Privacy Policy
Effective date: 2026-04-18
Misolla AI ("Misolla," "we," "us") is a Canadian company building an AI-native operating layer for corporate service providers, law firms, and founders. Our platform supports entity incorporation workflows, document generation, KYC and ultimate-beneficial-owner (UBO) screening, compliance monitoring, collaborative editing, and AI agents that assist users in structured legal and administrative work.
Misolla is a software provider. We are not a law firm and do not provide legal advice. Outputs generated by our platform are informational and should be reviewed by qualified counsel before being relied upon.
This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, how long we keep it, and the rights you have over it. It applies to our websites, applications, APIs, and related services (collectively, the "Services"). It does not apply to third-party services we do not control, even if they are linked from the Services.
Because Misolla is sold to businesses — primarily corporate service providers, law firms, accounting firms, and founders using our platform directly — our role under data protection law depends on context:
- For account, billing, marketing, and website visitor data, Misolla generally acts as the controller (or "business" under U.S. state privacy laws).
- For customer content and end-user data that our business customers upload, submit through our APIs, or route through our AI agents — including KYC records, identity documents, and matter files — Misolla generally acts as a processor (or "service provider") on behalf of our business customer, who is the controller. Our processing of that data is governed by the Master Services Agreement and Data Processing Addendum we have with that customer. Where those agreements conflict with this Policy, the agreement controls for the data it covers.
If you are an end user (for example, a founder completing KYC through a law firm using Misolla), please read your provider's own privacy notice first. We will honor valid data-subject requests that reach us and, where appropriate, route them to the controller.
1. Data We Collect
We organize the data we collect into the categories below. Not every category applies to every user; what we collect depends on which parts of the Services you use and how your organization has configured them.
1.1 Account and profile data
When you or your organization create an account, we collect identifiers such as name, work email, phone number, employer, role, professional credentials you choose to provide, authentication identifiers (including single sign-on identifiers), and account preferences.
1.2 Billing data
For paid plans, we collect billing contact details, tax identifiers, and transaction records. Payment card data is processed by our payment processor and is not stored by Misolla in its raw form.
1.3 Content data
Our business customers and their authorized users upload or generate content within the Services — matters, documents, templates, workflow artifacts, comments, messages, and collaboration history. Content data frequently contains personal data about third parties (for example, company directors, shareholders, signatories, or clients of a law firm).
1.4 KYC and identity data
Where the Services are used for customer onboarding, incorporation, or UBO screening, we process identity data on behalf of our business customers. This may include:
- passport, national ID, driver's license, or equivalent government-issued identification;
- proofs of address such as utility bills or bank statements;
- date of birth, nationality, tax residency, and tax identification numbers;
- beneficial ownership and control information, including ownership percentages and PEP/sanctions/adverse-media screening results returned by third-party providers;
- selfies, liveness checks, and biometric-derived signals returned by third-party identity verification providers (where those features are enabled by the customer).
Some of this information qualifies as special-category data or sensitive personal information under applicable laws. We process it only where the law allows — typically to help our customer meet anti-money-laundering (AML), counter-terrorist-financing (CTF), and corporate registry obligations, with appropriate safeguards.
1.5 Communications and collaboration data
We process messages, threads, mentions, notifications, and activity logs generated inside the Services, including attorney–client or work-product material routed through our platform by customers who have authorized that use. We treat privileged and confidential communications with heightened access controls.
1.6 AI prompt and output data
When you use AI features, we process the prompts, files, retrieval context, intermediate tool calls, and model outputs needed to produce a response. We also record structured metadata about AI runs (model used, token counts, latency, errors, tool invocations) to operate and debug the platform.
1.7 Usage telemetry and device data
We collect logs about how the Services are used: pages visited, actions taken, IP address, browser and device characteristics, approximate location derived from IP, timestamps, performance metrics, crash reports, and referring URLs. This information supports security, reliability, product analytics, and abuse prevention.
1.8 Marketing and website data
If you visit our marketing site, sign up for a webinar, or contact sales, we collect the information you submit plus limited analytics described in Section 8 (Cookies).
1.9 Data from third parties
We receive data about you from our business customers (who invite you or upload information that references you), identity verification providers, sanctions and PEP data providers, corporate registries, enrichment providers, fraud-prevention services, and publicly available sources. We use this data only for the purpose for which it was provided.
2. Why We Collect It and Our Legal Bases (GDPR / UK GDPR)
We process personal data only where we have a lawful basis. The principal bases we rely on are:
- Performance of a contract (Art. 6(1)(b)) — to provide the Services to our business customer, to set up and administer your account, and to process payments.
- Legitimate interests (Art. 6(1)(f)) — to secure the Services; prevent fraud and abuse; maintain and improve core platform functionality; operate logs and audit trails; run limited, non-identifying product analytics; and communicate about product updates where you have an existing relationship with us. Where we rely on legitimate interests, we have balanced those interests against your rights and you may object (see Section 9).
