Privacy Policy

Your data protection rights and our commitments

Version 2.1 | Last Updated: May 14, 2026

1. Introduction

Digi Cosmos (A Division of Healthcart Inc.) (“Digi Cosmos,” “we,” “us,” or “our”), a Canadian Federal Corporation headquartered in Ontario, Canada, is committed to protecting your privacy and handling your personal information responsibly.

This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our AI-powered digital health assessment platform, DigiAudit AI Engine (the “Platform”). As a Canadian company, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's Anti-Spam Legislation (CASL), the General Data Protection Regulation (GDPR) for our EU users, and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) for California residents.

VOLUNTARY CONSENT: By using the DigiAudit AI Engine Platform, you voluntarily consent to the collection, processing, and use of your personal information as described in this Privacy Policy.

2. Information We Collect

2.1 Account Information

  • Name, email address, phone number
  • Company name, job title, industry
  • Account credentials (passwords are encrypted)
  • License type and subscription details
  • Consent preferences and timestamps

2.2 Audit Data

  • Responses to digital health questionnaires
  • Business information provided during assessments
  • Documents uploaded for Smart-Fill processing
  • AI-generated reports and recommendations

2.3 Technical Data

  • IP addresses and device information
  • Browser type and operating system
  • Usage patterns and feature interactions
  • Cookies and similar technologies
  • Session data and access logs

2.4 Payment Information

Payment processing is handled by Stripe. We do not store complete credit card numbers. We retain transaction records for tax and accounting purposes.

3. AI Data Processing & Privacy

AI PROCESSING DISCLOSURE: The DigiAudit AI Engine utilizes artificial intelligence to process and analyze user-submitted data. BY USING THIS PLATFORM, YOU ACKNOWLEDGE AND CONSENT THAT: (a) AI systems may process your data to generate insights, reports, and recommendations; (b) Your business data may be used to train and contextualize AI agents scoped exclusively to your account for hyper-personalized, data-driven reports — your data is never shared with or used to train models for other users or third parties; (c) Anonymized and aggregated data may be used to improve Platform performance; (d) AI-generated outputs may contain inferences or interpretations that users should independently verify; (e) Digi Cosmos is not liable for any privacy implications arising from AI processing that complies with applicable laws.

4. How We Use Your Information

  • Service Delivery: To provide digital health audits, generate reports, and deliver platform features
  • Account Management: To create and maintain your account, process payments, and provide support
  • AI Personalization: To train and contextualize our AI agents on your business data for hyper-personalized, data-driven reports; anonymized, aggregated data may also be used to improve overall Platform performance
  • Communications: To send service updates, security alerts, and marketing communications (with consent)
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes
  • Security: To detect, prevent, and address fraud, security issues, and technical problems
  • Research: To conduct research and analysis to improve our services

5. Legal Basis for Processing (GDPR)

For users in the European Union, we process personal data based on:

  • Contractual Necessity: Processing required to deliver our services (audits, reports, account management)
  • Consent: Marketing communications, optional analytics, AI personalization (contextual training on your business data for hyper-personalized reports)
  • Legitimate Interests: Security monitoring, fraud prevention, service improvement
  • Legal Obligation: Tax records, regulatory compliance, legal proceedings

6. How We Share Information

We do not sell your personal information. We may share data with:

  • Service Providers: Cloud hosting (AWS Canada), payment processing (Stripe), email services
  • AI Processing Partners: Third-party AI services for enhanced analysis (with appropriate data protection agreements)
  • Agency Partners: If you are an End Client of an Agency Partner, they may access your audit data as permitted by their agreement with you
  • Legal Requirements: When required by law, court order, or to protect our rights
  • Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice)

7. Data Retention

Digi Cosmos (A Division of Healthcart Inc.) retains user data in accordance with the following schedule: (a) Active Account Data: Retained throughout the account lifecycle; (b) Closed Accounts: Core records retained for 7 years after closure for tax, legal, and compliance purposes; (c) Audit Data: Retained for the duration of subscription plus 7 years; (d) Payment Records: Retained for 7 years as required by tax regulations; (e) Consent Records: Retained for 7 years after consent withdrawal; (f) Server Logs: Retained for 90 days; (g) Anonymized Analytics: May be retained indefinitely. Users may request data deletion subject to legal retention requirements.

  • Active Accounts: Throughout the account lifecycle
  • Closed Accounts: 7 years after account closure
  • Audit Data: Duration of subscription + 7 years
  • Payment Records: 7 years (tax compliance)
  • Consent Records: 7 years after consent withdrawal
  • Server Logs: 90 days

8. Data Security & Breach Notification

We implement industry-standard security measures including:

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • Multi-factor authentication for administrative access
  • Regular security assessments and penetration testing
  • Role-based access controls (RBAC)
  • Enterprise-grade security controls aligned with industry best practices

SECURITY DISCLAIMER: While Digi Cosmos (A Division of Healthcart Inc.) implements industry-standard security measures, no system is completely immune to data breaches. BY USING THIS PLATFORM, YOU ACKNOWLEDGE AND AGREE THAT: (a) Digi Cosmos shall not be held liable for any data breaches, unauthorized access, or security incidents resulting from factors beyond its reasonable control, including but not limited to cyberattacks, third-party service failures, or user negligence; (b) Users are responsible for maintaining the security of their own credentials and devices; (c) Any claims for damages arising from data breaches are limited to the fees paid in the 60 days preceding the incident.

