Legal · Privacy policy

Privacy policy.

This policy explains how Blankit Health Inc. ("blankit," "we," "our") collects, uses, discloses, and protects personal information under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and the Quebec Act respecting the protection of personal information in the private sector (Law 25).

Last updated: 2026-07-16

1.Who we are

Blankit Health Inc. is a Canadian company that provides software-as-a-service to independent group benefits advisors and managing general agencies in Canada. Our platform helps these firms manage client books, analyze carrier renewals, and answer plan-member coverage questions.

We are the controller of personal information about the advisors and firm staff who use our product directly. We act as a processor (on behalf of subscribing firms) for the plan-sponsor and plan-member information those firms upload into the platform.

2.Information we collect

Account data (controller).

When an advisor or firm administrator creates an account, we collect: full name, work email, hashed password, optional two-factor secret (encrypted at rest), firm name, and the IP address of authentication events. We collect this to deliver the service and protect the account.

Billing data (controller).

For paid subscriptions, we collect: billing contact name, billing email, company name, subscription tier, and payment status. Card details are handled by Stripe and never seen or stored by blankit.

Client data (processor).

Subscribing firms upload data about their plan-sponsor clients (employer names and contact details), coverage booklets, claims-experience documents, carrier quotes, and renewal analyses. We process this strictly on the firm's documented instructions, under our Data Processing Agreement. The firm — not blankit — is the controller of this data.

Plan-member data (processor).

When a firm enables the plan-member chatbot, plan members may submit messages and (in optional Critical Illness enrolment flows) contact details. The firm is the controller. The chatbot can be used without identifying yourself, and we ask for no personal information to start a conversation. Where a plan member does choose to identify themselves — asking for an advisor to follow up, or starting a Critical Illness enrolment — we record their explicit consent at that point, and it can be withdrawn at any time.

Operational and security telemetry.

We log application events (audit log entries, error traces, access patterns) for security and incident response. These may include IP address, user ID, and the action performed.

3.How we use information

We use personal information to:

  • Deliver, operate, and improve the platform.
  • Authenticate users and protect accounts.
  • Process subscription payments.
  • Send operational communications (password resets, security alerts, service announcements).
  • Run the analytical workflows that subscribing firms have configured — renewal analysis, booklet comparison, employee summaries, chatbot responses.
  • Respond to support requests.
  • Comply with legal obligations, including responses to lawful requests from Canadian authorities.

We do not sell personal information. We do not use it for third-party advertising.

4.Cookies and similar technologies

We use a small number of first-party cookies, all named with a blankit- prefix. We do not use advertising cookies, analytics cookies, or cross-site tracking cookies. There is no Google Analytics, no advertising pixel, and no ad-network or data-broker tag anywhere on our site or in our product.

Strictly necessary.

These are required to sign in and use the platform. Blocking them will prevent you from logging in. All of them are HttpOnly, Secure, and SameSite=Lax, which means they are sent only to us, only over HTTPS, and cannot be read by JavaScript in your browser.

  • Sign-in session — keeps an advisor signed in. Expires after 7 days.
  • Plan-member portal session — the equivalent for the plan-member portal. Expires after 7 days.
  • Two-factor, passkey, and re-authentication cookies — carry you through a two-factor prompt, a passkey ceremony, or a step-up check before a sensitive settings change. Each expires in 5 to 10 minutes.
  • Trusted device — set only if you ask us to remember a browser, so you are not prompted for a second factor on every sign-in. Expires after 30 days, and is revoked whenever you change your password or alter your two-factor settings.
  • Support impersonation — set only while a blankit administrator is working inside a firm's account at that firm's request, so we can return to our own account afterwards. Every such session is written to the audit log.

Functional.

  • Chatbot visitor identifier — when a firm has enabled the plan-member chatbot, we set a randomly generated identifier so the firm's advisor can see how often the assistant is used. The value is an opaque random string: it holds no name, email, or IP address, it is not shared with anyone, and it is not used to build a profile or to follow you to any other site. It lasts only until you close your browser and is not retained across visits. The chatbot tells you about it on screen before it is set.
  • Chat language preference — remembers the language you picked in the chatbot. Expires after 1 year. The same preference is also kept in your browser's local storage so it survives if the cookie is cleared.

Third parties that set their own cookies.

Three vendors we embed set cookies from their own domains when their component loads or when you interact with it. We do not control those cookies and we do not receive them:

  • Cloudflare Turnstile — bot and abuse protection on our public forms. Its cookies exist to tell a human from an automated script.
  • Calendly — the meeting-booking embed on our marketing pages.
  • Featurebase — the in-product feedback widget, where a firm has it enabled.

Each is listed in our sub-processor disclosure.

Your choices.

