Privacy Policy
Last updated: May 2026
Databi Private Limited (UEN 202441517N, Singapore) operates the HPO Canada project (“HPO Canada”, “we”, “our”, or “us”). HPO Canada operations are led from Ottawa, Canada, serving Canadian enterprise, government, and healthcare customers. This policy describes how we collect, use, disclose, and protect personal information in accordance with Singapore’s Personal Data Protection Act (PDPA), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and — for European Union and United Kingdom users — the General Data Protection Regulation (GDPR) and UK GDPR.
1. Who we are
Databi Private Limited is incorporated in Singapore (UEN 202441517N, founded October 2024). HPO Canada is an operating project of Databi Private Limited led from Ottawa, Canada. For privacy-related inquiries, contact our Privacy Officer at gurbachan@hpocanada.com.
2. What information we collect
2.1 Information you provide directly
- Contact information — name, work email, organisation name, and role, provided when you request a pilot, contact sales, or subscribe to communications.
- Pilot and customer data — documents, policies, procedures, and other content you upload to our Knowledge Management System for processing.
- Account credentials — username, hashed password, and SSO identity federation metadata (Azure AD, Okta, Google Workspace).
- Billing information — company billing address, tax identifiers; payment card details are processed by our payment processor and are never stored on HPO Canada systems.
2.2 Information collected automatically
- Usage logs — queries performed, documents retrieved, timestamps, user identifiers, access level. Retained for audit, security, and compliance purposes.
- Technical data — IP address, browser type, operating system, device identifiers, pages visited on hpocan.com.
- Cookies — strictly necessary cookies for session management. We do not use advertising cookies. See Section 9.
3. How we use your information
- Provide and operate the HPO Canada KMS platform.
- Process documents you upload into a searchable, AI-powered knowledge layer.
- Enforce access controls (Permission-Aware Management) so users only retrieve content they are authorised to see.
- Maintain immutable audit logs for security and compliance review.
- Respond to pilot requests, sales inquiries, and support tickets.
- Send service announcements and, with your consent, product updates.
- Comply with legal, regulatory, and law-enforcement obligations.
4. Legal basis for processing (GDPR / UK GDPR users)
- Performance of a contract — operating the KMS for paying customers and pilot participants.
- Legitimate interests — product improvement, security monitoring, fraud prevention.
- Consent — marketing communications, optional analytics (where used).
- Legal obligation — retention of records required by Canadian or EU law.
5. How we share information
We do not sell personal information. We share it only with:
- Cloud infrastructure providers — Amazon Web Services (AWS) and Google Cloud, acting as data processors under signed Data Processing Agreements. Customer data may be processed in the region selected at pilot onboarding (Canada, United States, or European Union).
- AI model providers — Amazon Bedrock (Nova, Titan, Claude), Google Vertex AI (Gemini, text-embedding), and optionally client-hosted local models. No customer document content is used to train third-party foundation models.
- Sub-processors — Pinecone (vector indexing) and other infrastructure providers listed in our current sub-processor registry, available on request.
- Legal recipients — law enforcement, courts, or regulators when compelled by a valid legal process.
6. Data location and sovereignty
By default, Canadian customer data is stored and processed in Canadian cloud regions. Enterprise and government customers may require all data, including AI model inference, to remain entirely within Canada or on-premises. We support fully sovereign deployments via AWS Canada, Google Cloud Montreal / Toronto, and client-hosted local LLMs.
7. How we protect your information
- Encryption at rest — AES-256 via AWS KMS or Google Cloud KMS customer-managed keys.
- Encryption in transit — TLS 1.3 on all network traffic.
- Access control — zero-trust, role-based and attribute-based access policies enforced at query time.
- Audit logging — every query, retrieval, and answer logged in tamper-evident storage.
- Compliance posture — Singapore PDPA compliant; Canadian PIPEDA compliant; GDPR compliant; ISO 27001 aligned; SOC 2 Type II and Government of Canada PBMM in progress.
8. Retention
We retain personal information only as long as necessary to deliver the service, meet legal obligations, or resolve disputes. Customer-uploaded documents are retained for the duration of the active subscription plus a short wind-down window defined in the customer agreement; they are then securely deleted or returned at the customer’s option. Audit logs are retained for seven (7) years where required by regulation.
9. Cookies
hpocan.com uses strictly necessary cookies for session management and security. We do not use third-party advertising cookies. If we introduce optional analytics cookies in future, we will request consent via a cookie banner.
10. Your rights
Subject to applicable law, you have the right to:
- Access the personal information we hold about you.
- Request correction of inaccurate or incomplete information.
- Request deletion (“right to be forgotten” under GDPR).
- Restrict or object to processing.
- Receive your data in a portable, machine-readable format.
- Withdraw consent at any time.
- Lodge a complaint with the Office of the Privacy Commissioner of Canada or an EU Data Protection Authority.
To exercise any of these rights, email gurbachan@hpocanada.com. We respond within 30 days.
11. International transfers
Where personal information is transferred outside Canada or the European Economic Area, we use appropriate safeguards including Standard Contractual Clauses (SCCs) and rely on adequacy decisions where they exist.
12. Children
HPO Canada’s services are for enterprise and institutional customers. We do not knowingly collect personal information from children under 16.
13. Changes to this policy
We will post any changes on this page and update the “Last updated” date at the top. Material changes affecting your rights will be communicated by email to active customers.
14. Contact
Privacy Officer — HPO Canada
Databi Private Limited (UEN 202441517N)
Incorporation: Singapore
Operations: Ottawa, Canada
gurbachan@hpocanada.com