Privacy Policy

1.About A4B Software Solutions

A4B Software Solutions Inc. ("A4B", "we", "our", or "us") is a technology company incorporated in Ontario, Canada, with its principal place of business in Mississauga, Ontario. We develop and operate software platforms for business clients across Canada and the United States, including artificial intelligence agent systems, document processing tools, identity verification services, and communications automation.

Our registered contact for privacy matters:

2.Scope of This Policy

This Privacy Policy applies to all personal information collected, used, disclosed, or retained by A4B Software Solutions in connection with the following products and services:

• A4B AI Agents (including Sophia AI): AI-powered virtual agents that interact with end-customers on behalf of our business clients to collect contact information, schedule appointments, and manage business workflows.
• Dealership Document Scanning & OCR: Automated optical character recognition and document processing services for automotive dealerships.
• Driver's Licence Verification: Identity verification services that process government-issued photo identification documents.
• Finance Manager Dashboard: A business intelligence and management tool for dealership finance operations.

This Policy covers:

• Business clients ("Clients") who subscribe to our services under a service agreement.
• End-customers ("End-Users") of our Clients whose information is processed through our platform.
• Visitors to our website at https://a4b.ca.

This Policy does not cover Rating5 or any other A4B product not listed above. Separate policies apply to those services where applicable.

3.Applicable Laws and Regulatory Framework

A4B Software Solutions operates in compliance with the following Canadian and North American privacy laws and regulations:

3.1Canada: PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5, governs our collection, use, and disclosure of personal information in the course of commercial activities across Canada. We adhere to the 10 Fair Information Principles set out in Schedule 1 of PIPEDA: Accountability, Identifying Purposes, Consent, Limiting Collection, Limiting Use / Disclosure / Retention, Accuracy, Safeguards, Openness, Individual Access, and Challenging Compliance.

3.2Canada: CASL

Canada's Anti-Spam Legislation (CASL), S.C. 2010, c. 23, governs all commercial electronic messages (CEMs) — including SMS, RCS, email, and WhatsApp messages — sent within, from, or to Canada. We obtain valid express or implied consent before sending any CEM, include required identification information in every message, and provide a functional, cost-free unsubscribe mechanism in every CEM.

3.3Provincial Privacy Laws

Where our services involve residents of Quebec, Alberta, or British Columbia, we also comply with provincial privacy statutes that have been declared substantially similar to PIPEDA: Quebec Law 25 (Act Respecting the Protection of Personal Information in the Private Sector, as amended), Alberta's Personal Information Protection Act (PIPA), and British Columbia's Personal Information Protection Act (PIPA BC). Quebec Law 25 imposes additional obligations including privacy impact assessments and heightened consent standards; we apply these standards to all Quebec residents.

3.4United States: TCPA

For communications directed to recipients in the United States, we comply with the Telephone Consumer Protection Act (TCPA), 47 U.S.C. § 227, including requirements for prior express written consent before sending automated or pre-recorded calls and text messages, and for honoring Do Not Call (DNC) registry registrations.

3.5Third-Party Platform Requirements

Our services use third-party communication and advertising platforms, each with their own requirements that we satisfy:

• Meta (Facebook Ads and WhatsApp Business Cloud API): We maintain a published, accessible Privacy Policy as required by Meta's Lead Ads Terms of Service and WhatsApp Business Policy. We obtain valid opt-in consent before initiating WhatsApp Business messages and honor all opt-out requests immediately.
• Twilio (SMS, Voice Calls, RCS): We comply with Twilio's Messaging Policy, CTIA Messaging Principles and Best Practices, and applicable carrier requirements, including STOP/opt-out keyword support and A2P 10DLC registration for US traffic.

4.Personal Information We Collect

4.1From Business Clients

• Business contact information: name, email address, phone number, job title.
• Business registration and billing details: company name, business address, payment card information (processed via PCI-compliant payment processors; A4B does not store raw card data).
• Account credentials and usage data: login credentials, IP addresses, browser/device identifiers, platform activity logs.
• Communications: support requests, email correspondence.

