that prohibit all training use of your content.
• AI-generated content is provided as-is and may contain inaccuracies. You remain responsible for reviewing and verifying any AI output you rely on.

12. Children

Our services are not directed at children under 16. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such information, contact us immediately and we will promptly delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent change. For material changes, we will provide a reasonable notice - for example, a platform notification or an email - before the change takes effect.

14. Contact

This page is provided as general information. It does not constitute legal advice. If you have a specific legal question about how your personal information is handled, consult qualified legal counsel.