Create privacy_policy.md

privacy_policy.md

@@ -0,0 +1,65 @@
+# Privacy Policy for Universal AI Data Analyst
+
+**Last Updated:** September 30, 2025
+
+[Your Company Name] ("we," "us," or "our") is committed to protecting the privacy and security of your information. This Privacy Policy explains how we handle information, particularly Personal Health Information (PHI), when you use our Universal AI Data Analyst application (the "Service").
+
+This policy is designed to comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial health information legislation (e.g., Ontario's PHIPA).
+
+### 1. Information We Collect
+
+We collect two types of information:
+
+*   **User-Provided Information:** This includes unstructured scenario text and structured data files (.csv) that you voluntarily upload to the Service. You are responsible for ensuring you have the legal right and necessary consent to use and upload this data.
+*   **Usage Data:** We may collect non-identifiable data about your interaction with the Service (e.g., session duration, features used) for the sole purpose of improving system performance and security.
+
+### 2. The Role of AI and De-Identification
+
+Our Service uses a third-party Large Language Model (AI) provided by Cohere to perform data analysis. To protect privacy, we adhere to a strict and critical protocol:
+
+**WE DO NOT SEND PERSONAL HEALTH INFORMATION (PHI) TO THE AI MODEL.**
+
+Before any data is used for analysis by the AI, it is the **user's responsibility** to ensure that all uploaded data has been **de-identified or anonymized**. This means removing all 18 identifiers that constitute PHI under Canadian law, such as names, health card numbers, dates of birth, addresses, etc. The Service is designed to analyze de-identified datasets.
+
+### 3. Use of Your Information
+
+The information you provide is used exclusively to:
+
+*   Power the AI data analysis agent to answer the questions in your scenario.
+*   Display the results of the analysis back to you within your secure session.
+*   Store your assessment in a temporary session history, which is deleted when your session ends.
+
+We will not use your uploaded data for any other purpose, such as model training, without your separate, explicit consent.
+
+### 4. Data Security and Residency
+
+*   **Encryption:** All data is encrypted in transit (using TLS 1.2 or higher) and at rest using industry-standard encryption protocols (AES-256).
+*   **Access Controls:** Access to the underlying systems is strictly limited to authorized personnel on a need-to-know basis.
+*   **Data Residency:** All data processing and storage for the Service is conducted on servers located **exclusively within Canada**.
+
+### 5. Data Retention
+
+Data you upload for analysis is retained only for the duration of your active session. The "Assessment History" feature stores data locally in your browser session and is cleared when you close the application. We do not permanently store your uploaded data files or analysis results.
+
+### 6. Your Rights
+
+You have the right to:
+
+*   Access the information you have provided.
+*   Correct any inaccuracies in the information you control.
+*   Withdraw consent for the use of your information by ceasing to use the Service.
+
+### 7. Accountability and Contact
+
+If you have any questions or concerns about our privacy practices, please contact our Privacy Officer at:
+
+[Privacy Officer Name/Title]
+[Your Company Name]
+[Your Address]
+[Your Email Address, e.g., privacy@yourcompany.com]
+
+You also have the right to file a complaint with the Office of the Privacy Commissioner of Canada or your provincial Privacy Commissioner.
+
+### 8. Changes to This Policy
+
+We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page.