Privacy policy.

This policy explains how Blankit Health Inc. ("blankit," "we," "our") collects, uses, discloses, and protects personal information under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and the Quebec Act respecting the protection of personal information in the private sector (Law 25).

Last updated: 2026-05-14

1. Who we are

Blankit Health Inc. is a Canadian company that provides software-as-a-service to independent group benefits advisors and managing general agencies in Canada. Our platform helps these firms manage client books, analyze carrier renewals, and answer plan-member coverage questions.

We are the controller of personal information about the advisors and firm staff who use our product directly. We act as a processor (on behalf of subscribing firms) for the plan-sponsor and plan-member information those firms upload into the platform.

2. Information we collect

Account data (controller).

When an advisor or firm administrator creates an account, we collect: full name, work email, hashed password, optional two-factor secret (encrypted at rest), firm name, and the IP address of authentication events. We collect this to deliver the service and protect the account.

Billing data (controller).

For paid subscriptions, we collect: billing contact name, billing email, company name, subscription tier, and payment status. Card details are handled by Stripe and never seen or stored by blankit.

Client data (processor).

Subscribing firms upload data about their plan-sponsor clients (employer names and contact details), coverage booklets, claims-experience documents, carrier quotes, and renewal analyses. We process this strictly on the firm's documented instructions, under a Data Processing Agreement. The firm — not blankit — is the controller of this data.

Plan-member data (processor).

When a firm enables the plan-member chatbot, plan members may submit messages and (in optional Critical Illness enrolment flows) contact details. The firm is the controller. Consent is captured before the first message; plan members can withdraw at any time.

Operational and security telemetry.

We log application events (audit log entries, error traces, access patterns) for security and incident response. These may include IP address, user ID, and the action performed.

3. How we use information

We use personal information to:

  • Deliver, operate, and improve the platform.
  • Authenticate users and protect accounts.
  • Process subscription payments.
  • Send operational communications (password resets, security alerts, service announcements).
  • Run the analytical workflows that subscribing firms have configured — renewal analysis, booklet comparison, employee summaries, chatbot responses.
  • Respond to support requests.
  • Comply with legal obligations, including responses to lawful requests from Canadian authorities.

We do not sell personal information. We do not use it for third-party advertising.

4. Automated decision-making

blankit uses artificial intelligence (Anthropic Claude models, hosted on AWS Bedrock in Canada) to extract structured data from carrier documents and to power the plan-member chatbot.

The AI does not make decisions that have legal or similarly significant effects on individuals. It extracts information from documents the firm has uploaded and answers coverage questions. Final actuarial calculations, fair-renewal recommendations, and any communications sent to clients or carriers are produced by deterministic software and reviewed by a human advisor before they are acted on.

Under Law 25 art. 12.1, individuals subject to a decision based exclusively on automated processing have the right to be informed and to have the decision reviewed by a human. blankit does not currently operate any such decisioning, and we will update this policy if that changes.

5. Where your information is processed

The application itself, every byte of client data at rest, the database, object storage, and all backups are processed inside AWS Canada (Montreal — ca-central-1). Routine AI inference (Claude Haiku) also runs in ca-central-1.

Three operational paths involve cross-border processing, all under contractual safeguards:

  • AWS Bedrock cross-region inference — heavier AI extraction (Claude Sonnet and Opus, used for renewal PDF parsing and document comparison) is invoked through AWS's global.* inference profiles, which AWS routes to a region with capacity. In practice that is a US region. This processing is all under the AWS Customer Agreement and AWS DPA; Anthropic does not see the data.
  • Stripe (United States) processes our subscription billing. Only firm billing-contact identity is sent — never plan-sponsor or plan-member data.
  • Resend (United States) delivers transactional email such as password resets and daily firm-facing notification digests. Health information is never sent by email.

For the complete list, see our sub-processor disclosure.

6. How long we keep information

We retain personal information only as long as needed for the purpose it was collected:

  • Account data: for the life of the account, plus 30 days after closure before hard deletion.
  • Billing data: seven years after the last paid invoice, to meet Canadian tax record-keeping requirements.
  • Audit logs: seven years from the date of the logged event, then automatically deleted.
  • Marketing-site access logs: 30 days.
  • Client and plan-member data (processor): for the life of the firm's subscription, deleted within 90 days of contract termination.
  • Plan-member chatbot conversations: 12 months from the last message in the session.

7. Your rights

You have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate or out-of-date information.
  • Request deletion, subject to the retention obligations above.
  • Receive a portable copy of your data in a structured, commonly used format.
  • Withdraw consent where processing is based on consent — including chatbot interactions.

To exercise any of these rights, contact our Privacy Officer at the email below. We respond within 30 days as required by PIPEDA. Identity verification is required before fulfilment.

If you are a plan member of a firm's client and want to exercise these rights with respect to data the firm has uploaded, please direct your request to that firm — it is the controller for that data.

8. Security

We protect personal information with administrative, technical, and physical safeguards proportionate to the sensitivity of the data:

  • HTTPS-only at the application load balancer (TLS 1.2 or higher).
  • Encryption at rest for the database, object storage, and secrets manager.
  • Two-factor authentication available for every advisor account; required for admin roles.
  • Tenant isolation enforced at the database query layer — a firm cannot read another firm's data even in the event of a code error.
  • Centralized audit logging on every privileged action.
  • Daily encrypted backups in the same Canadian region.

For the operational detail behind these claims, see our Trust & security page.

9. Breaches

If we identify a confidentiality incident that creates a risk of serious injury — including loss, unauthorized access, or disclosure — we will notify affected individuals and the Commission d'accès à l'information du Québec (and other applicable regulators) without delay, as required by Law 25 and PIPEDA. Subscribing firms will be notified through their billing or security contact within 72 hours of confirmation.

10. Children

The platform is not directed to children under 14 and we do not knowingly collect personal information from them. The plan-member chatbot is intended for adult plan members covered by a Canadian group benefits plan.

11. Changes to this policy

We may update this policy as the product or its sub-processors change. Material changes will be communicated by email to firm billing contacts and posted on this page at least 30 days before they take effect. The "Last updated" date at the top of the page shows the current version.

Privacy Officer

Chris Gory

Email: chris@blankit.ca

Blankit Health Inc. — Canada

If you are not satisfied with our response to a privacy concern, you may contact the Commission d'accès à l'information du Québec (cai.gouv.qc.ca) or the Office of the Privacy Commissioner of Canada (priv.gc.ca).