Privacy Policy
Last updated: 2026-02-20
Last updated: April 6, 2026
1. Introduction
BorealHost.ai (hereinafter "BorealHost", "we", "our" or "us") is a Quebec-based web hosting company integrating artificial intelligence modules. We are committed to protecting the personal information of our users, clients and visitors (hereinafter "you" or "your") in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada and the Act to modernize legislative provisions as regards the protection of personal information of Quebec (Law 25).
This privacy policy describes the personal information we collect, the purposes for which we use it, the third parties with whom we share it, and your privacy rights. By using our services, you acknowledge that you have read this policy.
2. Privacy officer
In accordance with Law 25, BorealHost has designated a privacy officer. For any questions regarding the collection, use or disclosure of your personal information, or to exercise your rights, please contact our officer:
3. Data collected
We collect the following categories of personal information in the course of providing our services:
3.1 Account information
Lors de la création de votre compte, nous collectons votre nom, votre adresse courriel, votre mot de passe (stocké sous forme de hachage cryptographique), votre langue préférée et, le cas échéant, le nom de votre entreprise. Si vous utilisez l'authentification Google OAuth, nous recevons votre nom, votre adresse courriel et votre photo de profil de Google.
3.2 Billing information
Payment processing is handled by Stripe, Inc. We never store your credit card numbers or complete banking data on our servers. We only retain a Stripe customer identifier, card type (e.g., Visa, Mastercard), the last four digits of the card, invoice history and subscription status.
3.3 Service usage data
We collect data relating to your use of our services, including: server resources consumed (CPU, memory, storage, bandwidth), domain names registered or configured, website configurations, hosted files, databases, backups and control panel activity logs.
3.4 Artificial intelligence usage data
When you use our artificial intelligence modules (AI agents, model marketplace, playground), we collect your text prompts, generated responses, tools executed by agents, tokens consumed and associated costs. This data is necessary for usage-based billing and service improvement.
3.5 Inference API and self-hosted models
BorealHost offre un service d'inférence par API permettant l'accès à des modèles de langage (LLM) hébergés sur notre propre infrastructure GPU. Concernant ce service :
- Aucune requête (prompt) ni réponse (completion) n'est utilisée pour l'entraînement de modèles.
- Aucun contenu de requête n'est journalisé en production. Seules les métadonnées de facturation (horodatage, nombre de jetons, identifiant du modèle) sont conservées.
- Les métadonnées de facturation sont purgées après 90 jours.
- Les documents transmis (PDF, images) sont traités en mémoire et ne sont pas stockés sur disque.
- L'inférence est exécutée sur des serveurs GPU dédiés. Aucun partage de ressources GPU entre clients ne permet l'accès aux données d'un autre client.
3.6 Cookies
We use cookies and similar technologies, as described in section 5 of this policy.
3.7 Server logs
Our servers automatically record certain information with each request, including: IP address, browser type and version, pages viewed, date and time of access, referral URL and operating system. These logs are used for security, debugging and statistical analysis purposes.
4. Processing purposes
We use your personal information for the following purposes:
- Service provision: create and manage your account, provision and maintain your hosting services, process your support requests.
- Billing: process payments, issue invoices, manage subscriptions and usage-based billing for AI tokens.
- Security: protect our systems and your data against unauthorized access, detect and prevent fraud, enforce our terms of use.
- Analytics: understand the usage of our services in order to improve them, produce aggregated and anonymized statistics.
- Artificial intelligence processing: execute your requests to AI models, display results and track token consumption.
- Communications: send you account-related notices, service updates, security alerts and, with your consent, promotional communications.
- Legal compliance: meet our obligations under applicable laws, respond to legal requests and cooperate with competent authorities.
5. Cookies
We use cookies and similar technologies to operate our site, improve your experience and measure the performance of our services. Cookies fall into three categories:
5.1 Essential cookies
These cookies are strictly necessary for the site to function. They include session cookies, CSRF tokens (cross-site request forgery protection), language preferences and authentication cookies. They cannot be disabled.
5.2 Analytics cookies
These cookies allow us to measure audience and understand how visitors use our site (pages visited, visit duration, bounce rate). We use Google Analytics 4 for this purpose. These cookies are set only with your consent.
