Privacy Policy
Last Updated: May 31, 2026 · Version 2.0
Summary: We respect your privacy. We collect only what we need to operate our products, protect what we collect on Canadian infrastructure, and never sell your personal information to third parties. Your data is subject to Canadian law — not the US CLOUD Act.
01 Introduction
Fortress Technologies Hub Inc. ("we," "our," or "us") is a federally incorporated Canadian technology company based in Toronto, Ontario. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our websites, products, and services — including CoreMind (coremindx.ai) and API Fortress (api-fortress.fortresstechnologieshub.com), as well as our corporate website at fortresstechnologieshub.com (collectively, the "Services").
By accessing or using our Services, you agree to this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use our Services.
This Privacy Policy applies to all users of our Services, including visitors, registered users, subscribers, and enterprise clients. It does not apply to third-party websites or services linked to or integrated with our Services.
02 Canadian Data Sovereignty
Data Location: Fortress Technologies Hub is proudly built and operated in Canada. All user data, account information, and product data across our Services is stored and processed on servers located exclusively within Canada.
No CLOUD Act Exposure: As a Canadian company operating on Canadian-owned infrastructure, your data is not subject to the US CLOUD Act or any foreign surveillance legislation. The US government cannot compel us to hand over data stored on our systems.
Canadian Jurisdiction: Your data is governed by Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.
Infrastructure: Our primary hosting, including AI model inference, databases, voice processing, embeddings, and all core product data, runs on Canadian-owned servers located in Canada. Our commitment to Canadian data sovereignty drives every infrastructure decision we make.
Limited Third-Party Processing: Certain narrow third-party services may process limited data in other jurisdictions. Specifically, payment processing for CoreMind subscriptions is handled by Stripe (which may process payment data in the United States), and image and video generation requests on CoreMind are processed by third-party AI generation providers operating under their own privacy policies. These are the only exceptions, and they are fully disclosed in Section 6 of this Policy.
03 Information We Collect
3.1 Corporate Website Visitors
When you visit fortresstechnologieshub.com, we automatically collect basic usage data including browser type, device type, pages visited, time spent, and referring URLs. We use self-hosted analytics on Canadian infrastructure. We do not use third-party advertising trackers or cross-site tracking cookies.
3.2 CoreMind Users
- Account Information: Name, email address, and password (securely hashed) when you register
- Google Sign-In: If you use Google Sign-In, we receive your name, email address, and profile picture from Google. We do not receive or store your Google password
- Profile and Preferences: Settings, customizations, and preferences you configure
- User Content: Prompts, messages, uploaded files, and any content you create using the Service
- Payment Information: Processed securely through Stripe. We store only payment confirmation, subscription status, billing history, and the last four digits of your card. We do not store full card details on our servers
- Usage Data: Features used, actions taken, time spent, and interaction patterns
- Device and Log Data: IP address, browser type, operating system, access times, and referring URLs
3.3 API Fortress Enterprise Clients
API Fortress is a B2B enterprise API security platform. It does not process, store, or handle your end users' personal data. The only information we collect from enterprise clients is what is necessary to operate the security service:
- Company Name: The name of your organization
- Point of Contact Email: The email address of your company representative
- Backend API URL: Your company's public-facing API endpoint submitted for protection and scanning
- Security Data: WAF logs, RASP events, pentest results, behavior analysis, and endpoint scan reports generated by the platform — stored in your dashboard on our Canadian infrastructure
Security scan data (WAF logs, RASP events, endpoint reports) consists of technical security metadata — not personal data. This data is stored exclusively on our Canadian servers and is accessible only to your authorized team through your dashboard.
API Fortress does not collect, access, or process the personal data of your end users. It operates at the API layer to detect and block threats, not to inspect or retain underlying business data passing through your APIs.
Payment: API Fortress is a B2B service billed via bank transfer or e-transfer directly to Fortress Technologies Hub. No third-party payment processor is involved.
04 How We Use Your Information
We use the information we collect only for the following purposes:
- Provide, maintain, and improve our Services
- Create and manage your account or enterprise client profile
- Process transactions and manage subscriptions or service agreements
- Personalize your experience where applicable (CoreMind)
- Send technical notices, security alerts, service updates, and support communications
- Respond to your inquiries and provide customer support
- Monitor and analyze usage to improve product performance and reliability
- Detect, prevent, and address fraud, abuse, and security threats
- Enforce our Terms of Service and other policies
- Comply with applicable Canadian legal obligations
We do not use your data for advertising, profiling for sale to third parties, or any purpose not listed above.
05 AI Memory and Personalization (CoreMind)
CoreMind may use conversation history and context to provide personalized responses and remember information across sessions ("Memory"). This feature is designed to improve your experience by remembering your preferences, providing contextually relevant responses, and reducing the need to repeat information.
Your Control Over Memory:
- You can enable or disable Memory in your Privacy Settings at any time
- You can view all stored memories from your account
- You can delete specific memories or all memories at any time
- Disabling Memory does not delete previously stored data unless you explicitly delete it
No AI Training on Your Data: We do not use your conversations, prompts, or outputs to train our AI models without your explicit consent. Your data is used solely to provide the Service to you.
