Privacy Policy - Authentication Service

Last updated: June 17, 2025

This Privacy Policy describes how Applied-Ai Inc. ("we," "us," or "our") collects, uses, and protects information through our authentication service at https://auth.appliedlms.com ("Authentication Service"). This service handles user authentication for Applied LMS.

1. Scope

This policy applies only to our Authentication Service. For information about:

Our marketing website: See https://appliedlms.com/privacy
Our main application: See https://app.appliedlms.com/privacy

2. Information We Collect

2.1. Authentication Data

Email address
Name
Profile picture URL (if provided)
Unique user ID

2.2. OAuth Token Data

ID Tokens
Access Tokens
Refresh Tokens

2.3. Security Metadata

IP address
User agent
Timestamp
Authentication method

2.4. Google Account Data (When using Google Sign-In)

Basic profile (openid, email, profile scopes)
Your Google account email and name
Google user ID

3. How We Use Your Information

3.1. Authentication Services

Verify your identity
Issue secure JWT tokens
Maintain your authenticated session
Enable single sign-on (SSO)

3.2. Security & Fraud Prevention

Detect and prevent unauthorized access
Monitor for suspicious login patterns
Implement rate limiting and anti-brute-force measures
Maintain audit logs

3.3. Service Operations

Provide technical support
Ensure reliability
Comply with legal obligations

4. Data Storage and Security

4.1. Technical Safeguards

Encryption in Transit: TLS 1.3
Encryption at Rest: AES-256
JWT Security: RS256
Password Security: bcrypt with salt

4.2. Data Location

Primary servers: Canada
Backups: Secure cloud infrastructure
No data outside North America

4.3. Access Controls

Least-privilege access
Multi-factor authentication
Regular audits

5. Data Sharing

We do NOT:

Sell your data
Share for marketing

We ONLY share data with:

Applied LMS Platform
AWS (hosting)
Legal Authorities (with valid court orders)

6. Data Retention

Data Type	Retention Period	Purpose
Active tokens	Duration of session	Authentication
Refresh tokens	30 days	Session continuity
Authentication logs	90 days	Security monitoring
Account data	Until deletion requested	Service provision

Expired tokens are purged. Account data is deleted within 30 days of request.

7. Your Rights

Access
Correction
Deletion
Portability
Revocation

To exercise rights, contact: privacy@applied-ai.ca

8. OAuth Scopes Justification

openid
email
profile

We do not request access to your Google Drive, Gmail, etc.

9. Cookies

Session Cookie
CSRF Token
State Parameter

No tracking or marketing cookies used.

10. Children's Privacy

Not for children under 16. No data collected knowingly from minors.

11. International Users

By using the service, you consent to processing in Canada under Canadian laws.

12. Changes to This Policy

Updates will be posted with new date. Material changes notified via email.

13. Contact Information

Applied-Ai Inc.
Privacy Team
Email: privacy@applied-ai.ca
Address: 225 Rue Chabanel O, Montréal, QC, Canada H2N2C9
Security: security@applied-ai.ca

14. Legal Compliance

This service complies with PIPEDA (Canada).

By using our Authentication Service, you agree to this Privacy Policy.