Privacy Policy

This Privacy Policy describes how Ashta Limited Company ("Ashta," "we," "us," or "our") collects, uses, discloses, and otherwise processes personal information in connection with the Compliance Desk platform (the "Platform"), our websites, and related services (collectively, the "Services").

By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Services.

Ashta operates in two capacities depending on the nature of the data:

• Data Controller: When we collect and process information for our own business purposes (e.g., managing user accounts, billing, platform operations), we act as a data controller.
• Data Processor: When our customers (licensed agents) upload or input client information for compliance verification purposes, we act as a data processor on their behalf. The customer remains the data controller for such Client Data.

We collect information in the following categories:

Account Information

• Name, email address, phone number
• Business name and address
• Professional license information
• Password (stored in hashed form)

Identity Verification Data (for Agents)

• Government-issued ID documents
• Social Insurance Number (SIN) or Social Security Number (SSN)
• Date of birth
• Residential address
• Biometric data (facial recognition during identity verification)

Client Data (Processed on Behalf of Agents)

• Client name, email, phone number
• Client SIN/SSN (encrypted at rest)
• Client address (encrypted at rest)
• Identity documents uploaded by clients
• Verification results from third-party providers

Transaction and Billing Information

• Payment card information (we do not store full card numbers)
• Billing address
• Transaction history and invoices

Technical Information

• IP address
• Browser type and version
• Device information
• Usage data and analytics

We use the information we collect to:

• Provide, maintain, and improve the Services
• Process identity verification and compliance checks
• Process payments and manage billing
• Communicate with you about your account and the Services
• Send transactional emails (verification results, receipts, invoices)
• Ensure security and prevent fraud
• Comply with legal obligations
• Maintain audit trails for regulatory compliance
• Provide customer support

The Platform may include features that use artificial intelligence or machine learning techniques to support operational and workflow-related functionality, such as AI-assisted failure resolution.

Important: Client Data is not used to train generalized, shared, or cross-customer artificial intelligence models. AI features analyze data only to provide the specific service requested.

AI-assisted systems generate probabilistic outputs and may produce inaccurate, incomplete, or misleading results. Responsibility for reviewing, validating, and approving any outputs generated through the Platform rests solely with the customer.

We may share your information with the following categories of recipients:

Service Providers

We work with trusted third-party service providers who assist us in operating the Platform, including providers of:

• Identity verification services
• Credit verification services
• Payment processing
• Email delivery
• Cloud hosting and infrastructure
• Document storage

These providers are contractually bound to protect your information and may only use it to provide services to us.

Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Ashta, our users, or others.

Business Transfers

In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

Ashta does not sell personal information and does not share personal information for cross-context behavioral advertising purposes.

We implement appropriate technical and organizational measures to protect your information:

• Encryption at rest: Sensitive data (SIN/SSN, addresses) encrypted using industry-standard encryption
• Encryption in transit: All data transmitted via HTTPS/TLS
• Password security: Passwords securely hashed using industry-standard algorithms
• Access controls: Role-based access with admin approval workflows
• Audit logging: Immutable logs of all security-relevant actions
• Rate limiting: Protection against brute force attacks

We retain information for as long as necessary to provide the Services and comply with legal obligations:

• Client verification data: Retained for 7 years to comply with financial regulatory requirements
• Account data: Retained while your account is active and for a reasonable period thereafter
• Audit logs: Retained for 7 years for compliance purposes
• Transaction records: Retained for 7 years for tax and regulatory compliance

Information may be processed and stored in the United States where Ashta and its service providers operate. By using the Services, you consent to the transfer and processing of your information in the United States.

Depending on your jurisdiction, you may have certain rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate information
• Deletion: Request deletion of your information (subject to legal retention requirements)
• Portability: Request a copy of your data in a portable format
• Objection: Object to certain processing activities
• Withdraw consent: Where processing is based on consent, withdraw that consent

To exercise these rights, contact us at support@ashta.ai.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to know what personal information is collected
• Right to know if personal information is sold or disclosed
• Right to opt out of the sale of personal information
• Right to request deletion of personal information
• Right to non-discrimination for exercising privacy rights

Note: Ashta does not sell personal information as defined by the CCPA/CPRA.

If you are located in Canada, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation:

• Right to access personal information held by us
• Right to challenge the accuracy and completeness of your information
• Right to withdraw consent (subject to legal or contractual restrictions)
• Right to lodge a complaint with the Privacy Commissioner of Canada

We may send you marketing communications about our Services. You can opt out of marketing emails by clicking the "unsubscribe" link in any marketing email or by contacting us at support@ashta.ai.

Even if you opt out of marketing communications, we will still send you transactional emails related to your account and the Services.

The Services are not directed to children under 18 years of age, and we do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at support@ashta.ai.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the Platform prior to the effective date of the changes. Your continued use of the Services after the effective date constitutes acceptance of the updated Privacy Policy.

If you have questions about this Privacy Policy or our privacy practices, please contact us: