AI Media Agent app icon
AI Media Agent
by True North Automation Inc.

Privacy Policy

Effective Date: April 30, 2026

1. Introduction

True North Automation Inc. ("we", "us", "our") operates the AI Media Agent platform and the connected Customer Cockpit at ai-media-agent.vercel.app (the "Service"). This policy explains what information we collect, how we use it, how we store and protect it, and your rights under PIPEDA and applicable provincial regulations.

2. Information We Collect

  • Contact information: name, email address, phone number, mailing address
  • Business information: company name, industry, service requirements
  • Communication records: phone call recordings, transcripts, emails, chat messages
  • Service data: quotes, invoices, order history, payment records (payment method only, NOT financial account details)
  • Website data: IP address, browser type, pages visited, cookies
  • Social-media data: content performance metrics, engagement data
  • AI Secretary data: call recordings, transcripts, caller information
  • Google account integrations (when explicitly connected by you): email address, calendar events, business profile content (see Section 7 below)

3. How We Use Your Information

  • To provide and improve our services (AI marketing, content creation, ad management)
  • To create and send quotes, invoices, and order confirmations on your behalf
  • To communicate with you about your account and services
  • To send marketing communications (only with your consent)
  • To analyze and improve our AI systems and service quality
  • To comply with legal obligations

4. How We Protect Your Information

  • Data stored on encrypted, secure cloud infrastructure (Supabase, Vercel)
  • Access restricted to authorized personnel only
  • Regular security reviews and updates
  • We do NOT store credit card numbers, bank account details, or financial credentials
  • API keys, passwords, and OAuth refresh tokens are encrypted with AES-256-GCM before being written to our database; access tokens are likewise encrypted at rest and never appear in application logs

5. Sharing Your Information

  • We do NOT sell your personal information
  • We share data only with the third-party services you explicitly connect (Meta, Google, LinkedIn, TikTok, Pinterest, Stripe) and the infrastructure providers required to run the Service (Supabase, Vercel, Resend, Anthropic)
  • We may disclose information if required by law or to protect our rights

6. Your Rights Under PIPEDA

  • Right to access your personal information
  • Right to correct inaccurate information
  • Right to withdraw consent for marketing communications
  • Right to request deletion of your data
  • Right to file a complaint with the Office of the Privacy Commissioner of Canada

7. Google Account Integrations

When you choose to connect a Google account to our platform we use Google's OAuth 2.0 flow and request only the minimum scopes required to deliver the feature you enabled. Each scope is requested in a separate, opt-in flow that you initiate from the dashboard.

Google Calendar (scope: calendar.events).When you click "Connect Google Calendar" on the Calendar page, we receive permission to view and edit events on your primary calendar. We use this access to (a) automatically create a Google Calendar event for every appointment booked through our platform — manually by you or automatically by the AI phone secretary, (b) update events when appointments change in our system, (c) delete events when appointments are cancelled, and (d) check free/busy windows before suggesting new booking times to your callers. We do not read, export, or share any other event data.

Google Business Profile. Used solely to publish posts you have authored or approved through our platform to your business listing.

YouTube (scope: youtube.upload). Used solely to upload videos you have authored or approved through our platform to your channel.

Token storage and rotation.The OAuth refresh tokens that allow long-lived access to your Google account are encrypted with AES-256-GCM before being written to our database. The encryption key lives in our hosting provider's secrets vault, separate from the database. Access tokens are short-lived (≈1 hour) and refreshed only when needed.

Disconnecting and deletion.You can disconnect any Google account at any time using the "Disconnect" button on the relevant connection page in the dashboard. Disconnecting both revokes our access at Google and deletes the encrypted tokens from our database. To request a full data deletion (including any cached calendar event identifiers, business profile posts, uploaded videos, and call recordings), email info@truenorthautomation.ai with the subject line "Data Deletion Request" and we will action it within 30 days.

Limited Use compliance. Use of information received from Google APIs adheres to Google's API Services User Data Policy, including the Limited Use requirements. Specifically: data accessed through Google APIs is never sold, never used for advertising, never used to train generalized AI models, and never read by humans except where necessary for security, fraud, abuse, or debugging at your explicit request, or where required by law.

8. Phone Call Recording

  • Calls to our AI phone system may be recorded for quality assurance and service delivery
  • Callers are informed at the beginning of each call
  • Recordings are stored securely and retained for 12 months
  • You may request deletion of your call recordings at any time

9. Marketing Communications (CASL Compliance)

  • We only send marketing emails with your express or implied consent
  • Every marketing email includes an unsubscribe link
  • Transactional emails (invoices, quotes, order confirmations) do not require consent
  • You can unsubscribe at any time by clicking the link in any email or contacting us

10. Cookies

Our website uses cookies to improve user experience. You can disable cookies in your browser settings; essential cookies are required for the website to function.

11. Data Retention

  • Client data retained for 3 years after last interaction
  • Call recordings retained for 12 months
  • Marketing data retained until consent is withdrawn
  • Financial records (invoices) retained for 7 years as required by Canadian tax law
  • OAuth refresh tokens deleted immediately on disconnection or account deletion

12. Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated effective date. Continued use of our services constitutes acceptance of the revised policy.

13. Contact Us

For privacy questions, data access requests, or to file a complaint:
True North Automation Inc.
Email: info@truenorthautomation.ai
Website: truenorthautomation.ai