Privacy Policy

Effective Date: April 22, 2026

Nobi AI Labs Inc. Effective Date: April 22, 2026 nobilabs.ca

Nobi AI Labs Inc. ("Nobi," "Nobi Labs," "we," "our," or "us") is committed to protecting the privacy of the individuals and organizations that use our AI-powered course authoring, learner delivery, and knowledge base platform (the "Service"). This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and your rights with respect to that information.

This Policy applies to all visitors to nobilabs.ca and all customers and end-users of the Nobi platform. By accessing or using our Service, you acknowledge that you have read and understood this Privacy Policy.

1. Who We Are

Nobi AI Labs Inc. is a corporation incorporated in Ontario, Canada. We operate as a data controller in respect of the personal information of our direct customers (business admins, content creators, and other platform users) and as a data processor acting on behalf of our customers in respect of the personal information of their employees and learners.

Our designated Privacy Officer and primary point of contact for all privacy matters is:

Scott Hladun Privacy Officer, Nobi AI Labs Inc. Email: scott@nobilabs.ca Website: nobilabs.ca

2. Information We Collect

We collect personal information in several categories depending on your role in relation to the Service.

2.1 Account and Organization Information

When a business registers for the Nobi platform, we collect information about the organization and its primary contact, including:

  • Business legal name and any operating name
  • Business address
  • Business phone number(s)
  • Contact name (first name, last name)
  • Business email address
  • Account settings, preferences, and onboarding state
  • Subscription plan and account status

2.2 User Profile Information

For each individual who accesses the platform (including admins, content designers, and learners), we collect:

  • First name and last name
  • Email address
  • Role within the organization (e.g., Owner, Admin, Content Manager, Learner)
  • Profile avatar image (if uploaded)
  • User preferences and settings

2.3 Learner and Training Data

As your organization uses the Nobi platform to deliver training, we collect and store data about your employees and learners, including:

  • Names and email addresses of employees entered by administrators
  • Course enrollment records, including enrollment date, due dates, and status
  • Learner group memberships and assigned learning pathways
  • Course progress percentage and last access timestamps
  • Learner interaction logs, including time-stamped records of learning activities (e.g., course started, module completed, assessment submitted, score achieved)
  • Adaptive learning states, including knowledge tracking and personalized content delivery state
  • Assessment responses and scores

2.4 Uploaded Business Documents and AI-Processed Content

When customers upload source documents for the purpose of course creation or knowledge base access, we collect and process:

  • The content of uploaded business documents (e.g., SOPs, policies, training materials)
  • Document metadata including file name, file type, file size, upload date, and uploader identity
  • AI-generated vector embeddings derived from document content, used to power semantic search and AI-assisted course generation
  • Chunked document text stored for retrieval by our knowledge base and course authoring AI features

2.5 AI Copilot and Knowledge Base Conversation Data

Our platform includes an AI Copilot for course authoring assistance and an AI-powered Knowledge Base. When users interact with these features, we collect:

  • Conversation threads including all user messages and AI-generated responses
  • Context references linking conversations to specific courses, modules, scenarios, assessments, or projects
  • Prompt and response data that may be reviewed for quality improvement and used for AI model fine-tuning (see Section 5)

2.6 Project and Content Assets

We store all content created within the platform, including:

  • Course and module content, including draft and published versions
  • Scenarios, interactive elements, and assessments
  • Uploaded project media assets (images and other files)
  • Version history for all content

2.7 Usage and Technical Data

We automatically collect usage and technical information when you interact with our platform, including:

  • Login and session data
  • Feature usage patterns and interaction events (collected via PostHog)
  • Device and browser type, IP address, and general location
  • Performance and error data

2.8 Payment Information

We use Stripe as our payment processor. Payment card details are collected directly by Stripe and never transmitted to or stored on Nobi's servers. We retain only non-sensitive billing records such as subscription status, plan type, and transaction history as provided by Stripe.

3. How We Use Your Information

We use the personal information we collect for the following purposes:

  • Service Delivery: To create and manage your account, provide access to the platform, process invitations, and deliver the core features of the Nobi Service.
  • AI Features: To power AI-assisted course authoring, adaptive learning delivery, knowledge base search, and the AI Copilot using your uploaded content and learner data.
  • Learner Progress Tracking: To record and report on learner progress, course completions, assessment performance, and pathway advancement on behalf of your organization.
  • Platform Improvement: To analyze usage patterns, identify bugs, improve existing features, and develop new features.
  • AI Model Training: Anonymized and aggregated prompt-response data from the AI Copilot may be used internally to improve our AI models. See Section 5 for more detail.
  • Communications: To send transactional emails such as invitations, password resets, and platform notifications via Resend, and where consented, product updates and announcements.
  • Billing and Account Management: To manage subscriptions, process payments through Stripe, and maintain billing records.
  • Security and Compliance: To detect and prevent unauthorized access, investigate security incidents, maintain audit logs, and comply with legal obligations.

4. Legal Basis for Processing

Where applicable privacy law requires a legal basis for processing, we rely on the following:

  • Contractual Necessity: Processing required to deliver the Service under our agreement with you (e.g., account management, learner tracking, document processing).
  • Legitimate Interests: Processing for purposes such as platform security, fraud prevention, internal analytics, and product improvement, where those interests are not overridden by your privacy rights.
  • Consent: Where we send marketing communications or use data for purposes beyond service delivery, we obtain your express consent and provide a straightforward mechanism to withdraw it.
  • Legal Obligation: Where we are required to process or retain data to comply with applicable Canadian or other law.

