TERMS OF SERVICE

askBrIdgit.ca Limited

Effective Date: February 19, 2026
Version: 1.0
Last Reviewed: February 19, 2026
Next Review Date: February 19, 2027

Introduction and Acceptance of Terms
Definitions
Description of the Service
Eligibility and Account Terms
Acceptable Use Policy
AI-Assisted Features — Disclaimer and Terms
Intellectual Property Rights
User Content and Licensing
Data Handling and Privacy
Subscription, Billing, and Payment
Service Levels and Availability
Limitation of Liability and Warranty Disclaimer
Indemnification
Term, Termination, and Suspension
Governing Law and Dispute Resolution
General Provisions
Contact Information

1. INTRODUCTION AND ACCEPTANCE OF TERMS

1.1 Agreement to Terms

These Terms of Service (the "Terms" or "Agreement") constitute a legally binding agreement between you (the "User," "you," or "your") and askBrIdgit.ca Limited, a corporation incorporated under the laws of Canada (the "Company," "Bridgit," "we," "us," or "our"), governing your access to and use of the Bridgit Platform (the "Service" or "Platform") accessible at https://www.askbridgit.ca and any associated mobile applications, APIs, or related services.

By creating an account, accessing the Service, or using any feature of the Platform, you acknowledge that you have read, understood, and agree to be bound by these Terms, including all policies incorporated by reference, including but not limited to the Privacy Policy and Data Retention Policy. If you do not agree to these Terms, you must immediately cease all use of the Service and may not create or maintain an account.

1.2 Modifications to Terms

The Company reserves the right to modify, amend, or update these Terms at any time in its sole discretion. Material changes to these Terms will be communicated to Users via email to the registered email address associated with the User's account or through a prominent notice within the Service at least thirty (30) days prior to the effective date of such changes, except where changes are required by law, in which case they may take effect immediately.

Continued use of the Service following the effective date of amended Terms constitutes acceptance of such amendments. Users who do not agree to the amended Terms must discontinue use of the Service and may terminate their account in accordance with Section 14 (Term, Termination, and Suspension) prior to the effective date of the amendments.

1.3 Additional Terms and Policies

These Terms incorporate by reference the following policies and agreements, which are binding upon all Users:

Privacy Policy (available at https://askbridgit.ca/api/v1/legal/policies/privacy-policy)
Data Retention Policy (available at https://askbridgit.ca/api/v1/legal/policies/data-retention-policy)
Security Policy (available at https://askbridgit.ca/api/v1/legal/policies/security-policy)
Data Processing Agreement (where applicable, for organizational customers acting as Data Controllers)

In the event of a conflict between these Terms and any incorporated policy, these Terms shall prevail unless the specific policy expressly states otherwise.

1.4 Organizational Accounts

Where the User is accessing the Service on behalf of an organization, company, institution, or other legal entity (an "Organization"), the User represents and warrants that:

(a) The User is an authorized representative of the Organization with the legal authority to bind the Organization to these Terms;

(b) The Organization accepts and agrees to be bound by these Terms; and

(c) All references to "User" or "you" in these Terms shall be deemed to include both the individual user and the Organization, jointly and severally.

Organizations are responsible for the actions of all individuals who access the Service using credentials associated with the Organization's account, including employees, contractors, affiliates, and authorized third parties.

2. DEFINITIONS

For purposes of this Agreement, the following terms shall have the meanings set forth below. Additional defined terms may appear elsewhere in this Agreement and shall have the meanings ascribed to them in their respective sections.

"Account" means the user account created by or on behalf of a User to access and use the Service, including all associated credentials, settings, and data.

"Activity" or "Activity Instance" means a structured workflow unit within the Service consisting of a form-based data collection process, which may include multiple question types, conditional logic, file attachments, and AI-assisted content generation. Activities serve as the primary mechanism for capturing and managing innovation-related information within the hierarchical structure of Organizations, Innovations, and Projects.

"AI Features" or "AI-Assisted Features" means the artificial intelligence capabilities integrated into the Service, including but not limited to content generation, research summarization, context-aware drafting, and retrieval-augmented generation (RAG), powered by third-party large language model providers as specified in Section 6.

"AI Provider" means a third-party provider of large language model services integrated with the Service, including but not limited to OpenAI, Anthropic (Claude), Google (Gemini), Cohere, Mistral, Perplexity, and DeepSeek.

"Authorized User" means an individual who is authorized to access and use the Service on behalf of a subscribing Organization, including employees, contractors, affiliates, or other persons granted access by an Organization Administrator.

"Bridgit Platform" or "Platform" means the innovation management software-as-a-service platform provided by the Company, including all associated websites, applications, APIs, documentation, and related services, accessible at https://www.askbridgit.ca.

"Business Day" means any day other than a Saturday, Sunday, or statutory holiday in the Province of Ontario, Canada.

"Confidential Information" means all non-public information disclosed by one party to the other, whether orally, in writing, or by inspection of tangible objects, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure.

"Content" means any text, data, information, software, graphics, photographs, videos, audio, or other materials, whether provided by the Company, Users, or third parties.

