Introduction
intrasec ("intrasec," "we," "us," or "our") operates the website intrasec.ca and provides managed IT, cybersecurity, and advisory services to businesses across Canada. We are committed to protecting the privacy of every individual whose personal information comes into our care.
This Privacy Policy explains what personal information we collect, why we collect it, how we use and disclose it, how we protect it, and what rights you have over it. It applies to information collected through our website (intrasec.ca), our client portal, our marketing communications, our service delivery activities, and any other interaction you have with us.
We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), applicable provincial privacy legislation including Québec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25), and the Canadian Anti-Spam Legislation (CASL).
By using our website or engaging our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please discontinue use of our website and contact us to discuss your concerns before engaging our services.
Information we collect
We collect personal information only to the extent necessary to provide our services, respond to your inquiries, improve our website, and meet our legal obligations. We do not collect information beyond what is reasonably required for those purposes.
- Identity information: your name, job title, and the name of your organization.
- Contact information: business email address, phone number, and mailing address.
- Inquiry and correspondence content: the content of any message, form submission, or email you send us, including descriptions of your IT or security environment.
- Contractual and billing information: information required to enter into and administer a service agreement, including authorized signatory details and payment particulars (processed through our payment processor; we do not store full payment card numbers).
- Account credentials: username and password for any client portal account you create.
- Service delivery data: technical information you or your organization share with us in the course of receiving managed IT or security services, which may include network configurations, system inventory, user account lists, and incident data. This information is governed additionally by your service agreement with us.
- Log data: IP address, browser type and version, operating system, referring URL, pages visited, and timestamps of your visits to our website.
- Device information: device type, screen resolution, and language preferences.
- Usage data: how you navigate our website, which links you click, and how long you spend on each page.
- Technical data: limited server-side information such as IP address and request timestamps collected by our hosting infrastructure. See our Cookie Policy for details.
- Referrals: if another person or organization refers you to us, we may receive your name and contact information from them.
- Publicly available sources: we may verify or supplement information about prospective business clients using publicly available sources such as company registries or LinkedIn.
We do not knowingly collect sensitive personal information (such as health information, government identification numbers, financial account credentials, or biometric data) unless it is strictly necessary for a specific service you have engaged us to deliver, and only with your explicit consent or as required by law.
How we collect information
We collect personal information through the following means:
- Directly from you, when you fill out a contact form on our website, send us an email, book a call, sign a service agreement, or communicate with our team.
- Automatically through your browser when you visit our website, by way of server logs and hosting infrastructure data as described in our Cookie Policy.
- Through your use of our services, including information generated during the delivery of managed IT and security services under a contractual engagement.
- From third parties, including referral partners, publicly available sources, and technology vendors whose services integrate with ours, to the extent permitted by applicable law.
Where we rely on your consent to collect personal information, you have the right to withdraw that consent at any time without penalty, subject to legal or contractual restrictions and reasonable notice. Withdrawal of consent may limit or prevent us from providing certain services to you.
How we use your information
We use personal information only for the purposes for which it was collected or for consistent purposes that you would reasonably expect. Specifically, we use your personal information to:
- Respond to your inquiries, requests, and support tickets.
- Provide, manage, monitor, and improve our managed IT and security services under a service agreement.
- Administer your account, including authentication and access control.
- Process payments and manage billing and invoicing.
- Communicate with you about service-related matters, including maintenance windows, incidents, and renewals.
- Perform security monitoring, threat detection, and incident response on systems we manage on your behalf.
- Send you commercial electronic messages (such as newsletters, service updates, and promotional offers) where we have obtained your express or implied consent in accordance with CASL.
- Conduct surveys or collect feedback to improve our services.
- Invite you to events, webinars, or other engagements relevant to your business.
- Comply with applicable laws, regulations, court orders, and governmental or regulatory requests.
- Establish, exercise, or defend legal claims.
- Detect, prevent, and investigate fraud, security breaches, and other potentially illegal activities.
- Enforce our contractual rights and obligations.
- Analyze how our website is used to improve its design, content, and performance.
- Understand service usage patterns to develop new offerings and improve existing ones.
- Conduct internal research and analysis, always using aggregated or anonymized data wherever practicable.