5.3 Marketing cookies
These cookies are used to measure the effectiveness of our advertising campaigns and show you relevant ads. They include Meta (Facebook) pixels and Google Ads tags. These cookies are set only with your consent.
You can manage your cookie preferences at any time via our consent banner, accessible from the site footer. In accordance with Google's Consent Mode v2, no analytics or marketing cookies are set before obtaining your explicit consent.
6. Sharing with third parties
We never sell your personal information. We share certain data with trusted sub-processors, strictly to the extent necessary for the provision of our services. Here is the list of our sub-processors:
| Sub-processor | Purpose | Data shared | Location | Privacy Policy |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing | Name, email, card data, billing address | Canada (Montreal) | stripe.com/privacy |
| LeaseWeb / RunPod | GPU infrastructure for self-hosted AI inference | Inference requests (processed in memory, not stored) | Canada (Montreal) / United States | leaseweb.com/privacy |
| Google Analytics (Google LLC) | Web analytics | IP address (anonymized), pages visited, browsing data | United States | policies.google.com/privacy |
| Meta Platforms, Inc. | Marketing and ad attribution | Conversion events, IP address, browser identifiers | United States | facebook.com/privacy/policy |
| OpenAI, Inc. | Artificial intelligence processing | Text prompts, site content (if authorized by the user) | United States | openai.com/privacy |
| Anthropic, PBC | Artificial intelligence processing | Text prompts, site content (if authorized by the user) | United States | anthropic.com/privacy |
| Google AI (Google LLC) | Artificial intelligence processing (Gemini) | Text prompts, site content (if authorized by the user) | United States | policies.google.com/privacy |
| DeepSeek | Artificial intelligence processing | Text prompts, site content (if authorized by the user) | China ⚠️ | deepseek.com/privacy |
| Moonshot AI (Kimi) | Artificial intelligence processing | Text prompts, site content (if authorized by the user) | China ⚠️ | moonshot.cn/privacy |
| xAI (Grok) | Artificial intelligence processing | Text prompts, site content (if authorized by the user) | United States | x.ai/privacy |
⚠️ China-based providers — DeepSeek and Moonshot AI (Kimi) are providers based in the People's Republic of China. Data transmitted to these providers may be subject to Chinese cybersecurity and data protection laws. The use of these models in our marketplace requires your explicit and separate consent, obtained before any data transmission.
7. Use of data from Google services
BorealHost offre la possibilité de se connecter et de créer un compte à l'aide de l'authentification Google (« Se connecter avec Google »). Lorsque vous utilisez cette fonctionnalité, nous accédons aux données suivantes de votre compte Google :
- Your full name (to personalize your BorealHost account)
- Your email address (to identify your account and send you service-related communications)
- Your profile picture (to display an avatar in your dashboard)
L'utilisation et le transfert par BorealHost des informations reçues des API Google vers toute autre application respectent la Politique relative aux données utilisateur des services API Google, y compris les exigences d'utilisation limitée.
Plus précisément :
- We use Google data only for the purposes described in this privacy policy (creating and managing your account).
- We never sell data received from Google.
- We do not transfer Google data to third parties, except when necessary to provide the service, required by law, or with your explicit consent.
- We do not retain Google data beyond what is necessary (in accordance with section 9 below).
- No human reads the content of your Google data, except with your explicit consent, for security or legal compliance purposes, or when data is aggregated and anonymized for internal statistical purposes.
Vous pouvez révoquer l'accès de BorealHost à votre compte Google à tout moment depuis les paramètres de sécurité de votre compte Google. La révocation n'entraîne pas la suppression de votre compte BorealHost, mais désactivera la connexion via Google. Vous pourrez toujours accéder à votre compte en définissant un mot de passe.
8. International data transfers
Your hosting data (files, databases, backups, logs) is stored exclusively in Canada, in our data center located in Montreal, Quebec.
Notre service d'inférence auto-hébergé (modèles BorealHost) traite les requêtes sur des serveurs GPU dédiés. Ces serveurs sont situés au Canada (Montréal) lorsque nous utilisons notre infrastructure LeaseWeb, ou aux États-Unis lorsque nous utilisons une capacité GPU supplémentaire chez RunPod. Les requêtes sont traitées en mémoire et ne sont pas stockées sur disque. Aucun entraînement de modèle n'est effectué à partir de vos données.