"Controller" and "Processor" have the meanings ascribed to them under applicable data protection legislation, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and the General Data Protection Regulation (GDPR), where applicable. In the context of this Agreement, subscribing Organizations typically function as Controllers with respect to personal data of their end users, and the Company functions as a Processor acting on behalf of such Controllers.

"Data Processing Agreement" or "DPA" means the agreement governing the processing of personal data by the Company on behalf of an Organization, which forms part of this Agreement and is incorporated by reference.

"Effective Date" means February 19, 2026, the date on which this version of the Terms becomes effective.

"Innovation" means a user-defined innovation initiative tracked within the Service, representing a research project, product development effort, process improvement, or other innovation-related endeavor managed through the Platform's hierarchical structure.

"Intellectual Property Rights" means all intellectual property rights worldwide, whether registered or unregistered, including but not limited to patents, copyrights, trademarks, service marks, trade names, trade secrets, database rights, design rights, moral rights, and all applications, renewals, extensions, and restorations thereof.

"Organization" means a legal entity (including but not limited to corporations, partnerships, universities, hospitals, research institutions, or government agencies) that subscribes to the Service and under which individual Users are granted access. Organizations function as independent tenants within the Platform's multi-tenant architecture.

"Organization Administrator" means a User who has been granted administrative privileges for a specific Organization, including the authority to manage membership, assign roles, configure organizational settings, and control access to organizational data.

"Personal Data" or "Personal Information" means any information relating to an identified or identifiable natural person, as defined under applicable privacy legislation, including PIPEDA and GDPR.

"Platform IP" means all Intellectual Property Rights in and to the Service, including all software, source code, object code, algorithms, databases, user interfaces, visual designs, documentation, trademarks, service marks, trade names, logos, and other intellectual property owned by or licensed to the Company.

"Project" means a user-defined project managed within the Service, representing a discrete body of work associated with an Innovation or Organization, and serving as a container for related Activities.

"Reference Document" or "Reference Library" means the document management system within the Service that enables Organizations to upload, categorize, search, and curate documents with configurable access controls, expert verification flags, community voting, and expiration management.

"Service" means the Bridgit Platform and all associated services, features, functionality, content, and materials provided by the Company, as described in Section 3.

"Subscription" means the User's or Organization's paid or trial access to the Service for a specified term and subscription tier, as governed by Section 10.

"Terms" or "Agreement" means these Terms of Service, including all schedules, exhibits, and policies incorporated by reference.

"User" or "you" means any individual or entity that creates an account, accesses, or uses the Service, including both individual subscribers and Authorized Users acting on behalf of Organizations.

"User Content" means all data, documents, text, images, files, innovations, projects, activities, form responses, reference materials, and other content created, uploaded, submitted, or transmitted by Users through the Service, as further described in Section 8.

3. DESCRIPTION OF THE SERVICE

3.1 Overview

The Bridgit Platform ("Service") is a business-to-business software-as-a-service ("SaaS") innovation management platform designed to assist organizations in managing healthcare and research innovation processes from ideation through commercialization. The Service is provided exclusively for business, research, and institutional purposes and is not intended for personal, consumer, or household use.

3.2 Core Functionality

The Service provides the following capabilities:

3.2.1 Innovation Tracking and Workflow Management

The Service enables organizations to create, track, and manage innovation initiatives through a structured hierarchy of organizations, innovations, projects, and activities. Users design and execute structured workflows using a configurable form builder supporting multiple question types, conditional logic, variable substitution, and version-controlled form templates. Activity instances serve as the primary unit of data collection and workflow completion across all entity types.

3.2.2 Multi-Organization Support and Role-Based Access Control

The Service operates on a multi-tenant architecture in which each subscribing organization functions as an independent tenant. Access is governed by a role-based access control framework with system-level roles (system administrator, basic user) and entity-scoped roles (organization administrator, organization member, project administrator, project member, and equivalent roles for innovations and activities). Membership, permissions, and visibility rules are enforced at each organizational level.

3.2.3 AI-Assisted Features

The Service incorporates artificial intelligence capabilities provided by third-party large language model providers (including OpenAI, Anthropic, Google, Cohere, Mistral, Perplexity, and DeepSeek) to assist users with form field content generation, research summarization, and context-aware content drafting. AI features include retrieval-augmented generation from uploaded reference documents and optional web search integration. All AI-generated content is presented as suggestions for user review and is not intended to constitute professional, medical, legal, or regulatory advice. AI-Assisted Features are subject to the specific terms and limitations set forth in Section 6.

3.2.4 Document Management and Reference Library

The Service includes a reference document library enabling organizations to upload, categorize, search, and curate documents with configurable access controls (private, internal, public, curated), expert verification flags, community voting, feedback mechanisms, and expiration management. Evidence and file attachments may be associated with projects, innovations, and activity instances.

3.2.5 Compliance and Policy Management

The Service provides tools for managing compliance controls mapped to recognized frameworks (including ISO 27001, SOC 2, GDPR, and PIPEDA), data retention policies with configurable schedules per data category, legal hold management to suspend automated data deletion during litigation or regulatory proceedings, consent management with withdrawal capability, and immutable audit logging of system actions.

