Privacy Policy

Effective date: April 29, 2026

Last updated: April 29, 2026

This Privacy Policy describes how InnoTech Engineering Inc. (“InnoTech”, “we”, “us”, or “our”), a Canadian corporation, collects, uses, stores, and shares personal information in connection with OT Continuum (the “Service”).

This policy applies to information we collect through the Service, our website, and our communications with you. It is designed to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), Alberta's Personal Information Protection Act (PIPA), and other applicable privacy laws.

1. Information We Collect

1.1 Account information

We support two sign-in methods. When you create an account with email and a password, we receive:

Email address — used to identify your account and match you to authorized customer tenants.
Password — stored only as a salted hash through our authentication provider (Supabase Auth). We never see, store, or transmit your plaintext password.
Display name (optional) — used to personalize your experience.

When you sign in using Microsoft OAuth, we receive:

Email address — used to identify your account and match you to authorized customer tenants.
Display name — used to personalize your experience.
Microsoft user identifier (subject claim) — used internally to link your authenticated identity to your account.

We do not receive your Microsoft password or access your Microsoft mailbox, calendar, files, or other Microsoft 365 services.

1.2 Information you provide

When using the Service, you may provide:

Profile information — your name, role, contact details, and other information added to your profile.
Plant and operational data — assets, sites, signals, tickets, and other operational technology data you upload or generate.
Communications — messages, comments, and content you create within the Service.
Support inquiries — information you provide when contacting support.

1.3 Information collected automatically

When you use the Service, we automatically collect:

Usage data — actions you take in the Service, features used, timestamps.
Device and connection data — IP address, browser type and version, operating system, device identifiers.
Log data — server logs, error reports, performance metrics.
Cookies and similar technologies — session cookies for authentication and functional cookies for preferences. We do not use third-party advertising or tracking cookies.

1.4 Information we do not collect

We do not collect:

Payment card information (no payments are processed during early access).
Government identification numbers.
Health, biometric, or sensitive personal information beyond what is necessary for authentication.

2. How We Use Information

We use the information we collect to:

Provide the Service — authenticate users, deliver features, respond to your actions.
Operate and maintain the Service — monitor performance, diagnose issues, ensure security.
Communicate with you — send Service-related notifications, respond to inquiries, provide support.
Improve the Service — analyze usage patterns, develop new features, fix bugs.
Ensure security — detect and prevent fraud, unauthorized access, and abuse.
Comply with legal obligations — respond to lawful requests, enforce our Terms of Service, protect our rights and the rights of others.
Send marketing communications — only with your consent and only about our own products. You can withdraw consent at any time.

We do not use your personal information for purposes incompatible with those described above without your consent.

3. Legal Basis for Processing

We process your personal information based on:

Performance of a contract — to provide the Service you have signed up for.
Legitimate interests — to operate, secure, and improve the Service in ways that do not override your privacy rights.
Consent — for specific uses where consent is required (e.g., marketing emails).
Legal compliance — to comply with applicable laws and respond to lawful requests.

4. Service Providers and Third-Party Sharing

We share information with the following categories of third parties to operate the Service. We do not sell your personal information.

4.1 Infrastructure providers

Provider	Purpose	Data shared	Location
Vercel Inc.	Application hosting and content delivery	Account info, usage data, log data	United States
Supabase Inc.	Database, authentication, and backend services	Account info, plant/operational data, log data	United States
Microsoft Corporation	OAuth authentication (via Microsoft Entra)	Authentication request data; we receive verified email back	United States
Resend, Inc.	Transactional email delivery	Email address, message content for service notifications	United States
Anthropic, PBC	AI features (assistance, analysis)	Plant/operational data submitted to AI features, prompt context	United States

These providers process information on our behalf under data processing agreements that require them to protect your information and use it only for the purposes we specify.

4.2 Other disclosures

We may share information:

With your consent — when you explicitly authorize sharing.
To comply with law — in response to lawful requests, court orders, or legal processes.
To protect rights and safety — to enforce our Terms, protect against fraud or harm, or respond to security incidents.
In business transfers — in connection with a merger, acquisition, or sale of assets, with appropriate notice to you.

5. International Data Transfers

The Service is operated from Canada and uses service providers located in the United States. By using the Service, you consent to the transfer of your information to and processing in jurisdictions outside Canada, including the United States, which may have different privacy protections than your home jurisdiction.

We use service providers that have committed to appropriate safeguards for international data transfers, including standard contractual clauses where applicable.

6. Data Retention

We retain personal information only as long as necessary to:

Provide the Service to you.
Comply with our legal obligations.
Resolve disputes and enforce our agreements.

Specific retention practices:

Account information — retained while your account is active and for a reasonable period after deletion to allow recovery and address potential disputes.
Plant and operational data — retained while your tenant subscription is active. After termination, data is retained for up to 90 days to allow export, then deleted.
Log data — retained for up to 12 months for security and operational purposes.
Support communications — retained for up to 24 months.

You may request deletion of your information as described in Section 8.

7. Security

We implement reasonable technical and organizational measures to protect your information, including:

Encryption of data in transit (TLS) and at rest.
Authentication via salted password hashes (passwords never stored in plaintext) or Microsoft OAuth, depending on your chosen method.
Access controls limiting employee access to personal information on a need-to-know basis.
Logging and monitoring of access to systems containing personal information.
Regular security reviews of our infrastructure and code.

No security measure is perfect. We cannot guarantee absolute security, but we work to protect your information and will notify you of material security incidents as required by law.

If you believe your account has been compromised, contact security@otcontinuum.io immediately.

8. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal information:

Access — request a copy of the personal information we hold about you.
Correction — request that we correct inaccurate or incomplete information.
Deletion — request that we delete your personal information, subject to legal exceptions.
Withdrawal of consent — withdraw consent for processing where consent is the legal basis.
Portability — receive your personal information in a portable format.
Objection — object to certain types of processing.
Lodge a complaint — file a complaint with a privacy regulator (see Section 11).

To exercise these rights, contact privacy@otcontinuum.io. We will respond within 30 days, or notify you if we need additional time.

We may request information to verify your identity before processing requests. Requests that are excessive, repetitive, or manifestly unfounded may be subject to a reasonable fee or refusal.

9. Children

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected information from a child, we will delete it promptly. If you believe we have information about a child, contact privacy@otcontinuum.io.

10. Cookies and Tracking

We use cookies and similar technologies for:

Authentication — keeping you signed in.
Functionality — remembering your preferences within the Service.
Security — detecting and preventing unauthorized access.

We do not use cookies for third-party advertising. We do not participate in cross-site behavioral advertising.

You can control cookies through your browser settings. Disabling essential cookies may prevent the Service from functioning properly.

11. Privacy Inquiries and Complaints

For privacy-related questions, requests, or complaints, contact:

InnoTech Engineering Inc. — Privacy
Email: privacy@otcontinuum.io

If you are not satisfied with our response, you may also contact:

Office of the Privacy Commissioner of Canada — https://www.priv.gc.ca
Office of the Information and Privacy Commissioner of Alberta — https://www.oipc.ab.ca

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by:

Updating the “Last updated” date at the top of this policy.
Sending an email to your registered address (when material changes apply).
Posting a notice within the Service.

Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

13. Contact

InnoTech Engineering Inc.
Email (privacy): privacy@otcontinuum.io
Email (general): hello@otcontinuum.io
Email (security): security@otcontinuum.io