06 Data Sharing and Disclosure
We do not sell your personal data. We may share your information only in the following limited circumstances:
6.1 Service Providers
- Stripe — Payment processing for CoreMind subscriptions. Stripe may process payment data in the United States and operates under its own privacy policy. We share only what is necessary to process your payment
- Canadian cloud and infrastructure providers — For hosting, storage, and compute. All on Canadian soil
- Email service providers — For transactional communications such as account verification and billing receipts
- Third-party AI generation providers — For CoreMind image and video generation requests only. When you request image or video generation, the prompt or input is sent to third-party providers who process it under their own privacy policies. These providers do not receive your account information or conversation history. This applies only to image and video generation
6.2 Legal Requirements
We may disclose your information if required to do so by Canadian law, or in response to valid requests by Canadian public authorities, including to meet national security or law enforcement requirements. As a Canadian company on Canadian infrastructure, we are not subject to US government data requests.
6.3 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or use of your personal information.
6.4 With Your Consent
We may share your information with third parties when you have given us your explicit consent to do so.
07 Data Storage and Security
Data Location: All user data across our Services is stored on secure servers located exclusively in Canada. We do not store personal data outside of Canada, with the narrow exception of payment processing via Stripe as disclosed in Section 6.
Security Measures: We implement industry-standard security measures to protect your data, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Field-level encryption for sensitive data (chat messages, memories) on CoreMind
- Secure password hashing using bcrypt
- Access controls and authentication requirements
- Rate limiting on authentication endpoints
- Regular security monitoring and audits
- Secure development practices
No Guarantee: While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
08 Data Retention
We retain your personal data for as long as necessary to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements.
Retention Periods:
- CoreMind account data: Retained while your account is active
- CoreMind conversation history: Retained until you delete it or your account
- CoreMind billing records: Retained for 7 years for tax and legal compliance
- API Fortress client account data: Retained for the duration of the service agreement and up to 2 years after termination
- API Fortress security logs and scan data: Retained for the duration of your active service
- Security and system logs: Retained for up to 2 years
Account Deletion (CoreMind): When you delete your account using the "Forget Me" feature, your personal data will be permanently deleted within 30 days, except where retention is required by law.
09 Cookies and Tracking Technologies
We use cookies and similar technologies on our websites for the following purposes:
- Essential Cookies: Required for authentication and session management
- Preference Cookies: Remember your settings and preferences
- Analytics: We use self-hosted analytics on Canadian infrastructure to understand how users interact with our Services
We do not use third-party advertising cookies, cross-site tracking cookies, or any analytics tools that send your data to US-based analytics providers.
Cookie Control: You can control cookies through your browser settings. Disabling essential cookies may affect your ability to use certain features of our Services.
10 Your Rights and Choices
As a Canadian company, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). Under PIPEDA and applicable privacy legislation, you have the right to:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal data
- Data Portability: Request your data in a portable format
- Withdraw Consent: Withdraw consent where processing is based on consent
- Object: Object to processing of your data in certain circumstances
- Complaint: Lodge a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca
To exercise any of these rights, please contact us at [email protected] or use the relevant features in your account settings. We will respond within 30 days, or as required by applicable law.
European Users (GDPR)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under the GDPR, including the right to lodge a complaint with your local data protection authority. We process your data based on: (a) your consent, (b) performance of our contract with you, (c) compliance with legal obligations, and (d) our legitimate interests in providing and improving the Services.
California Residents (CCPA)
If you are a California resident, you have the right to know what personal information is collected, the right to delete your data, and the right to opt out of the sale of personal information. We do not sell your personal data. To exercise your rights, contact us at [email protected].
11 International Data Transfers
As a Canadian company committed to data sovereignty, we store and process all user data in Canada. The only instances where limited data may be processed outside Canada are:
- Payment processing for CoreMind subscriptions via Stripe (United States)
- Image and video generation requests on CoreMind, processed by third-party generation providers under their own privacy policies
In both cases, only the minimum data necessary for the specific function is shared. We ensure appropriate safeguards are in place to protect your information in accordance with this Privacy Policy and applicable Canadian privacy laws.
All other data — including your account data, conversations, memories, API Fortress security data, and all core product data — never leaves Canada.
12 Children's Privacy
Our Services are not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at [email protected]. If we learn that we have collected personal information from a child under 13, we will take steps to delete that information as quickly as possible.
13 Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this page, send an email notification to registered users where applicable, and display a prominent notice within the relevant Service.
Your continued use of our Services after any changes indicates your acceptance of the updated Privacy Policy. We encourage you to review this Privacy Policy periodically.
14 Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Fortress Technologies Hub Inc.
Suite 2500, 1 Dundas Street West
Toronto, Ontario M5G 1Z3, Canada
Privacy Inquiries: [email protected]
General: [email protected]
Phone: +1 (604) 358-1469