The Company's infrastructure and security practices are designed to align with ISO 27001 and SOC 2 Trust Services Criteria. However, Bridgit is not currently certified under ISO 27001 or SOC 2 unless otherwise expressly stated in writing. References to these frameworks indicate design intent and best-practice alignment, not formal certification status.

3.2.6 Embedded Forms for Public Data Collection

The Service permits authorized users to publish activities as embeddable forms accessible without authentication, subject to configurable domain restrictions and rate limiting. Public submissions may be anonymous, identified by email, or named, and are tracked through session tokens.

3.2.7 Collaboration

The Service supports real-time collaborative editing of activities with automatic conflict resolution, invitation and join-request workflows, a communications center aggregating organizational interactions, and notification delivery.

3.3 Limitations and Disclaimers

3.3.1 Not a Medical Device or Clinical Tool

THE SERVICE IS AN INNOVATION MANAGEMENT AND WORKFLOW TOOL. IT IS NOT A MEDICAL DEVICE, CLINICAL DECISION SUPPORT SYSTEM, DIAGNOSTIC TOOL, ELECTRONIC HEALTH RECORD SYSTEM, OR TELEHEALTH PLATFORM.

The Service does not provide clinical recommendations, treatment planning, patient care coordination, or any functionality subject to regulation as a medical device under the Medical Devices Regulations (SOR/98-282) or equivalent legislation in any jurisdiction. The Service does not process, store, or transmit protected health information as defined under the Health Insurance Portability and Accountability Act ("HIPAA") or personal health information as defined under the Personal Information Protection and Electronic Documents Act ("PIPEDA") unless separately agreed in a Business Associate Agreement or equivalent data processing addendum.

Users are solely responsible for ensuring that their use of the Service complies with all applicable healthcare regulations, professional standards, and ethical guidelines. The Service must not be used for direct patient care, clinical diagnosis, treatment decisions, or any purpose requiring regulatory approval as a medical device.

3.3.2 AI-Generated Content Disclaimer

AI-generated content provided through the Service is produced by third-party models and is furnished on an "as-is" basis. AI output may contain inaccuracies, omissions, or content that is incomplete, outdated, or unsuitable for the User's specific circumstances. Users are solely responsible for reviewing, validating, and assuming responsibility for any AI-generated content prior to reliance, publication, or use in decision-making processes. The Company makes no representations or warranties regarding the accuracy, completeness, reliability, or suitability of AI-generated content for any particular purpose.

3.4 Service Modifications

The Company reserves the right to modify, suspend, or discontinue any aspect of the Service, including features, functionality, integrations, or supported AI providers, at any time with or without notice. The Company will make commercially reasonable efforts to provide advance notice of material changes that adversely affect core functionality, but is under no obligation to do so where changes are necessary for security, legal compliance, or operational reasons.

4. ELIGIBILITY AND ACCOUNT TERMS

4.1 Eligibility Requirements

4.1.1 Age Requirement

You must be at least eighteen (18) years of age to register for or use the Service. The Service is not directed to, and may not be used by, any individual under the age of eighteen (18). By creating an account, you represent and warrant that you meet this minimum age requirement.

4.1.2 Organizational Authorization

The Service is provided on a business-to-business basis to organizations that subscribe to the Bridgit Platform. Individual user accounts may only be created by persons who are authorized representatives, employees, contractors, or affiliates of a subscribing organization ("Authorized Users"). By registering for an account, you represent and warrant that:

(a) You are authorized by your organization to create an account and access the Service on behalf of that organization;

(b) You have the legal capacity and authority to bind your organization to these Terms of Service;

(c) Your use of the Service is within the scope of your employment, engagement, or affiliation with the subscribing organization; and

(d) Your organization has entered into a valid subscription agreement with askBrIdgit.ca Limited or is otherwise authorized to use the Service.

4.1.3 Prohibited Users

You may not create an account or use the Service if:

(a) You are under the age of eighteen (18);

(b) You have been previously suspended or terminated from the Service for violation of these Terms or any applicable policy;

(d) You are located in, or are a resident or national of, any jurisdiction subject to comprehensive sanctions administered by the Office of Foreign Assets Control of the United States Department of the Treasury, the Canadian Special Economic Measures Act, or equivalent sanctions regimes; or

(e) Your registration or use would violate any applicable law, regulation, or legal obligation.

4.2 Account Registration

4.2.1 Registration Methods

You may register for an account through one of the following methods:

(a) Google OAuth Authentication. You may authenticate using your existing Google account credentials through OAuth 2.0 protocol. By selecting this method, you authorize askBrIdgit.ca Limited to access your Google account profile information (including name and email address) solely for the purpose of account creation and authentication. Your use of Google OAuth is subject to Google's terms of service and privacy policy.

(b) Email and Password Registration. You may register by providing a valid email address and creating a password that meets the Service's security requirements. Password requirements are established to protect account security and may be updated from time to time at askBrIdgit.ca Limited's discretion.

