Privacy Policy

We're a security company; treating your data carefully is the product.

Draft. This policy is a working draft and has not yet been reviewed by counsel. It will be finalized before subscriptions open.

The short version: we collect what's needed to run the service — your account details, the infrastructure you register, and what our scans observe about it. We don't sell data, we don't use your findings for anything but serving you, Canadian customers' scan data stays in Canada, and you can get a copy or deletion of your data by asking.

1. What we collect

2. What we use it for

To provide the service you bought: running scans, producing recommendations, alerting you to incidents, billing, and support. Aggregated, anonymized statistics (never identifying you or your infrastructure) may be used in research such as our State of SMB Exposure reports.

3. What we never do

4. Where your data lives

Customers billed on our Canadian (.ca) properties have their account and scan data stored in Canadian data centres. Customers on .com properties are hosted in North American data centres. We tell you before any change to these locations.

5. Retention

Scan findings and reports are retained for the life of your subscription plus 12 months (so returning customers keep their history), then deleted. Account and billing records are retained as required by tax and corporate law. You can request earlier deletion of scan data at any time.

6. Your rights

You may request access to, correction of, or deletion of your personal information, and withdraw consent for optional processing, by emailing privacy@instantciso.com. We respond within 30 days. Canadian users may also contact the Office of the Privacy Commissioner of Canada; Quebec users have corresponding rights under Law 25; California users have rights under the CCPA/CPRA.

7. Breach notification

If a breach of our systems creates a real risk of significant harm to you, we notify you and the relevant authorities as required by PIPEDA, Quebec Law 25, and applicable US state law — with the same speed we'd expect from ourselves as your security provider.

8. Privacy officer

Our designated privacy officer can be reached at privacy@instantciso.com.