Sign in

Privacy Policy

Privacy Policy

Last updated: April 21, 2026
Effective date: April 21, 2026

This Privacy Policy describes how Index Web Marketing Inc., operating under the commercial name Alya (“Alya”, “we”, “our”, or “us”), collects, uses, stores, and discloses your personal information when you use our services, including the Alya platform (accessible at hub.alya.ai), the Alya Connector OAuth integration service (accessible at connectors.alya.ai), our website at alya.ai, and any related products, applications, or services (collectively, the “Services”).

By using the Services, you consent to the practices described in this Privacy Policy. If you do not agree with this policy, please do not use the Services.

1. Who we are

Alya is a product of:

Index Web Marketing Inc.
2277 Ontario St E
Montreal, Quebec, Canada, H2K 1V9
Email: [email protected]
Phone: +1 514-521-6106

Index Web Marketing Inc. is a Canadian corporation registered in Quebec.

We are subject to Canadian privacy legislation including the Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec’s Act respecting the protection of personal information in the private sector (Law 25, formerly Bill 64).

For users located in the European Economic Area, United Kingdom, or Switzerland, we also observe the principles of the General Data Protection Regulation (GDPR) and applicable UK/Swiss equivalents.

2. What personal information we collect

We collect the minimum information necessary to operate the Services. The categories of personal information we collect include:

2.1 Information you provide directly

  • Account identifiers: name, email address, role/title, and company name when you create an account or are invited to an organization on hub.alya.ai
  • Business contact information: when you engage Index Web Marketing Inc. for professional services
  • Communications: messages, feedback, or support requests you send us
  • Payment and billing information: when applicable, processed through our third-party payment processors (we do not store full card details on our servers)

2.2 Information from authorized third-party integrations (OAuth)

When you connect a third-party advertising, analytics, or reporting platform to Alya through OAuth (the standard protocol used to grant applications limited access on your behalf), we receive:

  • OAuth access tokens and refresh tokens issued by the third-party platform, which allow Alya to fetch data on your behalf until you revoke access
  • Account and property metadata such as advertising account IDs, account names, currency, time zone, and user role within each account
  • Performance and reporting data such as impressions, clicks, spend, conversions, revenue, keyword queries, creative content, audience definitions, campaign settings, reports, reviews, listings, analytics events, and other metrics necessary to power the dashboards and reports you configure inside Alya

The specific third-party platforms supported include (non-exhaustive): Google Ads, Google Analytics (GA4), Google Search Console, Google Business Profile, Google BigQuery, Meta (Facebook and Instagram Ads), LinkedIn Ads, Microsoft Advertising, TikTok Ads, and Shopify.

2.3 Information collected automatically

When you interact with the Services, we automatically collect:

  • Usage data: pages visited, features used, clicks, session duration, referring URL
  • Device and browser information: user agent, IP address, operating system, screen resolution, language preference
  • Cookies and similar technologies (see Section 8 on Cookies)
  • Log data: server logs recording HTTP requests, error traces, and security-relevant events

3. How we use your personal information

We use the collected personal information for the following purposes:

Purpose Legal basis (GDPR)
To provide, operate, and maintain the Services Contract performance
To authenticate users and secure accounts Legitimate interest + legal obligation
To fetch, normalize, and display data from your connected third-party advertising platforms in your Alya dashboards and reports Contract performance + your consent via OAuth
To generate aggregated analytics, recommendations, and insights within your account Contract performance
To send transactional service emails (billing, security alerts, OAuth token expiry notices) Contract performance
To send marketing communications, only where you have opted in Consent
To comply with legal, regulatory, or tax obligations Legal obligation
To investigate, prevent, or address fraud, abuse, or security incidents Legitimate interest
To improve the Services through aggregated, non-identifying usage analysis Legitimate interest

We never use your data to train machine learning models for purposes outside the context of your own account, unless you explicitly opt in to specific features that disclose such use.