4.2.2 Registration Information Accuracy

You agree to provide accurate, current, and complete information during the registration process and to maintain and promptly update your account information to keep it accurate, current, and complete. You represent and warrant that:

(a) All registration information you submit is truthful, accurate, and complete;

(b) The email address you provide is valid, actively monitored by you, and under your exclusive control;

(d) You will promptly notify askBrIdgit.ca Limited of any changes to your registration information through the account settings interface or by contacting support.

Failure to provide or maintain accurate registration information may result in suspension or termination of your account and may constitute a material breach of these Terms.

4.2.3 One Account Per Person

Each individual user may maintain only one (1) active account on the Service. You may not:

(a) Create multiple accounts for the same individual;

(b) Share your account credentials with any other person;

(d) Create an account on behalf of another individual without express authorization; or

(e) Transfer, sell, or assign your account to any other person without the prior written consent of askBrIdgit.ca Limited.

Shared accounts, duplicate accounts, and unauthorized account transfers are prohibited and may result in immediate suspension or termination of all associated accounts without notice.

4.3 Organizational Access Control

4.3.1 Organization Administrator Authority

Each subscribing organization designates one or more Organization Administrators who have authority to control membership, assign roles, and manage access permissions for that organization's tenant within the Service. Organization Administrators have the exclusive authority to:

(a) Approve or deny requests to join the organization;

(b) Invite new users to create accounts and join the organization;

(d) Remove users from the organization;

(e) Establish organizational policies governing user conduct and data management; and

(f) Configure organizational settings, including security controls and data retention policies.

4.3.2 Subordinate Administrator Roles

Organization Administrators may delegate administrative authority for specific entities within the organizational hierarchy, including:

(a) Project Administrators, who exercise administrative control over designated projects and their associated activities;

(b) Innovation Administrators, who exercise administrative control over designated innovations and their associated activities; and

Each subordinate administrator role is scoped to the specific entity for which authority has been delegated and does not extend to organization-wide administration.

4.3.3 Membership Compliance

You acknowledge and agree that your access to the Service is contingent upon your continued membership in good standing within your organization. Your organization, through its Organization Administrator, may terminate your membership at any time for any reason or no reason. Upon termination of your organizational membership:

(a) Your access to the Service will be immediately suspended or revoked;

(b) You will lose access to all organizational data, projects, innovations, and activities;

(d) You will have no claim against askBrIdgit.ca Limited arising from such termination of organizational membership.

4.4 Waitlist and Approval Process

4.4.1 Waitlist Registration

New users seeking to join an existing organization may submit a request to join through the Service's waitlist functionality. Waitlist requests require:

(a) Submission of required registration information;

(b) Specification of the organization the user seeks to join; and

4.4.2 Administrator Approval Requirement

All waitlist requests are subject to approval by an Organization Administrator of the target organization. Organization Administrators have sole discretion to approve or deny waitlist requests and are under no obligation to approve any particular request or provide reasons for denial. askBrIdgit.ca Limited exercises no control over organizational membership decisions and assumes no responsibility for approval or denial of waitlist requests.

4.4.3 Provisional Access

In certain cases, Organization Administrators may grant provisional or limited access to users pending full membership approval. Provisional access is subject to:

(a) Restrictions on permissions, roles, and data access as determined by the Organization Administrator;

(b) Time limitations established by the organization;

(d) Conversion to full membership or termination at the Organization Administrator's discretion.

4.4.4 Invitation-Based Registration

Organization Administrators may invite prospective users to join the organization by sending email invitations through the Service. Invited users may register by:

(a) Following the unique registration link provided in the invitation email;

(b) Completing the registration process within the validity period of the invitation (typically fourteen (14) days unless otherwise specified); and

Invitation links are unique, non-transferable, and may be used only by the intended recipient. Expired invitations may be reissued at the Organization Administrator's discretion.

4.5 Account Security

4.5.1 Credential Security Obligations

You are solely responsible for maintaining the confidentiality and security of your account credentials, including your password and any authentication tokens. You agree to:

(a) Create a strong password that meets or exceeds the Service's minimum security requirements;

(b) Not disclose your password to any third party;

(d) Store your credentials securely and protect them from unauthorized access;

(e) Immediately notify askBrIdgit.ca Limited of any unauthorized use of your account or any other breach of security; and

(f) Take all reasonable steps to prevent unauthorized access to your account.

4.5.2 Multi-Factor Authentication

askBrIdgit.ca Limited strongly recommends that all users enable multi-factor authentication ("MFA") for their accounts. Organization Administrators may require MFA as a condition of organizational membership. You acknowledge that failure to enable MFA may increase the risk of unauthorized access to your account.

4.5.3 Liability for Account Activity

You are responsible for all activities that occur under your account, whether or not authorized by you. You agree to immediately notify askBrIdgit.ca Limited of any unauthorized use of your account or any other security breach. askBrIdgit.ca Limited will not be liable for any loss or damage arising from your failure to maintain the security of your account credentials.

