01 · Who we are
This website (bilbs.ai) and the services behind it (together, the "Services") are operated by Groupe Bilbs inc., doing business as Bilbs AI ("we", "us", "our"). We are a corporation incorporated under the laws of Québec, Canada (NEQ 1179826558). Under Québec's Act respecting the protection of personal information in the private sector (as modernised by Loi 25 - the Loi modernisant des dispositions législatives en matière de protection des renseignements personnels) and Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA"), Bilbs AI is the enterprise / data controller for personal information collected through this website and during our sales process.
You can reach the company at:
- Legal name: Groupe Bilbs inc. (trading as Bilbs AI)
- Head office: 2659 Avenue Watt #9, Québec, QC G1P 3T2, Canada
- Phone: +1 (438) 533-4455
- General email: info@groupebilbs.com
- Legal & privacy email: legal@groupebilbs.com
02 · Designated Privacy Officer
Under section 3.1 of Loi 25, every enterprise must designate a person in charge of the protection of personal information. Ours is:
- Xavier Perreault - Designated Privacy Officer / Responsable de la protection des renseignements personnels (RPRP)
- Email: legal@groupebilbs.com
- Phone: +1 (438) 533-4455
- Mail: Attn: Privacy Officer, Groupe Bilbs inc., 2659 Avenue Watt #9, Québec, QC G1P 3T2, Canada
The Privacy Officer is your single point of contact for any question about this policy, any request to exercise your rights, any access or rectification request, any complaint, and any breach notification. Most requests are answered within 10 business days; the maximum statutory delay under Loi 25 is 30 days.
03 · Scope - and what we never see
Bilbs AI sells on-premise private AI infrastructure to Québec and Canadian law firms (the "Box", $29 / lawyer / month, hardware audited separately). The whole point of the product is that your client matter data never leaves your office:
- The Box runs on the law firm's own server, behind the firm's own firewall.
- Bilbs AI does not process client matter data in our cloud, in any hyperscaler cloud, or in any third-party LLM provider's cloud. There is no shared inference endpoint. Ever.
- Operational telemetry from the Box is opt-in and stays inside the client firm's perimeter. If a firm chooses to share crash logs or usage metrics with us for support, that sharing is configured locally, is documented in the engagement contract, and is scrubbed of personal information before transmission.
- No law firm's client files, no lawyer-client privileged communications, no matter records and no documents ever flow to Bilbs AI servers in the course of normal operation.
This privacy policy therefore covers only the personal information we do collect: contact-level information from prospects, IT / admin contact information from customer firms during deployment, job applicants, and website visitors. Commercial engagements are also governed by the bilingual Master Services Agreement (MSA) executed at procurement, available to prospects under NDA on request; in case of conflict between this policy and the MSA on a topic the MSA covers, the MSA controls for that customer.
04 · What personal information we collect
We collect only what we need, only for the purposes listed in section 05, and only with your knowledge. Categories:
a. Contact-form submissions
When you fill in the contact form on bilbs.ai (or write to info@groupebilbs.com), we collect: your name, email address, employer / firm name (if you provide it), your role, and the content of your message. Providing this information is voluntary; without it we can't reply.
b. Free-call booking via Cal.com
When you book the free 30-minute strategy call through our Cal.com widget, Cal.com collects on our behalf: your name, email, time zone, chosen slot, any answers to pre-call screening questions, and any notes you add. We receive a calendar event and the booking metadata. Bilbs AI does not see your Cal.com account credentials.
c. Customer-firm IT / admin contacts (deployment)
When a law firm becomes a customer and we install a Box on their premises, we collect the names, work emails, work phone numbers and roles of the IT manager, managing partner and any technical contacts designated by the firm. This is needed for deployment, support and incident escalation. The data is provided directly by the firm under the MSA.
d. Job applications
If you apply to a posted role (or send us a speculative application), we collect what you send us: CV / résumé, cover letter, portfolio links, contact details, references you choose to provide, and our notes from interviews.
e. Website logs and (optional) analytics
Our hosting provider (Vercel) records standard HTTP server logs: timestamp, IP address, user-agent, requested URL, referrer, HTTP status. These are retained on a short rolling window for security and uptime monitoring. If you accept analytics cookies in our banner, a privacy-respecting analytics tool may also record aggregated, pseudonymised metrics about which pages you visit, how long you stay and your approximate region. See section 10 for cookie details. We do not run any advertising pixels, session-replay or behavioural-tracker scripts.
