How Nord Paradigm collects, uses, and protects your information. Last updated: May 3, 2026.
Nord Paradigm Inc. (“Nord Paradigm,” “we,” “us”) is committed to protecting your personal information. This policy explains what data we collect, why we collect it, how we use it, and your rights under Quebec’s Act respecting the protection of personal information in the private sector (Loi 25) and the Personal Information Protection and Electronic Documents Act (PIPEDA).
Nord Paradigm Inc. is an AI advisory and governance consultancy federally incorporated in Canada and registered in Quebec (NEQ 1181998668). Our principal place of business is at 393, rue Racine E, 4e étage, Chicoutimi, QC G7H 1T2, Canada.
In accordance with Loi 25, Nord Paradigm has designated the following person as responsible for the protection of personal information:
Dominic-André Leclerc, Founder
Nord Paradigm Inc.
Email: dominic@nordparadigm.com
You may contact this person to exercise your rights under Loi 25 or PIPEDA, ask questions about this policy, or file a privacy complaint.
We collect the company URL you submit, your email address (to deliver your report), and information inferred from publicly available sources about the company (such as industry and location). We do not store your company’s name or identifying details in our internal analytics. Reports used for internal research purposes are stripped of all business-identifying information.
In addition to the above, we collect the information you provide in the intake form: competitor names, business software you use, employee count range, and your description of current challenges. We also process payment and billing information through our payment provider (see Third-Party Services below). Your generated report is stored to allow you to re-access it.
We collect your email address to send you our newsletter. Newsletter signup is always separate from product consent. You can unsubscribe at any time.
Certain partners (marketing agencies, consultants, integrators) use Breach Pro to produce analyses on behalf of their own clients. In this flow:
We do not currently use website analytics or tracking tools. If we add analytics in the future, we will update this policy and, where required by law, request your consent before placing non-essential cookies.
Our products use artificial intelligence to analyze publicly available information about the company URL you submit and generate a written report.
In accordance with Article 12.1 of Loi 25, we inform you that:
We use the following service providers to operate our products. Each receives only the minimum data necessary to perform its function. Several are located in the United States; we have assessed the privacy implications of these transfers and have contractual safeguards in place as required by Article 17 of Loi 25.
| Service Provider | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | United States |
| Anthropic, PBC | AI model inference for report generation and visibility measurement | United States |
| OpenAI, L.L.C. | AI model inference for conversational assistant visibility measurement | United States |
| Google LLC (Gemini) | AI model inference for conversational assistant visibility measurement | United States |
| Google LLC (Places API) | Public business profile lookups for visibility analysis | United States |
| Firecrawl | Web scraping infrastructure | United States |
| Serper | Search results infrastructure | United States |
| Resend, Inc. | Transactional email delivery | United States |
| Beehiiv, Inc. | Newsletter delivery (Signal) | United States |
| Vercel, Inc. | Web hosting and content delivery | United States |
| Neon, Inc. | Database hosting | United States |
| Upstash, Inc. (QStash) | Message routing between report generation phases (no customer content transmitted) | United States |
| Cloudflare, Inc. | DNS, CDN, and tunnel infrastructure | United States |
| Google LLC (Workspace) | Business email and productivity | United States |
Important privacy commitments:
We do not sell, rent, or share your personal information with third parties for their marketing purposes.
| Data | Retention |
|---|---|
| Email address | Until deletion request |
| Intake form responses | 12 months after report generation |
| Generated reports (structured data) | 12 months after generation |
| Payment records | 6 years (Canada Revenue Agency requirement) |
| Competitor website data | Not retained after report generation |
| Newsletter subscription | Until unsubscribe |
| Server logs and error logs | 30 days |
Note on retention enforcement: The retention periods listed above are currently enforced through a manual procedure executed monthly by the person responsible for personal information protection. Automated retention enforcement is in development and will be deployed within 60 days following Breach Pro’s initial commercial launch. Any deletion request submitted under Section 28 of Law 25 is processed within 30 days, regardless of the automated enforcement schedule.
Note on generated reports: PDF reports are not stored persistently on our servers. Each PDF is regenerated on demand from the report’s structured data (JSON) held in our database. The structured data constitutes the record of reference; deleting this data deletes the report.
Under Loi 25 and PIPEDA, you have the right to:
To exercise any of these rights, email dominic@nordparadigm.com. We will respond within 30 days. If we cannot accommodate your request, we will explain why and inform you of your right to file a complaint with the CAI.
Download links: Report download links are cryptographically signed (JWT, HMAC-SHA256) and remain valid for 30 days from issuance. Anyone in possession of a valid link can access the corresponding report during that period; we recommend treating these links with the same care as a confidential file shared by email. A token revocation mechanism (allowing a link to be invalidated before the 30-day expiry, for example in cases of urgent deletion requests) is in development and will be deployed within 60 days following Breach Pro’s initial commercial launch.
We use only strictly necessary cookies required for our products to function (such as session management, security, and payment processing). These do not require consent under Loi 25 or PIPEDA.
We do not currently use analytics cookies, marketing cookies, or any other non-essential tracking. If we add such cookies in the future, we will update this policy and request your consent through a cookie banner before placing any non-essential cookie on your device.
Our Breach and Breach Pro tools analyze publicly available information from competitor websites that you identify. We access only data that any person could view in a web browser. We do not access login-protected content, scrape social media profiles, or collect personal information about individuals at competitor businesses. Competitor data is used solely within your report and is not retained after generation.
Our products are intended for businesses and adults. We do not knowingly collect personal information from individuals under 14 years of age. If you believe we have collected information from a minor, contact us immediately.
We may update this policy as our products and legal requirements evolve. The “last updated” date at the top reflects the most recent revision. For material changes, we will provide additional notice (such as a notice on our website or, where appropriate, by email).
For any questions about this policy or your personal information:
Dominic-André Leclerc
Person responsible for the protection of personal information
Nord Paradigm Inc.
393, rue Racine E, 4e étage, Chicoutimi, QC G7H 1T2, Canada
Email: dominic@nordparadigm.com
Website: nordparadigm.com