5. ACCEPTABLE USE POLICY

5.1 Permitted Uses

You may use the Bridgit Platform for the following purposes:

(a) Innovation Management: Creating, tracking, and managing healthcare and research innovation initiatives, projects, and activities through the platform's workflow management capabilities;

(b) Form Creation and Completion: Designing structured forms using the form builder, completing activity instances, and managing data collection workflows;

(c) Collaboration: Inviting team members, sharing projects and innovations within your organization, participating in real-time collaborative editing, and communicating through the platform's collaboration features;

(d) AI-Assisted Content Generation: Using AI features to draft form field content, summarize research materials, and generate context-aware suggestions, provided you review and validate all AI-generated content before relying upon it;

(e) Document Management: Uploading, organizing, categorizing, and sharing reference documents, research materials, and supporting evidence within the reference library, subject to applicable access controls;

(f) Public Data Collection: Publishing embeddable forms for external data collection, subject to appropriate domain restrictions and rate limiting configurations;

(g) Compliance Tracking: Using compliance management tools to map controls to recognized frameworks and manage organizational policies; and

(h) Policy Documentation: Generating and publishing completed policy documents through the platform's workflow features.

5.2 Prohibited Uses

You may not use the Bridgit Platform for any of the following purposes:

5.2.1 Clinical and Medical Misuse

(a) Clinical Decision Support: Using the platform as a clinical decision support system, diagnostic tool, treatment planning system, or for any direct patient care activities;

(b) Medical Device Functionality: Attempting to use the platform as a medical device, electronic health record system, telehealth platform, or patient care coordination tool;

(c) Unprotected Health Information: Uploading, storing, or transmitting protected health information as defined under HIPAA or personal health information as defined under PIPEDA without proper authorization, Business Associate Agreement, and appropriate technical and organizational safeguards.

5.2.2 Security and System Integrity

(a) Malicious Code: Uploading, transmitting, or introducing viruses, malware, ransomware, trojans, worms, logic bombs, or any other harmful or malicious code;

(b) Unauthorized Access: Attempting to bypass, circumvent, disable, or interfere with security features, access controls, authentication mechanisms, or role-based permissions;

(c) System Exploitation: Probing, scanning, or testing the vulnerability of the platform or any related systems without prior written authorization;

(d) Credential Sharing: Sharing login credentials, using shared accounts, or allowing unauthorized individuals to access the platform using your credentials;

(e) Reverse Engineering: Reverse engineering, decompiling, disassembling, or attempting to derive source code from the platform or its AI features.

5.2.3 Data Extraction and Automation

(a) Automated Access: Using robots, spiders, scrapers, crawlers, or other automated means to access, extract, or download data from the platform without express written permission;

(b) Excessive Usage: Engaging in usage patterns that place unreasonable or disproportionately large loads on the platform infrastructure;

(c) Data Mining: Systematically extracting or harvesting data for purposes unrelated to legitimate innovation management activities.

5.2.4 Content and Intellectual Property

(a) False Information: Submitting false, misleading, inaccurate, or intentionally deceptive information through forms, activities, or any platform feature;

(b) Defamatory Content: Publishing defamatory, libelous, slanderous, or otherwise unlawful content about individuals, organizations, or entities;

(c) Intellectual Property Infringement: Using AI features or any platform functionality to generate, reproduce, or distribute content that infringes upon third-party copyrights, trademarks, patents, trade secrets, or other intellectual property rights;

(d) Plagiarism: Submitting content generated by AI or other sources as original work without appropriate attribution or disclosure.

5.2.5 Legal and Regulatory Violations

(a) Unlawful Activity: Using the platform to violate any applicable federal, provincial, state, or local law, regulation, or ordinance;

(b) Export Control Violations: Using the platform in violation of Canadian or international export control laws or economic sanctions;

(c) Privacy Violations: Collecting, using, or disclosing personal information in violation of applicable privacy laws, including PIPEDA, GDPR, or provincial privacy legislation;

(d) Unauthorized Research: Conducting research involving human subjects without appropriate ethics board approval, informed consent, or institutional authorization.

5.2.6 Harmful Conduct

(a) Harassment: Harassing, threatening, intimidating, or abusing other users or platform administrators;

(b) Impersonation: Impersonating another person, organization, or entity, or falsely representing your affiliation with any person or organization;

(c) Interference: Interfering with or disrupting the platform's operation, servers, networks, or other users' access to and use of the platform.

5.3 Consequences of Violation

Violation of this Acceptable Use Policy may result in:

(a) Immediate suspension or termination of your account and access to the platform;

(b) Removal of content that violates this policy;

(d) Referral to law enforcement authorities where conduct may constitute a criminal offense;

(e) Legal action to recover damages and obtain injunctive relief.

askBrIdgit.ca Limited reserves the right to investigate suspected violations of this policy and to cooperate with law enforcement authorities in prosecuting users who violate the law.

5.4 Reporting Violations

If you become aware of any violation of this Acceptable Use Policy, please report it immediately to: hello@askbridgit.ca

6. AI-ASSISTED FEATURES — DISCLAIMER AND TERMS

6.1 Nature of AI Features

The Service integrates artificial intelligence capabilities provided by third-party large language model providers, which may include OpenAI, Anthropic (Claude), Google (Gemini), Cohere, Mistral, Perplexity, and DeepSeek (collectively, "AI Providers"). AI-assisted features are available for form field content generation, research summarization, context-aware drafting, and general workflow assistance.

