Master Privacy Policy

Welcome to Lexova ("we," "us," or "our"). We provide a secure, multi-tenant software platform designed to assist Agencies (law firms and immigration consultancies), Employers, and Individual Clients in preparing, managing, and organizing applications for Immigration, Refugees and Citizenship Canada (IRCC), Employment and Social Development Canada (ESDC), and provincial immigration authorities.

We are headquartered in Alberta, Canada, and our data practices are strictly governed by the Personal Information Protection and Electronic Documents Act (PIPEDA), Alberta's Personal Information Protection Act (PIPA), and Quebec's Law 25.

To comply with Canadian privacy laws, it is important to understand our role in handling your data:

• Data Controller: The Authorized Representative (Agency/Agent) or Employer who invited you to the platform determines the purpose of the data collection (i.e., preparing an immigration application).
• Data Processor: Lexova acts solely as the Data Processor. We provide the secure technology infrastructure to store and organize this data on behalf of the Data Controller. We do not own, review, or use your data for our own purposes.

Because our platform facilitates government immigration applications, the Personal Information (PI) and sensitive documents uploaded may include:

• Identity & Biometrics: Names, dates of birth, marital status, passports, and national ID cards.
• Immigration & Travel History: Visa records, entry/exit logs, and current immigration status documents.
• Sensitive Personal Data: Police clearance certificates, medical examination declarations, and financial statements.
• Corporate Data (Employers): CRA Notices of Assessment, payroll records, and corporate registries.
• System Data: IP addresses, browser types, and timestamped audit logs of platform activity.

We collect only the information necessary to provide our software services. We do not use "bundled" consent.

• No Secondary Use: We will never sell, rent, or process your Personal Information or uploaded documents for secondary purposes, such as marketing, without your explicit, opt-in consent.
• Third-Party Input: If an Agent or Employer inputs data on behalf of a foreign national or family member, they represent and warrant that they have obtained legally valid, explicit consent from that individual to do so.

Your data is protected by strict cryptographic and architectural boundaries. Access is governed by your role:

• Individual Clients (Applicants): Can only view and edit their own profiles, family members, and the specific documents they have uploaded. Clients cannot see the data of any other individual, nor can they view confidential Employer corporate documents.
• Employers (Sponsors): Can only view their own corporate records and the specific application drafts associated with their business. They cannot view an Individual Client's sensitive personal documents (e.g., medical records) unless explicitly authorized for a joint application.
• Agents (Representatives): Can only view the data, documents, and application drafts of the specific Employers and Clients explicitly assigned to their caseload.
• Agencies (Tenant Admins): Have administrative oversight over their own law firm/consultancy, but are mathematically isolated from all other Agencies on the platform.

All Personal Information and uploaded documents are encrypted in transit (TLS 1.2+) and at rest (AES-256).

• Data Residency: Your data is stored securely on servers located entirely within Canada (e.g., AWS Canada-Central).
• Cross-Border Transfers: If technical support requires data to be routed outside of your province of residence (including outside of Quebec), it is done strictly in accordance with applicable provincial laws to ensure equivalent legal protection.
• Error Monitoring: We use a third-party error-monitoring service (Better Stack) to detect and diagnose technical problems. Only non-personal technical data (error messages, stack traces, and the page address) is transmitted — never client Personal Information, IP addresses, or form data — and this technical data is processed in the European Union.
• Authentication Provider: We use a third-party authentication provider (Clerk) to manage secure sign-in and user accounts. Clerk processes only basic account identifiers — your name and email address — and may store them on servers in the United States. Your case files, uploaded documents, and all other Personal Information remain stored in Canada.

Subject to statutory retention requirements, you hold the following rights regarding your data:

• Right to Access: You may view the information held about you at any time via your portal.
• Right to Portability (Data Export): You may export your data in a portable, commonly-used format (PDF and/or spreadsheet) at any time, and for 90 days after a subscription ends, before it is deleted.
• Right to Rectification: You may correct inaccurate or incomplete data.
• Right to Erasure (To Be Forgotten): You may request the permanent deletion of your account and associated documents.

If you have questions regarding this policy, wish to withdraw consent, or want to exercise your privacy rights, please contact our designated Privacy Officer:

• Title: Chief Privacy Officer
• Email: privacy@lexova.ca
• Mailing Address: Corporate Address, Alberta, Canada