4. Google API Services User Data Policy — Limited Use disclosure

Alya’s use and transfer to any other application of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, when you authorize Alya to access data from Google Ads, Google Analytics, Google Search Console, Google Business Profile, or BigQuery via OAuth:

  • We only use Google user data to provide or improve user-facing features that are prominent in the Services’ user interface (the dashboards, reports, alerts, and optimization recommendations you see inside hub.alya.ai).
  • We do not transfer Google user data to third parties except as necessary to provide the Services (such as to our cloud infrastructure providers under data-processing agreements), to comply with applicable law, or as part of a merger, acquisition, or sale of assets (with notice to affected users).
  • We do not use Google user data for serving advertisements, including retargeting, personalized advertising, or interest-based advertising.
  • We do not allow humans to read Google user data except (a) with your affirmative agreement for specific data, (b) where necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized and is used for internal operations.
  • You retain control over your Google data and may revoke Alya’s access at any time via your Google Account settings at myaccount.google.com/permissions, or by disconnecting the integration inside Alya.

5. Third-party platform data — general provisions

The same data-handling principles described in Section 4 apply to data received from any third-party platform we integrate with, including Meta (Facebook/Instagram), LinkedIn, Microsoft Advertising, TikTok, Shopify, and others. In each case:

  • We only fetch the data needed to provide the user-facing features you configure
  • We do not sell or license this data to third parties
  • We do not use it for advertising or profiling outside the scope of your account
  • You can revoke access at any time from within the Alya interface or directly from the third-party platform’s authorized-applications settings

6. How we store and protect your personal information

6.1 Storage location

Personal information and OAuth tokens are stored on servers located primarily in Canada (for users and clients based in North America) and the European Union (for users and clients based in Europe). Our infrastructure providers include OVHcloud and Google Cloud, both of which adhere to industry-standard security certifications including ISO 27001 and SOC 2.

6.2 Security measures

We implement reasonable and appropriate technical and organizational safeguards designed to protect personal information against unauthorized access, disclosure, alteration, or destruction, including:

  • Encryption in transit (TLS 1.2 or higher) for all data exchanged between you and our servers and between our servers and third-party APIs
  • Encryption at rest for OAuth tokens, credentials, and personally identifiable records
  • Strict access controls with role-based permissions; only authorized personnel with a need-to-know may access raw data, and all access is logged and auditable
  • Regular security assessments, dependency vulnerability scanning, and rotational review of secrets and credentials
  • Multi-factor authentication requirements for administrative accounts
  • Incident response and breach notification procedures in accordance with applicable law

No security measure is perfect. We cannot guarantee absolute security, but we continually work to improve our safeguards and respond promptly to any credible threat.

6.3 Retention

We retain personal information only as long as necessary to fulfill the purposes described in this policy:

  • OAuth tokens and third-party data: retained while your connection is active. Upon disconnection of an integration, associated tokens are revoked and data purged within 30 days from our primary operational systems. Aggregated, non-identifying analytics derived from your data may be retained in perpetuity.
  • Account information: retained while your Alya account is active. Upon account deletion, we delete or anonymize your account information within 30 days, except where retention is required to comply with legal obligations (e.g., tax records), resolve disputes, or enforce our agreements.
  • Billing records: retained for 7 years as required by Canadian tax law.
  • Security logs: retained for up to 13 months for security monitoring and incident response.

7. Who we share your personal information with

We share personal information only with:

7.1 Service providers (“processors”)

Trusted third parties who process data on our behalf under written data-processing agreements that obligate them to use the data only as we direct. Categories include:

  • Cloud hosting and infrastructure (e.g., OVHcloud, Google Cloud)
  • Email delivery and communication (e.g., Postmark, Google Workspace)
  • Customer support tools (e.g., HubSpot)
  • Analytics for the Services themselves (aggregated/anonymized only)
  • Payment processing (full card details are handled by PCI-compliant processors; Alya does not store them)

7.2 Legal and regulatory disclosures

Where we are legally required to disclose information (e.g., in response to a valid subpoena, court order, or government request), or where disclosure is necessary to protect the rights, property, or safety of Alya, our users, or the public.