4.2From End-Users (via AI Agents and Client Platforms)

When our AI agents (including Sophia AI) interact with End-Users on behalf of a Client, we may collect, on that Client's behalf:

• Contact information: full name, phone number, email address.
• Appointment and scheduling data: preferred appointment dates and times, service preferences.
• Conversation data: transcripts and interaction records from AI agent sessions.
• Device and channel metadata: device type, messaging channel (WhatsApp, SMS, RCS, voice), timestamps.

4.3From Document Scanning & OCR Services

• Business documents: invoices, contracts, forms submitted by Clients for processing.
• End-User document data extracted via OCR: names, addresses, and other text appearing in processed documents.

4.4From Driver's Licence Verification

This service processes government-issued photo identification documents. We collect:

• Licence image: a photograph of the front (and where applicable, back) of the driver's licence, uploaded by the Client or End-User for verification.
• Extracted identity data: name, date of birth, address, licence number, expiry date, as extracted by AWS Rekognition.
• Verification outcome: a structured result confirming whether the document appears authentic.

4.5Sensitive Information

Government-issued identification document data (collected for Driver's Licence Verification) is treated as sensitive personal information. We apply heightened safeguards to such data, limit its use strictly to the purpose of identity verification, and do not use it for any marketing, profiling, or secondary purpose.

4.6Automated Collection via Website

• Cookies and similar tracking technologies: session cookies, analytics cookies. See Section 14 for details.
• Server logs: IP address, referring URL, browser type, pages visited, date/time of access.

5.How We Use Personal Information

We use personal information only for purposes that a reasonable person would consider appropriate in the circumstances, consistent with the purpose for which it was collected (PIPEDA Principle 5).

5.1To Provide Our Services

• Operate and maintain the A4B platform and all listed products.
• Process documents and deliver OCR results to Clients.
• Execute AI agent interactions with End-Users on behalf of Clients.
• Perform identity verification and deliver results to Clients.
• Send automated communications (appointment reminders, status updates, follow-up messages) via WhatsApp, SMS, RCS, and voice calls on behalf of Clients.

5.2To Manage Client Relationships

• Create and manage Client accounts.
• Process billing and payments.
• Provide customer support and respond to inquiries.
• Send service-related notices and platform updates (these are transactional, not marketing).

5.3For Communications and Marketing to Clients

With express consent where required by CASL, we may send Clients commercial electronic messages about new products, features, and promotions. Clients may unsubscribe at any time.

5.4For Security, Compliance, and Legal Purposes

• Detect, investigate, and prevent fraud, abuse, and security incidents.
• Comply with applicable laws, court orders, and regulatory requirements.
• Enforce our Terms and Conditions.
• Protect the rights and safety of A4B, our Clients, and third parties.

5.5For Analytics and Service Improvement

We use aggregated or de-identified data — which is not personal information — to analyze platform performance, improve our products, and develop new features. We do not use End-User personal information for A4B's own marketing purposes.

6.Consent and Legal Basis for Processing

6.1Client Consent

Clients consent to this Privacy Policy and our Terms and Conditions when they create an account or enter into a service agreement with A4B. Clients who use our communication features (AI agents, SMS, WhatsApp) are responsible for ensuring they have obtained all required consents from their End-Users under CASL, TCPA, WhatsApp's Business Policy, and applicable privacy laws before initiating communications through our platform.

6.2End-User Consent (via AI Agents and Messaging)

Our AI agents are programmed to clearly identify themselves as automated systems acting on behalf of the Client, state the purpose of the interaction, and collect only the information necessary for that purpose. Clients are contractually required to ensure that opt-in consent has been obtained from End-Users before initiating any outbound message via our platform.

6.3Sensitive Information (Driver's Licence)

Collection of driver's licence images requires explicit, informed consent from the individual whose identification is being verified. Clients must obtain this consent directly from their End-Users prior to using our verification service and must inform End-Users of the 30-day image retention period.

