Privacy Policy

Devy ("we," "us," or "our") is an AI-powered informational support platform for parents, caregivers, clinicians, and teachers supporting children with special needs. This Privacy Policy governs the collection, use, and disclosure of personal information in connection with the Devy platform.

Devy operates in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private-sector privacy law. The platform is also designed with the principles of Ontario's Personal Health Information Protection Act (PHIPA) in mind, recognizing that some users may discuss health-related topics in the context of supporting children.

Devy is operated as a centralized platform with a single global administrator managing the shared knowledge base. The organization responsible for this platform is the data controller for all personal information collected through Devy.

All data is stored in Canada (ca-central-1 region) to meet PIPEDA data residency expectations and to facilitate PHIPA-aligned data governance for Ontario users.

For all privacy-related inquiries, contact: privacy@devy.ca

We collect the following categories of personal information:

Account information

• Name and email address (provided at signup)
• Account type (parent, caregiver, clinician, teacher, or other)
• Password (hashed and managed by Supabase Auth — we never see plaintext passwords)
• Account creation timestamp and last sign-in time

Child/client profiles (optional)

• First name of the child or client
• Date of birth (optional — age is derived client-side and not stored on the server)
• User-defined descriptive labels (e.g. learning style preferences, interests, routines)
• Free-form notes you choose to enter

Conversations and messages

• The text of messages you send to the Devy AI assistant
• AI responses and citations (knowledge base sources and PubMed references)
• Conversation titles and metadata (timestamps, associated child profile if selected)

Usage and technical data

• Authentication logs managed by Supabase (IP address, timestamps)
• Consent records (timestamp and version of policy accepted)
• Privacy audit events (data export requests, deletion requests)

We use your personal information only for the following purposes:

• Providing the service: Generating AI-powered responses relevant to the child profiles and questions you provide.
• Account management: Authentication, session management, account recovery, and role-based access control.
• Service improvement: Aggregated, de-identified analytics to understand how the platform is used. We do not use individual conversation content for this purpose.
• Safety and abuse prevention: Rate limiting, fraud detection, and enforcement of our terms of service.
• Legal compliance: Meeting our obligations under PIPEDA, PHIPA, and applicable Canadian law, including breach notification requirements.
• Privacy audit trail: Recording consent events and data subject requests for accountability and compliance purposes.

We do not use your conversation content or child profile data to train AI models. Conversations are processed in real-time through the OpenAI API under a data processing agreement and are not retained by OpenAI for training purposes under our agreement.

Devy does not sell, rent, trade, or otherwise transfer your personal information to third parties for commercial purposes. This applies to all personal information, including child profile information and conversation content.

We share information with third parties only in the following limited circumstances:

• Supabase Inc.: Database hosting, authentication, and file storage. Data is stored in the ca-central-1 AWS region (Canada). Supabase acts as a data processor under our data processing agreement.
• OpenAI: Chat message content is transmitted to OpenAI's API to generate responses. OpenAI processes this data as a data processor under our agreement and does not use it for model training. Refer to OpenAI's enterprise data usage policies for details.
• National Center for Biotechnology Information (NCBI/PubMed): Anonymized search queries may be sent to the PubMed API to retrieve research citations. No personal information is transmitted.
• Legal requirements: We may disclose information if required by law, court order, or to protect the safety of individuals.

Devy uses OpenAI's GPT-4o model to generate responses. When you send a message:

• Your message text and, if selected, the child's name and descriptive labels from their profile are transmitted to OpenAI's API.
• Relevant excerpts from Devy's knowledge base and/or PubMed research are included as context.
• The AI response is returned and stored in your conversation history on our servers (in Canada).

We recommend avoiding the inclusion of highly sensitive personal health identifiers (e.g., full legal names combined with specific diagnoses) in message content. Use the child profile descriptive labels sparingly and only as needed to improve response relevance.

If you are an Ontario health information custodian (as defined under PHIPA — e.g., a physician, registered nurse, or regulated health professional), you should be aware of the following:

• Devy is not a health information custodian. It is an informational support tool.
• We do not store personal health information (PHI) as defined under PHIPA in structured clinical records.
• Child profiles are designed to hold organizational labels and notes, not clinical records. We strongly recommend against entering formal diagnoses, clinical assessments, or treatment plans.
• If you are subject to PHIPA obligations, you should assess whether and how Devy fits within your privacy management framework before use.

We maintain an internal incident log and are committed to notifying affected individuals and reporting to the applicable Commissioner (OPC for PIPEDA; IPC for PHIPA) in the event of a breach that presents a real risk of significant harm, as required by law.

We retain your information for as long as your account is active or as needed to provide services. Specific retention periods:

• Account information: Retained until account deletion, plus 30 days for backup purge cycles.
• Child profiles: Deleted when you delete the profile or when your account is deleted.
• Conversations and messages: Retained until you delete the conversation or your account. You may delete individual conversations at any time from the chat interface.
• Privacy audit log: Retained for 7 years for compliance accountability. This log is anonymized upon account deletion (user_id set to NULL, personal identifiers removed).
• Authentication logs: Managed by Supabase Auth per their retention policies (generally 90 days).

Under PIPEDA, you have the right to:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate personal information.
• Withdrawal of consent: Withdraw your consent to processing (this may affect your ability to use the platform).
• Deletion (erasure): Request deletion of your account and all associated personal data. You can initiate this from Settings → Privacy & Data.
• Data export: Request a portable copy of your data in a structured format. Available from Settings → Privacy & Data.
• Complaint: Lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca or, for Ontario health privacy matters, the Information and Privacy Commissioner of Ontario (IPC) at ipc.on.ca.

To exercise any of these rights, use the tools in Settings → Privacy & Data or contact us at privacy@devy.ca. We will respond within 30 days.

We implement technical and organizational measures to protect your personal information:

• All data is encrypted in transit (TLS) and at rest (AES-256 via Supabase/AWS).
• Row-level security policies ensure users can only access their own records.
• Admin access to user data requires separate privileged authentication.
• API keys and service credentials are never exposed to the browser or client-side code.
• Rate limiting is applied to all public-facing API endpoints to prevent abuse.
• We maintain an internal security incident log and follow a documented breach response procedure.

Despite these measures, no system is completely secure. If you discover a security vulnerability, please report it responsibly to security@devy.ca.

Devy is a platform for adults (parents, caregivers, clinicians, and teachers). We do not knowingly collect personal information directly from children under 13. Children do not have accounts on Devy — only the adult caregivers and professionals supporting them do.

Child profile information entered by adult users is subject to this Privacy Policy. We encourage entering only the minimum information needed to generate relevant AI guidance.

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the version identifier and effective date at the top of this page.
• Require all users to re-read and re-consent to the updated policy before accessing the platform.
• Record the new consent event in your privacy audit log.

Non-material changes (typos, clarifications, formatting) will not require re-consent but will be documented with an updated version number.

For all privacy-related inquiries, requests, or complaints: