Privacy Policy
Effective May 26, 2026 · Version 1.0
This Privacy Policy describes how 11075586 CANADA INC., operating under the trademark and brand “Aplexica” (collectively, “Aplexica,” “we,” “us”), collects, uses, and discloses personal information.
1. Who we are
Aplexica is the trademark and brand of 11075586 CANADA INC., a corporation incorporated under the Canada Business Corporations Act with headquarters in Ontario, Canada. In this Policy, “Aplexica,” “we,” “us,” and “our” refer to 11075586 CANADA INC. and its operations under the Aplexica brand. We build open-source software (the Aplexica daemon and the Aplexica portal, licensed under AGPL-3.0-or-later) and operate a commercial managed-SaaS counterpart (Aplexica Cloud).
2. Our minimum-collection posture
Aplexica is a developer tool. We collect as little personal information as we reasonably can while still operating the service.
- Open-source daemon and portal in local mode — make zero network calls to Aplexica in their default configuration. We do not see any data about You, Your agents, Your contributions, or Your machine when You use the open-source software.
- Marketing website — sets no tracking cookies and runs no third-party analytics, advertising pixels, session replay, or fingerprinting. We operate our own first-party, self-hosted, cookieless analytics (Mnemar, served from
data.aplexica.com) to understand aggregate traffic; it sets no cookies, stores nothing on Your device, and shares no data with any third party. See Section 5. - Aplexica Cloud — collects only the personal information described in Section 4 below, and operates on end-to-end-encrypted customer data that We cannot decrypt.
3. Information we collect when You contribute
When You sign Aplexica’s Individual or Corporate Contributor License Agreement by interacting with the CLA Assistant bot on a pull request in one of our open-source repositories, we collect:
- Your GitHub username and the public profile information GitHub associates with it
- The commit SHA of the CLA at the time of Your signing
- The commit SHAs of Your contributions covered by the CLA
- The timestamp of Your signing
For Corporate CLA executions, we additionally collect:
- The Corporation’s legal name, address, country, point of contact, and email
- The list of designated employees authorized to contribute under the CLA, including their GitHub usernames
This information is stored in the private GitHub repository Aplexica/cla-agreements and is retained for the lifetime of the projects to which You contribute, as a record of the rights granted under the CLA.
4. Information we collect through Aplexica Cloud
When You create an Aplexica Cloud account, sign in, or use the service, we collect:
- Account information — Your email address (for sign-in, transactional notifications, and account recovery), and Your display name if You choose to provide one.
- Billing information — Your billing address, country, and tax identifiers as applicable. We do not store payment-card numbers. Payment processing is handled by Stripe; Stripe receives the card data directly and provides Aplexica with a tokenized reference.
- Service usage telemetry — request counts, error counts, device counts, and similar aggregate metrics, used for billing accuracy, abuse detection, and operational reliability.
- Diagnostic logs — operational events (errors, retries, routing decisions) recorded by our backend. Log entries may include Your account identifier, device identifier, and timestamp.
We do not read the contents of the agent state You sync through Aplexica Cloud. Customer contribution data is end-to-end encrypted at all paid tiers; Aplexica’s servers handle only opaque ciphertext and opaque routing metadata. We cannot decrypt Your data even on our own systems.
5. Information we collect from website visitors
When You visit aplexica.com or the Aplexica Cloud portal at app.aplexica.com:
- Your IP address, user-agent string, and referrer URL may appear in CloudFront access logs processed in aggregate by us and our hosting provider for security monitoring and traffic-pattern analysis.
- We operate our own first-party, cookieless analytics (Mnemar), self-hosted at
data.aplexica.com— the same registrable domain and the same operator as the sites You are visiting, so it is not a third party. It records aggregate page-view metrics (page, referrer, approximate country derived from Your IP address, and device/browser type) from Your IP address and user-agent. It sets no cookies, stores nothing on and reads nothing from Your device, performs no cross-site or cross-session tracking, and shares no data with any third party. Within the Cloud portal it records only page/route metadata and never the contents of the agent state You sync, consistent with our end-to-end-encryption posture. Our lawful basis is our legitimate interest in understanding aggregate usage of our sites; because no information is stored on or read from Your device, no cookie-consent banner is required under the ePrivacy Directive. - We do not set advertising or analytics cookies.
- Session cookies are used only when You are signed in to Aplexica Cloud, to maintain Your session.
- Form submissions on
/contactand/contact-salesare retained for two years from submission.
6. Information we collect through direct contact
When You email us at legal@aplexica.com, privacy@aplexica.com, hello@aplexica.com, or any other Aplexica address, we receive Your email address, Your message, and any information You voluntarily include. We use this only to respond to You and to meet our legal recordkeeping obligations.
7. Why we collect this information
| Information | Purpose |
|---|---|
| Contributor signing records | Create a legally cognizable record of Your acceptance of the CLA; identify the contributor of each commit; satisfy IP-diligence requirements |
| Cloud account and billing | Provision and bill the Cloud service to You |
| Cloud usage telemetry | Bill You accurately; detect abuse; maintain operational reliability |
| Cloud diagnostic logs | Diagnose operational issues |
| Website access logs | Security monitoring; protect the site from abuse |
| Contact-form submissions | Respond to Your inquiry |
| Email correspondence | Respond to Your message |
We do not collect or use personal information for any purpose not described in this Policy.
8. Consent
By signing the CLA, You consent to the collection and use of the contributor information in Section 3 for the purposes in Section 7. By creating an Aplexica Cloud account, You consent to the collection and use of the account information in Section 4. By visiting the website or contacting us, You consent to the collection in Sections 5 and 6.