We will not use your personal information for purposes that are materially different from those set out above without first notifying you and, where required, obtaining your consent.
Disclosure of information
We do not sell, rent, trade, or otherwise disclose your personal information to third parties for their own commercial purposes. We share personal information only in the following circumstances:
We engage trusted third-party service providers who process personal information on our behalf under contractual obligations of confidentiality and security that are at least as protective as this policy. These providers assist with:
- Cloud infrastructure and hosting (servers located in Canada and the United States).
- Payment processing (your payment card information is handled directly by our PCI-DSS-compliant payment processor; we do not receive or store full card numbers).
- Email delivery and calendar scheduling.
- Customer relationship management (CRM) software.
- Website analytics and performance monitoring.
- Cybersecurity tooling used to deliver our managed security services.
If intrasec is involved in a merger, acquisition, asset sale, reorganization, or financing, personal information we hold may be transferred to the relevant parties as part of that transaction. We will take reasonable steps to ensure the receiving party maintains privacy protections consistent with this policy and will notify you as required by law.
We may disclose personal information if required to do so by law or in good-faith belief that such disclosure is reasonably necessary to:
- Comply with a legal obligation, court order, or governmental request.
- Protect and defend the rights or property of intrasec.
- Prevent or investigate possible wrongdoing, fraud, or security incidents.
- Protect the personal safety of users of our services or the public.
We may share your personal information with other third parties for any other purpose with your explicit prior consent. We will clearly explain the purpose and the identity of the recipient before obtaining your consent.
Data retention
We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, to comply with applicable legal obligations, to resolve disputes, and to enforce our agreements. When determining the appropriate retention period, we consider the nature and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure, and applicable legal or regulatory requirements.
- Prospect and inquiry data: retained for up to 24 months from the date of last contact, after which it is deleted or anonymized unless a service relationship has been established.
- Client account and contract data: retained for the duration of the service agreement and for a period of 7 years thereafter, in accordance with Canadian tax and accounting requirements.
- Financial and billing records: retained for 7 years from the date of the transaction or the end of the fiscal year in which the transaction occurred, as required by applicable law.
- Security and incident logs generated during service delivery: retained in accordance with the retention schedules specified in your service agreement, typically 90 days to 1 year depending on the service tier.
- Website analytics data: retained in aggregated or anonymized form; individual identifiers such as IP addresses are truncated or deleted within 26 months.
- Marketing consent records: retained for the duration of our marketing relationship and for 3 years after the last commercial electronic message sent, as required under CASL.
When personal information is no longer required and no legal obligation requires its continued retention, we destroy or anonymize it using secure methods. Paper records are shredded; digital records are securely deleted using industry-standard data destruction practices.
Your privacy rights
Subject to applicable law and limited exceptions, you have the following rights with respect to your personal information held by intrasec. We will respond to all verified requests within 30 days, or notify you if additional time is required (up to a maximum of 60 days where permitted by law).
- Right of access: you may request confirmation of whether we hold personal information about you and, if so, obtain a copy of that information and an explanation of how it has been used or disclosed.
- Right to correction: if you believe personal information we hold about you is inaccurate or incomplete, you may request that it be corrected or annotated with your statement of disagreement.
- Right to withdraw consent: where we process your personal information based on your consent, you may withdraw that consent at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawal will not affect the lawfulness of processing prior to the withdrawal.
- Right to challenge compliance: you may challenge our compliance with this policy or applicable privacy legislation and request that we investigate and respond to your concern.
- Right to data portability: you may request that we communicate to you, in a structured and commonly used technological format, the personal information you have provided to us that is processed by automated means.
- Right to deindexation: where applicable law permits, you may request that we stop disseminating your personal information or de-index any hyperlink attached to your name that gives access to information about you.
Every commercial electronic message we send includes a clear and accessible unsubscribe mechanism. You may also unsubscribe at any time by contacting us through our contact page. We will process your request within 10 business days, as required by CASL.
To exercise any of the rights described above, please submit a written request through our contact page. We may ask you to verify your identity before processing your request. We will not charge a fee for reasonable access requests.
Security safeguards
intrasec implements technical, administrative, and physical safeguards appropriate to the sensitivity of the personal information we hold. Given that we operate a cybersecurity practice, our internal security controls reflect professional-grade standards, including:
- Encryption of personal information in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
- Multi-factor authentication (MFA) enforced for all staff accessing systems that contain personal information.
