PresenceCraft
Privacy Impact Assessment
Cross-Border Data Transfers to the United States
Prepared in accordance with the Act to modernize legislative provisions as regards the protection of personal information (Law 25 / Bill 64)
| Organization | Metacis Inc. (d/b/a PresenceCraft) |
| Person Responsible | Maxime Beaupré, President |
| Assessment Date | March 26, 2026 |
| Status | DRAFT — For Review |
| Version | 1.0 |
| Next Review Date | 12 months from publication or upon material change |
1. Project Description
1.1 Overview
PresenceCraft is a web-based platform that allows users to create, configure, and interact with AI-powered companion bots. Users design bot personalities, chat with them through a progressive web application (PWA), and store persistent bot memory and configuration data. Bots may also interact with each other and access approved external websites via a managed proxy.
1.2 Purpose of This Assessment
This Privacy Impact Assessment (PIA) is conducted in accordance with section 17.1 of Law 25, which requires organizations to conduct a PIA before communicating personal information outside Quebec. This assessment covers two cross-border transfers of personal information from Quebec, Canada to the United States:
- Transfer 1: Storage of all platform data on Amazon Web Services (AWS) infrastructure in the us-east-1 region (US East, Virginia).
- Transfer 2: Transmission of user chat messages and bot context to Anthropic PBC's Claude API for AI processing.
1.3 Scope
This PIA covers all personal information collected, used, and disclosed by the PresenceCraft platform, with particular focus on cross-border transfers. It does not cover Stripe's independent processing of payment data, which is governed by Stripe's own PCI-DSS compliant data handling practices.
2. Personal Information Inventory
2.1 Categories of Personal Information
| Category | Data Elements | Sensitivity | Transferred To | Purpose |
|---|---|---|---|---|
| Account Information | Email address or phone number | Low–Medium | AWS (storage) | Authentication, account management |
| Chat Messages | User messages to/from bots, conversation history | High | AWS (storage), Anthropic (processing) | AI response generation, conversation persistence |
| Bot Configuration | Personality settings, custom instructions, memory data | Medium | AWS (storage), Anthropic (context for processing) | Bot personalization |
| Usage Data | Page views, feature usage, session metadata, IP addresses | Low | AWS (storage) | Analytics, security, debugging |
| Billing Metadata | Subscription status, plan type, last-4 of card, billing email | Low–Medium | AWS (storage), Stripe (processing) | Payment processing, account management |
| Server Logs | IP addresses, request timestamps, error information | Low | AWS (storage) | Security monitoring, debugging |
2.2 Special Considerations — User-Shared Content
Users may voluntarily share sensitive personal information within their bot conversations (e.g., health concerns, location, daily routines). This is user-initiated and unpredictable in nature. While PresenceCraft does not solicit or harvest this information, its presence in chat messages means it is transferred to both AWS (storage) and Anthropic (processing). This elevates the sensitivity classification of chat messages to High.
3. Data Flow Analysis
3.1 Transfer 1: PresenceCraft → AWS (Storage)
| Recipient | Amazon Web Services, Inc. |
| Location | us-east-1 region (Northern Virginia, United States) |
| Data Transferred | All platform data: account info, chat messages, bot configs, usage data, billing metadata, server logs |
| Transfer Mechanism | TLS 1.2+ encrypted connections between application servers and AWS managed services (RDS, S3, etc.) |
| Purpose | Hosting, storage, and infrastructure for the PresenceCraft platform |
| Contractual Protections | AWS Data Processing Addendum (DPA), AWS Service Terms, SOC 2 Type II certification, ISO 27001 certification |
| Encryption at Rest | AES-256 encryption via AWS managed encryption keys |
| Access Controls | IAM role-based access, principle of least privilege, audit logging via CloudTrail |
3.2 Transfer 2: PresenceCraft → Anthropic (AI Processing)
| Recipient | Anthropic PBC |
| Location | United States (Anthropic's infrastructure) |
| Data Transferred | Chat messages (user input), bot personality/instructions/memory context, AI-generated responses |
| Transfer Mechanism | HTTPS API calls (TLS 1.2+) from PresenceCraft servers to Anthropic's Claude API |
| Purpose | Real-time AI language model processing to generate bot responses |
| Contractual Protections | Anthropic API Terms of Service — restrict Anthropic from using API inputs/outputs to train models |
| Data Retention by Anthropic | Subject to Anthropic's API data retention policy. API inputs are not used for model training under current commercial API terms. |
4. Legal Framework of Destination Jurisdiction
4.1 United States Legal Framework
The United States does not have a single comprehensive federal privacy law equivalent to PIPEDA or Law 25. However, the following legal protections apply to data transferred to the US:
| Framework / Protection | Relevance |
|---|---|
| Sector-specific laws | HIPAA (health), GLBA (financial), COPPA (children) — not directly applicable but demonstrate US capacity for data protection |
| State privacy laws | Virginia (VCDPA), California (CCPA/CPRA), and others — AWS us-east-1 is in Virginia, which has enacted comprehensive privacy legislation |
| AWS contractual protections | AWS DPA provides contractual commitments equivalent to or exceeding many regulatory requirements; SOC 2 Type II and ISO 27001 certified |
| Anthropic contractual protections | API terms restrict use of customer data; commercial API inputs not used for training |
| US government access risk | FISA Section 702, CLOUD Act — US authorities may compel disclosure in certain circumstances. Mitigated by encryption at rest, contractual protections, and low likelihood for a Canadian consumer platform |
4.2 Adequacy Assessment
While the United States has not been recognized by Quebec or Canada as providing an adequate level of privacy protection equivalent to Canadian law, the combination of contractual protections (DPAs, API terms), technical safeguards (encryption, access controls), and sector-specific regulations provides a reasonable level of protection for the personal information being transferred. The nature of the data (primarily consumer chat data for AI processing) and the limited scope of the transfers further mitigate risk.
5. Risk Assessment
| # | Risk | Likelihood | Impact | Level | Mitigation Measures | Residual |
|---|---|---|---|---|---|---|
| R1 | Unauthorized access to chat messages on AWS | Low | High | Medium | AES-256 encryption at rest, TLS in transit, IAM role-based access, CloudTrail audit logging, principle of least privilege | Low |
| R2 | Anthropic uses chat data for model training | Low | High | Medium | Contractual restriction in API terms; Anthropic's commercial API policy prohibits training on API inputs | Low |
| R3 | US government compels disclosure (FISA/CLOUD Act) | Low | Medium | Medium | Encryption at rest limits usable data; low-profile consumer platform; contractual notification obligations where legally permitted | Low |
| R4 | Data breach at AWS | Low | High | Medium | AWS SOC 2 Type II, ISO 27001; shared responsibility model; PresenceCraft implements application-level encryption and access controls | Low |
| R5 | Data breach at Anthropic | Low | High | Medium | Anthropic security practices and API terms; data transmitted is transient (API call/response); PresenceCraft does not control Anthropic's retention | Low–Medium |
| R6 | Users share highly sensitive info in chats (health, location) | Medium | Medium | Medium | Privacy Policy discloses AI processing and US transfers; express consent obtained at sign-up; users informed that chat content is processed by US-based AI | Low |
| R7 | Loss of data during cross-border transfer | Very Low | Medium | Low | TLS encryption in transit; reliable API endpoints; server-side error handling and retry logic | Low |
| R8 | Insufficient consent for cross-border transfer | Medium | High | High | Express consent mechanism at account creation specifically naming US-based services (AWS, Anthropic); link to full Privacy Policy | Low |
| R9 | Third-party sub-processor changes by AWS or Anthropic | Low | Medium | Medium | Monitor AWS and Anthropic terms for changes; annual PIA review cycle; contractual notification obligations | Low |
6. Proportionality and Necessity Assessment
6.1 Necessity of Transfer 1 (AWS)
AWS us-east-1 was selected for its reliability, performance, cost-effectiveness, and proximity to our user base. While Canadian AWS regions exist (ca-central-1 in Montreal), the us-east-1 region provides a broader range of managed services and lower latency for AI API calls to Anthropic (also US-based). The transfer is necessary to operate the platform.
6.2 Necessity of Transfer 2 (Anthropic)
Anthropic's Claude API is the core AI engine powering PresenceCraft's bot functionality. There is no Canadian-hosted alternative that provides equivalent capability. The transfer of chat messages to Anthropic is essential for the Service to function. The data transferred is limited to what is necessary for AI processing: the current message, relevant conversation history, and bot configuration context.
6.3 Data Minimization
PresenceCraft applies the following data minimization practices:
- Only the minimum necessary conversation context is sent to Anthropic per API call (not the entire chat history).
- Bot configuration data sent to Anthropic is limited to what is needed for response generation.
- No account metadata (email, phone, billing) is transmitted to Anthropic.
- Server logs and usage analytics are stored on AWS only and are not shared with Anthropic.
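The minimization rules above, as an added illustration that is not PresenceCraft's own code: the request builder allow-lists bot-context keys and trims history, and a pre-send guard fails closed if any account, billing or log field is found in the outbound payload. Field names, the turn cap and the sample data are hypothetical.

```python
"""Data-minimization filter for outbound AI API calls (added example, not PresenceCraft's own code).
Assumptions (hypothetical): chat turns are dicts with "role" and "content" plus server-only fields;
bot configs hold the keys in BOT_CONTEXT_KEYS plus server-only data; ACCOUNT_FIELDS lists the
account, billing and log field names that must never leave for the AI API.
"""
from __future__ import annotations
from typing import Any

MAX_CONTEXT_TURNS = 20                                          # cap on history turns per call
BOT_CONTEXT_KEYS = ("personality", "instructions", "memory")    # needed for response generation
ACCOUNT_FIELDS = frozenset({"email", "phone", "billing_email", "plan", "card_last4", "ip_address"})

def build_ai_request(bot_config: dict[str, Any], history: list[dict[str, Any]],
                     user_message: str) -> dict[str, Any]:
    """Assemble the minimal request: allow-listed bot context, trimmed history, current message."""
    context = {k: bot_config[k] for k in BOT_CONTEXT_KEYS if k in bot_config}
    recent = [{"role": t["role"], "content": t["content"]} for t in history[-MAX_CONTEXT_TURNS:]]
    return {"system": context, "messages": recent + [{"role": "user", "content": user_message}]}

def leaked_account_fields(payload: Any) -> set[str]:
    """Pre-send guard: collect any account-metadata keys found anywhere in the payload."""
    found: set[str] = set()
    if isinstance(payload, dict):
        for key, value in payload.items():
            if key in ACCOUNT_FIELDS:
                found.add(key)
            found |= leaked_account_fields(value)
    elif isinstance(payload, list):
        for item in payload:
            found |= leaked_account_fields(item)
    return found

def demo() -> dict[str, Any]:
    """Constructed sample: a bot config that also carries its owner's account record."""
    bot_config = {
        "personality": "cheerful", "instructions": "Answer briefly.", "memory": {"likes": ["tea"]},
        "owner": {"email": "user@example.com", "plan": "pro", "card_last4": "4242"},
    }
    # 30 prior turns with the request IP attached server-side; only the last 20 go out, IP stripped.
    history = [{"role": "user" if i % 2 == 0 else "assistant", "content": f"turn {i}",
                "ip_address": "203.0.113.7"} for i in range(30)]
    payload = build_ai_request(bot_config, history, "hello")
    if leaked_account_fields(payload):                 # fail closed rather than over-share
        raise RuntimeError("refusing to send: account metadata present in AI payload")
    return payload
```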
7. Consent Mechanism
In accordance with Law 25's requirement for express consent before communicating personal information outside Quebec, PresenceCraft implements the following consent mechanism:
7.1 Account Creation Consent
At account creation, users are presented with the following (or substantially similar) consent statement:
“By creating an account, you agree to our Terms of Use and Privacy Policy, and you expressly consent to having your data stored and processed by services located in the United States, including Amazon Web Services (cloud infrastructure) and Anthropic (AI processing). For full details on how your data is handled, please review our Privacy Policy.”
Users must affirmatively check a consent box before account creation can proceed. This consent is recorded with a timestamp.
7.2 Ongoing Transparency
The Privacy Policy is accessible at all times from within the application. Material changes to data processing practices trigger a re-consent flow with 30 days' notice.
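The consent record and re-consent flow from sections 7.1 and 7.2, as an added example rather than PresenceCraft's own implementation: consent is stored only on an affirmative tick with a timestamp, and every transfer is gated on a record that still covers the current policy version, allowing for the 30-day notice window. Version strings, dates and field names are assumptions.

```python
"""Express-consent record and transfer gate (added example, not PresenceCraft's own code).
Assumptions (hypothetical): records store the accepted policy version, a UTC timestamp and the
recipients named at sign-up; a material change bumps the version and opens a 30-day notice window.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

REQUIRED_RECIPIENTS = frozenset({"AWS", "Anthropic"})   # US-based recipients named at sign-up
RECONSENT_NOTICE = timedelta(days=30)                   # notice window after a material change

@dataclass(frozen=True)
class ConsentRecord:
    user_id: str
    policy_version: str
    recorded_at: datetime           # audit-trail timestamp captured when the box was checked
    recipients: frozenset[str]      # recipients explicitly disclosed in the consent statement
    express: bool                   # affirmative tick, never a pre-checked box

def record_consent(user_id: str, policy_version: str, box_checked: bool,
                   now: datetime) -> ConsentRecord:
    """Persist consent only on an affirmative tick; anything else is not express consent."""
    if not box_checked:
        raise ValueError("express consent requires an affirmative action by the user")
    return ConsentRecord(user_id, policy_version, now, REQUIRED_RECIPIENTS, True)

def transfer_allowed(rec: ConsentRecord | None, current_version: str,
                     version_published: datetime, now: datetime) -> tuple[bool, str]:
    """Gate each AWS/Anthropic transfer on consent that still covers the current policy."""
    if rec is None or not rec.express:
        return False, "no express consent on file"
    if not REQUIRED_RECIPIENTS <= rec.recipients:
        return False, "consent does not name all US-based recipients"
    if rec.policy_version == current_version:
        return True, "consent covers current policy"
    if now - version_published < RECONSENT_NOTICE:
        return True, "material change: re-consent pending within notice window"
    return False, "notice window elapsed without re-consent; block transfer"

def demo() -> list[bool]:
    """Constructed timeline: consent on the draft date, a material change 100 days later."""
    t0 = datetime(2026, 3, 26, tzinfo=timezone.utc)
    rec = record_consent("user-1", "2026-03", True, t0)
    pub = t0 + timedelta(days=100)                      # new policy version published
    return [transfer_allowed(rec, "2026-03", t0, t0)[0],
            transfer_allowed(None, "2026-03", t0, t0)[0],
            transfer_allowed(rec, "2026-07", pub, pub + timedelta(days=10))[0],
            transfer_allowed(rec, "2026-07", pub, pub + timedelta(days=31))[0]]
```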
8. Recommendations and Action Items
| # | Priority | Action | Owner | Target Date |
|---|---|---|---|---|
| 1 | Critical | Implement express consent checkbox at account creation with specific language about US transfers | Product / Engineering | Before launch |
| 2 | Critical | Verify Anthropic's current security certifications and update Section 3.2 of this PIA | Privacy Officer | Before launch |
| 3 | High | Evaluate feasibility of migrating primary storage to AWS ca-central-1 (Montreal) | Engineering / Infra | Within 6 months |
| 4 | High | Implement consent timestamp recording and audit trail | Engineering | Before launch |
| 5 | Medium | Establish annual PIA review cycle and assign review responsibility | Privacy Officer | Upon publication |
| 6 | Medium | Monitor Anthropic and AWS terms of service for material changes | Privacy Officer | Ongoing |
| 7 | Medium | Document data minimization practices for Anthropic API calls (context window limits, etc.) | Engineering | Within 3 months |
| 8 | Low | Explore end-to-end encryption options for chat messages at rest | Engineering | Within 12 months |
9. Conclusion
This Privacy Impact Assessment concludes that the cross-border transfers of personal information from PresenceCraft to services in the United States (AWS for storage, Anthropic for AI processing) are necessary for the operation of the Service and are proportionate to the purposes for which the data is collected.
While the United States does not provide an equivalent level of privacy protection to Quebec, the combination of contractual protections, technical safeguards, data minimization practices, and express user consent provides an adequate level of protection for the personal information being transferred.
The identified risks are mitigable and the residual risk levels are acceptable, provided the recommended action items are implemented. This assessment should be reviewed annually and upon any material change to data processing practices, third-party service providers, or applicable legislation.
Approval
| Role | Name | Signature / Date |
|---|---|---|
| Person Responsible for Privacy | Maxime Beaupré, President | ____________________ |
| Legal Counsel (if applicable) | ____________________ | ____________________ |
Disclaimer: This PIA is a draft prepared for internal review. It should be reviewed by qualified legal counsel before being finalized. This document does not constitute legal advice.
See also: Privacy Policy · Terms of Use