Privacy Policy

1. Introduction

Migrawise is operated by Venusian Tech Inc. ("we", "us", or "our"), a corporation incorporated under the laws of Canada with its registered office at Office 732, 145 1/2 Church Street, Unit 5, Toronto, Ontario M5B 1Y4, Canada. Venusian Tech Inc. is the data controller for personal information collected through the Migrawise platform ("Service").

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service. It applies to all users of the Service, including immigration practitioners (firm owners and staff) and their clients who access the platform through the client portal. By using the Service, you consent to the practices described in this policy.

We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. Where provincial privacy laws provide stronger protections, those laws take precedence.

2. Data Collected

We collect the following categories of information:

Personal Information

• Full name, email address, phone number, and mailing address
• Professional credentials (RCIC membership number, Law Society membership details)
• Firm name and business contact information

Case and Client Data

• Immigration case details, including case type, status, and applicant information
• Documents uploaded to the platform (identification documents, supporting letters, forms)
• Questionnaire responses and intake form submissions
• Communication records between practitioners and clients within the platform
• Electronic signature records and signed documents

Financial Information

• Invoicing records and payment history
• Pre-paid AI credit balance and per-action transaction history (the type of work performed, dollar amount, case reference, timestamp)
• Stripe customer identifier and the last four digits of saved cards, where applicable. Full payment card details are handled directly by Stripe and are never stored on our servers

Usage and Technical Data

• Log data including IP address, browser type, operating system, and access times
• Device information and screen resolution
• Pages visited, features used, and actions taken within the platform
• Error logs and performance metrics

3. How Data Is Used

We use the information we collect for the following purposes:

• Service delivery: To provide, maintain, and improve the Migrawise platform, including case management, document storage, client portal access, and all core features
• Communication: To send you service-related notifications, including account updates, security alerts, billing notices, and feature announcements
• AI features: To power AI-assisted case analysis and document review. Data sent to AI services is anonymized to remove personally identifiable information
• Platform improvement: To understand how the Service is used, identify technical issues, and develop new features based on usage patterns
• Security: To detect, prevent, and respond to fraud, abuse, and security incidents
• Legal obligations: To comply with applicable laws, regulations, legal processes, or governmental requests

We do not sell your personal information to third parties. We do not use your data for advertising purposes.

4. Data Storage

We take the security of your data seriously and employ industry-standard measures to protect it:

• Location: All data is stored on servers located within Canada (AWS ca-central-1, Montreal). Application data resides on AWS Lightsail and uploaded files are stored on AWS S3, both within the same Canadian region. We do not transfer data outside of Canada without your explicit consent
• Encryption at rest: All sensitive data, including documents and personal information, is encrypted at rest using AES-256 encryption
• Encryption in transit: All data transmitted between your device and our servers is protected using TLS 1.2 or higher
• Tenant isolation: Each firm's data is logically isolated at the database level. Multi-tenant architecture ensures that no firm can access, view, or modify another firm's data
• File storage: Uploaded documents are stored outside the web-accessible directory and are accessible only through authenticated API requests with proper authorization
• Access controls: Role-based access controls ensure that users can only access data appropriate to their role within the firm

5. Third Parties

We share data with the following third-party service providers, strictly as necessary to deliver the Service:

• Stripe (payments): When you make or receive payments through the platform — including credit-balance top-ups, invoice settlements, and refunds — your payment information is processed directly by Stripe. Stripe is PCI-DSS Level 1 certified. We share only the minimum information necessary to process transactions (amount, currency, customer identifier). We do not have access to your full credit card number.
• AI infrastructure provider: AI-powered features (case audits, chat, portal autofill, questionnaire fill, and letter drafting) are processed through a third-party AI infrastructure provider operating under commercial terms that prohibit the provider from using customer submissions to train or improve their models. AI-generated outputs and prompts are not retained by the provider beyond the duration of the request. Usage measurements returned to us are used solely to compute your AI charges, which are shown in your transaction history.
• Cloudflare (security): We use Cloudflare Turnstile on login, registration, and password reset pages to protect against automated abuse and bot attacks. Cloudflare may process your IP address and browser metadata to verify that you are a legitimate user. No personal information beyond what is necessary for this verification is shared with Cloudflare.
• Amazon Web Services (infrastructure): Our servers (AWS Lightsail) and file storage (AWS S3) are hosted in the ca-central-1 (Montreal) region. All data — including uploaded documents, database backups, and application files — remains within Canadian AWS infrastructure at all times. AWS operates under data processing agreements that require compliance with PIPEDA.

We do not share your personal information with any other third parties except when required by law or with your explicit consent.

6. Your Rights Under PIPEDA

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the following rights regarding your personal information:

• Right to access: You may request a copy of the personal information we hold about you. We will respond to access requests within 30 days
• Right to correction: You may request that we correct any inaccurate or incomplete personal information. You can also update most information directly through your account settings
• Right to deletion: You may request that we delete your personal information, subject to any legal obligations that require us to retain certain data
• Right to withdraw consent: You may withdraw your consent for the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions. Withdrawal of consent may limit your ability to use certain features of the Service
• Right to complain: If you are not satisfied with how we handle your personal information, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca

To exercise any of these rights, please contact our Data Protection Officer at the email address provided in the Contact section below.

