Get in Touch

Privacy Policy

Last updated: September 22, 2025

At‑a‑Glance

  • Who we are. Data Solutions, Inc. (“Company,” “we,” “us,” “our”).
  • What this covers. Our websites, products and services, marketing, support, and recruiting (together, the “Services”).
  • Roles. We act as a controller for our own operations (web, billing, marketing, recruiting). We act as a processor/service provider when we process personal information on a customer’s instructions to deliver the Services (see our DPA).
  • Selling/Sharing. We do not sell personal information and do not share it for cross‑context behavioral advertising. We honor Global Privacy Control (GPC) signals.
  • Cookies. Only essential cookies by default; non‑essential cookies (analytics/ads) are used only with consent where required. Manage choices in our Cookie Preferences.
  • Security & compliance. Controls include MFA, encryption, access controls, logging/monitoring, vulnerability management, vendor risk reviews, and periodic pen‑testing. If applicable, we maintain SOC 2 Type II and/or ISO/IEC 27001; see our Security Page.
  • Your rights. Depending on where you live, you may request access, correction, deletion, portability, and opt‑outs (e.g., targeted advertising/profiling). Appeals available where required.
  • Compliance. We align with GDPR/UK GDPR, PIPEDA, Quebec Law 25, and applicable U.S. state privacy laws.
  • Contact. [privacy@datasolutionsinc.ca]  |  [+1‑647-449-9073]  |  [83 Vivians Crescent, Brampton ON, L6Y 4V2]

Scope & Roles

We provide this Privacy Policy to explain how we collect, use, disclose, and protect personal information in connection with the Services.


 We act as a controller for personal information we process for our own purposes (e.g., websites, billing, account administration, marketing and recruiting) and as a processor/service provider when processing personal information on behalf of our customers pursuant to their instructions and our contracts (see our Data Processing Addendum (DPA)). When acting as a processor/service provider, we process personal information solely to provide the Services and do not use it for independent purposes.

Personal Information We Collect

We collect the following categories (examples are illustrative):

 

  • Identifiers & contact details (e.g., name, email, phone, postal address, account IDs).
  • Commercial & billing information (e.g., subscription tier, invoices, payment status; payment card data is handled by our payment processor and not stored by us).
  • Internet/network activity (e.g., device/browser type, pages viewed, referring URLs, IP address, general location (city/region), product telemetry, diagnostics, and crash logs).
  • User content & support data (e.g., messages to support, attachments you choose to upload, feedback).
  • Professional/education information (e.g., employer, title; for job applicants: CV/resume, cover letter, screening notes, references).
  • In‑product usage data (e.g., features used, configuration, performance metrics, time stamps, role/permissions).
  • Geolocation (approximate, from IP; we do not collect precise geolocation unless clearly stated and consented where required).
  • Sensitive personal information (SPI): We do not intend to collect SPI (e.g., government IDs, precise geolocation, racial/ethnic origin) through the Services unless you provide it to us for a clear purpose. If we need SPI (e.g., compliance, background checks), we will explain the purpose and legal basis and obtain consent where required.

Sources of Personal Information

  • You (when you create an account, use features, submit forms, contact support, or apply for a job).
  • Your organization (if your employer provisions your account or shares data with us as a customer).
  • Automatically from devices and our Services (cookies, SDKs, logs, analytics).
  • Third parties (payment processors, identity providers, background check providers for recruiting, publicly available sources, marketing partners, sub‑processors that support the Services).

How We Use Personal Information (Purposes)

  • Provide, operate, secure, and troubleshoot the Services.
  • Set up and manage accounts, authenticate users, and process transactions.
  • Analyze usage to improve features, quality, and performance.
  • Provide customer support and respond to inquiries.
  • Send service‑related communications (e.g., updates, security notices).
  • Send marketing communications where permitted; you can opt out any time.
  • Protect against fraud, abuse, security risks, and violations of our terms.
  • Comply with law and enforce our agreements, or with your consent for specific purposes.

Legal Bases (EEA/UK)

Where GDPR/UK GDPR applies, our processing relies on one or more of: performance of a contract, legitimate interests (e.g., securing and improving the Services, preventing fraud), consent (for non‑essential cookies/marketing where required), and legal obligation.

