Privacy Policy
Effective date: 15 July 2026 Last updated: 15 July 2026
Core-AI sells privacy. It would be incoherent to be vague about our own. This page describes exactly what happens to your information when you use this site — including the parts that are less than ideal, and what we’re doing about them.
Who is responsible #
Core-AI is an AI consulting and engineering practice operated by Francisco Perdigon Romero, based in Montreal, Quebec, Canada.
Under Quebec’s Law 25, an organization must designate a person responsible for the protection of personal information. That person is:
Francisco Perdigon Romero — Privacy Officer [email protected]
Write to that address for any question, access request, correction, or complaint about your personal information. A real person reads it.
What we collect #
Information you give us #
If you submit the contact form, we collect:
| Field | Required | Why |
|---|---|---|
| Name | Yes | So we can address you properly |
| Work email | Yes | So we can reply |
| Company | No | To understand your context before the call |
| Message | Yes | The substance of your enquiry |
That is the entire form. We deliberately do not ask for a phone number — we don’t need one to answer a first enquiry, so we don’t collect it.
Please don’t send confidential or sensitive information through this form. A first enquiry never needs it. Describe the problem in general terms; the specifics belong in a call, and under an NDA if appropriate.
Information collected automatically #
- Technical request data. Our site is served by Cloudflare, which processes your IP address, browser type, and request details in order to deliver the page and protect against attacks and abuse.
- Anti-spam challenge. The contact page uses Cloudflare Turnstile to tell humans from bots. When you submit the form, your IP address is sent to Cloudflare to validate the challenge. This is what lets us run a contact form without reCAPTCHA.
- Aggregate analytics. We use Cloudflare Web Analytics, which is cookieless and does not build a profile of you or follow you across other sites. We use it to count page views and referrers — nothing that identifies you individually.
Cookies #
One cookie is set: cf_clearance. Cloudflare sets it to record that your browser passed
a bot check, so you aren’t repeatedly challenged. It’s a security cookie.
Beyond that: no advertising cookies, no analytics cookies, no tracking pixels, no social media widgets, and nothing that profiles you or follows you across the web. Our fonts are served from our own domain rather than Google’s, so loading this site doesn’t tell anyone else you visited.
Why we use your information #
Only for these purposes:
- To answer your enquiry and have a conversation about whether we can help.
- To follow up about that enquiry.
- To keep the site working and secure — spam prevention, abuse mitigation.
- To understand traffic in aggregate — which pages are read.
We do not sell your information. We do not share it for advertising. We do not add you to a mailing list — if we ever wanted to, we would ask first.
Who processes your information #
We’re a small practice and we use third parties to operate. When you send the contact form, your message passes through each of these:
| Provider | Role | Location |
|---|---|---|
| Cloudflare | Hosting, CDN, security, Turnstile, analytics, and email routing | United States |
| Brevo | Renders and delivers the enquiry email | France (EU) |
| Google (Gmail) | The inbox where the enquiry is received and stored | United States |
Concretely, a form submission travels: your browser → a Cloudflare Worker (which checks the anti-spam challenge and stores nothing — we keep no database of submissions) → Brevo, which sends it as an email → Cloudflare Email Routing → our Gmail inbox, where it comes to rest.
Where your information goes #
Your information is processed outside Quebec, and outside Canada. Specifically: our hosting and inbox are in the United States, and email delivery runs through France.
We’re stating this plainly because our clients hire us precisely to keep their data inside their infrastructure, and it would be dishonest to imply we’ve achieved for our own contact form what we build for them. An enquiry about private AI is not the same thing as the regulated data a private AI system is built to protect — but you deserve to know the difference rather than have it blurred.
If you’d rather not send information through the United States, email or LinkedIn are alternatives — though note that ordinary email is not confidential either. For anything genuinely sensitive, ask us for a secure channel.
How long we keep it #
Contact enquiries: 24 months from your last contact with us. That’s long enough for a realistic B2B sales conversation and any follow-up, and no longer.
We’re a small company, and we clear enquiries by periodic manual review rather than automatic deletion — so a message may sit a little past that mark before it’s removed. We’d rather say that plainly than imply a precision we don’t have.
If you ask us to delete your information sooner, we will — see below.
Your rights #
Under Quebec’s Law 25 and Canada’s PIPEDA, you can:
- Ask what we hold about you.
- Correct anything inaccurate.
- Ask us to delete it, or withdraw your consent.
- Ask us to stop contacting you.
- Complain if you’re unhappy with how we handled it.
Write to [email protected]. We’ll respond within 30 days, which is the statutory deadline — realistically much sooner.
If our answer doesn’t satisfy you, you can complain to the regulator:
- Quebec: Commission d’accès à l’information du Québec (CAI) — cai.gouv.qc.ca
- Canada: Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca
How we protect it #
- The site is HTTPS-only, with HSTS.
- Form submissions are validated server-side; API keys live in Worker secrets, never in the browser.
- We keep no database of enquiries — there is no submissions store to breach. Your message becomes an email and nothing more.
- We collect as little as we can get away with, which is the most effective protection available: data not collected cannot leak.
No system is perfectly secure, and we won’t pretend otherwise. If you believe you’ve found a vulnerability in this site, please tell us at [email protected] — we’d rather hear it from you.
Children #
This site is for business audiences and isn’t directed at children. We don’t knowingly collect information from anyone under 14.
Changes #
If we change this policy we’ll update the date at the top. If a change is significant — a new processor, a new purpose — we’ll say so plainly rather than quietly editing.
Contact #
Francisco Perdigon Romero — Privacy Officer, Core-AI [email protected] Montreal, Quebec, Canada