Privacy Policy

Effective date: March 2026 • Contact: [email protected]

1. Scope

This Privacy Policy explains how VXSec ("we," "us," or "our") collects, uses, stores, and shares personal information when you visit vaultxsec.com, book a scoping call, engage us for audit or implementation services, or contact us by email.

We are based in Ontario, Canada and operate under applicable Canadian privacy law, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.

2. Information We Collect

We do not sell personal information. We collect only what is necessary to deliver our services:

Information you provide directly

Contact information: name, email address, company name, job title, phone number (optional)
Engagement details: tool names, user counts, cloud spend ranges, and other information shared during scoping calls or email exchanges
System access credentials: read-only or least-privilege access credentials provided to perform audits — stored only for the duration of the engagement and deleted immediately upon completion

Information collected automatically

Technical data: IP address, browser type and version, operating system, pages viewed, time spent on pages, referring URL, and timestamps
Cookies: We use only essential cookies required for the website to function. We do not use advertising cookies, tracking pixels, or third-party analytics beyond what is described in this policy.

3. How We Use Your Information

We use personal information only for the following purposes:

To deliver audit and implementation services you have engaged us for
To communicate with you about your engagement, deliver reports and action plans, and respond to questions
To schedule and conduct scoping calls and follow-up meetings
To process payments and maintain billing and tax records
To improve our services and understand how our website is used
To comply with applicable legal obligations

We do not use your information for marketing to third parties, targeted advertising, or any purpose not listed above.

4. How We Share Your Information

We share personal information only in the following limited circumstances:

Payment processing: Stripe, Inc. — for invoicing and payment collection. Stripe's privacy policy governs their handling of payment data.
Scheduling: Calendly — for booking scoping calls. Calendly's privacy policy governs their handling of scheduling data.
Communication: Google Workspace — for email and calendar. Google's privacy policy governs their handling of communication data.
Legal requirements: We may disclose information if required by law, court order, or to protect the rights, property, or safety of VXSec or others.

We do not sell, rent, or share personal information with advertisers, data brokers, or any third party for commercial purposes.

5. System Access and Credentials

When you provide us with access credentials (e.g., a read-only admin account for Microsoft 365 or AWS) to perform an audit:

Credentials are stored securely and accessed only by the lead consultant performing your engagement
We use least-privilege access — we request only the permissions necessary for the audit
Access is revoked and credentials are permanently deleted within 3 business days of delivering the audit report, unless you have separately engaged us for implementation services
For implementation engagements, access is maintained only for the duration of implementation and deleted within 3 business days of completion
You may request credential deletion at any time by emailing [email protected]

6. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

Encryption in transit (HTTPS/TLS) for all website and email communications
Access controls and least-privilege principles for all systems we use
Secure storage of credentials and engagement data
Immediate deletion of access credentials upon engagement completion

No method of electronic storage or transmission is 100% secure. While we take reasonable steps to protect your information, we cannot guarantee absolute security. In the event of a security incident affecting your personal information, we will notify you as required by applicable law.

7. Data Retention

We retain personal information only as long as necessary for the purposes for which it was collected:

Contact and billing records: Retained for the period required by applicable tax and financial regulations (typically 7 years)
Audit reports and deliverables: Retained for 12 months for quality assurance and reference purposes, then deleted — unless you request earlier deletion
System access credentials: Deleted within 3 business days of engagement completion or upon your request, whichever is earlier
Email correspondence: Retained for the duration of the business relationship and for a reasonable period thereafter for reference and legal purposes
Website analytics logs: Retained for up to 12 months, then aggregated or deleted

8. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

Access: Request a copy of the personal information we hold about you
Correction: Request that we correct inaccurate or incomplete information
Deletion: Request that we delete your personal information, subject to legal retention requirements
Restriction: Request that we restrict processing of your information in certain circumstances
Portability: Request your information in a machine-readable format where applicable
Withdrawal of consent: Withdraw consent where processing is based on consent

To exercise any of these rights, email [email protected] with your request. We will verify your identity and respond within 30 days.

Canadian residents: You have rights under PIPEDA and applicable provincial privacy legislation. You may also file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.

California and US residents: VXSec acts as a service provider to our clients. We do not sell personal information and do not share personal information for cross-context behavioral advertising.

EU and UK residents: If you are located in the EU or UK, you may have rights under the General Data Protection Regulation (GDPR) or UK GDPR. You may lodge a complaint with your local data protection supervisory authority.

9. Cookies and Tracking

Our website uses only essential cookies required for basic functionality. We do not use advertising cookies, retargeting pixels, or invasive tracking technologies. You can control or disable cookies through your browser settings; note that disabling cookies may affect certain website functionality.

We may use basic, privacy-respecting analytics (such as aggregated page view counts) to understand how our website is used. We do not use Google Analytics or other third-party analytics platforms that track individual users across the web.

10. International Transfers

VXSec is based in Canada. Some of our service providers (such as Stripe, Calendly, and Google Workspace) may process data in countries other than Canada. Where data is transferred internationally, we rely on our service providers' compliance with applicable data protection frameworks and standard contractual clauses where required.

11. Children

Our services are intended for businesses and professionals. We do not knowingly collect personal information from anyone under the age of 16. If we become aware that we have collected personal information from someone under 16, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will post the updated policy on this page with a revised effective date. For material changes, we will provide more prominent notice. Continued use of our services after changes are posted constitutes acceptance of the updated policy.

13. Contact

For privacy questions, requests, or concerns, contact us at:

VXSec
Ontario, Canada
[email protected]

We will respond to privacy inquiries within 30 days.