6.4Withdrawal of Consent

Any individual may withdraw consent to the collection, use, or disclosure of their personal information at any time, subject to legal and contractual restrictions, by contacting us at privacy@a4b.ca. Withdrawal of consent may affect our ability to provide certain services. Withdrawal does not apply retroactively to information already processed lawfully.

7.Messaging Communications: Opt-In and Opt-Out

7.1WhatsApp Business (via Meta's Cloud API)

We use the WhatsApp Business Cloud API to send messages on behalf of Clients to End-Users. The following rules apply:

• Opt-In Requirement: Before any business-initiated WhatsApp message is sent, the End-User must have provided opt-in consent. This consent may be obtained via web form, in-person sign-up, SMS, or another channel, provided the method clearly identifies the sending business, states that the user will receive WhatsApp messages, and complies with applicable local law (including CASL for Canada).
• Message Templates: All business-initiated messages use Meta-approved message templates. Template categories include Utility (transactional/service updates), Marketing (promotional content), and Authentication.
• Opt-Out: End-Users may opt out of WhatsApp communications at any time by replying STOP or UNSUBSCRIBE, or by blocking the business number. Opt-out requests are honoured immediately and the End-User will not receive further business-initiated messages unless they proactively re-engage. A4B and its Clients must respect all opt-out requests as required by WhatsApp's Business Policy.
• Data Restriction: Data obtained through WhatsApp interactions is used only for the messaging purpose for which it was collected and is not shared with third parties for unrelated purposes.

7.2SMS and RCS (via Twilio)

We use Twilio's Programmable Messaging platform to send SMS and RCS messages on behalf of Clients.

• Opt-In Requirement (Canada — CASL): Express consent is required before sending any commercial SMS or RCS message. Consent must identify the sender, describe the type of messages to be sent, and inform the recipient how to unsubscribe.
• Opt-In Requirement (USA — TCPA): Prior express written consent is required before sending automated or marketing text messages. Consent must be clear, affirmative, and documented.
• Initial Message Disclosure: The first message sent to a recipient must include opt-out instructions, e.g., "Reply STOP to unsubscribe. Reply HELP for assistance."
• Opt-Out Keywords: Recipients may opt out at any time by replying: STOP, STOPALL, UNSUBSCRIBE, OPTOUT, CANCEL, END, REVOKE, or QUIT. Upon receipt of an opt-out keyword, no further messages will be sent except a single confirmation message acknowledging the opt-out.
• Quiet Hours: For US recipients, no non-essential messages are sent between 9:00 PM and 8:00 AM in the recipient's local time zone, in accordance with TCPA and FCC requirements.
• A2P 10DLC Registration: All US A2P (Application-to-Person) messaging traffic is registered under the A2P 10DLC framework as required by US carriers and Twilio's policies.
• Re-Subscribe: Recipients who have opted out may re-subscribe at any time by texting START or by providing fresh express consent through another channel.

7.3Voice Calls (via Twilio)

• For marketing or automated outbound calls, prior express consent is obtained as required by TCPA (USA) and applicable Canadian telecommunications regulations.
• Recipients are informed of the purpose of the call and provided with an opt-out mechanism during or after the call.
• Calls are not placed to numbers registered on the National Do Not Call List (Canada) or the National Do Not Call Registry (USA) without required prior express consent.

7.4Facebook / Meta Lead Ads

When A4B or our Clients use Meta Lead Ads or Facebook advertising to collect leads:

• A working, accessible link to this Privacy Policy is included in every Lead Ad form, as required by Meta's Lead Ads Terms of Service.
• Data collected through Lead Ad forms (name, email, phone number) is used only for the purpose stated in the campaign, in accordance with Meta's October 2025 Lead Ads policy update requiring purpose-specific use of lead data.
• Users who submit their information via a Lead Ad form consent to being contacted by A4B or the relevant Client. If the follow-up communication is a CEM under CASL, express consent is recorded and stored.
• Lead data is not repurposed for different marketing campaigns without obtaining new consent.

