InStage Privacy Policy
Last modified: October 26, 2025
Who We Are. This Privacy Policy is issued by 2618991 Ontario Inc. operating as InStage ("InStage", "we", "us", "our") and applies to our websites, products, and services (the "Services"). InStage also operates through its wholly‑owned U.S. subsidiary, InStage, Inc. Our Canadian entity (2618991 Ontario Inc. O/A InStage) is the primary organization responsible for your personal information under Canadian privacy law; InStage, Inc. supports service delivery to U.S. customers and may act as an affiliate and service provider to the Canadian entity.
What this covers: www.instage.io (the "Website") and our AI‑assisted experiential learning platform and voice‑AI features (the "Services").
1) How to read this policy
Scope. This Policy covers how InStage collects, uses, discloses, retains, and protects personal information across our Sites and Services, including when our Canadian entity provides services directly and when our U.S. subsidiary provides services as a supporting affiliate.
Institutional deployments (most higher‑ed use): Your institution (e.g., college/university) is the controller of student education records. InStage acts as a processor/service provider, processing data on documented institutional instructions.
Website visitors & business contacts: InStage is the controller for information we collect directly on our Website or via sales/support interactions.
We designed this policy for Canadian colleges and universities first. We align with PIPEDA and support public‑sector procurement reviews (Ontario FIPPA/MFIPPA, BC FOIPPA, Québec Law 25). For U.S. institutions, we support FERPA.
2) What we collect (and what we do not collect)
We collect:
Account & profile: name, email, institution/program/role; account configurations; support communications.
Service interaction: session metadata, timestamps, usage metrics needed to provide and secure the Service.
Session content (only if enabled by your institution): recordings (audio/video) and transcripts. Students can delete their own items in‑product.
Technical data: IP address, user agent, device/browser details for security & operations.
De‑identified/aggregated analytics used to maintain reliability, performance, and security; we do not try to re‑identify individuals; we do not use de‑identified analytics for advertising.
We do not collect or use: facial recognition, biometric identifiers, eye‑tracking/eye‑contact data, or motion/pose data.
3) How we use information (purposes)
We use information to:
- Provide, secure, and support the Services you or your institution request (identity & access management, troubleshooting, service notifications).
- Operate and improve the Service (including de‑identified/aggregated analytics for reliability, performance, and security).
- Comply with law and enforce agreements.
We do not sell personal information and we do not use personal information for targeted advertising.
4) Product configuration & user controls
Institutional administrators control whether audio recording, video recording, and transcript preservation are enabled and may set institution‑specific retention periods. Students can delete their own recordings and transcripts within the application (subject to institutional policy).
5) Where we process data
Primary locations. All customer Content and platform storage run in Canada (AWS Canada Central). Encryption keys are managed in Canada.
Web RTC Voice (core feature). Live conversation features use a Microsoft service that currently operates from East US 2 (Virginia). During a live session:
- Processing is in‑memory only (ephemeral), a few seconds at a time.
- No audio is stored, logged or recorded, and it is not used to train any models.
- Data in transit is encrypted, and processing occurs entirely within Microsoft's SOC 2 Type 2 and ISO 27001‑certified environments.
- When the session ends, temporary buffers are deleted.
This Web RTC Voice processing is part of the Service and is not disabled at the tenant level. All other AI processing (e.g., text planning, analytics, reporting) runs in Canada.
Telephony (Twilio, optional). If enabled, we use Twilio to place/receive calls. Twilio's default processing region is U.S. (US1); some sub‑features may support other Regions. We do not store call audio and do not enable Twilio call recording. Twilio maintains product‑specific retention for call metadata/recordings; institutions control whether telephony is enabled.
6) Where we store service data
Primary platform data storage: Canada (AWS Canada Central) with encryption in transit and at rest. Encryption keys are managed in Canada per our Encryption Policy.
Logging & monitoring: Security/operational logs are retained securely for at least 365 days, with centralized monitoring and alerting.
7) Cookies and similar technologies
We use cookies to run and secure the Service, remember preferences, and understand basic usage. You can block or delete cookies in your browser; some features may not work if you do.
8) Data retention & deletion
Unless your institution configures stricter timelines:
Video: Deleted automatically after 90 days by default.
Audio: Deleted automatically after 12 months by default.
Transcripts: Deleted automatically after 12 months by default. Institutions may configure shorter retention or disable transcripts. Students can delete their own items; we also honor institution‑initiated deletion requests.
System/security logs: Retained at least 365 days for security and forensic purposes.
Backups: Backups are encrypted and rotated on a 30‑day schedule; deletions propagate upon backup expiry, with residual copies purged within 7 days thereafter.
9) Security overview (what we do to protect data)
We implement administrative, technical, and physical safeguards, including: strong encryption in transit/at rest and Canadian key management; MFA and least‑privilege access controls; awareness training; change control; logging/monitoring; vulnerability & patch management; EDR/malware protection; and routine backup/DR testing.
Encryption & key management: Keys are managed in AWS Canada, with role‑based controls, monitoring, and rotation.
