Privacy Policy

1. OVERVIEW

This Privacy Policy describes how DataStealth Inc. ("DataStealth") treats information that it collects and receives related to your use of DataStealth products or services, including but not limited to DataStealth ("Solutions").

DataStealth has established an internal privacy governance framework to ensure accountability and compliance with applicable privacy laws. This framework includes designated privacy leadership, documented privacy policies and procedures, regular privacy risk assessments, employee privacy training programs, and ongoing monitoring of privacy practices. DataStealth's privacy program is designed to protect personal information throughout its lifecycle and to respond effectively to privacy incidents and data subject requests.

2. APPLICABLE PRIVACY LAWS

DataStealth is committed to compliance with applicable privacy laws based on the jurisdiction of our customers and data subjects. Depending on your location and the nature of the data processed, one or more of the following privacy frameworks may apply:

a) Personal Information Protection and Electronic Documents Act (PIPEDA) - DataStealth, as a Canadian company, complies with PIPEDA requirements for the collection, use, and disclosure of personal information in the course of commercial activities within Canada.

b) General Data Protection Regulation (GDPR) - For customers and data subjects located in the European Economic Area (EEA), United Kingdom, or Switzerland, DataStealth processes personal data in accordance with GDPR requirements, including but not limited to lawful basis for processing, data subject rights, and cross-border data transfer mechanisms.

c) California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) - For California residents, DataStealth complies with CCPA and CPRA requirements regarding the collection, sale, and disclosure of personal information, and respects consumer rights as defined under these laws.

The specific privacy law(s) applicable to your personal information will depend on factors including your location, your customers' locations, and the jurisdiction(s) in which data subjects are located. DataStealth will apply the privacy protections required by the applicable law(s) governing each specific data processing activity.

3. DATA CONTROLLER AND DATA PROCESSOR ROLES

DataStealth operates in different capacities depending on the type of personal information being processed:

a) DataStealth as Data Processor - For customer data processed through DataStealth Solutions, DataStealth acts as a data processor (or service provider under CCPA/CPRA). In this capacity, DataStealth processes personal data solely on behalf of and according to the instructions of our customers, who act as the data controllers. DataStealth does not determine the purposes or means of processing such customer data and processes it only to deliver and support the Solutions as contracted.

b) DataStealth as Data Controller - For certain categories of personal information, DataStealth acts as a data controller (or business under CCPA/CPRA), determining the purposes and means of processing. This includes:

i) Business Operations Data - Personal information collected and processed for DataStealth's own internal business operations, including employee information, vendor information, and corporate administration.

ii) Billing and Payment Data - Personal information collected for invoicing, payment processing, account management, and financial recordkeeping purposes.

iii) Marketing and Sales Data - Personal information collected through marketing activities, sales interactions, website visits, event registrations, and other business development activities.

The distinction between these roles determines how DataStealth handles data subject requests, data processing obligations, and contractual relationships. When DataStealth acts as a data processor, data subject requests regarding customer data processed through Solutions should be directed to the applicable customer (data controller). When DataStealth acts as a data controller, data subject requests should be directed to DataStealth as outlined in Section 10 of this Privacy Policy.

4. INFORMATION COLLECTION AND USAGE

As part of the onboarding process for DataStealth Solutions, you will be asked to provide certain information about your company for the purpose of DataStealth:

a) delivering a Solution, or

b) supporting a Solution, or

c) contacting our customers, or

d) communicating for marketing or other purposes.

Information will include, but not be limited to, personally identifiable information, billing information, payment information, and user identifiers ("Account Information"). Account Information is necessary for us to identify authorized users and to communicate with you regarding the use of DataStealth Solutions. Our primary goal in collecting information is to provide and improve our interactions with our customers.

Authentication Credentials: DataStealth employs industry-standard security practices for authentication. User credentials are protected through cryptographic hashing algorithms, encryption at rest and in transit, and secure session management. DataStealth may also integrate with federated identity providers and single sign-on (SSO) solutions to enhance security and streamline authentication. DataStealth does not store passwords in plain text and implements appropriate technical and organizational measures to protect authentication data.

In addition to Account Information, DataStealth collects a number of performance and utilization metrics for DataStealth Solutions ("Usage Information"). This Usage Information may include such things as logs, number of requests, response times, CPU load, disk space, network utilization, and other information.

