Privacy Policy
Territorial Creative Inc.
Last Updated: December 19, 2025
Territorial Creative Inc. ("Territorial", "we", "us", or "our") is committed to protecting the privacy, confidentiality, and security of the personal information and other data entrusted to us. This includes information about our own clients, their end-users (such as plan participants or employees), and the confidential business information we handle while developing and operating software solutions for organizations.
Our privacy practices conform with applicable Canadian privacy legislation, including:
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- British Columbia's Freedom of Information and Protection of Privacy Act (FOIPPA) (where applicable)
- British Columbia's Personal Information Protection Act (PIPA)
We have designated a Privacy Officer who is responsible for overseeing compliance with this Privacy Policy and applicable laws.
We maintain a comprehensive Privacy Management Program that includes employee training, documented privacy and security policies, risk management processes, access controls, incident response procedures, vendor oversight, and continuous monitoring to ensure responsible and compliant handling of personal information and confidential client data.
1. Our Role and Scope
We act in different capacities depending on the context:
- Service provider / processor
When we provide software development, hosting, configuration, and support services, we process personal information and other confidential information on behalf of those organizations according to our contracts and their instructions. In these cases, they are typically the "controller" and their privacy notices also apply.
- Controller
When we collect and use information for our own business purposes (e.g., marketing, client relationship management, internal operations), we are responsible for that information as a controller and this Privacy Policy applies directly.
2. Why We Collect, Use, and Disclose Information
We collect, use, and disclose information only for reasonable, business-related purposes, including to:
- provide, configure, operate, and support our software solutions and services;
- confirm identity and eligibility to access certain systems or environments;
- administer user accounts and permissions;
- manage projects, tickets, and service requests;
- process payments, invoices, and other transactions;
- communicate with you about products, services, updates, incidents, and support;
- conduct internal analytics, quality assurance, market research, and service improvement;
- monitor system integrity and security (including via logs and monitoring tools);
- detect, investigate, and prevent fraud, unauthorized access, or other security incidents;
- comply with legal, regulatory, tax, and reporting obligations;
- support prospective or actual business transactions (e.g., merger, acquisition);
- send marketing or informational communications (where permitted and with consent where required);
- any other purposes that we identify at the time of collection and for which we obtain your consent, where required.
If we need to use information for a new purpose that is not compatible with or reasonably related to these purposes, we will explain the new purpose and, where required, ask for your consent before proceeding.
3. Types of Information We Collect and Handle
We limit collection to what is reasonably necessary for our purposes.
3.1 Personal Information You Provide
This includes information you or your organization provide directly to us, such as:
- contact details (name, email, phone number, mailing address);
- business information (employer, job title, business address);
- user account information (usernames, role assignments, preferences);
- billing and payment information (billing address, payment details);
- content in forms, tickets, or documents you upload or send to us;
- communications with us (emails, support chats, in-app messages, etc.).
3.2 Technical and Usage Information
When you use our websites, platforms, or applications, we may automatically collect:
- IP address, device identifiers, and general location (e.g., city or region);
- browser type, operating system, and device information;
- pages viewed, links clicked, features used, and time spent on our services;
- log data and diagnostic information generated by our systems and security tools;
- cookie, pixel, and similar tracking data (see Section 12).
When accessing our services through a mobile device, we may collect device and location data where permitted by your device settings; you can typically disable location sharing from your device.
3.3 Client and Project Information We Handle on Behalf of Our Clients
Because we develop, host, and support solutions for clients, we may process sensitive and confidential information that belongs to them, including:
- Customer and end-user data, such as plan participant or employee information that our clients enter into the solutions we build and support;
- Personally Identifiable Information (PII) about those end-users, as determined by our clients (e.g., names, contact details, identification numbers, demographic and employment-related data);
- Confidential business information, such as:
  - internal policies and handbooks;
  - legal documents, contracts, meeting minutes, and internal presentations;
  - incident reports, risk assessment reports, and technical vulnerability reports;
  - company financial and banking data;
  - salary, compensation, and payroll information;
  - strategic and business plans;
  - litigation-related data;
  - logs and metrics from production systems.
- Technical information and assets, such as:
  - source code and configuration files;
  - authentication credentials (e.g., username/password, API keys, secrets, tokens, private keys);
  - infrastructure and architecture documentation.
We treat all such information as Confidential Information and process it solely to deliver and support our services, subject to our contracts and the instructions of the relevant client organization. We do not use these data sets for our own independent marketing or profiling.
