Privacy · v1.0 · Effective May 2026
Eunosa is built for consultants who own a deliverable and answer for what is in it. That demands a privacy posture you can defend to a client, an employer, or a tribunal. Below is exactly what we collect, where it lives, who can see it, and the rights you have over it under Canadian law.
Plain-language summary · last reviewed May 2026
Section 01 · How your data flows
Every /ask query takes the same path through the same systems under the same contracts. The diagram below traces it.
You submit a query.
Your query — and any case context you pass in — leaves your browser over a TLS-encrypted connection.
Eunosa receives it in our Canadian region.
The query lands in Supabase Toronto (ca-central-1). It is associated with your account, scoped by Row-Level Security so no other customer can access it. Auto-redaction runs at ingest to scrub obvious identifying patterns.
Anthropic processes the query under zero-data-retention terms.
Eunosa relays the query to Anthropic for language-model processing. Under our Zero-Data-Retention contract, Anthropic does not retain the content, does not use it for training, and does not have access to your account or other queries.
The cited answer comes back, with verifiable citations.
Citations resolve to real published studies in our curated 697-study corpus. The corpus is selected and graded by Eunosa; only studies in the corpus can appear in citations.
The query and answer are stored for 90 days, then auto-deleted.
During that window, the data is retained only to support conversation context, to investigate incidents you report, and to monitor retrieval quality. It is never used for marketing, training, or analytics. After 90 days, it is purged from the live database. Backups follow the same purge schedule on a 30-day lag.
Section 02 · What we collect
Each row below maps to an actual table or field in our production database. Every column is a commitment: what we collect, why, how long, where, and how sensitive we treat it.
| Category | Fields | Purpose | Retention | Location | Sensitivity |
|---|---|---|---|---|---|
| Account information | Email · full name · country · plan tier | Authentication, account access, billing tier enforcement | Account lifetime; deleted within 30 days of account closure | Supabase Toronto (Canadian region) | Medium |
| Case context | Case title · client identifier (consultant-supplied) · situation type · jurisdiction · uploaded documents | Generate cited research and case-intelligence outputs for the consultant | Stored per case until the consultant deletes the case or closes the account | Supabase Toronto (Canadian region) | High |
| Conversation history | Queries you ask · cited responses · model metadata · feedback (thumbs / comments) | Maintain conversation context, evaluate retrieval quality, improve citation accuracy | 90 days, then automatically deleted | Supabase Toronto (Canadian region) | High |
| Deliverable drafts | Memos, summaries, briefs you generate — including citations | Make drafts available for editing, export, and re-use across sessions | Stored per case until the consultant deletes the deliverable or closes the account | Supabase Toronto (Canadian region) | High |
| Billing | Stripe customer ID · subscription status · invoice history (held by Stripe) | Process payments, manage subscriptions, generate receipts | For the term of the subscription plus the period required by Canadian tax law (7 years) | Stripe (United States, under Canadian PIPEDA-aligned data-transfer terms) | Medium |
| Usage logs | Server access logs · authentication events · query timestamps · anonymized error reports | Security monitoring, incident investigation, reliability | 90 days for application logs, 30 days for security logs | Supabase Toronto + Vercel edge (anonymized only) | Low |
Six services support Eunosa. Each has a narrow, documented role.
Supabase
ca-central-1 (Toronto)
Role · Database, authentication, file storage
All customer data sits here. Row-Level Security is enforced at the database layer so users can only access their own rows.
PIPEDA-aligned data processing addendum
Anthropic
United States
Role · Language model API for cited research retrieval
Your queries are sent to Anthropic for processing. Anthropic operates under zero-data-retention terms — your case content is not used to train their models and is not retained beyond the processing window.
Anthropic Zero-Data-Retention agreement (effective 2025)
Voyage AI
United States
Role · Embedding generation for retrieval
Receives chunked corpus text for embedding generation. No personally identifiable customer data is sent.
Standard API terms with no-training clause
Stripe
United States
Role · Payment processing
Receives billing information directly via Stripe Elements. Eunosa stores only the Stripe customer ID — Stripe holds the cardholder data.
Stripe Data Processing Agreement
Resend
United States
Role · Transactional email delivery
Receives recipient email and message content for transactional emails (account, billing, support). Not used for marketing.
Standard data processing terms
Vercel
Global edge network
Role · Marketing website hosting (eunosa.com)
Marketing site only — no customer data passes through Vercel. The product app at app.eunosa.com is hosted with database access restricted to the Toronto region.
Standard hosting terms
Section 03 · Who can see it
Every data access path is documented and enforced — at the database layer where possible, and by contract everywhere else. Eunosa staff do not browse customer data ad hoc.
You (the account holder)
Can see
All data in your own account — cases, conversations, deliverables
Enforcement
Supabase Row-Level Security policies enforce this at the database layer
Other Eunosa customers
Can see
Nothing in your account
Enforcement
RLS policies make cross-account access architecturally impossible from the application layer
Eunosa staff (Meagan and authorized contractors)
Can see
Only when you grant access during a support request, or during an incident investigation. Access is logged.
Enforcement
Service-role database access is restricted to specific Cron jobs and is never used for ad-hoc inspection without a logged incident reason
Anthropic
Can see
The text of queries you submit to /ask, processed under ZDR terms and not retained
Enforcement
Anthropic Zero-Data-Retention contract is the legal mechanism
Sub-processors (Stripe, Resend, Voyage, Vercel)
Can see
Only the data required for their specific function (see the sub-processor table)
Enforcement
Contractual data-processing terms with each
Row-Level Security policies · Sub-processor data-processing agreements · Audit logs on every staff-access event
Section 04 · PHIPA-aware design
Eunosa is not a custodian of health information under PHIPA, and we do not want to become one. Eunosa is a research and drafting tool for consultants — its inputs are functional case context (job demands, supervisor capability, RTW process milestones), not clinical records.
The architecture is built to make accidental PHI exposure unlikely, recoverable, and auditable. The five controls below are all operational today.
Pre-input warnings
Before any input field that could receive case context, Eunosa shows a banner asking you to describe the case in functional terms (e.g., "lifting restriction ≤ 5kg") rather than identifying terms (names, dates of birth, employer-identifying detail).
Auto-redaction at ingest
Common identifying patterns — Canadian SIN format, full names matching a known list, dates that look like dates of birth — are auto-redacted before the text is processed by the language model or stored in our database.
90-day query retention
All /ask queries are auto-deleted after 90 days. Queries are retained only for service-quality and incident investigation, never for marketing, training, or analytics.
Quarterly PII audit
We run a quarterly automated audit of the query log for residual identifying patterns. If PII is detected, the affected records are manually scrubbed and the incident is logged.
No clinical or employment surface
Eunosa is structurally a research-and-drafting tool. It does not generate diagnoses, recommend employment actions, score individual workers, or expose case content to any audience other than the supervising consultant.
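The auto-redaction and quarterly audit controls above, sketched as an added Python example (not Eunosa's code). The pattern shapes, the Luhn gate on SINs, the 14-to-110-year age window for birth dates and all function names are assumptions; name-list matching is left out.

```python
import re
from datetime import date

# Assumed pattern shapes for illustration; a production rule set would be broader.
SIN_RE = re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{3}(?!\d)")
DATE_RE = re.compile(r"(?<!\d)(\d{4})-(\d{2})-(\d{2})(?!\d)")

def luhn_ok(digits):
    """Luhn check for a 9-digit SIN: double every second digit, sum, mod 10."""
    total = 0
    for i, ch in enumerate(digits):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def looks_like_dob(y, m, d, today):
    """Assumption: a valid calendar date implying an age of 14 to 110 years."""
    try:
        age = (today - date(y, m, d)).days / 365.25
    except ValueError:  # e.g. month 13 or 30 February
        return False
    return 14 <= age <= 110

def redact(text, today=None):
    """Return (redacted_text, hit_counts) for one piece of case context."""
    today = today or date.today()
    hits = {"SIN": 0, "DOB": 0}

    def sin_sub(m):
        # Luhn gate keeps non-SIN 9-digit references intact; drop it to over-redact.
        if not luhn_ok(re.sub(r"\D", "", m.group())):
            return m.group()
        hits["SIN"] += 1
        return "[REDACTED-SIN]"

    def dob_sub(m):
        if not looks_like_dob(*map(int, m.groups()), today):
            return m.group()
        hits["DOB"] += 1
        return "[REDACTED-DOB]"

    return DATE_RE.sub(dob_sub, SIN_RE.sub(sin_sub, text)), hits

def audit(rows, today=None):
    """Periodic sweep: ids of stored rows that still contain a redactable pattern."""
    return [rid for rid, text in rows if any(redact(text, today)[1].values())]

# Constructed sample input; 046 454 286 is a Luhn-valid value used here as test data.
SAMPLE = ("Worker (SIN 046 454 286, born 1984-03-12) has a lifting restriction "
          "<= 5kg since 2026-02-20; claim ref 123 456 789.")
```

Running the same `redact` rules at ingest and in the audit means a rule added later also catches records that were stored before the rule existed.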
Section 05 · Your rights
Under Canadian privacy law (PIPEDA federally, plus provincial statutes such as PHIPA in Ontario), you have specific rights over your personal information. Eunosa is designed to honour each of them.
Right to access
Request a copy of the personal information we hold about you. We will respond within 30 days at no cost.
How · Email privacy@eunosa.com
Right to correction
If any information we hold is inaccurate or incomplete, you can request a correction. We will correct it and notify any sub-processors who hold the same data.
How · Edit your profile in-app, or email privacy@eunosa.com for fields you cannot edit yourself
Right to deletion
You can delete individual cases, conversations, and deliverables from within the app at any time. You can request full account deletion at any time, which purges all personal data within 30 days.
How · Account → Settings → Delete account, or email privacy@eunosa.com
Right to portability
Export your case data, conversations, and deliverables in a machine-readable format (JSON + Markdown).
How · Account → Settings → Export my data, or email privacy@eunosa.com
Right to withdraw consent
You can withdraw consent for any non-essential processing at any time. Essential processing (delivering the service you have paid for) requires active use; withdrawing consent for essential processing typically means closing your account.
How · In-app preferences, or email privacy@eunosa.com
Right to complain
If you are not satisfied with our response to a privacy request, you can file a complaint with the Office of the Privacy Commissioner of Canada (federal jurisdiction) or the Information and Privacy Commissioner of Ontario (Ontario provincial jurisdiction).
How · priv.gc.ca or ipc.on.ca
Response timelines
We respond to all access, correction, and deletion requests within 30 days. Deletion requests are completed within 30 days for live data, plus a 30-day backup-purge lag for the same records to age out of our automated backup retention.
Send privacy requests to privacy@eunosa.com.