All AI-generated output is assistive in nature and requires human review prior to use. The Service does not autonomously execute decisions, publish content, or take action based on AI-generated output without user initiation and confirmation.

6.2 No Professional Advice

AI-generated content does not constitute, and shall not be construed as, professional, legal, medical, clinical, regulatory, financial, or any other form of expert advice. AI output is furnished on an "as-is" basis and may contain inaccuracies, omissions, or content that is incomplete, outdated, or unsuitable for the User's specific circumstances.

6.3 User Responsibility

Users are solely responsible for reviewing, verifying, and validating the accuracy, completeness, and suitability of all AI-generated content prior to reliance, publication, or incorporation into any decision-making process. The User assumes all risk associated with the use of AI-generated content.

6.4 Data Processing by AI Providers

To deliver AI-assisted functionality, the Service transmits contextual data to the selected AI Provider's application programming interface. This data may include the content of the user's prompt, form field values visible in the current workflow, entity metadata (such as project, organization, and innovation context), the content of uploaded reference documents used for retrieval-augmented generation, and web search results where the web search feature is enabled.

Bridgit's agreements with AI Providers prohibit the use of customer data submitted through the Service's API for training general-purpose models. However, Users acknowledge that data processing by AI Providers is subject to such providers' respective terms of service and data processing agreements, which Bridgit does not control. Users should review the applicable AI Provider's terms for their specific data handling practices.

6.5 Sensitive Data Restrictions

Users must not input sensitive personal data — including but not limited to protected health information ("PHI") as defined under HIPAA, patient records, social insurance numbers, financial account numbers, or other categories of data subject to heightened regulatory protection — into AI-assisted features, unless such use is expressly authorized by the User's organization under its own data governance policies and a supplementary data processing agreement is in place with Bridgit.

Bridgit disclaims all liability for any sensitive data submitted to AI Providers through the Service in violation of this Section.

6.6 AI Feature Availability

AI-assisted features depend on the availability and performance of third-party AI Providers. Such features may be temporarily unavailable, degraded, or discontinued due to AI Provider outages, rate limits, API changes, or other circumstances beyond Bridgit's reasonable control. Any such interruption does not constitute a breach of this Agreement or entitle the User to service credits unless otherwise specified in an applicable Service Level Agreement.

6.7 Administrative Controls

Organization administrators may enable, disable, or configure AI Providers and AI-assisted features at the organization level through the Service's administrative settings. The selection of AI Provider and model is configurable. The optional web search feature (powered by Tavily) may be independently enabled or disabled through the AI Services settings.

6.8 AI Interaction Data

AI interactions processed through the Service (prompts and responses) are logged for a period of thirty (30) days for the purpose of service improvement, quality assurance, and troubleshooting. After this retention period, AI interaction logs are permanently deleted from Bridgit's systems.

Conversation history displayed in the AI assistant interface is stored locally in the User's browser and may be cleared by the User at any time. Bridgit does not maintain a persistent server-side log of AI conversation history beyond the thirty-day retention period.

Bridgit reserves the right to retain anonymized, aggregated usage metrics (such as request volume, error rates, and feature adoption statistics) indefinitely for service monitoring and improvement purposes, provided such metrics cannot be used to identify individual users or reconstruct specific AI interactions.

7. INTELLECTUAL PROPERTY RIGHTS

7.1 Platform Ownership

The Service, including all software, source code, object code, algorithms, databases, user interfaces, visual designs, documentation, trademarks, service marks, trade names, logos, and all other intellectual property embodied in or associated with the platform (collectively, "Platform IP"), is and shall remain the exclusive property of askBrIdgit.ca Limited and its licensors.

All rights, title, and interest in and to the Platform IP, including all patents, copyrights, trade secrets, and other intellectual property rights, are owned by or licensed to the Company. No rights are transferred to the User except as expressly set forth in this Agreement.

7.2 License to Use the Service

Subject to the User's compliance with this Agreement, the Company grants the User a limited, non-exclusive, non-transferable, non-sublicensable, revocable license to access and use the Service during the subscription term solely for the User's internal business purposes.

This license does not permit the User to:

(a) Reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code of the Service;

(b) Copy, modify, adapt, translate, or create derivative works based on the Service;

(d) Rent, lease, sell, sublicense, distribute, or otherwise transfer rights to the Service;

(e) Use the Service to develop a competing product or service; or

(f) Access the Service for benchmarking or competitive analysis purposes.

7.3 User Content Ownership

Users and their subscribing organizations retain all ownership rights in and to any data, documents, text, images, files, innovations, projects, activities, form responses, reference materials, and other content created, uploaded, or submitted through the Service (collectively, "User Content").

The Company claims no ownership interest in User Content. Users are solely responsible for the accuracy, legality, and appropriateness of all User Content.

7.4 License to Process User Content

To operate the Service and provide the functionality described in Section 3, Users grant the Company a worldwide, non-exclusive, royalty-free license to host, store, reproduce, display, transmit, process, and perform User Content solely to the extent necessary to:

(a) Deliver the Service to the User and authorized members of the User's organization;

(b) Maintain, support, and improve the Service;

(d) Generate anonymized, aggregated analytics that do not identify the User or any individual.

