Personal Data Protection Policy

“Personal Data” means digital or other information that identifies or assists the identification of an individual, or is otherwise defined as personal data under applicable laws.

1.1 Basic Personal Data

Name; job title and employer; business email, phone, and mailing address; country of residence; preferred language; account credentials (when you sign in with Google Workspace SSO: name, email, profile photo, group membership); device and connection data (IP address, browser type, OS, referrer, pages viewed, timestamps, error logs); marketing preferences; correspondence with Beaverly; billing information of authorized account contacts.

1.2 Customer-routed engineering metadata

When a customer connects its engineering tools (currently GitHub and Linear, with additional integrations planned), Beaverly ingests, on the customer’s instruction, commit metadata, pull/merge request metadata, ticket and issue metadata, code-change metadata, timestamps, and author identifiers including developer names, business email addresses, usernames, and avatars.

1.3 Sensitive Personal Data

Beaverly does not knowingly process political or religious opinions, health data, racial or ethnic origin, genetic or biometric data, data concerning sex life or sexual orientation, criminal-record data, payment-card numbers, or special-category data under GDPR Art. 9. Payment-card data is processed by Beaverly’s payment processor; Beaverly does not store full card numbers.

Unless otherwise agreed in writing, Beaverly may process Personal Data for one or more of the following purposes (each a “Purpose”):

2.1 Legal compliance. To comply with applicable laws, regulations, official requests, and orders of competent authorities in Canada, Vietnam, and any other jurisdiction where Beaverly operates, including tax, regulatory, and law-enforcement requirements.

2.2 Service delivery and account management. To evaluate, approve, and enter into customer agreements; to provision and operate the Services; to authenticate users; to ingest engineering metadata and generate audit-ready R&D evidence; to provide customer support; to issue invoices and manage billing; and to resolve obligations after termination.

2.3 Security, risk, and abuse prevention. To monitor infrastructure, detect anomalies, prevent fraud and abuse, conduct access reviews and internal audits, and respond to security incidents in accordance with our incident-response plan.

2.4 Product research and improvement. To conduct research, statistical analysis, and model evaluation using aggregated or de-identified data, in order to improve the accuracy, security, and quality of the Services.

2.5 Business communications. To send service notices, security advisories, product updates, and — where lawful — marketing communications to business contacts, who may opt out at any time.

2.6 Other purposes agreed in writing between the Partner / Data Subject and Beaverly.

3.1. For the Purposes above, Beaverly may collect, analyze, aggregate, encrypt, decrypt, edit, delete, destroy, de-identify, provide, disclose, transfer, or take other related actions on Personal Data.

3.2. Beaverly, its sub-processors, or authorized third parties may process Personal Data through automated means, manual review, or any combination thereof, consistent with applicable law and Beaverly’s internal regulations.

3.3. Beaverly commits to the following principles:

• Lawfulness, fairness, and transparency under applicable Canadian, EU, UK, US, and Vietnamese law;
• Collection limited to specific, clear, and lawful Purposes;
• Continuous application and updating of technical and organizational measures — encryption in transit and at rest, pseudonymization prior to AI processing, role-based access control, continuous logging, vulnerability scanning — to protect against unauthorized access, destruction, loss, or damage of Personal Data;
• Storage only for as long as necessary for the Purpose and for any applicable legal-retention period;
• Specific protections for children's data — the Services are not directed to anyone under 16, and Beaverly does not knowingly process such data.

Beaverly may process Personal Data obtained directly or indirectly, including but not limited to:

• Information you provide when you request a demo, sign a contract, create an account, sign in via Google Workspace SSO, submit a support request, or otherwise communicate with us;
• Information ingested from a customer's connected engineering tools (GitHub, GitLab, Bitbucket, Linear, Jira) on the customer's documented instruction and through read-only API access;
• Information from publicly available business sources, including company websites, electronic news sites, and professional networking sites (e.g., LinkedIn) used for sales prospecting;
• Information collected automatically when you access beaverly.ai or the Beaverly application, through cookies, pixels, plug-ins, and similar tracking technologies (see Section 6);
• Information lawfully received from competent Canadian, Vietnamese, or foreign authorities;
• Information from Beaverly's affiliates, suppliers, service providers, sub-processors, and commercial partners — including identity providers, payment processors, infrastructure providers, fraud-prevention vendors, and aggregators;
• Other sources where the Partner has consented to sharing, or where collection is required or permitted by law.

Beaverly shares only the Personal Data necessary for each Purpose with the following categories of recipient (each a “Third Party”):

• Beaverly personnel who require access to perform their duties;
• Affiliates, subsidiaries, and group entities of Beaverly;
• Sub-processors providing infrastructure, identity, model-inference, communications, and compliance services on Beaverly’s behalf. Our current sub-processors are listed below.

