Privacy Policy

Navisa is operated by NovaCore Systems Inc., a company incorporated in British Columbia, Canada. We provide an AI-powered immigration case management platform (“Navisa” or “the Platform”) available at navisa.io, designed for licensed immigration consultants (RCICs), immigration lawyers, and authorized representatives (“Firms”).

This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and your rights under applicable Canadian privacy law.

We collect information in the following categories:

• ·Firm account information: Business name, business address, contact name, and work email address of the firm owner and any invited consultants.
• ·Client case data: Names, dates of birth, passport numbers, employment history, educational records, language test scores, immigration history, and other immigration-relevant personal data entered or uploaded by Firms on behalf of their clients.
• ·Uploaded documents: Passports, employment letters, IELTS results, police certificates, bank statements, and other files uploaded for OCR extraction and AI analysis.
• ·Billing information: Payment method details are collected and stored by Stripe. We receive only a tokenized reference and the last four digits of the card — we do not store full payment card numbers.
• ·Usage analytics: Log data, IP addresses, browser type, pages visited, feature usage, and session duration, collected automatically when you use the Platform.
• ·Communications: Support requests, feedback, and any messages you send to Navisa staff.

• ·Providing, operating, and improving the Navisa platform and its features.
• ·Processing documents via OCR and AI analysis to generate eligibility assessments, consistency checks, and draft documents on behalf of Firms.
• ·Sending transactional emails — document request notifications, case status updates, and system alerts relevant to your firm’s cases.
• ·Billing and subscription management, including charging overage fees for cases beyond the plan allowance.
• ·Detecting and preventing fraud, abuse, and security incidents.
• ·Complying with applicable legal and regulatory obligations.
• ·We do not sell your data or your clients’ data to any third party.

Navisa processes client documents and case data using large language models (LLMs) provided by Anthropic (Claude) for eligibility analysis, document extraction, cross-document consistency checking, letter drafting, and AI coaching. Text embeddings for policy search are generated using OpenAI models.

Both Anthropic and OpenAI are engaged under enterprise data processing agreements that prohibit them from using submitted data to train or improve their models. Customer data sent to these services is processed transiently and is not retained by the AI provider beyond the duration of the API call.

AI-generated outputs — including eligibility analyses, letters of explanation, and form data — are tools to assist licensed professionals. All outputs must be reviewed by the responsible consultant before being used or communicated to any client.

We use the following third-party service providers to operate the Platform. Each processes data only as necessary to provide the service and is bound by appropriate data processing agreements:

• ·Vercel — Frontend hosting and edge delivery (North America).
• ·Xano — Backend database and API infrastructure (North America).
• ·Cloudflare R2 — Encrypted document storage (North America).
• ·Anthropic — Claude AI models for document analysis and content generation. Enterprise data agreement in place; no model training on customer data.
• ·OpenAI — Text embeddings for IRCC policy search. Enterprise data agreement in place; no model training on customer data.
• ·Pinecone — Vector database for IRCC policy search (contains only public policy content, not client data).
• ·Stripe — Payment processing. Stripe is PCI-DSS Level 1 certified. Payment card data is stored and processed entirely by Stripe.
• ·SendGrid — Transactional email delivery (verification, notifications, document requests).
• ·n8n — Workflow automation for background processing tasks (OCR pipeline, analysis triggers, scheduled jobs).

We do not sell, rent, or trade personal information to third parties for commercial purposes.

We share data with the third-party service providers listed in Section 5 solely to operate the Platform and deliver the services you have subscribed to. We may also disclose data:

• ·When required by applicable law, court order, or lawful government request.
• ·To protect the rights, property, or safety of NovaCore Systems Inc., our users, or the public.
• ·In connection with a merger, acquisition, or sale of substantially all assets, with prior notice to affected Firms.

All data is hosted on infrastructure located in North America. We implement industry-standard security measures including:

• ·TLS encryption for all data in transit.
• ·Encryption at rest for all stored documents and database records.
• ·Logical data isolation at the database level — no Firm can access another Firm’s data.
• ·Role-based access controls limiting internal access to data on a need-to-know basis.
• ·Regular security reviews of third-party service provider agreements.

No method of transmission or storage is 100% secure. In the event of a data breach affecting your personal information, we will notify affected Firms as required by applicable Canadian privacy law.

Case data and associated documents are retained for as long as your firm’s account remains active. On account deletion or termination, all case data is deleted within 30 days, except where a longer retention period is required by applicable law (such as billing records, which are retained as required by Canadian tax law).

You may request deletion of your firm’s data at any time by contacting privacy@navisa.io. Deletion requests will be fulfilled to the extent permitted by applicable legal obligations.

Navisa provides a client-facing document upload portal accessible via a secure magic link sent by the consultant. When immigration applicants (“clients”) upload documents through the portal, their data is associated with the consultant’s firm account.

Clients do not create separate Navisa accounts. The consultant’s firm is the data controller responsible for obtaining appropriate consent from clients before inviting them to the portal and uploading their personal information to the Platform.

Navisa uses a single HTTP-only authentication cookie (immios_token) to maintain your logged-in session. This cookie is set at login and expires after 8 hours.

We do not use advertising cookies, third-party tracking cookies, or analytics cookies that share data with external advertising networks. No cross-site tracking of any kind.

As a Canadian company, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. Under PIPEDA, you have the right to:

• ·Know what personal information we hold about you and how it is used.
• ·Access the personal information we hold about you.
• ·Request correction of inaccurate or incomplete information.
• ·Withdraw consent to the collection, use, or disclosure of your personal information (subject to legal or contractual restrictions).
• ·Request deletion of your personal information.
• ·Lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) if you believe your privacy rights have been violated.

To exercise any of these rights, contact our Privacy Officer at privacy@navisa.io. We will respond to written requests within 30 days.

We may update this Privacy Policy from time to time. We will notify Firm administrators via email of any material changes at least 30 days before they take effect. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.

Questions about this Privacy Policy or our data practices? Contact our Privacy Officer:

• ·Email: privacy@navisa.io
• ·Company: NovaCore Systems Inc.
• ·Province: British Columbia, Canada