- Legal obligation (Art. 6(1)(c)) — to comply with tax, corporate, AML/CTF, sanctions, and records-retention laws that apply to Misolla itself.
- Consent (Art. 6(1)(a)) — for non-essential cookies, certain marketing communications, and any processing where the law requires consent. You may withdraw consent at any time without affecting prior processing.
- Public interest or substantial public interest (Art. 6(1)(e), Art. 9(2)(g)) — limited cases, for example cooperation with sanctions, anti-money-laundering, and counter-terrorism frameworks.
- Substantial public interest and other Art. 9 bases — where we process special-category data (for example, biometric signals from identity verification or information revealing nationality embedded in ID documents), we rely on the conditions set out in Art. 9(2) of the GDPR (and corresponding provisions in UK GDPR), most commonly those related to AML/CTF, fraud prevention, and establishing or defending legal claims.
Where Misolla acts as processor, the controller (our business customer) is responsible for establishing the lawful basis for the underlying processing and for ensuring any required notices or consents are in place.
3. How We Use Data
We use personal data to:
- provide, secure, maintain, and improve the Services;
- authenticate users, prevent unauthorized access, and enforce our terms;
- generate, render, and store documents, matters, workflow artifacts, and AI outputs;
- run KYC, UBO, sanctions, PEP, and adverse-media checks on behalf of our customers using third-party data providers;
- produce audit trails and records required by our customers' regulators;
- communicate with you about your account, security issues, service changes, and support requests;
- send marketing where permitted, which you can opt out of at any time;
- monitor performance, diagnose errors, and debug the platform;
- conduct fraud, abuse, and security investigations;
- comply with legal obligations and respond to lawful requests from public authorities.
We do not sell personal data. We do not "share" personal data for cross-context behavioral advertising as defined under U.S. state privacy laws.
4. AI and Machine Learning
AI is central to our product, and we treat it with correspondingly strict data commitments.
No training on customer data by default. We do not use customer content, KYC data, documents, communications, AI prompts, AI outputs, embeddings, or derived artifacts to train, fine-tune, or otherwise improve foundation models or any machine-learning model intended for use outside of that customer's workspace. This restriction extends to derived data such as vector embeddings, fine-tuned weights, and retrieval caches.
Sub-processor obligations. We contractually require every AI sub-processor we use — including model providers, vector-store providers, inference infrastructure providers, and retrieval/search providers — to agree that customer data will not be used to train their models and to honor zero- or short-retention settings that match our commitments.
Model inputs and outputs. We send only the data needed to serve the request. Prompts, context, and outputs are processed in transit, logged to operate and debug the Services, and retained under the timelines described in Section 7.
Customer-workspace improvements. Within a given customer's workspace, we may build features such as templates, suggestions, or retrieval indexes that learn from that workspace's own data, for the sole benefit of that workspace, and subject to the controls offered in the product.
Automated decision-making. The Services support workflow automation but are intended to assist — not replace — qualified human decision-makers. We do not make decisions that produce legal or similarly significant effects on an individual based solely on automated processing without appropriate human review, and customers are responsible for configuring their own workflows consistent with applicable law.
Accuracy. AI-generated content may be incomplete, out of date, or incorrect. Our customers remain responsible for reviewing outputs before use, and any outputs framed as legal guidance must be reviewed by qualified counsel.
5. How We Share Data
We share personal data only as described below.
5.1 Sub-processors
We use vetted sub-processors to host infrastructure, deliver email and notifications, run background jobs, provide analytics and error monitoring, deliver identity verification, perform sanctions and PEP screening, process payments, and power AI features. Each sub-processor is bound by written agreements that require confidentiality, appropriate security, purpose-limited use, and — where they are outside the jurisdiction of the data exporter — an approved transfer mechanism.
A current list of our sub-processors, updated as it changes, is available on request to our business customers and through the designated channel set out in their contract with us.
5.2 Third-party data providers
To perform KYC, UBO, sanctions, PEP, adverse-media, and corporate-registry lookups, we query third-party data providers on behalf of our customers. Results are returned into the customer's workspace and stored as part of the customer's records.
5.3 Business customers and their authorized users
Data submitted through a customer workspace is visible to users the customer has authorized within that workspace, according to roles and permissions the customer configures.
5.4 Professional advisors
We share data with our auditors, lawyers, and insurers where needed and under confidentiality obligations.
5.5 Legal, safety, and compliance
We may disclose data where we believe in good faith it is required to comply with law, to respond to valid legal process, to enforce our terms, or to protect the rights, property, or safety of Misolla, our customers, or others.
5.6 Corporate transactions
If Misolla is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal data may be transferred as part of that transaction, subject to the protections in this Policy.