DataStealth may also collect other information during the course of our relationship that does not include any personally identifiable information (“Other Information”). The DataStealth Non-Disclosure Agreement, if applicable, shall govern the use of Other Information.

5. INFORMATION SHARING AND DISCLOSURE

DataStealth will not share Account Information, Usage Information, Confidential Information, Data or Other Information collected by DataStealth with any third parties unless you have consented to the disclosure in writing, or in the event DataStealth believes the disclosure is necessary:

a) to comply with the law or with legal process; or

b) to protect and defend our rights and property; or

c) to protect our customers or users, including from misuse or unauthorized use of Solutions; or

d) to protect the safety or property of our employees, customers, users or others.

Notwithstanding the above, DataStealth may, upon receiving the prior written consent of Licensee, disclose or transfer Account Information, Usage Information, or Other Information:

a) to business or channel partners; or

b) to corporate affiliates; or

c) to third party vendors, but only when required to provide services to DataStealth that are directly related to your use of DataStealth or Solutions; or

d) to an acquirer in connection with the sale of the business or assets of DataStealth.

DataStealth will require any third-party entity that receives any Account Information, Usage Information, or Other Information from DataStealth to:

a) enter into a Non-Disclosure Agreement with DataStealth; and

b) limit the use and disclosure of your information to the purposes for which it was provided.

DataStealth may use the e-mail addresses listed in your Account Information to send communications about DataStealth, DataStealth Solutions, or other offers or notices that we deem pertinent or reasonable. DataStealth customers shall at all times have the right to unsubscribe from a particular email; however, the choice to unsubscribe does not apply to the receipt of mandatory service communications that are considered part of certain Solutions.

6. SECURITY

DataStealth has invested considerable resources to obtain and maintain physical, electronic, cyber, and procedural safeguards to protect against the loss, misuse, and/or alteration of Account Information, Usage Information, Confidential Information, Data and Other Information under our control. Account Information, Usage Information, Confidential Information, Data and Other Information that is collected by DataStealth is stored in a secure manner in secure data centers located primarily in Canada and the United States that are accessible only by authorized DataStealth employees, and is only disclosed under the provisions of this Privacy Policy and the EULA. DataStealth limits access to Account Information, Usage Information, Confidential Information, Data and Other Information to DataStealth employees who require that information to provide service to our customers.

7. INTERNATIONAL DATA TRANSFERS AND STORAGE

Data Storage Locations:

DataStealth processes and stores personal information primarily in Canada and the United States. Our infrastructure, cloud service providers, and business operations may involve data centers and processing facilities located in these jurisdictions.

When Cross-Border Transfers Occur:

International data transfers may occur in the following circumstances:

- When delivering and supporting DataStealth Solutions to customers located in different jurisdictions

- When utilizing cloud infrastructure and service providers with data centers in Canada and the United States

- When providing customer support, technical assistance, or account management services

- When processing billing, payment, and financial transactions through third-party payment processors

- When engaging third-party service providers for business operations, marketing, or administrative functions

Safeguards for International Transfers:

When transferring personal information across borders, DataStealth implements appropriate safeguards to protect your information, including:

- Standard Contractual Clauses (SCCs) approved by the European Commission for transfers subject to GDPR

- Data Processing Agreements (DPAs) with customers and third-party processors that include appropriate data protection obligations

- Contractual protections requiring recipients to provide a level of protection consistent with applicable privacy laws

- Technical and organizational security measures to protect data in transit and at rest

- Compliance with PIPEDA requirements for cross-border transfers of personal information

Unless otherwise specified, by using DataStealth Solutions and providing your personal information, you acknowledge and consent to the processing and storage of your information in Canada and the United States, and to international transfers as described in this Privacy Policy.

8. DATA RETENTION AND DELETION

Retention Periods Tied to Contractual Duration:

DataStealth retains personal information for different periods depending on the type of information and our role as data controller or data processor:

Customer Data (DataStealth as Data Processor): Customer data processed through DataStealth Solutions is retained for the duration of the contractual relationship with the customer, plus any additional period specified in the applicable customer agreement or Data Processing Agreement (DPA). Retention periods for customer data are determined by the customer as the data controller, and DataStealth processes and retains such data in accordance with customer instructions and contractual obligations.