8.Disclosure of Personal Information to Third Parties

We do not sell personal information. We may disclose personal information to:

8.1Service Providers (Data Processors)

We engage trusted third-party service providers who process personal information on our behalf, subject to written agreements that restrict their use of data to the services they provide to A4B:

• Amazon Web Services (AWS): Cloud infrastructure including encrypted S3 storage (for licence image processing) and AWS Rekognition (for document data extraction). Primary region: ca-central-1 (Canada). Secondary region: us-east-1 (USA) when Canadian region is unavailable.
• Google Cloud Platform (GCP): Document AI and supplementary cloud services. Primary region: ca-central-1. Secondary: us-east-1.
• Twilio Inc.: SMS, RCS, and voice communication services.
• Meta Platforms Inc.: WhatsApp Business Cloud API and Facebook advertising platform.
• Payment processors: PCI-DSS compliant third-party processors for billing.
• n8n (workflow automation): Used for internal process automation. Hosted on our own infrastructure.

8.2Business Clients

End-User personal information collected through our platform is disclosed to the Client on whose behalf it was collected. Clients are independent data controllers for such information and are subject to their own privacy obligations. A4B is not responsible for Clients' downstream use of data, though Clients are contractually required to comply with applicable privacy law.

8.3Legal and Regulatory Authorities

We may disclose personal information when required by law, court order, or regulatory authority, or where we reasonably believe disclosure is necessary to protect the rights, safety, or property of A4B, our Clients, End-Users, or the public.

8.4Business Transfers

In the event of a merger, acquisition, or sale of substantially all of A4B's assets, personal information may be transferred as part of the transaction. Affected individuals will be notified as required by applicable law prior to any such transfer, and the acquiring party will be bound by privacy commitments substantially similar to those in this Policy.

9.Cross-Border Transfers of Personal Information

A4B's primary cloud infrastructure operates in the AWS and Google Cloud ca-central-1 region (Montréal, Canada). In limited circumstances where Canadian regional capacity is unavailable, data may be processed in the us-east-1 region (Northern Virginia, USA).

Under PIPEDA, A4B remains accountable for personal information that is transferred to third-party service providers in other jurisdictions, and has obtained contractual assurances from AWS and Google Cloud that transferred data will be protected by comparable safeguards.

Driver's licence images: AWS Rekognition processes images in the region where the service request is made. A4B configures requests to use the ca-central-1 endpoint where available. Images are deleted within 30 days as described in Section 4.4.

10.Retention of Personal Information

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law or legitimate business need. Our general retention schedules are:

• Client account data: Retained for the duration of the client relationship plus 7 years after termination (to comply with Canadian tax and commercial record-keeping requirements).
• Driver's licence images: Deleted within 30 days of upload. No exceptions.
• AI agent conversation transcripts: Retained for up to 12 months, then deleted or anonymized, unless Clients require longer retention under their own legal obligations.
• Document OCR output: Delivered to Client and purged from A4B systems within 90 days unless agreed otherwise in writing.
• Website analytics and logs: Retained for up to 12 months.
• Consent records (CASL / TCPA): Retained for a minimum of 3 years after the consent is given or last acted upon, as required for legal compliance.
• Backup data: Encrypted backups may persist in archival storage for up to 90 days after the scheduled deletion date, after which they are permanently purged.

Upon expiration of the applicable retention period, personal information is securely deleted or anonymized using industry-standard methods.

11.Security Safeguards

We protect personal information through security measures appropriate to the sensitivity of the information (PIPEDA Principle 7). Our safeguards include:

• Encryption: All data in transit is encrypted using TLS 1.2 or higher. Data at rest (including S3 storage and databases) is encrypted using AES-256.
• Access Controls: Role-based access controls (RBAC) limit access to personal information to authorized personnel who require it for their job functions. Multi-factor authentication is required for administrative access.
• Infrastructure Security: AWS and Google Cloud provide physical security, redundancy, and security certification (SOC 2, ISO 27001) for underlying infrastructure.
• Breach Response: We maintain a formal incident response plan. In the event of a breach involving real risk of significant harm to individuals, we will notify the Office of the Privacy Commissioner of Canada (OPC) and affected individuals as required by PIPEDA's breach reporting regulations within 72 hours of becoming aware of the breach.
• Employee Training: Personnel with access to personal information are trained on privacy obligations and security practices.
• Vendor Contracts: All third-party service providers that process personal information are subject to written data processing agreements with security and confidentiality requirements.