U.S. Notice at Collection (incl. California)

We provide the following summary of categories, purposes, retention, and whether we “sell” or “share” personal information (CPRA definitions). More detail appears throughout this Policy.

CategoryExamplesPurposesRetention (typical)Sell?Share for CCPA cross-context ads?Sensitive PI?
Identifiers & contactName, email, IP, account IDsAccount setup, service delivery, support, security, legalAccount lifetime + up to 7 years after closure (legal/accounting)NoNoNo
Commercial/billingSubscription tier, invoicesBilling, fraud prevention, accounting7 years (tax/accounting)NoNoNo
Network activityPages viewed, device info, logsOperate, secure, improve, analytics12–24 months (operational logs), aggregated thereafterNoNoNo
Usage & telemetryFeature usage, performanceImprove Services, capacity planning24 months, aggregated thereafterNoNoNo
Support contentTickets, attachmentsTroubleshooting, quality3 years from ticket close (unless longer needed for disputes/legal)NoNoMay contain SPI you choose to share
Job applicant dataCV, screening notesRecruiting, compliance3 years (or as required by law)NoNoMay include SPI with notice/consent

We do not sell personal information and do not share it for cross‑context behavioral advertising. We do not use or disclose personal information for automated decision‑making that produces legal or similarly significant effects without appropriate disclosures.

Cookies & Similar Technologies

We use cookies and similar technologies to operate the site, remember preferences, measure engagement, and personalize content.

 

  • Categories. (i) Strictly necessary (security, load balancing, session); (ii) Functional; (iii) Analytics; (iv) Advertising (used only if we begin advertising and with appropriate notices/consents).
  • Consent by region. We obtain opt‑in consent for non‑essential cookies where required (e.g., EEA/UK/Quebec). Elsewhere, we rely on opt‑out choices where permitted. If applicable, we participate in IAB TCF and honor its signals.
  • Your choices. Manage settings anytime in our Cookie Preferences Center and via browser settings.
  • Signals. We honor Global Privacy Control (GPC) signals where applicable.
  • Analytics. We use privacy‑respecting analytics configurations (e.g., IP masking where available) and do not link analytics to advertising IDs without consent.

Do We Sell or Share Personal Information?

No. We do not sell personal information and do not share it for cross‑context behavioral advertising. If this changes, we will update this Policy and provide required opt‑outs.
 If we process personal information for targeted advertising on a customer’s behalf, we do so solely as a processor/service provider under that customer’s instructions.

AI & Automated Decision‑Making

We may use automated systems to support product features (e.g., threat detection, anomaly scoring, content or ticket routing, or product analytics). We do not engage in solely automated decisions that produce legal or similarly significant effects without appropriate disclosures and safeguards. Where required, we perform data protection/privacy impact assessments and offer ways to opt out of non‑essential automated features (e.g., via in‑product settings or the Cookie Preferences center).

How We Disclose Personal Information

We disclose personal information to:

 

  • Service providers/sub‑processors that help us operate the Services (e.g., hosting, support, email delivery, analytics, payments) under contracts restricting use. See our current list: Sub‑processors List. Where contractually required, we will post updates at least 30 days before adding or replacing a sub‑processor and provide a way to subscribe to change notifications.
  • Business partners when you choose integrations or direct us to connect to third‑party services.
  • Corporate transactions (merger, acquisition, financing, or sale) subject to confidentiality and continued protections.
  • Legal, safety, and rights (to comply with law, respond to requests, protect users, prevent fraud/security incidents, or enforce terms).
     We may share aggregated or de‑identified information that cannot reasonably be used to infer an individual.

Data Retention

We keep personal information only as long as necessary for the purposes described, including to meet legal, accounting, or reporting requirements. We use objective criteria (e.g., account status, categories of data, contractual and legal obligations, and technical storage limits). Representative periods appear in the Notice at Collection table above. When retention ends, we delete or de‑identify data.

See our Retention Schedule for more detail: [https://datasolutionsinc.ca/privacy/retention].