• The customer’s own authorized users — content generated from a customer’s connected tools is accessible to that customer’s workspace users;
• Professional advisors (legal, accounting, audit) under duties of confidentiality;
• Competent authorities, regulators, courts, and law-enforcement agencies where Beaverly is permitted or required to disclose Personal Data under applicable law or under contract;
• Successors in connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to equivalent protections;
• Other Third Parties that the Data Subject has consented to, or for whom Beaverly has a lawful basis.

6.1. Cookies are small files stored on your device. Beaverly uses cookies and similar technologies (pixels, web beacons, local storage) to operate the Services, remember preferences, secure your session, and measure aggregate usage.

6.2. Categories of cookies and similar technologies used:

• Strictly necessary — authenticate users, maintain session state, prevent CSRF. These cannot be disabled.
• Functional — remember preferences such as language and UI settings.
• Analytics — measure aggregate usage to improve product performance. Beaverly uses privacy-respecting analytics and does not build advertising profiles.

Beaverly does not use third-party advertising cookies or cross-site behavioural-advertising trackers.

6.3. Beaverly may use additional technologies such as web beacons and pixel tags to monitor service quality and detect abuse.

6.4. You may control cookies through your browser settings. Beaverly honours Global Privacy Control (GPC) signals as a valid opt-out under the CCPA / CPRA.

6.5. Beaverly’s web pages may embed content from third parties (e.g., embedded videos, social-network buttons). Those third parties may set their own cookies, which Beaverly does not control.

7.1. Beaverly is headquartered in Canada. Some sub-processors are located in the United States, the European Economic Area, and other jurisdictions; some Personal Data processed by Beaverly’s Vietnam office may be accessed from Vietnam.

7.2. Where Personal Data of individuals in the EEA, the United Kingdom, or Switzerland is transferred outside those regions, Beaverly relies on (i) the European Commission’s adequacy decision for Canada (commercial activities under PIPEDA); (ii) the Standard Contractual Clauses (EU 2021/914) and the UK International Data Transfer Addendum, supplemented by technical safeguards including encryption in transit, encryption at rest, and pseudonymization of identifiers before AI processing.

7.3. Personal Data of Vietnamese citizens processed outside the territory of Vietnam is handled in accordance with Vietnam’s Personal Data Protection regulations as they apply to Beaverly’s Vietnam operations.

A copy of relevant transfer mechanisms is available on request at security@beaverly.ai.

8.1. Personal Data is retained only as long as necessary for the Purposes set out in this Policy or as required by law:

8.2. Beaverly may continue to retain Personal Data to fulfill legal obligations and remains responsible for protecting that Personal Data in accordance with applicable law.

9.1. Subject to applicable law, as a Data Subject you have the rights to: (i) be informed; (ii) give consent; (iii) withdraw consent; (iv) access your Personal Data; (v) rectify or request rectification; (vi) request a portable copy; (vii) request erasure; (viii) restrict processing; (ix) object to processing; (x) lodge complaints with a competent supervisory authority or initiate legal action; (xi) claim damages; (xii) self-protection and other rights prescribed by applicable law.

9.2. You may exercise your rights by contacting Beaverly using the details in Section 13. Beaverly responds within the statutory time limit (typically 30 days under PIPEDA / Quebec Law 25 / GDPR, extendable where permitted). Identity verification may be required. There is no fee unless your request is manifestly unfounded or excessive.

9.3. Where the exercise of your rights affects Beaverly’s ability to provide the Services — for example, erasure of data necessary to operate your account — Beaverly may need to suspend or terminate the affected account. Where required by applicable law, we will explain the likely consequences before acting on your request, and we will continue to honour the underlying right to the extent the law requires.

9.4. Jurisdiction-specific notes

• Canada — PIPEDA. Complaints may be lodged with the Office of the Privacy Commissioner of Canada (priv.gc.ca).
• Quebec — Law 25. Quebec residents have additional rights including data portability and the right to be informed of automated decision-making with legal or similar effects. Beaverly does not make automated decisions that produce legal effects on individuals. Beaverly’s Privacy Officer for Law 25 purposes is Trang Nguyen, CEO, reachable at security@beaverly.ai. Complaints may be made to the Commission d’accès à l’information du Québec (cai.gouv.qc.ca).
• EEA / UK — GDPR / UK GDPR. You may lodge a complaint with your local supervisory authority. An EU representative under GDPR Art. 27 will be appointed if and when Beaverly offers Services to EEA data subjects at material scale.
• California — CCPA / CPRA. You have the right to know, delete, correct, limit use of sensitive personal information, and to opt out of “sale” or “sharing.” Beaverly does not sell or share Personal Data for cross-context behavioural advertising and honours GPC. Beaverly will not discriminate against you for exercising any privacy right.
• Vietnam — PDPD. Personal Data of Vietnamese citizens is processed in accordance with Vietnam’s Personal Data Protection regulations to the extent they apply to Beaverly’s Vietnam operations.