Account Information, Billing Data, and Business Operations Data (DataStealth as Data Controller): DataStealth retains Account Information, billing records, payment information, and business operations data for the duration of the contractual relationship, plus a reasonable period thereafter as necessary for business, accounting, tax, and legal purposes. Billing and financial records are typically retained for a minimum of seven (7) years following contract termination to comply with financial recordkeeping requirements.

Marketing and Sales Data (DataStealth as Data Controller): Marketing and sales data is retained until you opt-out of marketing communications or request deletion, or until DataStealth determines the information is no longer necessary for legitimate business purposes.

Secure Deletion or Return Upon Contract Termination:

Upon termination or expiration of a customer agreement for DataStealth Solutions:

- DataStealth will, at the customer's written request, either securely delete or return customer data processed through the Solutions, in accordance with the terms of the applicable customer agreement or DPA

- Secure deletion is performed using industry-standard data destruction methods, including cryptographic erasure, overwriting, or physical destruction of storage media, as appropriate

- If return of data is requested, DataStealth will provide the data in a commonly used, machine-readable format as specified in the customer agreement

- Following secure deletion or return, DataStealth will provide written certification of deletion upon customer request, subject to the exceptions below

Exceptions for Legal or Regulatory Retention Obligations:

Notwithstanding the above, DataStealth may retain personal information beyond the periods described above when:

- Required by applicable law, regulation, or legal process (including tax, accounting, audit, and financial reporting requirements)

- Necessary to comply with a legal obligation, court order, or government request

- Required to establish, exercise, or defend legal claims or rights

- Necessary to detect, prevent, or investigate security incidents, fraud, or other malicious or illegal activity

- Retained in backup or disaster recovery systems, provided such information is securely deleted in accordance with DataStealth's backup retention schedules and is not actively processed

Retained information subject to legal or regulatory exceptions is maintained in a secure manner with restricted access and is deleted or anonymized once the retention obligation no longer applies. Data retention practices are subject to the terms of applicable customer agreements, and in the event of any conflict between this Privacy Policy and a customer agreement, the customer agreement shall govern.

9. DATA SUBJECT RIGHTS

DataStealth respects the rights of individuals whose personal information we process. Depending on the applicable privacy law governing your personal information (as described in Section 2), you may have the following rights:

a) Right of Access - You have the right to request access to the personal information we hold about you, including details about how we collect, use, and disclose that information.

b) Right to Correction or Rectification - You have the right to request that we correct or update any inaccurate, incomplete, or outdated personal information we hold about you.

c) Right to Deletion or Erasure - You have the right to request that we delete your personal information in certain circumstances, such as when the information is no longer necessary for the purposes for which it was collected, or when you withdraw consent (where consent was the lawful basis for processing).

d) Right to Restriction of Processing - You have the right to request that we restrict or limit the processing of your personal information in certain circumstances, such as when you contest the accuracy of the data or object to our processing.

e) Right to Data Portability - You have the right to receive your personal information in a structured, commonly used, and machine-readable format, and to transmit that information to another service provider, where technically feasible.

f) Right to Object to Processing - You have the right to object to our processing of your personal information for certain purposes, including processing based on legitimate interests, direct marketing, or for research and statistical purposes.

How to Submit a Data Subject Request:

To exercise any of these rights, please contact DataStealth using the contact information provided in Section 12 below. Your request should include sufficient detail to allow us to verify your identity and understand the nature of your request. We may request additional information to verify your identity before processing your request.

Response Timelines:

DataStealth will respond to verified data subject requests within the timeframes required by applicable privacy law:

- PIPEDA requests: within 30 days of receipt

- GDPR requests: within one month of receipt (extendable by two additional months for complex requests)

- CCPA/CPRA requests: within 45 days of receipt (extendable by an additional 45 days with notice)

10. MODIFICATION OF PRIVACY POLICY

DataStealth reserves the right, at our sole discretion, to change, update or modify this Privacy Policy at any time by publishing such change, update or modification on DataStealth's website(s). Any such change, update or modification will be effective immediately upon DataStealth publishing such change. Your continued use of any DataStealth Solution, following the posting of modifications to our Privacy Policy, will mean that you have accepted those modifications.

