Trust

Plain facts about where your data lives, what it's encrypted with, who else touches it, and what our AI does. If anything here disagrees with marketing copy elsewhere on the site, this page is the source of truth — please tell us so we can fix the marketing.

Last reviewed: 2026-05-17

Data location

User data is stored on servers hosted in Canada. Backups are kept in the same jurisdiction. We do not currently replicate user data outside Canada.

Encryption

  • At rest: AES-256-GCM. Sensitive fields are encrypted in our database.
  • In transit: TLS 1.2+ for every request between the browser, the API, and our internal AI services.
  • Passwords: never stored in plain text and never visible to operators. See Password security below for the hashing algorithm and policy.
  • Two-factor secrets: TOTP shared secrets are encrypted at rest with the same AES-256-GCM scheme.

Password security

  • Hashing: passwords are hashed with bcrypt at cost factor 10 before storage. The plain-text password is discarded immediately after hashing and is never written to logs, backups, or analytics.
  • Length policy: minimum 8 characters, maximum 128 characters. Any printable characters are accepted, including spaces and Unicode; long passphrases are encouraged over short complex passwords. Note that bcrypt itself only consumes the first 72 bytes of the encoded password, and a 128-character passphrase made of multi-byte Unicode characters can exceed that.
  • Reset flow: password reset links are single-use, expire after 1 hour, and are sent only to the account's verified email address.
  • Two-factor authentication: TOTP (Google Authenticator, 1Password, Authy, etc.) is available for every account. We strongly recommend enabling it from Settings → Security.
  • Passkeys (WebAuthn): you can register one or more passkeys (Touch ID, Face ID, Windows Hello, or a hardware security key) and sign in without a password. Passkeys are phishing-resistant because the private key never leaves your device. Manage passkeys from Settings → Security. Each passkey is bound to a single domain (hivi.ca or hivi-x.ca) — if you use both, register a passkey on each.
  • Refresh tokens for the Chrome extension: when you sign in via the extension we issue a refresh token so you don't have to type your password again every time the short-lived access token expires. Refresh tokens are opaque random strings; only their SHA-256 hash is stored on our servers. Each refresh rotates the token, and any attempt to reuse an older one revokes the whole token family for that device — a token theft can't survive a single legitimate refresh. Signing out of the extension or hitting Sign out everywhere on the web revokes them immediately.
  • Federated sign-in: "Sign in with Google" is supported as an alternative to a password. When used, your account has no password set on our side until you choose to add one.
  • What we don't do yet: we do not currently check new passwords against the Have I Been Pwned breach corpus. This is on our roadmap; in the meantime, the strongest configuration we offer is a passkey, or a unique passphrase combined with TOTP.

AI: what runs, and where

All AI extraction and form-mapping that touches your data runs on servers we operate. We do not send your data to OpenAI, Google, Anthropic, or any other third-party AI provider.

  • Speech-to-text: a transcription model, running on our own infrastructure.
  • Language model (form mapping, extraction, chat): a large language model, self-hosted on our own infrastructure.
  • AI output is a draft. Every AI-suggested value is shown for you to review and confirm before it is saved or sent. See our AI Reliability Notice for details on how to review AI suggestions safely.

Sub-processors

These are the third-party services that may receive a narrow slice of data in order for us to operate. They are not used for AI inference.

Provider | Purpose | What is shared
Stripe | Payments & subscriptions | Billing email, Stripe customer ID, subscription status. Card data is collected by Stripe directly — we never see or store card numbers.
Google (OAuth) | Optional "Sign in with Google" | Only used if you choose Google sign-in. Google receives an OAuth handshake; we receive your Google account identifier and email.
Email provider | Transactional email (sign-up, password reset, share notifications) | Your email address and the email body. We do not include profile fields in notification emails.

If we add a new sub-processor we will update this page. If you want a notification when this list changes, email support@hivi.ca.

The Chrome extension

  • The extension is opt-in per site. It does nothing on any website until you explicitly enable it for that site from the extension popup.
  • On enabled sites it reads field labels in order to suggest autofill values from your vault. It does not exfiltrate the page or send anything to a third-party service.
  • How sign-in works: when you click Sign in with Hivi in the extension, we open a real hivi.ca tab so you can use any sign-in method (password, passkey, Google, 2FA). The web page then sends a short-lived access token plus a rotating refresh token to the extension via Chrome's message-passing API. The extension cannot read your password and cannot perform WebAuthn directly — it only receives the resulting tokens. Only hivi.ca and hivi-x.ca are permitted to hand off tokens to the extension (enforced both in the manifest and by an origin check inside the extension).
  • You can disable a site or uninstall the extension at any time; there is no server-side state holding the extension open. Signing out of the extension revokes its refresh token on the server.
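
The origin check on the token hand-off, as an added example that is not Hivi's extension code. The manifest's `externally_connectable.matches` list is the first gate; this is the second, run inside the extension's `chrome.runtime.onMessageExternal` listener. The message shape (`type`, `accessToken`, `refreshToken`) and the sender fields consulted are assumptions for the example; the `chrome.*` wiring is shown in a comment because it cannot run outside the browser.

```javascript
// Added example (not Hivi's code): origin check for the token hand-off.
// Message shape and field names are assumptions for the example.
const TRUSTED_ORIGINS = new Set(["https://hivi.ca", "https://hivi-x.ca"]);

// Reduce a sender URL to its origin, refusing anything that is not https.
// Using URL.origin (not string prefix matching) defeats "https://hivi.ca.evil.example"
// and "https://hivi.ca@evil.example" style look-alikes.
function originOf(urlString) {
  let url;
  try { url = new URL(urlString); } catch (e) { return null; }
  if (url.protocol !== "https:") return null;
  return url.origin;
}

// Accept a hand-off only from a trusted top-level page and only if the message
// carries exactly the two string tokens we expect.
function acceptHandoff(message, sender) {
  // Chrome populates sender.origin for externally_connectable pages; fall back
  // to parsing sender.url if the runtime did not set it.
  const origin = sender.origin ?? originOf(sender.url ?? "");
  if (!origin || !TRUSTED_ORIGINS.has(origin)) return { ok: false, reason: "untrusted_origin" };
  // frameId 0 is the top frame; a trusted page embedded in a third-party iframe is refused.
  if (sender.frameId !== undefined && sender.frameId !== 0) return { ok: false, reason: "not_top_frame" };
  if (!message || message.type !== "hivi:session") return { ok: false, reason: "bad_message" };
  const { accessToken, refreshToken } = message;
  if (typeof accessToken !== "string" || typeof refreshToken !== "string") {
    return { ok: false, reason: "bad_message" };
  }
  return { ok: true, accessToken, refreshToken };
}

// In the extension's service worker (not runnable here):
// chrome.runtime.onMessageExternal.addListener((msg, sender, sendResponse) => {
//   const r = acceptHandoff(msg, sender);
//   if (!r.ok) { sendResponse({ ok: false }); return; }
//   chrome.storage.session.set({ accessToken: r.accessToken, refreshToken: r.refreshToken });
//   sendResponse({ ok: true });
// });

module.exports = { acceptHandoff, originOf, TRUSTED_ORIGINS };
```

Subdomains are deliberately not trusted: a bug on any other host under hivi.ca would otherwise be enough to plant tokens in the extension, and the allowlist should stay as narrow as the pages that actually perform the hand-off.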

Retention & deletion

  • We keep your data for as long as your account is active.
  • You can delete your account from Settings → Account. Deletion removes profile data, uploaded files, and templates from our active databases.
  • Encrypted backups containing deleted records are rotated out within 30 days of deletion.
  • Stripe retains billing records on its side as required by tax and payment regulation; we cannot delete data Stripe is legally required to keep.
  • For access, correction, export, or deletion by request, see our Data Requests page — it covers the rights you have under PIPEDA, Quebec Law 25, and GDPR, and how to exercise them.

Compliance attestations

We design with PIPEDA, PHIPA, GDPR and HIPAA principles in mind and the encryption / access patterns above are aligned with their technical safeguards. However:

We do not currently hold a third-party attestation, SOC 2 report, or formal certification against HIPAA, PHIPA, or GDPR. Until that changes, please do not treat the absence of such badges as a typo on our part.

If you represent an organisation that needs an attestation or a vendor questionnaire, email support@hivi.ca and we will be candid about what we can and can't sign.

Incident disclosure

If we discover that user data was accessed by an unauthorised party, we will:

  • Notify affected users by email within 72 hours of confirming the incident.
  • Publish a public post-mortem on this page (under Incident history) describing what happened, what data was involved, and what we changed afterwards.
  • Notify the Office of the Privacy Commissioner of Canada when the incident meets the PIPEDA "real risk of significant harm" threshold.

Incident history

No reportable incidents to date.

Reach the privacy officer

Privacy questions, deletion requests, sub-processor questions, and reports of suspected incidents: support@hivi.ca.

To exercise your access, correction, export, or deletion rights, see Data Requests. For the full legal text, see our Privacy Policy.