3.4 Communications and Call/Chat Recordings
When you communicate with us (for example, by phone, online chat, or email), we may record or log those interactions to:
- ensure quality customer service;
- confirm your instructions and document decisions;
- resolve complaints and disputes;
- maintain accurate project and support records.
Where required by law, we will notify you if a call is being recorded.
4. How We Collect Information
We collect information through several methods, including:
- forms on our websites, platforms, and applications;
- service onboarding and implementation processes;
- email, phone, virtual meetings, and other communication channels;
- user interactions with our platforms (including logs and telemetry);
- cookies, web beacons, and analytics technologies;
- information provided by clients, partners, and other trusted third parties;
- publicly available sources, where relevant and permitted by law.
We collect personal information with your knowledge and consent, unless otherwise permitted or required by law.
5. Consent and Your Choices
Your consent may be express (for example, signing a contract, checking a box, or submitting a form) or implied (for example, when the purpose is obvious and you voluntarily provide the information).
You may:
- withdraw consent to our processing of your personal information, subject to legal or contractual restrictions;
- decline to provide information, though this may limit or prevent us from delivering certain services;
- opt out of marketing communications using unsubscribe links or by contacting us.
We do not share SMS consent or phone numbers with third parties or affiliates for marketing purposes.
6. How We Share and Disclose Information
We do not sell or rent personal information. We may disclose information in these circumstances:
6.1 Service Providers and Partners
We may share information with third-party organizations that help us deliver services, including:
- hosting and cloud infrastructure providers;
- analytics and monitoring tools;
- payment processors and billing platforms;
- email, SMS, and communication providers;
- security, backup, and disaster-recovery providers;
- professional advisors (e.g., auditors, accountants, external legal counsel).
We require these service providers to:
- use the information only for the purposes we specify; and
- protect it in a manner consistent with this Privacy Policy and applicable laws.
6.2 Clients, Plan Sponsors, and Authorized Representatives
When acting as a service provider to clients, we may share relevant information with:
- the client organization and its authorized representatives;
- other benefit or service providers designated by that client;
- individuals within the client organization who administer their plans or programs.
Any such sharing is governed by our contracts and the client's own privacy obligations.
6.3 Business Transactions
We may disclose information in connection with a prospective or completed business transaction, such as a merger, acquisition, or financing, subject to confidentiality obligations.
6.4 Legal and Regulatory Requirements
We may disclose information where required or permitted by law, including:
- to comply with subpoenas, court orders, or government requests;
- to investigate or respond to suspected illegal activity, fraud, or threats to safety;
- to protect our rights, property, or the rights and safety of others.
6.5 With Your Consent
We may share information with third parties when you explicitly authorize us to do so.
7. Retention of Information
We retain personal and confidential information only as long as necessary to:
- fulfill the purposes described in this policy;
- meet legal, regulatory, or contractual requirements;
- resolve disputes and enforce agreements.
For data we process on behalf of clients, we apply the retention periods and deletion instructions set out in our contracts with them.
Once information is no longer required, it is securely deleted, destroyed, or anonymized. Personally Identifiable Information (PII) is deleted or anonymized as soon as it no longer has a business use.
8. Security Measures and Safeguards
We use physical, technical, and administrative measures to protect information against unauthorized access, loss, misuse, or alteration, taking into account the sensitivity of the information and the risks involved. These measures include:
- encryption of data in transit and at rest where appropriate;
- access controls, role-based permissions, and authentication procedures;
- secure development and deployment practices;
- system logs, monitoring tools, and incident-response procedures;
- network security measures and vulnerability management;
- policies and procedures governing classification and handling of restricted, public, and confidential information;
- regular security and privacy training for staff;
- confidentiality agreements with employees and contractors;
- secure disposal or anonymization of information when no longer needed.
Each employee is expected to handle personal and confidential information only for legitimate business purposes, take reasonable steps to protect it, and seek guidance when uncertain about whether information should be disclosed.
Despite our efforts, no method of transmission or storage is completely secure. We cannot guarantee absolute security but strive to maintain safeguards that meet or exceed industry standards.
9. Privacy Management Program
Territorial Creative Inc. maintains a comprehensive Privacy Management Program (PMP) designed to ensure the responsible, secure, and compliant handling of personal information and confidential client data throughout its lifecycle. Our PMP reflects the expectations of Canadian privacy legislation—including PIPEDA and British Columbia's PIPA—as well as industry best practices for organizations that develop, operate, and support software systems on behalf of clients.
