Legal

Privacy Policy

Effective Date: June 17, 2025 | Last Revised: June 2026

1. Overview

Keynoro (“we”, “us”, “our”) is an independent software product that provides AI-powered document review tools for individual mortgage brokers operating across Canada. Keynoro is not affiliated with any brokerage, lender, or financial network.

We are committed to protecting personal information in accordance with Canada’s federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) and all applicable provincial and territorial privacy legislation across Canada, including substantially similar provincial laws where they apply. Our privacy obligations are determined by where our users and their clients are located — not solely by our place of business in British Columbia.

This Privacy Policy covers information collected from brokers who use Keynoro (“Users”) and explains how client documents processed through the platform are handled.

2. Accountability — Privacy Officer

Keynoro has designated a Privacy Officer who is accountable for the organisation’s compliance with this Policy and with applicable Canadian privacy law across all provinces and territories.

Privacy Officer, Keynoro
Email: info@keynoro.ca

All privacy inquiries, access requests, and breach notifications are directed to this office.

3. Applicable Privacy Legislation Across Canada

Keynoro operates nationally. The following framework governs our obligations by jurisdiction:

Federal — PIPEDA

PIPEDA applies to our collection, use, and disclosure of personal information in the course of commercial activities in all provinces and territories where no substantially similar provincial law has been declared to apply. This includes Ontario, Manitoba, Saskatchewan, Nova Scotia, New Brunswick, Prince Edward Island, Newfoundland and Labrador, and all three territories (Yukon, Northwest Territories, Nunavut).

British Columbia — BC PIPA

BC’s Personal Information Protection Act (“BC PIPA”) is substantially similar to PIPEDA and governs our activities as a BC-based organisation. PIPEDA does not apply to intra-provincial activities in BC; BC PIPA does. Our practices comply with both.

Alberta — Alberta PIPA

Alberta’s Personal Information Protection Act (“Alberta PIPA”) is substantially similar to PIPEDA and governs personal information collected about Alberta residents. When a broker using Keynoro is based in Alberta, or when a client’s documents relate to an Alberta resident, Alberta PIPA applies. Breach notifications in Alberta are made to the Office of the Information and Privacy Commissioner of Alberta (OIPC Alberta) in addition to federal requirements.

Quebec — Law 25

Quebec’s Act respecting the protection of personal information in the private sector, as modernised by Law 25 (An Act to modernize legislative provisions as regards the protection of personal information), applies when personal information about Quebec residents is collected or processed — including by organisations outside Quebec. If a broker uploads documents relating to a Quebec resident, Law 25 obligations apply. These include: stricter consent requirements, the right to data portability, the right to de-indexation, mandatory Privacy Impact Assessments (PIAs) before transferring personal information outside Quebec, and breach notification to the Commission d’accès à l’information (CAI). Brokers processing Quebec client documents through Keynoro are responsible for obtaining the additional consents required under Law 25 and for ensuring their own Law 25 compliance.

Other Provinces and Territories

In provinces and territories without substantially similar provincial legislation (Ontario, Manitoba, Saskatchewan, Nova Scotia, New Brunswick, PEI, Newfoundland and Labrador, Yukon, Northwest Territories, and Nunavut), PIPEDA applies directly to our commercial activities. We apply PIPEDA standards as the baseline for all such jurisdictions and comply with any applicable sector-specific provincial legislation that may affect how brokers in those jurisdictions handle personal information.

4. What Keynoro Collects

4.1 Broker Setup Information

To configure your personalised Keynoro instance, we collect:

  • Your name and contact information
  • Your brokerage name and licence number
  • Your Anthropic API key (for configuration only — see Section 7)

4.2 Usage and Technical Data

We may collect basic technical metadata (e.g. error logs, session activity) to diagnose issues and maintain the software. This data does not include document content or client information.

4.3 Client Documents

Keynoro processes documents on your behalf. These documents may contain sensitive personal information belonging to your clients, including government-issued identification, income documents, tax records, and bank statements.

Keynoro does not store client document content. Ever.

Documents are transmitted to Anthropic’s API for AI processing and are not retained by Keynoro after your session ends. See Section 6 for a full explanation.

5. How We Use Your Information

We use information collected during setup and operation to:

  • Configure and deliver your personalised Keynoro instance
  • Communicate with you about setup, updates, and support
  • Diagnose and resolve technical issues
  • Comply with our legal obligations under applicable federal and provincial privacy law

We do not sell, rent, or share your information or your clients’ information with any third party for commercial purposes.

6. Client Documents — No Storage, No AI Training

This is the section most brokers care about most. Here is a plain-language account of exactly what happens to your client’s documents.

When you upload a client document to Keynoro:

  • The document is transmitted over an encrypted connection (TLS) to Anthropic’s API, which is operated on servers located in the United States
  • Anthropic’s AI (Claude) reads the document to perform the requested task — classifying it, generating a filename, and producing document notes
  • The result is returned to your Keynoro session
  • The document content is not stored by Keynoro at any point in this process
  • Under Anthropic’s standard API terms, data submitted via the API is not retained by Anthropic for storage and is not used to train its AI models

Cross-border transfer notice: by uploading client documents through Keynoro, you acknowledge that those documents are transmitted to and processed by Anthropic’s infrastructure in the United States. Data processed in the United States is subject to US law, including potential access by US government authorities under applicable legislation. Brokers subject to Quebec Law 25 must conduct a Privacy Impact Assessment (PIA) before using Keynoro to process documents relating to Quebec residents, as required by that legislation. As the broker, you are responsible for obtaining your clients’ informed consent to this cross-border transfer prior to uploading their documents.