You may withdraw consent for future processing at any time by contacting our Privacy Officer (Section 13), subject to legal and contractual restrictions (for example, we cannot retroactively withdraw the CLA license grant from contributions already accepted).
9. What we never do
- We never sell or rent Your personal information.
- We never share it with third parties for advertising.
- We never read the contents of the agent state You sync through Aplexica Cloud — it is end-to-end encrypted and we cannot decrypt it.
10. Sub-processors
We use a small number of third-party service providers to operate our service. Major sub-processors:
| Sub-processor | Purpose | Data |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting and storage | Account information, encrypted customer data, diagnostic logs |
| Amazon Simple Email Service (SES) | Transactional email delivery | Your email address and the contents of the email we send You |
| Stripe, Inc. | Payment processing | Billing address, payment card details (provided to Stripe directly, never to Aplexica), tax IDs |
| hCaptcha | Spam protection on web forms | Network metadata required for bot detection |
| GitHub, Inc. | OSS repository hosting, CLA-signing workflow, CLA-signatures storage | GitHub username and the information You provide GitHub directly |
| CloudFront (AWS) | Static website delivery and access logging | IP address, user-agent, referrer URL |
A current list of sub-processors will be maintained at /sub-processors. Each sub-processor is contractually required to handle personal information consistently with this Policy and with applicable Canadian, U.S., and EU/UK law.
11. Disclosure to third parties
Beyond the sub-processors listed in Section 10, personal information may be disclosed:
- To comply with legal requirements — a valid court order, subpoena, search warrant, or other legal process, or to protect Aplexica’s rights, property, or safety, or that of Our users or the public.
- In a business transfer — in a merger, acquisition, sale of all or substantially all of our assets, corporate reorganization, or change of control, the acquirer will inherit personal information subject to this Policy.
12. Retention
| Category | Retention |
|---|---|
| Contributor signing records | Lifetime of the projects to which You contributed |
| Cloud account information | Lifetime of Your account, plus 90 days after deletion for recovery |
| Cloud billing records | 7 years (Canadian tax recordkeeping requirement) |
| Cloud diagnostic logs | 90 days maximum |
| Cloud usage telemetry | 13 months (rolling) |
| Website access logs | 90 days maximum |
| Contact-form submissions | 2 years |
| Email correspondence | As long as needed to respond to Your message, plus retention as required by law |
13. Safeguards
We maintain administrative, technical, and physical safeguards appropriate to the sensitivity of the information we hold:
- Restricting access to personal information to personnel with a need to know
- Storing CLA-signing records in a private GitHub repository accessible only to Aplexica maintainers and the CLA Assistant bot
- Encrypting customer contribution data end-to-end at all paid Cloud tiers, such that Aplexica cannot read the contents of customer data even on our own systems
- Regular review of access controls and security practices
No system is perfectly secure. If we become aware of a personal-data breach that affects You, we will notify You consistent with applicable law (PIPEDA’s mandatory breach notification, GDPR Articles 33/34, or analogous obligations).
14. Your rights
You have the right to:
- Access the personal information we hold about You
- Correct inaccurate information
- Delete information we hold about You, subject to legal and contractual constraints (we cannot delete the historical record of a CLA You signed, but we can correct or annotate it)
- Export Your data in a portable format where applicable
- Withdraw consent for future processing (with future effect, subject to legal/contractual constraints)
- Object to certain processing
- Lodge a complaint with the Office of the Privacy Commissioner of Canada (
https://www.priv.gc.ca) if You are dissatisfied with our handling of Your information
If You are in the European Union, European Economic Area, or United Kingdom, You also have rights under the GDPR / UK GDPR, including erasure and restriction of processing. The legal bases on which we process Your personal information are Your consent (where consent applies), the performance of a contract with You (for Cloud service), our legitimate interests in operating and securing our services, and compliance with legal obligations. Customers in the EU/EEA/UK can request a Data Processing Agreement that incorporates Standard Contractual Clauses for transfers to the United States.
If You are a resident of California, You have rights under the California Consumer Privacy Act / California Privacy Rights Act, including the right to know, the right to delete, the right to correct, and the right to opt-out of “sale” or “sharing” of personal information. Aplexica does not sell or share personal information as those terms are defined under California law.
To exercise any right, contact our Privacy Officer at the address in Section 15. We respond within 30 days.
15. Privacy Officer and contact
For all privacy questions, requests, or complaints:
11075586 CANADA INC. (operating as Aplexica) — Privacy Officer Email: privacy@aplexica.com
If You are dissatisfied with our response, You may lodge a complaint with the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca, or with Your local supervisory authority if You are in the EU, EEA, or UK.
16. International transfers
Aplexica is headquartered in Ontario, Canada, and our primary infrastructure is hosted in the United States. Personal information You provide may be transferred to, stored in, and processed in Canada and the United States.
Canada has been recognized by the European Commission as providing an adequate level of data protection for personal data transferred from the EU. For transfers from the EU/EEA/UK to the United States, we rely on Standard Contractual Clauses incorporated into our agreements with U.S. sub-processors. EU/EEA/UK customers may request a Data Processing Agreement that documents this directly.
17. Children’s privacy
Aplexica is a developer tool and is not directed at children. We do not knowingly collect personal information from children under the age of 16. If we learn we have collected personal information from a child under 16, we will delete it. If You believe we have collected information from a child, please contact our Privacy Officer.
18. Changes to this Policy
We may update this Policy from time to time. The “Effective” date at the top of this Policy reflects the most recent revision. Material changes will be announced on the Aplexica blog at least 30 days before they take effect, where reasonable.