9. Your Privacy Rights

Under Canadian Law (PIPEDA)

  • Access your personal information
  • Request correction of inaccurate information
  • Withdraw consent for non-essential processing
  • File a complaint with the Office of the Privacy Commissioner of Canada

Additional Rights for EU Users (GDPR)

  • Right to erasure (“right to be forgotten”)
  • Right to data portability
  • Right to restrict processing
  • Right to object to processing
  • Rights related to automated decision-making and AI profiling

Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., legal compliance, fraud prevention, completing transactions).
  • Right to Opt-Out of Sale: We do not sell your personal information. We do not exchange personal information for monetary consideration.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
  • Right to Correct: You may request correction of inaccurate personal information we maintain about you.
  • Right to Limit Use of Sensitive Information: You may limit the use and disclosure of your sensitive personal information to what is necessary for providing the services.

To submit a CCPA/CPRA request, email [email protected] with the subject line “CCPA Request.” We will verify your identity and respond within 45 days.

To exercise your rights, contact us at [email protected]. We respond to all requests within 30 days.

10. AI & LLM Data Processing

DigiAudit AI Engine uses artificial intelligence, including Large Language Models (LLMs), to generate assessment reports, risk analyses, and governance recommendations. The following applies to AI-processed data:

  • AI Infrastructure: Your audit data is processed by AI models hosted by our infrastructure partner (Abacus.AI). All AI processing occurs via secure, encrypted API calls.
  • Contextual AI Personalization: Your business data (audit responses, uploaded documents, and company profile information) is used to train and contextualize our AI agents so they can generate hyper-personalized, data-driven reports with high precision. This training is scoped exclusively to your account — your data is never shared with or used to train models for other users or third parties. You may withdraw consent for personalized AI processing at any time via your account settings.
  • No Third-Party Model Training: Your data is not shared with our AI infrastructure partner for the purpose of training, fine-tuning, or improving their foundational AI/LLM models. Inputs and outputs transmitted to the AI provider are transient and not stored beyond the duration of each API request.
  • Human Oversight: All AI-generated outputs are presented to users for review. No automated decisions are made without user action. AI reports are advisory in nature and do not constitute professional, legal, or compliance certifications.

AI DISCLAIMER: AI-generated reports and assessments are for strategic planning and informational purposes only. They do not constitute legal, financial, or compliance advice. See our full AI Disclaimer for details.

11. International Data Transfers

Your data is primarily stored and processed in Canada (AWS ca-central-1). Canada has been granted an adequacy decision by the European Commission for commercial organizations, meaning transfers from the EU to Canada are permitted. For other international transfers, we use Standard Contractual Clauses approved by the European Commission.

FOR US-BASED USERS: Your data is processed and stored within Canadian infrastructure (AWS ca-central-1). Canada and the United States maintain robust cross-border data transfer mechanisms under PIPEDA, and Canadian privacy protections are broadly recognized as meeting or exceeding US federal privacy standards. Your data is logically scoped to the US jurisdiction for compliance alignment (e.g., CCPA/CPRA applicability, USD billing), while benefiting from Canadian data protection safeguards.

11A. Data Residency

DigiAudit AI Engine supports multi-region data residency. During account registration, users select their data residency region (Canada or United States). This selection determines:

  • Storage Location: All data is physically stored in Canada (AWS ca-central-1). Account data, audit reports, and related records are logically associated with the selected region for compliance and jurisdictional purposes. Data isolation between regions is enforced at the application layer.
  • Currency & Billing: Pricing is displayed in the currency corresponding to your selected region (CAD for Canada, USD for United States).
  • Regulatory Alignment: Canadian accounts benefit from PIPEDA protections; US accounts benefit from applicable state-level privacy laws (e.g., CCPA/CPRA for California residents). All accounts benefit from Canada's robust federal privacy framework regardless of region selection.
  • Region Lock: Your data residency region is set at registration and cannot be changed through self-service. To request a region change, contact our support team.

NOTE: All data residency regions use the same enterprise-grade security standards, encryption, and access controls. Region selection affects jurisdictional compliance alignment, not the level of security applied to your data.

12. Marketing & Communications (CASL)

We comply with Canada's Anti-Spam Legislation. By providing your contact information and opting in to communications, you expressly consent to receive: (a) Transactional emails related to your account and Platform usage; (b) Marketing communications about products, services, updates, and promotional offers from Digi Cosmos; (c) Partner communications where you have provided explicit consent; (d) Industry insights, newsletters, and educational content. You may opt out of non-essential communications at any time through your account settings or by clicking unsubscribe. Your consent for marketing is voluntary and not a condition for using the Platform.

  • Marketing emails require express opt-in consent
  • Service emails are sent based on implied consent from your service relationship
  • Every commercial email includes an unsubscribe mechanism processed within 24 hours
  • All emails clearly identify Digi Cosmos with contact information

13. Cookies and Tracking

We use cookies and similar technologies for:

  • Essential Cookies: Required for platform functionality and security
  • Analytics Cookies: To understand usage patterns and improve the platform
  • Preference Cookies: To remember your settings and preferences

You can manage cookie preferences through your browser settings. Note that disabling essential cookies may affect platform functionality.

14. Children's Privacy

DigiAudit AI Engine is a business-to-business platform and is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from minors.

15. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or through the platform at least 30 days before they take effect. Continued use of the platform after changes constitutes acceptance of the updated policy.

16. Contact Us

Privacy Officer

Digi Cosmos (A Division of Healthcart Inc.)

Operating as: Digi Cosmos

Ontario, Canada

Email: [email protected]

For complaints not resolved to your satisfaction, you may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca

BY USING THE DIGIAUDIT AI ENGINE PLATFORM, you acknowledge that you have read and understood this Privacy Policy and voluntarily consent to the collection, processing, and use of your personal information as described herein.

Document ID: PP-2.1-2026 | Effective: May 14, 2026 | Jurisdiction: Ontario, Canada