Privacy Policy
Last updated: March 13, 2026
Kitsi Technologies Inc. ("Kitsi", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and safeguard your personal information when you use our website (kitsi.ca), our real estate CRM platform (the "Platform"), and related services (collectively, the "Services").
Kitsi is a Canadian company incorporated in Alberta. Your core data is stored on our own self-hosted infrastructure, with specific services (email sync, SMS, e-signatures, AI features) handled by third-party providers (see Section 5).
1. Information We Collect
1.1 Information You Provide
- Account information: Name, email address, phone number, brokerage affiliation
- Client data: Names, contact details, property information, transaction records, and notes you enter into the Platform about your clients
- Communications: Emails and SMS messages sent and received through the Platform
- Documents: Files you upload, including contracts, disclosures, and documents sent for electronic signature
- Calendar data: Events and scheduling information synced from your connected calendar
- Waitlist information: Name and phone number (if you signed up before the Platform launched)
1.2 Information Collected Automatically
- Usage data: Features used, pages visited, actions taken within the Platform
- Device information: Browser type, operating system, screen resolution
- IP address: Used for rate limiting, fraud prevention, and security only
- Log data: Server logs for error tracking and service reliability
1.3 Information from Connected Services
When you connect your email or calendar accounts (e.g., Gmail, Outlook), we access:
- Email messages in your connected inbox (to display and manage within the Platform)
- Calendar events (to sync scheduling and deadlines)
- Contact information from your address book (if you choose to import contacts)
We only access data necessary to provide the Services. We do not access accounts you have not explicitly connected.
2. How We Use Your Information
We use your information to:
- Provide the Services: Run the CRM, sync email and calendar, manage documents, and enable communication with your clients
- AI features: Generate email drafts, deadline reminders, follow-up suggestions, and workflow automation. Your data may be processed by our AI providers to deliver these features (see Section 5)
- Improve the Platform: Analyze usage patterns to fix bugs, improve features, and develop new functionality
- Communicate with you: Send service notifications, product updates, and respond to support requests
- Security and fraud prevention: Detect and prevent unauthorized access, abuse, and security threats
We do not:
- Sell your personal information to third parties
- Use your data for advertising or ad targeting
- Share your client data with other Kitsi users
- Send unsolicited marketing beyond Kitsi product updates
3. AI Data Processing
Kitsi uses artificial intelligence to power features like email drafting, deadline tracking, and workflow suggestions. When you use AI-powered features:
- Your relevant data (e.g., email content, transaction details) is sent to our AI provider for processing
- Our AI provider does not use your data to train their models
- AI-generated content is suggestions only — you review and approve before anything is sent
- You can use the Platform without AI features if you prefer
4. Data Storage and Security
- Your core data (contacts, transactions, documents, messages) is stored on our own self-hosted infrastructure in Canada. Specific services are provided by third-party providers (see Section 5)
- We use encryption in transit (TLS/SSL) and at rest
- Access to personal data is restricted to authorized personnel only
- We implement industry-standard security measures including access controls, monitoring, and regular security reviews
- Connected email credentials are handled through secure OAuth tokens — we never see or store your email password
5. Third-Party Service Providers
We use the following third-party services to operate the Platform. These providers process your data only as necessary to provide their services to us:
| Provider | Purpose | Data Processed | Country |
|---|---|---|---|
| Cloudflare | Hosting, CDN, file storage | Website and Platform delivery, uploaded files | US |
| Nylas | Email and calendar sync | Email messages, calendar events, contacts | US |
| Twilio | SMS messaging | Phone numbers, message content | US |
| DocuSign | Electronic signatures | Documents, signer names and emails | US |
| Anthropic | AI features | Content submitted to AI features (contact details, email content, transaction details) | US |
We require all third-party providers to maintain appropriate security and privacy protections. We do not share your data with any providers beyond what is listed above and what is necessary to deliver the Services.
6. Data Retention
- Active accounts: We retain your data for as long as your account is active
- Closed accounts: When you request account deletion, we begin a 30-day grace period during which you can cancel the request. After the grace period, your data is permanently deleted, unless retention is required by law
- Waitlist data: Retained until you sign up for the Platform or request deletion
- Server logs: Retained for up to 12 months for security and debugging purposes
- Backups: May persist in encrypted backups for up to 30 days after deletion
7. Your Rights
Under Canadian privacy law (PIPEDA and Alberta PIPA), you have the right to:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate personal information
- Deletion: Request deletion of your personal information (subject to legal retention requirements)
- Withdrawal of consent: Withdraw consent for data collection or processing at any time (this may limit your ability to use certain features)
- Opt out of communications: Unsubscribe from product updates at any time
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
7.1 Your Client Data
You are responsible for your own compliance with privacy laws regarding the client data you enter into the Platform. Kitsi processes your client data on your behalf — you remain the controller of that data. If one of your clients requests access to or deletion of their data, you are responsible for fulfilling that request. We will assist you as needed.
8. Data Breach Notification
In the event of a data breach that poses a real risk of significant harm, we will:
- Notify affected users as soon as feasible
- Report the breach to the Office of the Privacy Commissioner of Canada and the Alberta Information and Privacy Commissioner as required by law
- Take immediate steps to contain and remediate the breach
9. International Data Transfers
Your core data is stored on our self-hosted infrastructure. Some of your data is processed in the United States by our third-party service providers (see Section 5). Where data is transferred outside Canada, we ensure appropriate safeguards are in place, including contractual protections consistent with Canadian privacy law.
10. Children's Privacy
The Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy with a revised "last updated" date. For significant changes, we will notify you by email or through the Platform.
12. CASL Anti-Spam Compliance
Kitsi complies with Canada's Anti-Spam Legislation (CASL). We will only send you commercial electronic messages (CEMs) with your express or implied consent, as defined by CASL.
- Express consent: When you create an account or join our waitlist, we ask for your consent to send you product updates, tips, and promotional offers related to the Services. You may withdraw this consent at any time by clicking the unsubscribe link in any message or by contacting us at [email protected].
- Implied consent: We may send you CEMs based on an existing business relationship (e.g., you are a current subscriber) for up to two years after the last transaction, or an inquiry you made within the past six months. Implied consent expires as defined by CASL.
- Transactional messages: Service-related messages (account notifications, security alerts, billing confirmations) are not CEMs under CASL and do not require consent.
- Sender identification: All commercial electronic messages from Kitsi will include our business name, mailing address, and contact information as required by CASL.
- Your responsibilities: If you use the Platform to send commercial electronic messages to your clients, you are responsible for your own CASL compliance, including obtaining appropriate consent and providing unsubscribe mechanisms.
13. Contact Us
If you have questions about this Privacy Policy or our data practices:
Kitsi Technologies Inc. Email: [email protected] Privacy Officer: Anton Romankov
If you have a privacy complaint, we will acknowledge receipt within 10 business days and investigate promptly. If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada or the Office of the Information and Privacy Commissioner of Alberta.