Privacy Policy

1. About This Policy

ZSoftly Technologies Inc. ("ZSoftly", "we", "us", or "our") is a Canadian corporation incorporated under the laws of Canada, headquartered at 116 Albert Street, Suite 300, Ottawa, Ontario, K1P 5G3.

This Privacy Policy describes how we handle personal information in connection with ZSoftly Cloud Platform ("ZCP"), our website at zcp.zsoftly.ca, the self-service portal at cloud.zcp.zsoftly.ca, and any related services (collectively, the "Services").

We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25 / Loi 25), and other applicable Canadian privacy legislation. Where Law 25 imposes stricter obligations than PIPEDA, we apply the stricter standard.

By using our Services, you acknowledge that you have read and understood this Policy.

2. Privacy Officer

We have designated a Privacy Officer who is accountable for our compliance with this Policy and applicable privacy legislation. To reach our Privacy Officer:

3. Personal Information We Collect

We collect personal information only to the extent necessary to provide our Services.

3.1 Account and Identity Information

When you register for an account, we collect your first and last name, work email address, company or organization name, and job title (optional). This information is required to create and administer your account.

3.2 Billing and Payment Information

We collect billing contact details (name, address) and payment method information to process charges for the Services. Payment card data is processed and stored by our payment processor and is not stored on ZSoftly systems. We retain records of transactions, invoices, and billing history as required for accounting and legal purposes.

3.3 Usage and Technical Data

We automatically collect data about how you interact with our Services, including IP addresses, browser type, pages visited, features used, and timestamps of portal activity. This data is used for security monitoring, abuse prevention, and service improvement.

3.4 Communications

When you contact us by email, through our contact form, or by opening a support ticket, we retain the content of those communications, your contact information, and records of our responses.

3.5 Customer Data

You may store, process, or transmit data on ZCP infrastructure as part of using the Services ("Customer Data"). Customer Data is yours. We do not access, use, or disclose Customer Data except as necessary to deliver the Services, comply with a legal obligation, or respond to your support requests. Customer Data is not used to train models or for our commercial purposes.

4. How We Use Your Information

We use personal information for the following purposes, which we identify at or before the time of collection:

• Provisioning and operating the Services you have requested
• Processing payments and issuing invoices
• Authenticating your identity and maintaining account security
• Providing technical support and responding to inquiries
• Sending transactional communications (invoices, security alerts, service notices)
• Monitoring for security incidents, fraud, and abuse
• Complying with legal and regulatory obligations
• Enforcing our Terms of Service
• Improving and developing the Services (using aggregated and anonymized data)

We will not use your personal information for purposes other than those identified above without first obtaining your consent, unless required or permitted by law.

5. Consent

We obtain your consent at or before the time of collection. By registering for the Services, you consent to the collection, use, and disclosure of your personal information as described in this Policy. You may withdraw consent at any time, subject to legal and contractual restrictions, by contacting our Privacy Officer. Withdrawal of consent may affect our ability to provide the Services to you.

For optional communications such as product announcements and newsletters, we obtain express opt-in consent and honor opt-out requests promptly.

6. Disclosure of Personal Information

We do not sell your personal information. We may disclose it only in the following circumstances:

6.1 Service Providers

We engage third-party service providers who process personal information on our behalf, including payment processing, transactional email delivery, and infrastructure tooling. Each provider is bound by contractual privacy and security obligations consistent with this Policy and applicable law. A list of our current sub-processors is available upon request.

6.2 Legal Requirements

We may disclose personal information when required by law, court order, or lawful government authority. Where legally permissible, we will notify you before complying with such a request.

6.3 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal information may be transferred as part of that transaction. We will notify affected individuals and provide an opportunity to withdraw consent before personal information is subject to a materially different privacy policy.

7. Data Residency

All ZCP infrastructure is colocated in Canadian data centres. Personal information we collect and Customer Data you store on ZCP are held in Canada. We do not transfer personal information outside Canada except where a service provider operates in another jurisdiction, in which case we contractually require that provider to protect your information to a standard equivalent to Canadian law.

You may request information about where your personal information is held and the identities of any foreign service providers by contacting our Privacy Officer.

8. Retention

We retain personal information only as long as necessary for the purposes for which it was collected, or as required by law:

When Customer Data is deleted by you or following account termination, we delete it from active systems within 30 days and from backups within 90 days, unless a longer retention is required by law.

9. Security

We implement administrative, technical, and physical safeguards appropriate to the sensitivity of the personal information we hold. Our security program is aligned with ISO/IEC 27001:2022 and includes:

• Encryption of personal information in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access controls with principle of least privilege
• Multi-factor authentication on all administrative access
• Continuous security monitoring and intrusion detection
• Regular vulnerability assessments and penetration testing
• Formal incident response and breach notification procedures
• Employee security training and background screening
• Physical security controls at all colocation facilities

No security measure is perfect. In the event of a privacy breach that creates a real risk of significant harm, we will notify the Office of the Privacy Commissioner of Canada and affected individuals as required by PIPEDA's breach reporting regulations (SOR/2018-64), and notify the Commission d'accès à l'information du Québec (CAI) as required by Law 25, within the legally prescribed timeframes.

10. Your Privacy Rights

10.1 Under PIPEDA (Federal)

You have the right to:

• Know what personal information we hold about you
• Access your personal information and receive a copy
• Challenge the accuracy and completeness of your information and have it corrected
• Know how your information has been used and to whom it has been disclosed
• Withdraw consent to the use and disclosure of your information
• Lodge a complaint with the Office of the Privacy Commissioner of Canada

10.2 Under Quebec Law 25 (Loi 25)

If you are a Quebec resident, you additionally have the right to:

• Data portability: receive your personal information in a commonly used, structured, technological format
• Deindexation: request that hyperlinks providing access to your information be deindexed, where applicable
• Automated decision review: be informed of and contest any decision made solely by automated means
• Lodge a complaint with the Commission d'accès à l'information du Québec (CAI)

To exercise any of these rights, contact our Privacy Officer at privacy@zsoftly.com. We will respond within 30 days. If we are unable to fulfill a request, we will explain why in writing.

11. Cookies and Analytics

Our marketing website uses self-hosted Umami Analytics, which collects anonymized, aggregate usage data without the use of cookies and without collecting personally identifiable information. No data is shared with third-party advertising networks.

The self-service portal may use session cookies strictly necessary for authentication and security. These cookies are not used for tracking or advertising. They expire at the end of your session or within 24 hours.

12. Children's Privacy

The Services are not directed to individuals under 16 years of age. We do not knowingly collect personal information from anyone under 16. If we learn that we have collected such information, we will delete it promptly. Contact our Privacy Officer if you believe a minor's information has been submitted to us.

13. Changes to This Policy

We may update this Policy from time to time. Material changes will be communicated by posting the revised Policy on this page with an updated effective date, and by email notification to registered account holders at least 30 days before the changes take effect. Continued use of the Services after the effective date constitutes acceptance of the revised Policy.

14. Filing a Complaint

We take privacy concerns seriously. If you believe we have not handled your personal information in accordance with this Policy or applicable law, please contact our Privacy Officer first. If you are not satisfied with our response, you may file a complaint with: