Back to Verified Privacy Policy

Privacy Policy

Effective Date: March 11, 2026

This Privacy Policy describes how In Good Company (Business Name: In Good Company; Business Identification Number: 1001151602) ("In Good Company", "we", "us", or "our") collects, uses, discloses, stores, retains, and protects personal information in connection with the Verified service, website, mobile application, APIs, verification workflows, attestation workflows, and related software and materials (collectively, the "Service").

For users in Ontario and elsewhere in Canada, this Privacy Policy is intended to describe our personal information handling practices in a manner consistent with the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and other applicable Canadian laws.

1. Scope and Approach

The Service is designed around an on-device approach and a data-minimization objective. Our intended design objective is to avoid collecting credentials, avoid screen scraping, and keep as much processing as reasonably possible on the user's device.

That said, some workflows require data to be sent to our infrastructure in order to validate a package, issue a challenge, create an attestation record, produce a verification receipt, or return a signing artifact. Where you choose such a workflow, you direct us to process the information necessary to provide that Service.

2. Personal Information We May Collect

Depending on the workflow you use, we may collect the following categories of personal information:

2.1 Information You Submit or Direct the App to Submit

  • source documents, document files, or document bytes, where a workflow requires document submission;
  • structured verification packages, manifests, hashes, digests, receipts, cover statements, and related metadata;
  • source URLs, source hostnames, and related provenance claims;
  • transport, DNS, download, or renderer evidence submitted by your device or client application;
  • support requests, correspondence, and any information you choose to include in those communications; and
  • any other information you intentionally submit through the Service.

2.2 App, Device, and Security Information

  • app or device integrity information, including challenge identifiers, challenge hashes, app attestation data, assertion data, attestation receipts, and related metadata;
  • device identifiers, account-subject identifiers, or similar identifiers if your client application includes them in a supported workflow;
  • request timestamps, session identifiers, workflow identifiers, and audit-trail records;
  • IP address information, rate-limiting records, and security event records; and
  • technical request metadata reasonably required to operate, secure, troubleshoot, and improve the Service.

2.3 Information We Generate

  • verification results, risk flags, failure codes, and other Service outputs;
  • generated receipts, cover statements, detached signatures, and attestation artifacts; and
  • records necessary to document that a particular verification, attestation, or signing event occurred.

3. Information We Do Not Intend to Collect

The Service is not designed to ask for, receive, use, or intentionally retain:

  • banking usernames or passwords;
  • security questions or answers;
  • one-time passcodes or multi-factor authentication codes;
  • login credentials for financial institutions; or
  • credentials obtained through screen scraping.

We do not engage in screen scraping, and we do not use privileged, partner-only, or institution-side API access to banks or financial institutions on your behalf.

4. How We Collect Information

We collect personal information:

  • directly from you when you use the Service or contact us;
  • from your device or client application when it submits a package, manifest, digest, attestation request, or related evidence;
  • from technical security and operational processes that generate logs, challenge records, or workflow records; and
  • from third-party platform verification services where needed to validate supported security features, such as app or device attestation.

We do not collect your financial account credentials from banks or financial institutions through screen scraping or privileged institution access.

5. Why We Use Personal Information

We may use personal information for the following purposes:

  • to provide the Service and complete the workflow you requested;
  • to validate package structure, hashes, signatures, and provenance-related evidence;
  • to issue and verify anti-replay challenges and app or device attestation claims;
  • to create, return, and maintain receipts, signing artifacts, cover statements, and audit records;
  • to secure the Service, prevent abuse, enforce rate limits, detect fraud, and investigate misuse;
  • to troubleshoot, maintain, support, and improve the Service;
  • to respond to inquiries, support requests, legal requests, and complaints;
  • to comply with applicable legal, regulatory, contractual, or evidentiary obligations; and
  • to establish, exercise, or defend legal claims.