Lorsque vous utilisez nos modules d'intelligence artificielle via des fournisseurs tiers, vos requêtes textuelles peuvent être transmises à des fournisseurs situés aux États-Unis (OpenAI, Anthropic, Google AI, xAI) ou en Chine (DeepSeek, Moonshot AI). Ces transferts sont nécessaires à l'exécution du service demandé et sont effectués conformément aux exigences de la LPRPDE et de la Loi 25.
For China-based providers, explicit and separate consent is required before any data transmission, due to the distinct legal framework of this jurisdiction regarding the protection of personal information.
We have implemented appropriate contractual measures with each of our sub-processors, including confidentiality clauses, security obligations and restrictions on the use of transmitted data.
9. Retention periods
We retain your personal information for the period necessary for the purposes for which it was collected. The applicable retention periods are as follows:
| Data type | Retention period |
|---|---|
| Account data | Duration of the contractual relationship + 30 days after account deletion |
| Billing data | 7 years (in accordance with Canadian and Quebec tax obligations) |
| Server logs | 90 days |
| Backups after deactivation | 30 days after end of service (final backup) |
| Conversations with AI agents | 90 days |
| Inference API requests (content) | Not retained (processed in memory only) |
| API billing metadata (tokens, timestamp) | 90 days |
Upon expiration of these periods, data is securely deleted or irreversibly anonymized.
10. Security measures
We implement appropriate technical and organizational security measures to protect your personal information against loss, unauthorized access, disclosure, modification or destruction. These measures include:
- TLS 1.3 encryption for all communications between your browser and our servers.
- LXC container isolation: each dedicated hosting site is isolated in its own Linux container, preventing cross-access between clients.
- Strict access controls: shared hosting sites are protected by open_basedir and per-site PHP-FPM permissions.
- Two-factor authentication (2FA): available for all accounts via TOTP codes and backup codes.
- Intrusion protection: fail2ban automatically monitors and blocks malicious access attempts.
- Encrypted backups: backups are stored securely with restricted access.
- PCI-DSS compliance: card payment processing is fully delegated to Stripe, certified PCI-DSS Level 1. No card data passes through our servers.
11. Your rights
In accordance with PIPEDA and Quebec's Law 25, you have the following rights regarding your personal information:
- Right of access — You may request a copy of the personal information we hold about you.
- Right of rectification — You may request the correction of inaccurate or incomplete information.
- Right to erasure — You may request the deletion of your personal information, subject to our legal retention obligations.
- Right to portability — You may request to receive your personal information in a structured and commonly used format.
- Right to withdraw consent — You may withdraw your consent at any time for processing based on consent, without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact our privacy officer at [email protected]. We will process your request within 30 days in accordance with PIPEDA. If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada or the Quebec Commission d'accès à l'information (CAI).
12. Privacy incident notification
In accordance with Quebec's Law 25 and PIPEDA, in the event of a privacy incident involving your personal information and presenting a risk of serious harm, we commit to:
- Notify the Quebec Commission d'accès à l'information (CAI) with diligence.
- Notify the individuals whose information is affected by the incident.
- Take reasonable measures to reduce the risk of harm and prevent new incidents.
- Maintain a register of all privacy incidents, whether or not they present a risk of serious harm.
Notice to affected individuals will be sent by email as soon as possible and will contain a description of the information affected, the circumstances of the incident, the measures taken and the contact information of a resource person.
13. Minors
Our services are not intended for persons under the age of 18. In accordance with the Civil Code of Quebec, the capacity to contract is reserved for persons of full age (18 years). We do not knowingly collect personal information from minors. If we learn that a minor has provided us with personal information, we will take the necessary steps to delete it as soon as possible. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected].
14. Changes to this policy
We may modify this privacy policy from time to time to reflect changes in our practices, services or applicable legal requirements. In the event of a substantial modification, we will notify you by email or by a prominent banner on our website, at least 30 days before the changes take effect.
The date of the last update is indicated at the top of this page. We encourage you to regularly review this policy to stay informed about how we protect your personal information.
15. Contact us
For any questions, concerns or requests regarding this privacy policy or the processing of your personal information, please contact us:
BorealHost.ai
Privacy officer
Email : [email protected]
165-1494 chemin de Chambly
Longueuil, QC J4J 3X3
Canada