Privacy Policy

Effective date: April 14, 2026

Privacy Officer

Baregold Incorporated has designated Eugene Savtchenko as its Privacy Officer, in accordance with section 3.1 of Law 25, responsible for overseeing our compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and, for residents of Quebec, the Act respecting the protection of personal information in the private sector (Law 25). You can reach our Privacy Officer at info@baregold.ca with the subject line "Privacy Officer" or by mail at the address shown in our Contact section.

What We Collect

We collect the information necessary to provide our compliance analysis and document generation services. This includes:

  • Account information: email address, company name and address, Health Canada company code, and your chosen UI language (English or French)
  • Regulatory contacts: senior official and Quality Assurance Person contact details as required for Product Licence Application submissions
  • Product data: product labels, ingredient lists, dosage forms, and health claims you provide for analysis, together with all documents generated by the service for your products
  • Payment information: processed securely through Stripe, which is PCI-DSS Level 1 certified. BareGold receives transaction metadata (amount, timestamp, last four digits of the card, billing country) but does not receive or store full card numbers on our servers
  • Aggregate analytics: Umami, a privacy-focused analytics service, measures page views, referrers, and approximate geography derived from IP. Umami does not set cross-site tracking cookies or build individual user profiles

How We Use Your Data

Your data is used to provide the core BareGold service: performing compliance analysis against Health Canada databases, generating Product Licence Application documents and bilingual labels, processing payments, communicating with you about your account and submissions, and meeting our legal and tax obligations. We do not sell your data, use it for advertising, or use it to train artificial intelligence models. Data sent to our AI processor (Anthropic) is processed under Anthropic's enterprise API terms, which prohibit the use of API inputs for model training.

Automated Decisions

BareGold uses artificial intelligence (Anthropic's Claude and other models) to analyze your product labels, score compliance readiness (DSR and FSR scores), and generate draft submission documents. These outputs are advisory. Every submission is reviewed, modified, and approved by you (or your regulatory consultant) before filing with Health Canada, so no final regulatory decision about your product is made exclusively by automated processing at BareGold within the meaning of section 12.1 of Law 25. If you would nonetheless like a member of our team to manually review a specific analysis — including to obtain the personal information used, the principal factors and parameters that led to the analysis, and to request a human review — contact us at info@baregold.ca with the subject line "Human Review Request."

Cross-Border Data Transfers

Several of our processors are headquartered in or host data in the United States. As a result, your personal information may be transferred to, processed in, and stored in the United States, and may become subject to U.S. law including disclosure requirements under the CLOUD Act. In accordance with section 17 of Law 25, we have assessed the privacy-protection factors associated with these transfers, and we rely on contractual safeguards and each processor's security program to protect your data in transit and at rest. Canadian residents retain all statutory rights regarding their personal information regardless of storage location; Quebec residents retain the protections of Law 25.

Third-Party Processors

We rely on the following third-party services to operate BareGold:

  • Anthropic (Claude AI) — processes product label data for compliance analysis and document generation (United States)
  • Stripe — handles payment processing, PCI-DSS Level 1 (United States / Ireland)
  • Neon — hosts our PostgreSQL database (United States)
  • Vercel — hosts the frontend application and edge functions (United States)
  • Railway — hosts the backend API (United States)
  • Umami Cloud — privacy-focused aggregate website analytics (European Union)

Each processor is bound by its own privacy and security policies and processes data only as needed to provide its services. We will notify users before engaging a new processor that has access to personal information in a materially different category.

Data Retention

We retain personal information only as long as necessary for the purposes for which it was collected, or as required by law. Specifically: account credentials are retained until you delete your account, then for 30 days in backup systems; product analyses and generated documents are retained for the lifetime of your account and can be deleted at any time through your account; payment records are retained for seven years to meet Canadian tax obligations; server access logs are retained for 90 days; and backups follow a 30-day rolling window. If you request account deletion, all associated data will be removed from our primary systems within 30 days and purged from backups within a further 30 days.

Data Security

We implement appropriate technical and organizational measures designed to protect your data, including transport-layer encryption (TLS) for data in transit, access controls limiting production system access to authorized personnel, and application-level enforcement of per-account data segregation. No security control is perfect; see our Breach Notification section for what happens if personal information is compromised.

Breach Notification

If we determine that a breach of security safeguards has occurred involving your personal information and creates a real risk of significant harm, we will notify you and the Office of the Privacy Commissioner of Canada without unreasonable delay, in accordance with our obligations under PIPEDA. For residents of Quebec, we will additionally notify the Commission d'accès à l'information in accordance with section 3.5 of Law 25, and we maintain a register of confidentiality incidents as required. Our notification will describe what happened, what information was involved, what we are doing in response, and what you can do to protect yourself.

Your Rights Under PIPEDA

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to access the personal information we hold about you, request corrections to inaccurate data, request deletion of your data, and withdraw consent subject to legal and contractual restrictions. To exercise any of these rights, email us at info@baregold.ca. We will respond to requests within 30 days.

Additional Rights for Residents of Quebec (Law 25)

If you are a resident of Quebec, the Act respecting the protection of personal information in the private sector (as amended, "Law 25") grants you additional rights beyond PIPEDA, including: the right to data portability in a structured, commonly used technological format (section 27); the right to be informed about any decision based exclusively on automated processing that affects you, to obtain the personal information used and the principal reasons and parameters that led to the decision, and to request a human review (section 12.1); the right to be informed before any new use or disclosure of your personal information (sections 8 and 14); the right to de-indexing and cessation of dissemination in the circumstances provided by law (section 28.1); and the right to file a complaint with the Commission d'accès à l'information (section 81). Our Privacy Officer has been designated in accordance with section 3.1 of the Act. To exercise any Law 25 right, contact our Privacy Officer at info@baregold.ca.

Cookies and Local Storage

BareGold uses minimal client-side storage. On successful login we store two JSON Web Tokens (an access token and a refresh token) in localStorage for authentication purposes, and a cookie named NEXT_LOCALE with your chosen UI language (valid for one year). We use Umami, a privacy-focused analytics service, to measure aggregate site usage. Umami does not set cross-site tracking cookies and does not build individual user profiles. We do not use third-party advertising pixels.

Changes to This Policy

We may update this Privacy Policy from time to time. When material changes are made (such as engaging a new processor with access to personal information, or collecting a new category of data), we will notify you at least 30 days in advance via the email address associated with your account and by displaying an in-service notice. We encourage you to review this policy periodically.

Contact

For questions about this Privacy Policy or your data, contact us at info@baregold.ca.

Baregold Incorporated — 768-92 Caplan Ave., Barrie, Ontario L4N 9J2, Canada