05 · Why we collect it (purposes & consent)
Loi 25 requires us to disclose the purposes of collection at the time we collect, and to rely on your consent (or another lawful basis recognised in Québec law) for each purpose. The mapping:
- Contact-form data - to answer your question, send you a proposal, follow up about a possible engagement. Purpose / basis: your consent (you sent us the message) and pre-contractual measures.
- Booking data - to host and prepare the call you scheduled, send you reminders and a follow-up. Purpose / basis: your consent.
- Customer-firm IT contacts - to install, configure, support and update the Box at the firm's premises and meet our MSA obligations. Purpose / basis: performance of the MSA and our legitimate interest in supporting customers.
- Job-application data - to evaluate your candidacy and (if hired) to onboard you. Purpose / basis: your consent and pre-contractual measures.
- Server logs - to keep the site online, detect abuse, investigate security incidents. Purpose / basis: our legitimate interest in operating a secure website (and applicable Québec / Canadian law).
- Optional analytics - to understand which pages are useful and improve them. Purpose / basis: your prior, explicit, opt-in consent given through the cookie banner.
- Tax / accounting / regulatory - because Canadian tax and corporate law requires us to keep records of invoices, payments and contracts. Purpose / basis: legal obligation.
We do not use your information to train AI models. We do not sell your information. We do not rent it, share it with advertisers, or trade it. Ever.
Where we rely on consent, you can withdraw your consent at any time by emailing the Privacy Officer (see section 02). Withdrawal does not affect processing that already happened, and it doesn't apply to processing we must do to meet a legal obligation (e.g. retaining an invoice for tax purposes).
06 · Third-party recipients (service providers)
We rely on a small number of carefully selected service providers to operate the website and the sales process. None of them ever receive client-matter data from a law firm's Box - that data never leaves the firm. The providers are:
- Vercel Inc. (United States) - static website hosting, edge CDN, server logs. Vercel processes data under its DPA and applicable safeguards (Standard Contractual Clauses where relevant). Receives: HTTP request metadata (IP, URL, user-agent) for every visit. Does not receive: any client-matter data.
- Cal.com, Inc. (United States) - scheduling for the free strategy call. Receives: name, email, time-zone, screening answers and meeting notes you enter into the widget. Cal.com offers SCCs and a DPA; we have assessed both.
- Email provider (currently Fastmail Pty Ltd, with servers in the United States) - inbox for info@groupebilbs.com and legal@groupebilbs.com. Receives: any email you send us and our reply.
- Accounting and payment providers (Québec-based accountant; Stripe, Inc. for card payments during commercial engagements only) - invoicing, tax, payment processing. Receives: invoice metadata and payment information for customers.
- Privacy-respecting analytics (only if you accept the analytics cookie) - aggregated page-view metrics. Receives: page URL, anonymised IP, approximate region. We do not run Google Analytics on this site.
Every service provider listed above is bound by a written contract that limits their use of personal information to the purpose for which we transmitted it, requires confidentiality, and requires them to notify us in case of a security incident. We do not authorise any of them to use your information for their own marketing or to train AI models.
We do not sell or rent your data, and we do not share it with ad networks, data brokers, or LLM providers for training.
07 · Cross-border transfers (outside Québec)
Loi 25 (section 17) requires us to conduct a Privacy Impact Assessment (PIA / EFVP) before communicating personal information outside Québec, and to take into account the legal framework of the destination jurisdiction and the contractual safeguards in place. We have done so for each transfer:
- Vercel hosting (USA). Bilbs AI has reviewed Vercel's security documentation, DPA and sub-processor list. Standard Contractual Clauses are in place where applicable. Risk is low because website traffic does not contain sensitive personal information beyond standard HTTP metadata.