- Role-based access controls (RBAC) limiting access to personal information to personnel who require it to perform their job functions.
- Regular security assessments and vulnerability management practices applied to our own infrastructure.
- Formal incident response procedures, including breach notification protocols consistent with PIPEDA's mandatory breach of security safeguards reporting requirements.
- Staff privacy and security training conducted at onboarding and annually thereafter.
- Confidentiality agreements executed with all employees and contractors who handle personal information.
In the event of a breach of security safeguards involving personal information under our control that creates a real risk of significant harm to individuals, we will notify the Office of the Privacy Commissioner of Canada (OPC) and the affected individuals as required by PIPEDA and applicable provincial law. Notification will occur as expeditiously as possible and will include the nature of the breach, the information involved, the steps taken to mitigate harm, and our contact information for follow-up.
No method of transmission over the internet or method of electronic storage is completely secure. While we strive to protect your personal information using commercially reasonable measures, we cannot guarantee its absolute security. You assume a degree of risk when transmitting information to us electronically, and you do so at your own risk.
Third-party services & links
Our website and services may contain links to third-party websites, applications, or services that are not operated by us. We have no control over the privacy practices of these third parties and are not responsible for their privacy policies or content. We encourage you to review the privacy policy of every third-party website or service you visit.
Where we engage third-party service providers to process personal information on our behalf (as described in Section 04), we enter into data processing agreements that require them to handle personal information in accordance with PIPEDA and this policy, implement appropriate security safeguards, and use the information only for the purposes we specify.
Our current service providers may include providers of cloud hosting, email delivery, payment processing, customer relationship management, scheduling, and analytics. A current list of key processors is available on request through our contact page. We review our processors' security and privacy practices before engagement and on an ongoing basis.
Children's privacy
Our website and services are directed exclusively to businesses and business professionals. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have inadvertently collected personal information from a minor, we will take prompt steps to delete that information from our records. If you believe we have collected information from a minor, please contact us immediately through our contact page.
Cross-border data transfers
intrasec is headquartered in Toronto, Ontario, Canada. The personal information we collect may be stored and processed in Canada or in other countries where our service providers operate, including the United States. When personal information is transferred to or stored in a jurisdiction outside Canada, it may be accessible to the courts, law enforcement, and national security authorities of that jurisdiction under applicable local law.
We take contractual and technical measures to protect personal information transferred outside Canada, including requiring our international service providers to implement security safeguards equivalent to those required under PIPEDA. Where required by Québec's Law 25, we conduct privacy impact assessments (PIAs) before transferring personal information outside Québec and publish relevant information about such transfers in accordance with regulatory requirements.
For transfers to the United States, we rely on standard contractual clauses and, where applicable, data processing agreements compliant with applicable US state privacy laws.
Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Post the updated policy on this page with a revised effective date.
- Notify active clients by email or through our client portal at least 30 days before the changes take effect, where those changes materially affect how we use client personal information.
- Seek renewed consent, for material changes that require it, before continuing to process your personal information under the new terms.
Your continued use of our website or services after the effective date of a revised policy constitutes your acceptance of the changes. We encourage you to review this policy periodically. The most current version will always be available at intrasec.ca/privacy-policy.
Contact & complaints
intrasec has designated a Privacy Officer who is accountable for our compliance with this policy and applicable privacy legislation.
For any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact:
Privacy Officer, intrasec
Toronto, Ontario, Canada
Contact: intrasec.ca/contact
We will acknowledge receipt of your request within 5 business days and provide a substantive response within 30 days. If we require additional time (up to 60 days where permitted by law), we will notify you and explain the reason for the delay.
If you are not satisfied with our response to a privacy concern, you have the right to file a complaint with the applicable privacy regulator:
- Federal (PIPEDA): Office of the Privacy Commissioner of Canada, priv.gc.ca
- Québec (Law 25): Commission d'accès à l'information du Québec, cai.gouv.qc.ca
- Alberta (PIPA): Office of the Information and Privacy Commissioner of Alberta, oipc.ab.ca
- British Columbia (PIPA BC): Office of the Information and Privacy Commissioner for BC, oipc.bc.ca