5. AI Training Data and Model Improvement

Nobi uses Claude (developed by Anthropic) as a core AI component of its platform. Interactions with the AI Copilot and Knowledge Base features generate prompt and response data that we store internally.

We may use anonymized and aggregated versions of this data to improve the quality and performance of Nobi's own AI features through supervised fine-tuning (SFT). This data is reviewed internally under access controls before any use.

We do not sell or license your content or conversation data to third parties for AI training purposes. Your uploaded business documents are used solely to power features within your own organization's workspace and are not shared across organizations or used to train shared AI models without your explicit consent.

6. How We Share Your Information

We do not sell your personal information. We share information only in the following circumstances:

6.1 Service Providers (Subprocessors)

We engage trusted third-party service providers to help us deliver the Service. These providers act as data processors and are contractually bound to protect your information and use it only for the purposes we specify. Our current subprocessors include:

  • Google Cloud (API hosting, server infrastructure, Vertex AI embeddings) – United States
  • Supabase (database hosting) – United States (us-east-2)
  • Netlify (website hosting) – United States
  • Stripe (payment processing) – United States
  • Resend (transactional email delivery) – United States
  • PostHog (product analytics and usage tracking) – United States
  • Attio (customer relationship management) – United States
  • Google Workspace (internal productivity and communications) – United States
  • Anthropic / Claude API (AI language model processing) – United States
  • Slack (internal team communications) – United States

6.2 Cross-Border Data Transfers

Nobi AI Labs Inc. is based in Canada. Many of our subprocessors are located in the United States. By using our Service, you acknowledge that your personal information may be transferred to and processed in the United States, which may have different data protection laws than your jurisdiction. We take steps to ensure adequate protections are in place through data processing agreements and contractual safeguards.

6.3 Legal Requirements

We may disclose your information if required to do so by law, court order, or government authority, or where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Nobi, our customers, or the public.

6.4 Business Transactions

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify affected users in advance of any such transfer and of any resulting changes to this Privacy Policy.

7. Data Retention

We retain personal information for as long as necessary to provide the Service and fulfill the purposes described in this Policy, or as required by law.

  • Account and organization data is retained for the duration of your subscription and for a period of up to 90 days following account termination, after which it is deleted or anonymized.
  • Learner interaction and course progress data is retained for the duration of your organization's subscription. Customers may request earlier deletion.
  • Uploaded source documents and their derived vector embeddings are retained until deleted by the customer or until account termination.
  • AI Copilot and Knowledge Base conversation data is retained for the duration of the subscription.
  • Billing records are retained for a minimum of seven (7) years in accordance with Canadian tax and accounting requirements.
  • Audit logs and security records are retained for a minimum of twelve (12) months.

8. Security

We take the security of your data seriously and implement technical and organizational safeguards proportionate to the sensitivity of the information we process. Our security measures include:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest within our Supabase database and cloud storage
  • Row-Level Security (RLS) policies on our database ensuring organizational data is strictly isolated
  • Role-based access controls ensuring employees access only data necessary for their role
  • Multi-factor authentication required for internal system access
  • Audit logging of administrative actions and data access events
  • Separate production and development environments, with no real customer data used in development or testing

No method of electronic transmission or storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

9. Your Privacy Rights

Depending on your jurisdiction, you may have certain rights with respect to your personal information. These include:

  • Access: The right to request a copy of the personal information we hold about you.
  • Correction: The right to request that inaccurate or incomplete information be corrected.
  • Deletion: The right to request deletion of your personal information, subject to legal retention obligations.
  • Withdrawal of Consent: Where processing is based on consent, the right to withdraw that consent at any time.
  • Complaint: The right to lodge a complaint with a relevant supervisory authority. In Canada, this is the Office of the Privacy Commissioner of Canada (OPC). In the United States, relevant authorities vary by state.

To exercise any of these rights, please contact our Privacy Officer at scott@nobilabs.ca. We will respond to all requests within 30 days.

Note to business customers: where Nobi processes the personal information of your employees and learners on your behalf, you are the data controller and we are the processor. Requests from your employees regarding their data should be directed to you as the responsible organization. We will cooperate with you in fulfilling such requests.

10. Breach Notification

In the event of a privacy breach that creates a real risk of significant harm to individuals, we will notify:

  • The Office of the Privacy Commissioner of Canada (OPC) as soon as reasonably practicable;
  • All affected individuals whose information was involved in the breach;
  • Affected New York State residents, in accordance with the New York SHIELD Act, in the most expedient time possible;
  • Affected customer organizations, so that they may fulfill their own notification obligations to their employees and learners.

We maintain a breach response plan and log all privacy incidents, including those that do not meet the threshold for formal notification.

11. Cookies and Tracking Technologies

Our website and platform may use cookies and similar tracking technologies for purposes including authentication, session management, and product analytics (via PostHog). We do not use advertising cookies or sell data to advertising networks.

You may configure your browser to refuse cookies, though this may affect the functionality of certain features.

12. Children's Privacy

The Nobi platform is designed for use by businesses and their employees. It is not directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have inadvertently collected such information, we will take steps to delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the features of our Service. When we make material changes, we will notify you by email or by prominent notice within the platform at least 14 days before the changes take effect.

The current version of this Policy is always available at nobilabs.ca/privacy. The effective date at the top of this document indicates when the most recent version came into force.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact our Privacy Officer:

Scott Hladun, Privacy Officer Nobi AI Labs Inc. Mississauga, Ontario, Canada Email: scott@nobilabs.ca Website: https://nobilabs.ca