7.3 Business transfers

If Index Web Marketing Inc. is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction, with notice to affected users and an opportunity to object or delete data.

7.4 With your consent

For any purpose disclosed to you at the time we collect the information with your affirmative consent.

We do not sell your personal information to any third party, and we do not permit the use of your personal information for third-party advertising.

8. Cookies and similar technologies

We use a small number of cookies and similar technologies on alya.ai and hub.alya.ai:

  • Strictly necessary cookies for authentication, session management, and security (e.g., anti-CSRF tokens)
  • Preference cookies to remember your language, timezone, or interface options
  • Analytics cookies (minimal, aggregated) to help us improve the Services

We do not set advertising or cross-site tracking cookies. You may manage cookie preferences through your browser settings; disabling strictly necessary cookies may prevent core features (like signing in) from working.

9. Your rights and choices

Depending on your jurisdiction, you have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate or incomplete information
  • Delete your personal information (subject to legal retention obligations)
  • Restrict or object to certain types of processing
  • Withdraw consent at any time where processing is based on consent
  • Data portability — receive your data in a machine-readable format
  • Lodge a complaint with your local data protection authority, including the Office of the Privacy Commissioner of Canada or the Commission d’accès à l’information du Québec

To exercise any of these rights, email us at [email protected]. We will respond within 30 days. We may ask you to verify your identity before acting on a request.

Revoking third-party integrations

You can revoke Alya’s access to any connected third-party platform at any time, either:

  • From within the Alya interface (Settings → Connections → Disconnect), which will also trigger deletion of associated data per Section 6.3
  • Directly from the third-party platform’s own settings (e.g., myaccount.google.com/permissions, facebook.com/settings?tab=business_tools, linkedin.com/psettings/permitted-services)

10. Children’s privacy

The Services are not directed to, or intended for use by, individuals under the age of majority in their jurisdiction of residence (in Quebec, 14 for most sensitive matters, 18 generally for contracts). We do not knowingly collect personal information from minors. If you believe we have inadvertently collected information from a minor, please contact us at [email protected] and we will delete it promptly.

11. International data transfers

If you access the Services from outside Canada or the European Union, your data may be transferred to, stored in, or processed in a jurisdiction other than your own. Where we transfer personal information across borders, we rely on appropriate safeguards such as:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions where available
  • Contractual commitments with service providers that meet equivalent privacy standards

By using the Services, you consent to such transfers where lawful.

12. Automated decision-making

Alya may use automated processing (including basic statistical analysis and machine-learning-generated recommendations) to produce dashboards, insights, and suggestions within your account. These processes are not “solely automated decisions with legal or similarly significant effects” within the meaning of Article 22 of the GDPR — you remain in control of any action taken based on Alya’s recommendations. If in the future we introduce any processing that would qualify as such under applicable law, we will disclose it clearly and obtain appropriate consent.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we make material changes, we will:

  • Update the “Last updated” and “Effective date” at the top of this page
  • Post the revised policy at https://alya.ai/privacy-policy/
  • Where appropriate, notify active account holders by email or in-app message at least 30 days before the changes take effect

Your continued use of the Services after the effective date constitutes acceptance of the revised policy.

14. How to contact us

If you have any questions, concerns, or requests related to this Privacy Policy or our privacy practices, please reach out:

Alya — Index Web Marketing Inc.
Privacy Officer
2277 Ontario St E
Montreal, Quebec, Canada, H2K 1V9
Email: [email protected]
Phone: +1 514-521-6106

For security-related reports (suspected vulnerabilities, incidents): [email protected].

This Privacy Policy is governed by the laws of the Province of Quebec and applicable federal laws of Canada. Courts located in Montreal, Quebec shall have exclusive jurisdiction over any dispute arising from or related to this Privacy Policy, except where otherwise required by the mandatory privacy legislation of your jurisdiction of residence.