Privacy Policy
We're a security company; treating your data carefully is the product.
The short version: we collect what's needed to run the service — your account details, the infrastructure you register, and what our scans observe about it. We don't sell data, we don't use your findings for anything but serving you, Canadian customers' scan data stays in Canada, and you can get a copy or deletion of your data by asking.
1. What we collect
- Account information — name, work email, company, phone number (if you opt into SMS or telephone alerts), billing details (processed by our payment provider; we never store full card numbers).
- Registered infrastructure — the domains, addresses, and assets you submit, and their verification records.
- Scan findings — technical observations about your registered assets: exposed services, versions, certificates, configurations.
- Service usage — dashboard activity and communications with your expert, kept to provide continuity of advice.
2. What we use it for
To provide the service you bought: running scans, producing recommendations, alerting you to incidents, billing, and support. Aggregated, anonymized statistics (never identifying you or your infrastructure) may be used in research such as our State of SMB Exposure reports.
3. What we never do
- Sell or rent your information — to anyone, ever.
- Use your scan findings for any purpose other than serving your account.
- Disclose your findings to third parties except as required by law, in which case we notify you unless legally barred.
4. Where your data lives
Customers billed on our Canadian (.ca) properties have their account and scan data stored in Canadian data centres. Customers on .com properties are hosted in North American data centres. We tell you before any change to these locations.
5. Retention
Scan findings and reports are retained for the life of your subscription plus 12 months (so returning customers keep their history), then deleted. Account and billing records are retained as required by tax and corporate law. You can request earlier deletion of scan data at any time.
6. Your rights
You may request access to, correction of, or deletion of your personal information, and withdraw consent for optional processing, by emailing privacy@instantciso.com. We respond within 30 days. Canadian users may also contact the Office of the Privacy Commissioner of Canada; Quebec users have corresponding rights under Law 25; California users have rights under the CCPA/CPRA.
7. Breach notification
If a breach of our systems creates a real risk of significant harm to you, we notify you and the relevant authorities as required by PIPEDA, Quebec Law 25, and applicable US state law — with the same speed we'd expect from ourselves as your security provider.
8. Privacy officer
Our designated privacy officer can be reached at privacy@instantciso.com.