7. Data Retention

We retain your data according to the following schedule:

• Active accounts: Your data is retained for as long as your account is active and you continue to use the Service
• Deleted accounts: When you delete your account or request data deletion, your data remains accessible for a 30-day grace period to allow for data export. After this period, your data is permanently purged from our systems, including all backups, within 90 days
• CICC regulatory retention: Immigration case files — including all documents, questionnaire responses, notes, and correspondence — are retained for a minimum of six (6) years after a case is closed or completed, as required by the College of Immigration and Citizenship Consultants (CICC) and IRCC regulations. Firm owners are notified before automated deletion occurs and may override the retention period to delete data earlier at their own risk and responsibility
• Billing records: Credit-balance top-ups, AI charges, refunds, and the full transaction history are retained for seven (7) years following the date of the transaction, in accordance with Canada Revenue Agency (CRA) record-keeping requirements for business records
• Legal hold: Electronically signed documents and their associated audit trails may be retained for up to seven (7) years to comply with legal requirements and to preserve the evidentiary value of signed agreements
• Anonymized data: Aggregated, anonymized usage statistics that cannot be linked to any individual may be retained indefinitely for platform improvement purposes

8. Cookies & Tracking

We use cookies minimally and only as necessary to operate the Service:

• Session cookies: Required for authentication and maintaining your login session. These cookies are essential for the Service to function and are deleted when you close your browser or log out
• Preference cookies: Used to remember your settings, such as theme preference (light/dark mode) and language selection. These cookies persist between sessions
• No third-party tracking: We do not use third-party tracking cookies, advertising pixels, or social media tracking scripts
• Optional analytics: We may collect anonymized usage analytics to understand how the platform is used and to improve the Service. This data cannot be linked to individual users

Because we use only essential cookies required for the Service to function, a separate cookie consent banner is not required under PIPEDA. However, you can configure your browser to block cookies, though this may prevent the Service from working correctly.

9. Browser Extension (Migrawise Autofill)

Migrawise offers a Chrome browser extension ("Migrawise Autofill") that assists immigration practitioners in filling IRCC portal application forms. This section explains how the extension handles data.

Data Accessed by the Extension

• Case questionnaire data: When you use the extension to fill a form, it retrieves questionnaire responses and applicant information for the selected case from your Migrawise account via our API
• IRCC form fields: The extension reads the form field structure on the current IRCC portal page (field IDs, labels, types, and options) to determine how to map your case data to the correct fields

Data Stored Locally

• Authentication token: A session token is stored in Chrome's local storage to maintain your login. This token expires after 30 days or when you log out
• Mapping cache: Field mapping results are cached locally for 30 minutes to avoid redundant AI processing on repeated page visits. The cache is automatically cleared on expiry or when you switch cases
• Selected case: Your currently selected case ID is stored to persist your selection between popup opens

Data NOT Accessed

• The extension never reads, stores, or transmits IRCC portal login credentials. Your GCKey, IRCC Secure Account, or portal passwords are never accessed by the extension
• The extension does not access browsing history, bookmarks, or data on non-IRCC websites
• The extension does not track your activity or collect analytics beyond what is described above

Data Transmission

• All communication between the extension and Migrawise servers occurs over HTTPS (TLS 1.2+)
• Data is only transmitted to migrawise.ca — no data is sent to any third-party service from the extension
• AI-powered field mapping is processed server-side using the same AI infrastructure described in the Third Parties section above, with the same anonymization practices

Permissions

The extension requests the following browser permissions, each used for a specific purpose:

• Host access to IRCC portals (*.gc.ca, *.canada.ca): Required to read form fields on IRCC application pages and fill them with your case data
• Host access to migrawise.ca: Required to communicate with the Migrawise API for authentication, case data retrieval, and field mapping
• Storage: Used to store your authentication token and mapping cache locally in your browser
• Scripting: Required to interact with IRCC portal form elements that use Angular framework controls

Uninstallation

When you uninstall the extension, all locally stored data (authentication token, mapping cache, preferences) is automatically removed by Chrome. No data persists on your device after uninstallation.

10. Data Breach Notification

In the event of a security breach that results in unauthorized access to, or disclosure of, personal information under our control, we will:

• Assess the breach to determine if it creates a real risk of significant harm to affected individuals, as required under PIPEDA's mandatory breach reporting provisions
• Notify affected users within 72 hours of confirming a breach that poses a real risk of significant harm, providing details of the breach, the type of information involved, and recommended steps to protect themselves
• Report the breach to the Office of the Privacy Commissioner of Canada (OPC) as required by law
• Maintain records of all breaches, including those that do not meet the reporting threshold, for a minimum of 24 months
• Take immediate steps to contain the breach, investigate its cause, and implement measures to prevent recurrence

11. Children's Privacy

The Migrawise platform is designed for use by immigration professionals and their adult clients. The Service is not intended for use by individuals under the age of 18.

We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18 without appropriate parental consent, we will take steps to delete that information promptly.

Note: Immigration cases may involve minor applicants. In such cases, personal information about minors is entered and managed by the authorized immigration practitioner or a parent/guardian, not by the minor directly.

12. International Transfers

Migrawise stores and processes all data within Canada. We do not transfer personal information to servers or service providers located outside of Canada.

If a future need arises to transfer data internationally (for example, to support users in other jurisdictions), we will:

• Obtain your explicit consent before any cross-border transfer
• Ensure that the receiving jurisdiction provides an adequate level of data protection
• Implement appropriate contractual safeguards, such as data processing agreements, to protect your information
• Update this Privacy Policy to reflect any changes in our data transfer practices

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes:

• We will provide at least thirty (30) days' advance notice via email to the address associated with your account
• The updated policy will be posted on this page with a revised "Last updated" date
• For significant changes that affect how we collect, use, or share your personal information, we will seek your renewed consent where required by PIPEDA

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

14. Contact

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how your personal information is handled, please contact our Data Protection Officer:

Venusian Tech Inc. — Migrawise Data Protection Officer
Office 732, 145 1/2 Church Street, Unit 5
Toronto, Ontario M5B 1Y4, Canada
Email: [email protected]

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada:

Office of the Privacy Commissioner of Canada
Website: www.priv.gc.ca
Phone: 1-800-282-1376