No security system is impenetrable. While we use commercially reasonable safeguards, we cannot guarantee absolute security of personal information.

12.Rights of Individuals

Subject to applicable law and reasonable verification of identity, individuals (including End-Users) have the following rights:

• Right of Access: You may request confirmation of whether we hold personal information about you and, if so, access to that information, a description of its use, and the categories of third parties to whom it has been disclosed. (PIPEDA Principle 9)
• Right to Correction: You may request that inaccurate or incomplete personal information be corrected or annotated.
• Right to Withdraw Consent: You may withdraw consent for the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions.
• Right to Deletion: You may request deletion of your personal information where we no longer have a legal basis for retaining it and no legal obligation requires us to keep it.
• Right to Complain: You have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca, or with the applicable provincial privacy commissioner, if you believe your privacy rights have been violated.

To exercise any of these rights, please contact us at privacy@a4b.ca. We will respond within 30 days of receiving a written request. If we are unable to fulfill a request, we will explain why in writing.

13.AI Agents (Sophia AI and Related Systems)

Our AI agent services (including Sophia AI) operate as automated systems that interact with End-Users via text or voice on behalf of Clients. The following disclosures apply:

• Identification: Our AI agents are programmed to identify themselves as automated assistants. End-Users are not misled into believing they are communicating with a human being.
• Purpose Limitation: AI agents collect only information necessary for the specific task assigned by the Client (e.g., booking an appointment, collecting contact details). They are not programmed to solicit sensitive information (financial data, health data, government ID) outside the scope of the Client's authorized service configuration.
• Data Handling: Conversation data is transmitted over encrypted channels, processed, and delivered to the Client. A4B retains transcripts for up to 12 months for quality assurance, error correction, and audit purposes.
• Human Escalation: Where technically feasible, AI agents provide End-Users with the option to speak with a human representative.
• No Autonomous Decision-Making with Legal Effect: Our AI agents do not make autonomous decisions that produce legal or similarly significant effects on individuals.

14.Cookies and Website Tracking

Our website at https://a4b.ca uses cookies and similar tracking technologies. The types of cookies we use are:

• Strictly Necessary Cookies: Required for website operation (e.g., session management, security). These cannot be disabled.
• Analytical/Performance Cookies: Used to understand how visitors use our site (e.g., pages visited, time on site). We use aggregated analytics; no individual is profiled for marketing purposes.
• Functional Cookies: Remember your preferences (e.g., language settings).

We do not use third-party advertising cookies or tracking pixels on our main website for our own advertising purposes. However, if you arrive at our site through a Facebook Lead Ad, Meta's pixel may be active on the associated landing page as disclosed to users at the time of the ad.

You may manage cookie preferences through your browser settings. Disabling strictly necessary cookies will impair website functionality. For more information about cookies, visit www.allaboutcookies.org.

15.Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that personal information has been collected from a person under 18 without verified parental consent, we will delete that information promptly. If you believe we have inadvertently collected information from a minor, please contact us at privacy@a4b.ca.

16.Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will:

• Update the "Last Updated" date at the top of this Policy.
• Post the revised Policy at https://a4b.ca/legal/policy.
• Notify registered Clients by email at least 14 days before the changes take effect, for material changes affecting their rights or obligations.

Continued use of our services after the effective date of a revised Policy constitutes acceptance of the changes. We encourage you to review this Policy periodically.

17.Contact and Complaints

For questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact:

We will acknowledge your inquiry within 5 business days and respond substantively within 30 days, or notify you if additional time is required.

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada:

Residents of Quebec may also contact the Commission d'accès à l'information du Québec (CAI) at www.cai.gouv.qc.ca.