- Cal.com scheduling (USA). Bilbs AI has reviewed Cal.com's DPA. The information collected is limited (name, email, meeting metadata) and is necessary to provide the requested booking. SCCs apply.
- Fastmail email (USA-hosted). Encrypted in transit (TLS) and at rest. We assessed the provider's security posture before adopting it.
- Stripe payments (USA, applies to customers only). PCI-DSS Level 1 certified; SCCs in place.
Important: client matter data from law firms is never transferred anywhere because it never leaves the firm's own Box. The transfers above concern only prospect / customer-contact information and website metadata.
08 · How long we keep it
Loi 25 requires us to destroy or anonymise personal information once the purposes for which it was collected are fulfilled. Our retention periods:
- Contact-form submissions and prospect emails - up to 24 months after the last meaningful contact, then deleted or anonymised. If you become a customer, contact records roll into your customer file.
- Cal.com booking metadata - 24 months for non-customers; 7 years for customers (aligned with accounting record-keeping).
- Customer-firm IT / admin contacts - kept for the duration of the engagement, then 24 months after termination, then deleted (subject to any longer obligation in the MSA).
- Invoices, payment records and tax documents - 7 years, as required by Canadian and Québec tax law.
- Job applications - 12 months from the date of application. With your explicit, written consent we can keep your file for an additional 24 months in case of future openings.
- Server logs - 30 days, rolling.
- Aggregated analytics - 14 months.
09 · Your rights
Under Loi 25 and PIPEDA you have the following rights over the personal information we hold about you. To exercise any of them, email legal@groupebilbs.com from the address on file (or write to the Privacy Officer at the postal address in section 02). We answer within 30 days; usually the same week.
- Right of access. You can ask for a copy of the personal information we hold about you, plus information about how we collected and use it.
- Right of rectification. If something we hold about you is inaccurate, incomplete or out of date, you can have it corrected.
- Right to withdraw consent. You can withdraw consent for any processing that relies on consent (subject to legal obligations we still have to meet).
- Right to erasure / de-indexing (Loi 25). You can ask us to delete personal information that is no longer necessary for the purposes for which it was collected, or to stop disseminating it. You can also ask us to request that search engines de-index public content about you that is incomplete, equivocal or out of date.
- Right to portability (Loi 25, since Sept 2024). Where technically feasible, you can receive the computerised personal information you provided to us in a structured, commonly used technological format - or have it transmitted to another organisation you designate.
- Right to be informed about automated decisions and to request human review. If we ever made a decision about you based exclusively on automated processing of your personal information, you would have the right to be informed, to obtain the reasons and main factors, to submit observations and to ask a human to review the decision. See section 11.
- Right to object / restrict. You can ask us to stop processing your information for direct marketing at any time.
- Right to complain. If you are not satisfied with our response, you can file a complaint with Québec's Commission d'accès à l'information du Québec (CAI) or, for matters falling under federal law, with the Office of the Privacy Commissioner of Canada (OPC).
To protect your information from being disclosed to the wrong person, we may ask for proof of identity before acting on certain requests. Exercising any of these rights is free; for repetitive or manifestly unfounded requests we reserve the right to charge a reasonable fee (which we'll disclose first).
10 · Cookies and similar technologies
A cookie is a small text file that a website stores on your device. We use as few as possible. The categories we set (or may set with your consent) are:
- Strictly necessary. Required for the site to work (language preference stored as bilbs-lang in localStorage, security tokens). No prior consent is required because they are necessary for a service you requested. Duration: until you clear your browser storage.
- Functional. Remember your cookie-banner choice itself so we don't ask again on every page. Duration: 12 months.
- Analytics (opt-in). Only set if you click "Accept analytics" in our cookie banner. Used to count aggregated page views with anonymised IP, no cross-site tracking. Duration: 13 months. You can revoke consent any time from the banner or by clearing storage.
- Advertising. None. We do not run advertising cookies, retargeting pixels, or third-party ad scripts on this site.