This license includes the right to make archival or backup copies of User Content for disaster recovery and business continuity purposes.

7.5 Termination of Content License

The license granted in Section 7.4 terminates when the User deletes User Content from the Service or when the User's account is closed, except that:

(a) The Company may retain User Content for the duration of any applicable data retention period set forth in the User's organization's data retention policies or as required by law;

(b) User Content subject to a legal hold will be retained until the hold is lifted;

(d) Backup copies may persist in the Company's disaster recovery systems for up to ninety (90) days following deletion.

Upon expiration of all applicable retention periods, the Company will delete or anonymize User Content in accordance with the Data Retention Policy referenced in Section 9.

7.6 AI-Generated Content

Content generated through the Service's AI-assisted features (as described in Section 6) is produced by third-party AI Providers using large language models. The Company makes no claim of ownership or authorship over AI-generated content.

Users acknowledge that:

(a) AI-generated content may not be eligible for copyright protection under applicable law;

(b) AI-generated content may inadvertently resemble or incorporate third-party works, and Users assume sole responsibility for ensuring that any AI-generated content they choose to use does not infringe third-party intellectual property rights;

(c) The User is solely responsible for reviewing, validating, and assuming liability for any AI-generated content prior to publication, reliance, or distribution; and

(d) The Company provides AI-generated content on an "as-is" basis without warranty of originality, accuracy, or non-infringement.

7.7 Template Library and Compliance Frameworks

The Service includes pre-built activity templates, form structures, compliance control mappings (including ISO 27001, SOC 2, GDPR, and PIPEDA frameworks), and other reference materials provided by the Company (collectively, "Templates").

Templates are licensed to Users for use exclusively within the Service. Users may customize, duplicate, and deploy Templates within their organization's workspace on the platform.

Users may not:

(a) Extract Templates from the Service for use in external systems;

(b) Redistribute, resell, or sublicense Templates to third parties; or

Customizations and derivative works created by Users based on Templates are considered User Content and are subject to Section 7.3.

7.8 Feedback and Suggestions

If a User provides the Company with feedback, suggestions, enhancement requests, or recommendations regarding the Service ("Feedback"), the Company may use such Feedback without restriction or obligation to the User. The User hereby assigns to the Company all rights, title, and interest in and to any Feedback and waives any claims based on intellectual property rights, confidentiality, or compensation related to the Company's use of Feedback.

7.9 Third-Party Components

The Service may incorporate or depend upon third-party software components, libraries, and services, each of which is subject to its own license terms. The Company's use of such components does not transfer ownership or additional rights to Users. A list of material third-party components and their licenses is available upon request.

7.10 Trademark Usage

"Bridgit," "askBrIdgit.ca," and associated logos are trademarks of askBrIdgit.ca Limited. Users may not use the Company's trademarks without prior written consent, except as necessary to identify the Service in factual references (e.g., "powered by Bridgit" in embedded forms, if permitted under the embedding configuration).

8. USER CONTENT AND LICENSING

8.1 User Content Defined

"User Content" means all data, documents, text, images, files, innovations, projects, activities, form responses, reference materials, and other content created, uploaded, submitted, or transmitted by Users through the Service. User Content includes, but is not limited to:

(a) Form submissions and activity completions;

(b) Reference documents uploaded to the reference library;

(d) Communications and messages transmitted through the Service;

(e) Comments, annotations, and feedback; and

(f) Any other content provided by Users or generated through User interaction with the Service.

User Content does not include AI-generated content, which is addressed separately in Section 7.6.

8.2 User Responsibility for User Content

Users are solely responsible for all User Content. Users represent and warrant that:

(a) They have all necessary rights, licenses, consents, and permissions to submit User Content to the Service;

(b) User Content does not infringe or misappropriate any third-party intellectual property rights, privacy rights, publicity rights, or other proprietary rights;

(d) User Content does not contain any viruses, malware, or other harmful code;

(e) User Content does not contain any defamatory, obscene, abusive, or otherwise objectionable material; and

(f) User Content complies with this Agreement, including the Acceptable Use Policy set forth in Section 5.

8.3 Monitoring and Removal

The Company has no obligation to monitor User Content but reserves the right to review, monitor, and remove User Content that, in the Company's sole discretion:

(a) Violates this Agreement or any applicable law;

(b) Infringes third-party intellectual property rights;

(d) Is the subject of a valid takedown notice or legal demand; or

(e) Otherwise poses a risk to the Service, other users, or the Company.

The Company will make reasonable efforts to notify Users before removing User Content, except where immediate removal is necessary to address security threats, legal obligations, or violations of this Agreement.

8.4 Backup and Retention

The Company performs automated backups of User Content as part of its disaster recovery procedures. However, Users are solely responsible for maintaining their own backup copies of User Content. The Company is not liable for any loss, corruption, or deletion of User Content, whether caused by User action, system failure, or any other cause.

Upon termination of a User's account or subscription, User Content will be retained or deleted in accordance with the Data Retention Policy referenced in Section 9.