6. International Data Transfers
Misolla is established in Canada and operates across multiple jurisdictions; our sub-processors may too. When we transfer personal data out of Canada, the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with transfer restrictions (including, as applicable, the UAE under the PDPL, Singapore under the PDPA, and various U.S. state regimes), we rely on one or more of the following mechanisms:
- adequacy decisions issued by the relevant regulator;
- the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and the Swiss addendum, as applicable;
- the comparable level of protection assessment required under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and under Quebec's Law 25 where it applies, with contractual safeguards binding the recipient;
- derogations permitted by law for specific, limited transfers;
- the equivalent transfer tools recognized under other applicable regimes (for example, Standard Contractual Clauses under the UAE PDPL or Singapore PDPA cross-border transfer requirements).
We also apply supplementary technical and organizational measures — including encryption in transit and at rest, access controls, and contractual limits on government-access requests — where required by our transfer assessments.
Copies of our SCCs (with sensitive commercial terms redacted) are available to business customers on request.
7. Retention
We keep personal data only as long as we need it. Actual retention depends on the data category, the configuration chosen by our business customer, and any legal hold that applies.
- Account and profile data: kept while the account is active and for a reasonable period afterward to handle disputes and satisfy recordkeeping obligations.
- Billing data: kept as long as required by tax and accounting law in the jurisdictions we operate in (typically several years).
- Content, KYC, and matter data: kept under the controller's instructions. Where Misolla is processor, our default is to retain data for the term of the customer's subscription and then delete or return it within a short, contractually defined window, subject to legal holds. Regulated customers (for example, under AML rules) frequently require longer retention — often five years or more — and can configure the Services accordingly.
- AI prompts, outputs, and execution logs: retained in operational logs for a limited period needed to operate, debug, and secure the platform, and then deleted or aggregated.
- Security and audit logs: retained for a period proportionate to their purpose (typically up to 24 months).
- Marketing and website data: retained until you opt out or the data is no longer useful, whichever is earlier.
Where retention is governed by our customer's configuration, that configuration is the source of truth.
8. Cookies and Analytics
We use cookies and similar technologies on our marketing and product surfaces for three purposes:
- Strictly necessary — to sign you in, keep your session secure, and remember minimal preferences. These cannot be turned off.
- Performance and analytics — to understand how the Services are used in aggregate and improve them. Where required by law, we only set these cookies with your consent.
- Limited marketing — on our marketing site, to measure campaign performance. We do not use cross-context behavioral advertising cookies inside the authenticated product.
Where a consent banner is shown, you can change your choices at any time through the banner or your browser settings. We honor Global Privacy Control ("GPC") signals where required by applicable law.
9. Your Rights
Depending on where you live, you may have the following rights, subject to legal exceptions:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete personal data.
- Deletion / erasure — ask us to delete personal data we no longer have a basis to keep.
- Restriction — ask us to pause certain processing.
- Objection — object to processing based on legitimate interests or direct marketing.
- Portability — receive your personal data in a structured, commonly used, machine-readable format.
- Withdraw consent — where we process on the basis of consent.
- Not be subject to decisions based solely on automated processing that have legal or similarly significant effects.
- Non-discrimination (U.S. state laws) for exercising your rights.
- Appeal (where required) a denial of a rights request.
- Complain to your local data protection authority — for example, the Office of the Privacy Commissioner of Canada (OPC), the Commission d'accès à l'information du Québec, the relevant EU supervisory authority, the UK ICO, the UAE Data Office, Singapore's PDPC, or a U.S. state regulator.
To exercise any of these rights, contact us using the details in Section 13. If you are an end user of a customer workspace, we will typically forward your request to the controller and assist as required.
We may need to verify your identity before acting on a request, and we may decline or limit a request where the law permits.
10. Security
We maintain a written information security program aligned with industry-recognized standards. At a high level, controls include:
- encryption of data in transit and at rest;
- tenant isolation and strict role-based access;
- least-privilege internal access with logging and review;
- multi-factor authentication, SSO, and audit trails;
- vendor security review and continuous monitoring;
- vulnerability management, penetration testing, and incident response.
More detail, along with compliance reports and certifications, is available on our Trust page and by request.
No service can guarantee perfect security. If we become aware of a security incident affecting your personal data, we will notify affected parties as required by law and by our customer contracts.
11. Children
The Services are built for business use and are not directed to children. We do not knowingly collect personal data from individuals under 16. If you believe a child has provided us personal data, please contact us and we will delete it.
12. Changes to This Policy
We may update this Policy from time to time. When we do, we will change the "Effective date" at the top and, for material changes, provide reasonable advance notice — for example, by email to administrators or through an in-product notice. Your continued use of the Services after an update means you accept the updated Policy, to the extent permitted by law.
13. How to Contact Us
For privacy questions, to exercise a right, or to raise a concern:
- Email: [email protected]
- Mail: Misolla AI — Privacy, [registered office address to be inserted by Misolla]
If you are in the EEA or the UK and your inquiry is not resolved to your satisfaction, you may also contact the data protection authority in your country of residence.
Where Misolla acts as a processor on behalf of a business customer, please address your request first to that customer (the controller). We will support the controller in responding.
This draft is AI-generated and must be reviewed and approved by qualified privacy counsel before use.