You should verify Anthropic’s current data handling policy independently at anthropic.com. Keynoro will update this Policy if Anthropic’s practices change in a way that affects users.

7. Your Anthropic API Key

Keynoro requires your personal Anthropic API key to function. Here is how we handle it:

  • Your API key is used solely to configure your Keynoro instance so it can communicate with Anthropic’s API on your behalf
  • Keynoro does not use your API key for any other purpose and does not share it with third parties
  • We store your API key only as long as necessary to operate your configured instance
  • You retain full ownership and control. You can revoke your API key at any time at console.anthropic.com
  • Upon termination of your Keynoro engagement, your API key will be deleted from our systems
  • All API usage charges are billed directly by Anthropic to your account. Keynoro is not involved in this billing relationship

Keynoro will never ask you to re-share your API key after initial setup. Any such request should be treated as fraudulent and reported immediately to info@keynoro.ca.

8. Data Storage and Retention

Broker setup information (name, contact, brokerage details) is retained for as long as your Keynoro engagement is active and for a reasonable period thereafter for legal and record-keeping purposes.

Client document content is not retained by Keynoro after processing. AI-generated outputs (filenames, document notes) exist only within your active session and are not stored on Keynoro’s servers.

Your API key is deleted upon termination of your engagement with Keynoro.

9. Data Security

We use encrypted transmission (TLS) for all data sent between Keynoro and Anthropic’s API. Access to broker configuration data is restricted and protected.

No security system is perfect. In the event of a privacy breach involving your personal information, Keynoro will:

  • Assess whether the breach creates a real risk of significant harm to affected individuals
  • Notify you directly as soon as feasible if such a risk exists
  • Report the breach to the applicable privacy regulator(s) as required by law — including the Office of the Privacy Commissioner of Canada (OPC) under PIPEDA, the Office of the Information and Privacy Commissioner of British Columbia (OIPC BC) under BC PIPA, the Office of the Information and Privacy Commissioner of Alberta (OIPC Alberta) under Alberta PIPA, and the Commission d’accès à l’information (CAI) under Quebec Law 25, as applicable based on the individuals affected
  • Maintain an internal record of all breaches as required by applicable law

10. Your Obligations as a User

As a broker using Keynoro to process client documents, you have independent legal obligations under applicable federal and provincial privacy legislation. You must:

  • Obtain informed consent from your clients before uploading their documents to Keynoro
  • Disclose to clients that their documents will be processed by a third-party AI service (Anthropic) on servers located in the United States
  • Disclose to clients that their personal information will be transferred across the Canada–US border as part of this processing
  • If your clients are Quebec residents: comply with Quebec Law 25, including conducting a Privacy Impact Assessment (PIA) before using Keynoro for those clients and obtaining the heightened consent required under that legislation
  • If your clients are Alberta residents: comply with Alberta PIPA requirements applicable to your brokerage activities
  • Maintain your own compliant privacy policy that reflects your use of AI document processing tools
  • Ensure your use of Keynoro is consistent with your brokerage’s policies, your provincial licence obligations, and any requirements imposed by your brokerage network or lender relationships

Keynoro processes documents as a service provider acting on your instructions. You bear primary responsibility for privacy compliance in relation to your clients.

11. Your Rights

You may request access to, correction of, or deletion of your personal information held by Keynoro by contacting the Privacy Officer at the address below. We will respond within 30 days in accordance with PIPEDA. If your rights arise under provincial legislation (BC PIPA, Alberta PIPA, or Quebec Law 25), we will respond in accordance with the applicable timelines and procedures under that legislation.

If you are not satisfied with our response, you may escalate your complaint to the applicable privacy regulator:

  • Office of the Privacy Commissioner of Canada (OPC) — for PIPEDA matters: www.priv.gc.ca
  • Office of the Information and Privacy Commissioner of BC (OIPC BC) — for BC PIPA matters: www.oipc.bc.ca
  • Office of the Information and Privacy Commissioner of Alberta (OIPC Alberta) — for Alberta PIPA matters: www.oipc.ab.ca
  • Commission d’accès à l’information (CAI) — for Quebec Law 25 matters: www.cai.gouv.qc.ca

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in legal requirements, applicable provincial legislation, or our practices. If changes are material — particularly any change to how document data is handled, any change to our cross-border transfer arrangements, or any change affecting obligations under provincial privacy law — we will notify you directly before the change takes effect. Continued use of Keynoro after notification constitutes acceptance of the updated Policy.

13. Contact

For privacy questions, access requests, breach reports, or concerns under any applicable federal or provincial privacy legislation:

Privacy Officer, Keynoro
Email: info@keynoro.ca

We will respond within 30 days of receiving your inquiry.

14. Governing Law

This Privacy Policy is governed by the laws of British Columbia and the federal laws of Canada applicable therein. Where provincial privacy legislation applies to a specific individual or transaction — including Alberta PIPA, Quebec Law 25, or BC PIPA — that legislation governs Keynoro’s obligations with respect to that individual or transaction to the extent of any conflict with this Policy. In all territories and provinces without substantially similar provincial legislation, PIPEDA applies as the governing federal framework.