
Privacy Impact Assessment

A formal evaluation of Rilev's data processing activities, proportionality, risks, and safeguards — satisfying Quebec Law 25 requirements and PIPEDA best practices.

Privacy Officer: Keramat Saeedi · Last assessed: May 16, 2026

Personal Information Inventory

| Category | Collected | Identifiable | Notes |
| --- | --- | --- | --- |
| Full name | | ❌ No | Not collected |
| Email address | | ⚠️ Yes | Optional — Pro users, account recovery only |
| IP addresses | | ❌ No | Not collected by Rilev application; infrastructure providers may log |
| Assessment responses (raw) | | ❌ No | Processed on-device, then deleted |
| Derived outcome scores | | ❌ No | Stored under anonymous identifier |
| AI-generated reports | | ❌ No | Linked to anonymous dataPointer |
| Goal text (user-authored) | | ❌ No | PII-scrubbed before AI processing |
| Consent records | | ❌ No | Linked to anonymous ID only |
| Crisis safety logs | | ❌ No | Linked to anonymous ID only |
| Payment information | | ⚠️ Yes | Via Stripe (tokenized) — Pro users only |
| HealthKit data (iOS) | | ❌ No | Optional, user-authorized, anonymous ID |
| Professional account details | | ⚠️ Yes | Display name, type, email |

Necessity & Proportionality

Rilev's Zero-Knowledge architecture is specifically designed to minimize data collection. Raw assessment responses are never transmitted to servers — only aggregated outcome scores leave the device. Scores are stored under randomly generated anonymous identifiers, and identity and health data exist in architecturally separated systems.

This architecture exceeds the proportionality standard. Even if a breach occurred, the data cannot be linked back to a real individual through Rilev's systems.

Risk Assessment

| Risk | Severity | Likelihood | Mitigation | Residual |
| --- | --- | --- | --- | --- |
| Re-identification from scores | High | Very Low | ZK architecture — no identity linked to scores | Negligible |
| AI provider retains/trains on data | Medium | Low | API terms prohibit training; data is de-identified; PII scrubbed from goals | Low |
| Infrastructure breach exposing IP logs | Medium | Low | Rilev does not store IPs; anonymous IDs cannot be correlated with IPs | Low |
| Professional email exposure | Medium | Low | Stored in Firebase Auth with Google security; separate from health data plane | Low |
| Payment data breach | High | Very Low | Rilev never stores card data; Stripe handles PCI compliance | Negligible |
| Crisis log exposure | High | Very Low | Anonymous ID only; no name, email, or identity attached | Negligible |
| Insider threat | Medium | Very Low | ZK architecture means even Rilev cannot link identity to health data | Negligible |
| Cross-border data exposure | Medium | Low | Contractual safeguards with all providers; core data planned for GCP Toronto | Low |

Safeguards

Encryption

TLS 1.3 in transit, AES-256 at rest (GCP-managed keys).

Zero-Knowledge Architecture

Identity plane and data plane are architecturally separated — cannot be joined through Rilev systems.

Access Controls

Data is accessible only through the anonymous credential held by the user. No admin tool exposes both planes simultaneously.

PII Screening

Regex + AI-based screening on user-authored text. Fail-closed: submissions blocked if screening unavailable.
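The following is an added illustration of the two-layer, fail-closed screening described above; it is not Rilev's code. The regex patterns are a small illustrative set, and `ai_classifier` / `stub_classifier` are hypothetical stand-ins for the AI layer.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Regex layer: direct identifiers that must never reach the AI provider.
# Illustrative patterns only; a production list would be broader.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
}


@dataclass
class ScreenResult:
    allowed: bool   # True only when both layers ran and passed
    text: str       # scrubbed text when allowed, empty string when blocked
    reason: str


def scrub_regex(text: str) -> str:
    """Replace regex-detectable identifiers with a neutral placeholder."""
    for label, pattern in PII_PATTERNS.items():
        text = pattern.sub(f"[{label} removed]", text)
    return text


def screen_goal(text: str, ai_classifier: Optional[Callable[[str], bool]]) -> ScreenResult:
    """Two-layer screen that fails closed.

    ai_classifier is a hypothetical callable returning True when residual PII
    is detected in the already-scrubbed text. If it is unavailable (None) or
    raises, the submission is blocked rather than forwarded unscreened.
    """
    scrubbed = scrub_regex(text)
    if ai_classifier is None:
        return ScreenResult(False, "", "blocked: AI screening unavailable")
    try:
        flagged = ai_classifier(scrubbed)
    except Exception as exc:  # timeout, network error, provider outage
        return ScreenResult(False, "", f"blocked: AI screening failed ({exc})")
    if flagged:
        return ScreenResult(False, "", "blocked: residual PII detected")
    return ScreenResult(True, scrubbed, "ok")


def stub_classifier(text: str) -> bool:
    """Constructed stand-in for the AI layer: flags self-introductions."""
    return "my name is" in text.lower()
```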

Contractual Safeguards

DPAs with all providers handling identifiable data. AI providers receive only de-identified data.

Cross-Border Protections

Core database planned for GCP Toronto. Contractual and organizational safeguards for international transfers.

Rights of Individuals

Right of access: Users access all data through their anonymous credential
Right of rectification: Users can update goals, profile data, and settings at any time
Right of deletion: "Wipe Account" feature permanently deletes profile, scores, and reports
Right to data portability: PDF export of reports available
Right to withdraw consent: Account deletion withdraws consent; consent records retained for legal compliance
Right to be informed of automated decisions: AI Processing Disclosure in privacy policy; Decode disclaimer explains AI-generated nature
Right to de-indexation: Not applicable — anonymous accounts are not indexed by search engines

Conclusion

Rilev's processing of personal information is proportionate, necessary, and adequately safeguarded. The Zero-Knowledge architecture provides privacy protection that significantly exceeds the minimum requirements of Law 25 and PIPEDA. The risk of serious prejudice from a data breach is negligible due to the architectural impossibility of re-identifying individuals through Rilev's systems.