8.5 Public Submissions via Embedded Forms

Users may publish activities as embeddable forms accessible to the public without authentication. Content submitted through such embedded forms ("Public Submissions") is subject to the following:

(a) Public Submissions are considered User Content of the Organization that published the embedded form;

(b) The publishing Organization is responsible for ensuring that the embedded form complies with applicable privacy laws and includes appropriate notices regarding data collection and use;

(d) The Company processes Public Submissions on behalf of the publishing Organization as a Data Processor; and

(e) The publishing Organization must implement appropriate domain restrictions and rate limiting to prevent abuse.

9. DATA HANDLING AND PRIVACY

9.1 Data Processing Roles

The Company acts as a Data Processor with respect to personal data submitted to the Service by organizational customers. Each subscribing organization functions as the Data Controller for personal data relating to its end users, project participants, and innovation stakeholders. The organization determines the purposes and means of processing such personal data through its use of the Service.

The Company processes personal data solely on behalf of and in accordance with documented instructions from the Data Controller, as set forth in this Agreement and any applicable Data Processing Agreement ("DPA").

9.2 Data Processing Agreement

Data processing is governed by the Company's standard Data Processing Agreement, which forms part of this Agreement and is incorporated by reference. The DPA sets forth the parties' respective obligations regarding the processing of personal data, including the scope, nature, purpose, and duration of processing; the types of personal data and categories of data subjects; and the rights and obligations of the Data Controller and Data Processor.

Organizations requiring execution of a separate DPA to satisfy regulatory or contractual requirements may request such agreement through their account administrator.

9.3 Applicable Privacy Laws

The Company processes personal data in accordance with the Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable provincial privacy legislation in Canada. Where the Service processes personal data of individuals located in the European Economic Area, the United Kingdom, or other jurisdictions subject to the General Data Protection Regulation ("GDPR"), the Company complies with GDPR requirements as a Data Processor, including adherence to standard contractual clauses or other approved transfer mechanisms where applicable.

9.4 Data Residency

Personal data submitted to the Service is stored in Canadian data centres operated by Google Cloud Platform, specifically the northamerica-northeast1 region (Montréal, Québec), unless otherwise specified in a separate service agreement. Data may be temporarily processed in other jurisdictions for purposes of service delivery, backup, disaster recovery, or support operations, subject to appropriate safeguards.

9.5 Security Measures

The Company implements technical and organizational security measures designed to protect personal data against unauthorized access, disclosure, alteration, and destruction. Such measures include, but are not limited to:

(a) Encryption of data in transit using Transport Layer Security (TLS 1.2 or higher);

(b) Encryption of data at rest using AES-256 or equivalent encryption standards;

(d) Multi-factor authentication (MFA) for administrative accounts;

(e) Comprehensive audit logging of system access and data operations;

(f) Regular security assessments, vulnerability scanning, and penetration testing;

(g) Incident response and breach notification procedures; and

(h) Employee background checks, confidentiality agreements, and security awareness training.

A detailed description of the Company's security controls is available in the Security Policy, accessible at https://askbridgit.ca/api/v1/legal/policies/security-policy.

9.6 Data Subject Rights

Users may exercise rights under applicable privacy laws, including the right to access, rectify, erase, restrict processing of, object to processing of, and request portability of their personal data. Requests to exercise such rights should be submitted through the mechanisms described in the Privacy Policy or by contacting the Company's privacy officer at the contact information provided in Section 17 (Contact Information).

The Company will respond to verified requests within the timeframes required by applicable law. Where the Company acts as Data Processor, certain requests may be redirected to the relevant Data Controller for fulfillment.

9.7 Data Retention and Deletion

Personal data is retained in accordance with the Company's Data Retention Policy, available at https://askbridgit.ca/api/v1/legal/policies/data-retention-policy. Retention periods vary by data category and are determined based on legal, regulatory, operational, and business requirements.

Upon termination of a User account or organizational subscription, personal data associated with the account is subject to a thirty (30) day grace period during which the account may be reactivated. Following expiration of the grace period, personal data is permanently deleted or anonymized in accordance with the Data Retention Policy, unless retention is required by law or a valid legal hold is in effect.

9.8 Legal Holds

The Company may temporarily suspend automated data deletion where required to comply with a legal hold, litigation hold, regulatory investigation, court order, or other legal obligation. During the pendency of a legal hold, affected data will be preserved in a secure, immutable state and will not be subject to routine deletion schedules. Users will be notified of legal holds to the extent permitted by law.

9.9 Cross-References

For complete information regarding the Company's data handling practices, Users should consult:

(a) The Privacy Policy, which describes how personal data is collected, used, disclosed, and protected;

(b) The Data Retention Policy, which specifies retention periods and deletion procedures for each category of data; and

These policies are accessible through the Service or at the URLs specified herein and are incorporated into this Agreement by reference.

10. SUBSCRIPTION, BILLING, AND PAYMENT

10.1 Subscription Access

Access to the Service is provided on a subscription basis as specified in the applicable order form, purchase agreement, or as displayed during the subscription activation process. Subscription tiers, features, and limitations are defined at the time of purchase and may be modified by the Company with advance notice as provided herein.