Security

We employ administrative, technical, and physical safeguards appropriate to the risk, including:

 

  • Identity & access management: Single sign‑on (SSO), multi‑factor authentication (MFA), role‑based/least‑privilege access, regular access reviews.
  • Encryption: TLS in transit; industry‑standard encryption at rest (e.g., AES‑256 or provider‑equivalent); secrets management.
  • Network & infrastructure: Segmentation, firewalling, endpoint protection, hardened baselines, secure configuration management.
  • Monitoring & logging: Centralized logging, alerting, anomaly detection, security event monitoring.
  • Vulnerability management: Regular scanning, patching SLAs, dependency management (SBOM where applicable), and periodic penetration testing.
  • Secure SDLC: Code review, CI/CD controls, supply‑chain safeguards, change management.
  • Business continuity: Backups, disaster recovery planning, resilience testing.
  • Vendor risk: Due diligence, contractual security/privacy obligations, and ongoing assessments of sub‑processors.
  • Training & awareness: Security and privacy training for personnel.

Compliance. Where applicable, we maintain SOC 2 Type II attestation and/or ISO/IEC 27001 certification; details and scope are available on request and on our Security Page ([https://datasolutionsinc.ca/security]). No system is perfectly secure, and we cannot guarantee absolute security.

Breach Notification

If a security incident occurs that compromises personal information, we will investigate, mitigate, and notify affected individuals and authorities as required by law (timelines and content depend on the jurisdiction and nature of the incident).

International Data Transfers

If we transfer personal information internationally, we use appropriate safeguards (e.g., Standard Contractual Clauses for EU/UK transfers), conduct transfer risk assessments, and apply supplementary measures where needed. Under PIPEDA, when personal information is transferred outside Canada for processing, we remain responsible for it and use contractual and other safeguards to ensure a comparable level of protection; such information may be subject to the laws of the foreign jurisdiction. By using the Services, you understand that your information may be processed in countries with different data protection laws than your own.

Your Privacy Rights

Your rights depend on your location and the nature of our relationship with you. Subject to legal limits, you may have the right to access, correct, delete, port, restrict or object to certain processing, and to opt out of targeted advertising or certain profiling. You also may withdraw consent where processing is based on consent.

Rights by Region (summary)
RegionAccess / PortabilityCorrectionDeletionOpt-out (ads / profiling)AppealNotes
EEA / UK (GDPR)✓ / ✓✓✓Legitimate interests objection / consent withdrawaln/aAddtl. rights: restriction; lodge complaint with DPA
Canada (PIPEDA)✓ / —✓— (withdraw consent; deletion where appropriate)—Challenge complianceOPC complaint path
Quebec (Law 25)✓ / —✓✓ (subject to law)——Person in charge contact required
U.S. states (CA, CO, CT, VA, etc.)✓ / ✓✓✓✓ (targeted ads / profiling / sale / share)✓GPC honored; authorized agents (CA)

This table is a quick guide. Your exact rights and how to exercise them are described below and in local law.

EEA/UK

  • Legal bases appear above.
  • You may contact us to exercise rights.
  • You may lodge a complaint with your local authority or the UK Information Commissioner’s Office.

Canada (PIPEDA)

    • Applicability. We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) when handling personal information in the course of commercial activities in Canada, except where a substantially similar provincial law applies (e.g., Quebec Law 25, Alberta PIPA, BC PIPA; certain health‑sector laws may also apply).
    • Accountability. We are responsible for personal information under our control and designate a Privacy Officer (see Contact Us) to oversee compliance. We use contractual and other measures to ensure a comparable level of protection when information is processed for us by service providers.
    • Identifying purposes & limiting collection. We identify purposes at or before collection and limit collection to what is necessary for those purposes.
    • Consent (meaningful). We obtain meaningful consent for the collection, use, and disclosure of personal information, taking into account the sensitivity of the information and your reasonable expectations. Consent may be express or implied as appropriate. You may withdraw consent at any time, subject to legal/contractual restrictions and reasonable notice, and we will explain any implications of doing so.
    • Limiting use, disclosure & retention. We use and disclose personal information only for the purposes identified (or for purposes that are compatible with them) unless you consent otherwise or the law permits. We retain information only as long as necessary, then securely delete or de‑identify it.
    • Accuracy, safeguards, openness. We keep information accurate, implement appropriate administrative, technical, and physical safeguards, and make information about our policies and practices readily available.
    • Individual access & challenging compliance. You may request access to and correction of your personal information and may challenge our compliance with PIPEDA by contacting our Privacy Officer. If we cannot resolve the issue, you may contact the Office of the Privacy Commissioner of Canada (OPC) (see Contact Us).