Network & operations: Segmentation, security groups/NACLs, GuardDuty/Inspector, centralized logging (CloudTrail/CloudWatch).
Secure development: Code review, environment segregation, vulnerability SLAs, incident integration.
Independent validation: In August–October 2025, a third‑party web application penetration test identified issues which were fully remediated and closed on retest (Oct 9, 2025). We can provide the executive summary during due diligence.
Institutional due‑diligence materials. For colleges and universities, we support procurement and privacy reviews. On request from an authorized institutional administrator, we provide a document‑based due‑diligence package that may include: (i) a summary of our Web RTC Voice Transfer Impact Assessment (TIA) describing ephemeral East US 2 processing with no storage, no logging of audio payloads, and no model training; (ii) our standard Order/DPA Rider — Web RTC Voice (No Storage; No Training; Notice); (iii) a Web RTC Voice Attestation; (iv) the most‑recent third‑party web‑application penetration test executive summary; and (v) our current Subprocessor Register and retention schedule. Requests: privacy@instage.io. These materials are provided under NDA and are not part of this Privacy Policy; your rights and obligations are governed by your Order Form, DPA, and Terms of Service.
10) Subprocessors & vendors
We use carefully vetted subprocessors under written agreements that include confidentiality, data‑protection terms, and security requirements. We maintain a current Subprocessor List (see our Vendor List in the Vendor Management Policy document for details). We perform risk‑based reviews and ongoing monitoring for higher‑risk vendors.
11) International & cross‑border disclosures
Except for the ephemeral Web RTC Voice processing described in Section 5, we store and process customer content in Canada. If a specific function requires a service provider outside Canada, we contract for appropriate safeguards and require comparable protection. (Institutions may request our latest vendor regions and DPAs.)
For BC public bodies, cross‑border processing is limited to the ephemeral WebRTC Voice described above. This aligns with BC FOIPPA §33(2)(u) permitting temporary processing outside Canada with no intentional human access. Contractual riders document these limits.
12) Legal bases, FERPA & provincial expectations
Canada (PIPEDA): We collect, use, and disclose personal information with consent (including institutional consent for students where applicable) and as otherwise permitted or required by law, and we follow PIPEDA's 10 principles (accountability, identifying purposes, consent, limiting collection/use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance).
Provincial public‑sector reviews: We support procurement reviews, data‑location disclosures, vendor risk assessments, and PIAs where cross‑border processing is involved (e.g., ON FIPPA/MFIPPA, BC FOIPPA, QC Law 25).
United States (FERPA): For institutional deployments in the U.S., the institution is the FERPA controller. InStage acts as a school official with legitimate educational interest, using education records solely to provide the Services.
13) Your rights & choices
Access & correction: Request access/correction of your personal information. Students using InStage through an institution should submit requests via their institution so we can work with the controller.
Deletion: Students can delete their own recordings and transcripts in‑product. We also honor deletion requests received through institutional administrators.
Consent management: Where we rely on consent, you can withdraw it; some features may not be available after withdrawal.
14) Children & age thresholds
The Services are intended for use by or on behalf of institutions. We do not offer the Services to children under 13. Users 13 to the age of majority should use the Services with the supervision and consent of a parent/guardian or institution.
15) Breach notification & incident response
If we identify a breach of security safeguards posing a real risk of significant harm, we will notify the Office of the Privacy Commissioner of Canada as soon as feasible, notify affected individuals, and maintain records of all breaches for at least 24 months. We follow our Incident Response Plan for intake, containment, investigation, and notification.
16) Changes to this policy
We will post updates here and update the "Last modified" date. Material changes will be communicated via the Website or through your institutional administrator.
17) Contact & challenging compliance
Privacy Officer: (see contact below)
Email: privacy@instage.io
Mailing Address: 2967 Dundas St W, #1435, Toronto, ON M6P 1Z2, Canada
If you have questions, requests, or concerns, contact us at the address above. For Canadian users, you may also contact your provincial regulator or the Office of the Privacy Commissioner of Canada if you are not satisfied with our response.
Appendix A — Security program references (evidence available on request)
- Information Security Policy (roles, device controls, training, phishing simulations).
- Network Security Policy (segmentation, GuardDuty/Inspector, logging).
- Access Control Policy (RBAC, onboarding/offboarding, MFA).
- Secure Development Policy (review process, vulnerability SLAs).
- Operations Security Policy (change control, DLP, patching, backups, logs).
- Encryption Policy (Canadian KMS, rotation/escrow/monitoring).
- Incident Response Plan (PIPEDA breach procedures & record‑keeping).
- Penetration Test (Aug–Oct 2025) — all findings closed on retest (Oct 9, 2025).
Appendix B — Retention summary (defaults; institution‑configurable)
Video: Deleted automatically after 90 days by default.
Audio: Deleted automatically after 12 months by default.
Transcripts: Deleted automatically after 12 months by default.
System/security logs: Retained at least 365 days for security and forensic purposes.
Backups: Encrypted and purged on a rolling schedule; deletions propagate upon backup expiry.
Institutions may configure shorter retention or disable retention. Students can delete their own items; we also honor institution‑initiated deletion requests.