6. When We May Disclose Personal Information

We may disclose personal information:

  • to service providers that help us host, store, secure, operate, and support the Service;
  • to platform providers or verification counterparties where needed to validate app or device integrity features, including Apple where App Attest or related verification is used;
  • where you direct us to provide an output or complete a workflow;
  • where disclosure is required or permitted by applicable law, court order, legal process, or regulatory request;
  • where disclosure is reasonably necessary to protect our rights, users, systems, or the public; and
  • in connection with a merger, financing, reorganization, sale of assets, or similar corporate transaction, subject to appropriate safeguards where required.

We do not sell personal information as part of the Service.

7. Cross-Border Processing

We may use service providers and infrastructure providers that process or store information in Canada, the United States, or other jurisdictions in which they or their subprocessors operate. As a result, personal information may be subject to the laws of those jurisdictions and may be accessible to courts, law enforcement, regulators, or national security authorities in accordance with applicable law.

8. Retention

Our intended operating position is to minimize centralized retention and to keep as much processing as reasonably possible on device.

We do not intentionally retain user credentials such as usernames and passwords because the Service is not designed to receive them.

For workflows that can be completed without submitting source documents to our infrastructure, the relevant document may remain only on your device. For workflows in which you submit a document, package, manifest, digest, receipt request, or related evidence to the Service, you instruct us to process and, where technically required, store that material and related metadata for as long as reasonably necessary to:

  • provide the requested Service;
  • maintain a record of the verification, attestation, or signing event;
  • preserve security, anti-fraud, and anti-abuse controls;
  • troubleshoot and maintain the Service;
  • comply with legal obligations; or
  • establish, exercise, or defend legal claims.

Depending on the workflow, retained information may include challenge records, rate-limit events, attestation receipts and metadata, verification results, raw packages, submitted evidence, document hashes, generated outputs, and limited audit records.

Deletion requests may be subject to technical, security, legal, audit, backup, and evidentiary constraints. We may retain minimal information where reasonably necessary for those purposes.

9. Safeguards

We use administrative, technical, and organizational safeguards appropriate to the sensitivity of the information and the nature of the Service, including measures designed to protect against unauthorized access, use, disclosure, alteration, or destruction.

No method of transmission over the Internet, mobile network, or cloud infrastructure, and no method of electronic storage, is completely secure. Accordingly, we cannot guarantee absolute security.

If a breach of security safeguards involving personal information occurs, we will take such steps as are required by applicable Canadian law, which may include assessment, recordkeeping, notification to affected individuals, and reporting to regulators where the applicable legal threshold is met.

10. Accuracy and User Choice

We rely in significant part on the information you or your device submit to us. You are responsible for ensuring that submitted information is accurate, complete, and up to date to the extent necessary for your use of the Service.

Subject to applicable law and reasonable identity verification, you may request access to personal information we hold about you and request correction of inaccuracies. You may also withdraw consent to certain collections, uses, or disclosures, subject to legal or contractual restrictions and the fact that withdrawal may prevent us from providing some or all of the Service.

To make such a request, please contact our Privacy Officer using the contact information below.

If you are not satisfied with our response, you may have the right to make a complaint to the Office of the Privacy Commissioner of Canada.

Nothing in this Privacy Policy is intended to limit any rights you may have under applicable Canadian privacy law.

11. Children's Privacy

The Service is not intended for children. We do not knowingly design the Service for use by children who are unable to provide meaningful consent under applicable Canadian privacy law.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will post the updated version with a new effective date. Your continued use of the Service after the updated policy becomes effective constitutes acknowledgement of the updated policy.

13. Privacy Officer and Contact Information

In Good Company has designated a Privacy Officer responsible for our privacy management practices.

Privacy questions, access requests, correction requests, consent withdrawal requests, and privacy complaints may be directed to:

  • Privacy Officer
  • Email: support@beingood.company

You may also use any privacy contact channel made available in the Service or on the applicable In Good Company website.