Quebec (Law 25)

  • You may access and correct your information and withdraw consent where applicable.
  • Our person in charge of the protection of personal information is [Title/Name, Contact].
  • We perform privacy impact assessments for cross‑border transfers where required and provide controls to disable identification, location, or profiling functions (via Cookie Preferences and in‑product settings).

United States (CA/CO/CT/VA and others)

  • We provide this Notice at Collection and do not sell or share personal information for cross‑context behavioral advertising.
  • We honor GPC signals.
  • You may use an authorized agent (California) with appropriate authorization and identity verification.
  • You have the right to appeal a denied request; see Appeals below.

Exercising Your Rights

Submit a request via DSAR Webform, email [privacy@datasolutionsinc.ca], or call [+1647-449-9073]. We will verify your identity to a reasonable degree of certainty (e.g., account email verification, additional questions) and respond within required timelines (generally 30–45 days). If we need more time, we will tell you why and when you can expect a response. We may deny or limit requests where the law permits or requires (e.g., to maintain security, comply with law, or protect others’ rights).

Appeals (U.S. states that require it)

If we deny your request, you may appeal by emailing [appeals@datasolutionsinc.ca] or using the DSAR webform within 60 days. We will respond with our decision and the reason. If you disagree, you may contact your state attorney general.

Challenging Compliance (Canada — PIPEDA)

You may challenge our compliance with PIPEDA by contacting our Privacy Officer (see Contact Us). We will investigate and respond. If you are not satisfied, you may contact the Office of the Privacy Commissioner of Canada (OPC) (see Contact Us).

Children’s Privacy

Our Services are not directed to children under 13 and we do not knowingly collect personal information from them. If you believe a child under 13 has provided information, contact us and we will take appropriate steps to delete it. Where local law sets a higher age for consent, we follow that requirement.

Third‑Party Links & Services

The Services may link to third‑party websites or services. Their privacy practices are governed by their own policies; please review them. Where you enable an integration, we will disclose information to that third party based on your instructions and in accordance with this Policy and our contracts.

Accessibility & Languages

We are committed to providing accessible privacy information. If you need this Policy in an alternative format or language, contact us at [privacy@datasolutionsinc.ca]. Translated versions are provided for convenience; the English version controls to the extent permitted by law.

Changes to This Policy

We may update this Policy from time to time. We will post the updated version with a new “Last updated” date and, if changes are material, provide additional notice (e.g., email, in‑product message). We maintain a simple change log below.

Change Log (examples)

  • 2025‑09‑22: Consolidated U.S. state rights, added GPC, Law 25 formalities, Notice at Collection table, and Appeals process.

Contact Us

[Company Legal Name, Inc.]
 Email: [privacy@datasolutionsinc.ca]
 Phone: [+1‑647-449-9073]
 Mail: [83 Vivians Crescent, Brampton Ontario, L6Y 4V2, Canada]

Privacy Officer (PIPEDA): [Bryan Guy, bryan@datasolutionsinc.ca]

Complaints — Canada (PIPEDA). If we are unable to resolve your concern, you may contact the Office of the Privacy Commissioner of Canada (OPC): [https://priv.gc.ca] | Mail: [30 Victoria Street, Gatineau, QC K1A 1H3].

Definitions (plain‑English)

  • Personal information/Personal data: Information that identifies, relates to, describes, or can be reasonably linked to an identified or identifiable person.
  • Sensitive personal information (SPI): Certain categories requiring extra protection (e.g., precise geolocation, government IDs, racial/ethnic origin), defined by laws like CPRA/GDPR.
  • Sell / Share: “Sell” means exchanging personal information for money or other value. “Share” (CPRA) means disclosing personal information for cross‑context behavioral advertising. We do neither.
  • Targeted advertising: Ads based on tracking a person across businesses, websites, or apps over time.
  • Controller / Processor: A controller decides “why/how” data is processed; a processor processes data on another party’s instructions.
  • De‑identified information: Data that cannot reasonably be used to identify a person, and for which we commit to maintain and not re‑identify.
  • Meaningful consent (PIPEDA): Clear, understandable information about purposes, what personal information is collected, potential impacts/benefits, who it’s shared with, and how to withdraw consent and exercise choices.
Facebook-f Instagram Linkedin-in
Get in Touch
Scroll to Top