11. COOKIES AND SIMILAR TECHNOLOGIES

DataStealth uses cookies and similar tracking technologies on our websites and within DataStealth Solutions. Cookies are small text files stored on your device that help us provide, improve, and personalize your experience. Similar technologies include web beacons, pixels, local storage, and session identifiers.

Categories of Cookies and Their Purposes:

a) Strictly Necessary Cookies

Purpose: These cookies are essential for the operation of our website and Solutions. They enable core functionality such as authentication, security, network management, and session management. Without these cookies, the Services cannot function properly.

Examples: Session identifiers, authentication tokens, security cookies, load balancing cookies.

Legal Basis: These cookies are necessary for the performance of our contract with you and for our legitimate interests in providing secure and functional services.

b) Functional Cookies

Purpose: These cookies enable enhanced functionality and personalization, such as remembering your preferences, settings, language choices, and user interface customizations. They improve your user experience but are not strictly necessary for basic functionality.

Examples: Preference cookies, language settings, user interface state, customization settings.

Legal Basis: These cookies are based on your consent or our legitimate interests in providing an improved user experience.

c) Performance and Analytics Cookies

Purpose: These cookies collect information about how you use our website and Solutions, including which pages you visit, how long you spend on each page, error messages, response times, and performance metrics. This information helps us analyze and improve the performance, usability, and effectiveness of our Services.

Examples: Google Analytics cookies, performance monitoring cookies, usage tracking cookies, error logging cookies.

Legal Basis: These cookies are based on your consent or our legitimate interests in understanding and improving our Services.

d) Marketing and Advertising Cookies

Purpose: These cookies are used to deliver relevant advertisements and marketing communications to you, both on our website and on third-party platforms. They track your browsing activity across websites to build a profile of your interests and show you targeted advertising. These cookies may be set by us or by our advertising partners and data partners.

Examples: Advertising cookies, retargeting pixels, social media cookies, cross-site tracking cookies, email association cookies.

Legal Basis: These cookies require your explicit consent under GDPR and similar privacy laws.

Third-Party Cookies and Data Partners:

When you visit or log in to our website, cookies and similar technologies may be used by our online data partners or vendors (http://retention.com) to associate your website activities with other personal information they or others have about you, including by association with your email address. We or service providers on our behalf may then send communications and marketing to these email addresses.

Retention.com Opt-Out:

Retention.com is a third-party marketing service provider that may associate your website activity with your email address for targeted marketing purposes. If you wish to opt out of this specific data association and targeted marketing by Retention.com, you may do so by visiting (https://app.retention.com/optout) or by calling 1-(855) 306-2455. Through this opt-out mechanism, US residents can exercise their right to withdraw consent for the resale of their personal information to third parties.

Your Cookie Choices and Opt-Out Mechanisms:

For GDPR Users (EEA, UK, Switzerland): Where required by law, we will obtain your explicit consent before placing non-essential cookies (functional, analytics, and marketing cookies) on your device. You can manage your cookie preferences through our cookie consent banner when you first visit our website. You may withdraw your consent at any time by adjusting your browser settings or contacting us.

For CCPA/CPRA Users (California Residents): You have the right to opt out of the sale or sharing of your personal information for cross-context behavioral advertising. You can exercise this right by using the cookie consent tools on our website, visiting the Retention.com opt-out page linked above, or contacting us using the information in Section 12.

Browser Settings: Most web browsers allow you to control cookies through their settings. You can typically:

- View and delete cookies stored on your device

- Block all cookies or only third-party cookies

- Receive notifications when cookies are set

- Delete cookies when you close your browser

Please note that blocking or deleting strictly necessary cookies may impact the functionality of our website and Solutions. Disabling other cookies may limit your ability to use certain features.

Do Not Track Signals: Some browsers support "Do Not Track" (DNT) signals. Our website does not currently respond to DNT signals, but you can use the cookie management tools described above to control tracking.

For more information or to exercise your cookie preferences, please contact us using the contact information provided in Section 12.

12. CONTACT US

If you have any questions or comments regarding this Privacy Policy or our information collection practices, please contact DataStealth’s DPO by sending an e-mail to info@datastealth.io or by mail to: DataStealth Inc., 5995 Avebury Rd Suite 600, Mississauga, ON L5R 3P9.

Data Privacy Officer: Romeo Shakhawat, info@datastealth.io.