10.1. Keeping your information accurate. Please provide accurate Personal Data when you sign up, contract with us, or otherwise communicate with us, and let us know when your contact details change. If you believe Beaverly holds inaccurate or out-of-date information about you, contact us at security@beaverly.ai and we will correct it.

10.2. Sharing other people’s data with Beaverly. Where you provide Personal Data of other individuals — for example, when a customer administrator invites colleagues into a Beaverly workspace or configures connectors that ingest developer identifiers — you confirm that you have the authority to do so under the laws that apply to you, and that you have provided any notice or obtained any consent those laws require. Customer obligations relating to the Personal Data of their own developers and employees are addressed in more detail in the Data Processing Addendum between Beaverly and each customer.

10.3. Account security. You are responsible for keeping your account credentials confidential. Notify Beaverly promptly at security@beaverly.ai if you suspect unauthorized access to your account.

11.1. Each party involved in processing Personal Data shall (i) process Personal Data in accordance with this Policy and applicable laws; (ii) use reasonable endeavours to protect Personal Data; and (iii) safeguard the legitimate interests of the parties involved.

11.2. Beaverly’s program includes encryption in transit (TLS 1.2+), encryption at rest (AES-256), single sign-on via Google Workspace, role-based access control, pseudonymization of direct identifiers prior to LLM processing, continuous vulnerability scanning, centralized logging, quarterly access reviews, background checks for personnel with access to Customer Data (where lawful), and a documented incident-response plan with breach-notification procedures.

11.3. Beaverly’s SOC 2 Type 1 audit is in progress (target ~June 2026), with SOC 2 Type 2 targeted by the end of 2026. Personnel are trained to process Personal Data securely and are subject to disciplinary action for failures.

12.1. What we commit to. Beaverly takes reasonable measures to protect Personal Data in accordance with applicable law and this Policy. Beaverly does not rent or sell Personal Data, and does not share Personal Data for cross-context behavioural advertising.

12.2. The limits of security. No system is perfectly secure, and no provider can promise absolute protection against every threat — hardware or software defects, newly disclosed vulnerabilities, sophisticated attacks, or insider misconduct can occur despite reasonable safeguards. Where Beaverly’s contractual liability for these events is relevant — for example, between Beaverly and a customer — it is governed by the Master Services Agreement and Data Processing Addendum. Nothing in this Policy limits any right or remedy you may have under applicable privacy law that cannot lawfully be limited.

12.3. Breach notification. In the event of a confirmed personal-data breach, Beaverly will notify affected customers, affected individuals where required, and competent authorities — including the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, and other supervisory authorities under PIPEDA, Quebec Law 25, the GDPR, the UK GDPR, the CCPA / CPRA, and Vietnam’s PDPD where applicable — within the statutory time limits, and will make best efforts to remediate the breach and minimize its consequences.

13.1. For any question about this Policy or to exercise any right under Section 9, contact Beaverly through one of the following:

• By post: Beaverly AI Inc., Attn: Privacy, 3219 Yonge Street, Suite #246, Toronto, ON M4N 2L3, Canada
• By email: security@beaverly.ai
• General inquiries: support@beaverly.ai

13.2. Some requests may require additional documentation to verify your identity. Beaverly makes its best effort to support and process requests within a reasonable time frame and in compliance with applicable law.

14.1. Disputes shall first be resolved through good-faith negotiation.

14.2. This Policy forms part of the general terms governing the relationship between you and Beaverly, including the Master Services Agreement and Data Processing Addendum where applicable.

14.3. Beaverly may amend this Policy from time to time to reflect changes in law or in our practices. Updates are published at beaverly.ai/privacy-policy and, where required, notified to account contacts by email. Continued use of the Services after the effective date of an update constitutes acceptance.

14.4. Where Beaverly provides you with Personal Data, you agree to maintain a level of protection no less than the level committed to in this Policy.

14.5. Depending on the circumstance, Beaverly may act as Personal Data Controller, Personal Data Processor, or combined Controller-cum-Processor, and shall exercise the corresponding rights and obligations under applicable law.

14.6. Capitalized terms not otherwise defined have the meanings set out in applicable Canadian privacy law (including PIPEDA and Quebec Law 25) and, where relevant, the GDPR, the UK GDPR, the CCPA / CPRA, and Vietnam’s Personal Data Protection regulations as in force from time to time.

14.7. Governing law and venue. Subject to mandatory rules of consumer-protection and privacy law that grant you rights in your place of residence, this Policy is governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein. Statutory rights you have under PIPEDA, Quebec Law 25, the GDPR, the UK GDPR, the CCPA / CPRA, and other applicable privacy laws are not affected by this clause.

14.8. This Policy takes effect on 2026-05-20.