Northern Inference Inc. ("we", "us", "our") is a Canadian company committed to data privacy and transparency. This policy covers both our website (northerninference.ca) and our API platform. We explain what data we collect, where it goes, and what your rights are.
1. What Data We Collect
Account and identity data:
Name, email address, and password (hashed, never stored in plaintext)
Organization name and role
Billing address and payment information (processed by Stripe; we store only Stripe customer IDs)
API usage data:
API requests: model name, token counts, latency, route tier, timestamp, and a request ID
Request content (prompts and completions) is not logged or stored by Northern Inference by default. There are three narrow exceptions, all under your control: (a) the PII Substitution feature, which holds a temporary mapping (original to substitute) only for the duration of the request and then deletes it; (b) the Audit and Compliance tier, which when enabled on your account stores a redacted copy of each upstream request and response (user content text is removed; structural fields, model, and token counts are kept); and (c) Content Debug Mode, an opt-in support tool that logs full prompts and responses, described below under "Content Debug Mode."
Page views, session duration, scroll depth, and navigation events
Device type, browser, and approximate location (country/region from IP. IP address is not stored)
Referral source and UTM campaign parameters
Analytics are tied to a random visitor ID stored in your browser. not your email
Support data:
Support ticket content and correspondence
2. Route Tiers. Where Your API Data Goes
Our core product is routing inference requests to LLM providers. Where your data goes depends on the model route you select per request:
Tier
Provider
Data Location
Jurisdiction
Tier 1
Your hardware (via NI)
Your premises
Your jurisdiction
Tier 3
AWS Bedrock / Azure
Canada (ca-central-1 / Canada East)
Canada (US CLOUD Act applies to providers)
Tier 4
OpenAI, Anthropic, Google, etc.
United States
United States
What Northern Inference sees: Your prompts and completions pass through our routing infrastructure in Canada (ca-central-1) in memory only, for the duration of routing. We do not persist request content by default. Chain of custody records (entity, jurisdiction, timestamp per hop. but not content) are stored for 90 days. The only ways content is stored are the three opt-in exceptions described in section 1: PII Substitution mappings (transient), the Audit and Compliance tier (redacted exchanges), and Content Debug Mode (full content, opt-in, described below).
What providers see: Each provider you route to receives your prompt and returns a completion, subject to their own privacy policies. Tier 3 providers (AWS, Microsoft) contractually commit to not using API data for training. Note that Microsoft Azure may retain prompts and completions for up to 30 days for abuse monitoring, unless your deployment is approved by Microsoft for modified or zero abuse monitoring; AWS Bedrock does not retain your inputs or outputs after a request completes. Tier 4 routes use provider-default or non-Canadian residency; custody headers show the exact upstream provider, region, and jurisdiction for each request. Northern Inference's custody record reflects where we routed each request; once a request enters a provider, where inference runs and how the provider handles your data rests on that provider's own published documentation and commitments, which we cite per route in each model's data-use posture. We cannot independently execute inside a provider's infrastructure.
3. Sub-processors
The following third parties process data on our behalf:
Canada (Canada East) for Tier 3; data may be processed outside Canada for Tier 4.
Google Cloud
LLM inference (Vertex AI). Tier 3 (Canadian data residency).
Canada (Montreal, northamerica-northeast1)
Stripe
Payment processing
United States
Google Fonts
Font delivery (website only)
Global CDN
4. PII Substitution (Optional Feature)
When enabled on your API key or per-request, our PII Substitution feature automatically detects personal information (names, emails, phone numbers, credit card numbers, IP addresses, locations) in your prompts and replaces them with realistic fictional substitutes before the request leaves our infrastructure. The originals are restored in the response you receive.
Substitution mappings exist only for the duration of the request, then are discarded
An audit record (entity types found and count. not the original values) is stored for 90 days for compliance purposes
This feature is opt-in; it is off by default
5. Content Debug Mode (Optional Support Tool)
Content Debug Mode is an opt-in tool that lets Northern Inference support log the full content of your API prompts and responses to diagnose an issue (for example, a client configuration that makes a model misidentify itself). It is off by default and is never enabled silently.
Double opt-in: a Northern Inference administrator requests it, and it turns on only after the team owner approves using a one-time link we email. If you do nothing, nothing is logged.
What is captured: the full upstream request and response, including prompt and completion text, while the window is active.
Encryption: captured content is encrypted at the application layer (in addition to disk-level encryption) and is readable only by Northern Inference administrators and you.
Time limit: the capture window lasts 7 days, then turns off automatically. You can turn it off sooner at any time in your portal settings.
Retention: captured content is deleted 30 days after the window ends, or immediately when you choose "Delete captured content now."
Audit: every request, approval, disable, view, and purge is recorded in the audit log.
6. Data Storage and Security
All Northern Inference account and usage data is stored in AWS Canada (ca-central-1)
Data is encrypted at rest (AES-256) and in transit (TLS 1.2+)
API keys are stored as SHA-256 hashes. we cannot recover your plaintext key
BYOK (Bring Your Own Key) credentials are encrypted with Fernet symmetric encryption before storage
Database access is restricted to the application service; no public access
We do not sell, rent, or share personal data with third parties beyond the sub-processors listed above
7. Cookies and Local Storage
We do not use third-party tracking cookies. Authentication uses Secure, HttpOnly session cookies backed by server-side session records.
We use browser localStorage for:
A random anonymous visitor ID and session ID (for aggregate analytics. contains no PII)
Account data: Retained while your account is active, plus 30 days after deletion request
API request logs (metadata only. no content, except the opt-in features in sections 1, 4, and 5): 90 days, then automatically deleted
Content Debug Mode captures (opt-in only): kept while the 7-day window is active, then deleted 30 days after it is turned off, or immediately on request
PII audit records: 90 days, then automatically deleted
Chain of custody records: 90 days, then automatically deleted
Analytics events: 90 days, then automatically deleted
Billing and payment records: 7 years (required by Canadian tax law)
Support tickets: 2 years after closure
9. Your Rights (PIPEDA)
Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to:
Access: Request a copy of the personal data we hold about you
Correction: Request correction of inaccurate data
Deletion: Request deletion of your account and associated personal data (billing records retained per legal requirement)
Portability: Request an export of your data in machine-readable format
Withdraw consent: Unsubscribe from communications at any time via the unsubscribe link in any email
To exercise any of these rights, email privacy@northerninference.ca. We will respond within 30 days. For deletion requests, we will confirm deletion within 30 days of verifying your identity.
10. Contact
For questions about this privacy policy or our data practices:
We will post material changes to this policy on this page with an updated date and notify registered users by email at least 14 days before changes take effect.