You can change your cookie preferences at any time by clicking the "Cookie preferences" link in the footer banner (when shown) or by clearing your browser storage for bilbs.ai. Cal.com may set cookies inside its booking widget when you open it; those are governed by Cal.com's own cookie notice.
11 · Automated decision-making and profiling
Automated decisions. Bilbs AI does not use exclusively automated decision-making on visitors or prospects. Every consequential decision about you - whether we reply, propose, hire, deploy, terminate - is made by a human at Bilbs AI.
Profiling. Bilbs AI does not use observation, recording or analysis technology to construct behavioural profiles of website visitors. We do not score leads with AI, we do not run identity-resolution tools, we do not use session replay.
The AI models that run inside a customer's Box do, of course, generate outputs - but those outputs are about the firm's own documents and queries, the firm controls how they are used, and the data never reaches Bilbs AI. That product behaviour is described in the MSA, not in this policy.
12 · Children
Bilbs AI sells to law firms. The Services and this website are not directed at children under the age of 14, and we do not knowingly collect personal information from children. If you believe a child has submitted personal information through our website, please contact the Privacy Officer and we will delete it promptly.
13 · Security and breach notification
We protect personal information with measures proportionate to its sensitivity:
- Encryption in transit (TLS 1.3) on all public endpoints.
- Encryption at rest wherever our providers support it.
- Role-based access control on internal systems and hardware-backed multi-factor authentication on every administrator account.
- Data minimisation by default - we collect only what we need, and we delete on the schedule in section 08.
- Annual review of provider security postures and our internal access lists.
Breach notification. If a confidentiality incident occurs (loss, unauthorised access, communication or use of personal information) and it presents a risk of serious injury, we will, in accordance with Loi 25 sections 3.5-3.8 and PIPEDA: (i) take reasonable measures to reduce the risk and prevent recurrence; (ii) notify the Commission d'accès à l'information du Québec (CAI) - and, if applicable, the Office of the Privacy Commissioner of Canada - with reasonable diligence; (iii) notify the affected persons; and (iv) keep a register of confidentiality incidents for at least five years, as required by law.
14 · Privacy Impact Assessments (PIA / EFVP)
Loi 25 section 3.3 requires enterprises to conduct a Privacy Impact Assessment (évaluation des facteurs relatifs à la vie privée, EFVP) before any acquisition, development or overhaul of an information system or electronic service involving personal information, and before any communication of personal information outside Québec. Bilbs AI maintains a written PIA process: the Privacy Officer reviews every new tool, sub-processor or data flow against a documented checklist (necessity, proportionality, lawful basis, retention, security, cross-border safeguards, individual rights), records the assessment, and signs off (or refuses) the change. We're happy to discuss our PIA approach with customers under NDA.
15 · Changes to this policy
We may update this policy from time to time, for example to reflect new sub-processors, regulatory updates or product changes. When we make a material change we will: (i) update the "Last updated" date at the top of this page; (ii) for active customers, send an email to the designated contact at least 30 days before the change takes effect; and (iii) for material changes affecting prospects, post a clearly visible banner on bilbs.ai. Continued use of the website after a non-material update means you accept the change. Archived versions of this policy are available on request.
16 · Contact, requests and complaints
For any privacy question, request to exercise your rights, breach notification or complaint, please contact our Privacy Officer:
Xavier Perreault - Designated Privacy Officer (RPRP)
Groupe Bilbs inc. (Bilbs AI)
2659 Avenue Watt #9
Québec, QC G1P 3T2, Canada
Email: legal@groupebilbs.com
Phone: +1 (438) 533-4455
If, after contacting us, you are not satisfied with our response, you may file a complaint with the Commission d'accès à l'information du Québec (CAI) at cai.gouv.qc.ca, or, where applicable, with the Office of the Privacy Commissioner of Canada at priv.gc.ca.
This page describes how Bilbs AI processes personal information collected through bilbs.ai and during the sales process. It is not legal advice. For commercial engagements, the bilingual Master Services Agreement (MSA) and any Data Processing Addendum signed at procurement govern the specifics of that engagement and prevail in case of conflict on a topic the MSA covers.
Effective date: 19 May 2026. Last updated: 19 May 2026.