You can block or delete cookies in your browser settings. Blocking the strictly necessary cookies above will stop you from signing in; blocking the functional ones will not — the chatbot works normally without them, and it will simply count each visit as a new one. The chatbot visitor identifier clears itself when you close your browser, so there is nothing to opt out of across visits.

5.Automated decision-making

blankit uses artificial intelligence (Anthropic Claude models, accessed through AWS Bedrock — entry points in ca-central-1, inference routed via AWS `global.*` cross-region profiles, typically processed in a US region under the AWS DPA) to extract structured data from carrier documents and to power the plan-member chatbot.

The AI does not make decisions that have legal or similarly significant effects on individuals. It extracts information from documents the firm has uploaded and answers coverage questions. Final actuarial calculations, fair-renewal recommendations, and any communications sent to clients or carriers are produced by deterministic software and reviewed by a human advisor before they are acted on.

Under Law 25 art. 12.1, individuals subject to a decision based exclusively on automated processing have the right to be informed and to have the decision reviewed by a human. blankit does not currently operate any such decisioning, and we will update this policy if that changes.

6.Where your information is processed

The application itself, every byte of client data at rest, the database, object storage, and all backups are processed inside AWS Canada (Montreal — ca-central-1).

Three operational paths involve cross-border processing, all under contractual safeguards:

  • AWS Bedrock cross-region inference — all AI inference (Claude Haiku, Sonnet, and Opus — used for chatbot routing, renewal PDF parsing, document comparison, and bulk extraction) is invoked through AWS's global.* inference profiles, which AWS routes to a region with capacity. In practice that is a US region. As of 2026-05-15 AWS no longer accepts on-demand invocation of any Claude 4.x model from a single region, so every call routes this way. All under the AWS Customer Agreement and AWS DPA; Anthropic does not see the data.
  • Stripe (United States) processes our subscription billing. Only firm billing-contact identity is sent — never plan-sponsor or plan-member data.
  • Resend (United States) delivers transactional email such as password resets and daily firm-facing notification digests. Health information is never sent by email.

For the complete list, see our sub-processor disclosure.

7.How long we keep information

We retain personal information only as long as needed for the purpose it was collected:

  • Account data: for the life of the account, plus 30 days after closure before hard deletion.
  • Billing data: seven years after the last paid invoice, to meet Canadian tax record-keeping requirements.
  • Audit logs: seven years from the date of the logged event, then automatically deleted.
  • Marketing-site access logs: 30 days.
  • Client and plan-member data (processor): for the life of the firm's subscription, deleted within 90 days of contract termination.
  • Plan-member chatbot conversations: 12 months from the last message in the session.

8.Your rights

You have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate or out-of-date information.
  • Request deletion, subject to the retention obligations above.
  • Receive a portable copy of your data in a structured, commonly used format.
  • Withdraw consent where processing is based on consent — including chatbot interactions.

To exercise any of these rights, contact our Privacy Officer at the email below. We respond within 30 days as required by PIPEDA. Identity verification is required before fulfilment.

If you are a plan member of a firm's client and want to exercise these rights with respect to data the firm has uploaded, please direct your request to that firm — it is the controller for that data.

9.Security

We protect personal information with administrative, technical, and physical safeguards proportionate to the sensitivity of the data:

  • HTTPS-only at the application load balancer (TLS 1.2 or higher).
  • Encryption at rest for the database, object storage, and secrets manager.
  • Two-factor authentication available for every advisor account; required for admin roles.
  • Tenant isolation enforced at the database query layer — a firm cannot read another firm's data even in the event of a code error.
  • Centralized audit logging on every privileged action.
  • Daily encrypted backups in the same Canadian region.

For the operational detail behind these claims, see our Trust & security page.

10.Breaches

If we identify a confidentiality incident that creates a risk of serious injury — including loss, unauthorized access, or disclosure — we will notify affected individuals and the Commission d'accès à l'information du Québec (and other applicable regulators) without delay, as required by Law 25 and PIPEDA. Subscribing firms will be notified through their billing or security contact within 72 hours of confirmation.

11.Children

The platform is not directed to children under 14 and we do not knowingly collect personal information from them. The plan-member chatbot is intended for adult plan members covered by a Canadian group benefits plan.

12.Changes to this policy

We may update this policy as the product or its sub-processors change. Material changes will be communicated by email to firm billing contacts and posted on this page at least 30 days before they take effect. The "Last updated" date at the top of the page shows the current version.

Privacy Officer

Chris Gory

Email: chris@blankit.ca

Blankit Health Inc. — Canada

If you are not satisfied with our response to a privacy concern, you may contact the Commission d'accès à l'information du Québec (cai.gouv.qc.ca) or the Office of the Privacy Commissioner of Canada (priv.gc.ca).