Our Privacy Management Program includes the following core components:
1. Governance and Accountability
- We have appointed a Privacy Officer responsible for overseeing compliance with this Privacy Policy, applicable privacy legislation, and our contractual obligations as a service provider.
- The Privacy Officer supervises internal privacy practices, conducts compliance monitoring, and coordinates responses to privacy-related inquiries, incidents, and regulatory requests.
- Roles and responsibilities for employees, contractors, and leadership are defined to ensure appropriate handling of personal and confidential information.
2. Policies, Procedures, and Documentation
- We maintain written privacy and security policies that govern how personal information is collected, used, stored, accessed, disclosed, retained, and destroyed.
- Internal procedures guide employees in secure data handling, classification of confidential information, incident response, encryption standards, and least-privilege access protocols.
- We maintain documentation to demonstrate compliance, including access logs, incident-response reports, audit records, training records, and data-processing agreements where applicable.
3. Employee Training and Awareness
- All employees and contractors complete privacy and security training as part of onboarding and at regular intervals thereafter.
- Training covers topics such as:
  - secure handling of personal and confidential data
  - phishing and cybersecurity awareness
  - proper use of company systems
  - incident reporting
  - obligations under Canadian privacy law and client contracts
- Employees sign confidentiality agreements and are required to follow privacy and security policies at all times.
4. Risk Management, Monitoring, and Auditing
- We regularly assess privacy and security risks associated with our systems, internal processes, and client projects.
- System activity, access events, and operational logs are monitored to detect unauthorized access, misuse, or anomalies.
- Periodic audits and reviews of our policies, controls, and technical safeguards ensure ongoing compliance and effectiveness.
5. Vendor and Third-Party Oversight
- We conduct due diligence on service providers that handle personal, confidential, or operational data on our behalf.
- Third-party providers must meet contractual privacy and security requirements consistent with this policy and applicable laws.
- Where appropriate, we ensure that data transferred outside Canada is protected by adequate safeguards.
6. Incident Response and Breach Management
- We maintain an established Incident Response Plan that outlines steps for identifying, containing, investigating, and mitigating suspected or actual privacy or security incidents.
- In the event of a breach involving personal information, we will:
  - notify affected clients and/or individuals as required
  - cooperate with relevant authorities
  - document the incident and remediation actions
  - take steps to prevent similar incidents in the future
- As a processor/service provider, we notify clients promptly in accordance with contractual and legal requirements.
7. Data Retention and Secure Disposal
- We retain personal information only for as long as necessary to fulfill the purposes for which it was collected or as required by law or contract.
- When data is no longer needed, we securely delete, anonymize, or destroy it using methods appropriate to its sensitivity.
- For data processed on behalf of clients, we follow their retention, return, or destruction instructions.
8. Continuous Improvement
- Our Privacy Management Program is reviewed regularly to ensure it remains effective, up to date with legal requirements, and aligned with industry standards.
- We incorporate lessons learned from audits, incidents, client feedback, and regulatory updates.
10. Your Rights
Subject to applicable law, you have the right to:
- access the personal information we hold about you;
- request corrections to inaccurate or incomplete information;
- request deletion of your personal information, subject to legal and contractual retention obligations;
- object to certain types of processing;
- withdraw consent to processing, where consent is the legal basis;
- request a copy of certain information in a structured, commonly used format (where portability rights apply).
Please email our Privacy Officer regarding these requests. We may need to verify your identity before fulfilling requests. If we process your information on behalf of a client, we may direct you to contact that organization, and we will support them in responding to your request where required.
11. International Data Transfers
Some of our service providers or systems may be located outside of Canada (for example, in the United States or other jurisdictions). When personal information is transferred outside Canada, it may be subject to the laws of that jurisdiction.
We take steps to ensure that such transfers are made in compliance with applicable laws and that appropriate safeguards are in place.
12. Cookies, Analytics, and Tracking Technologies
We use cookies, pixels, and similar technologies to:
- operate and secure our websites and platforms;
- remember your preferences and improve user experience;
- understand how our sites and services are used;
- support analytics and, where permitted, marketing activities.
We may use tools such as Google Analytics to measure and understand website traffic and usage patterns. This aggregated data is stored and accessed only by our website administrators through their secured portals. To learn how you can opt out of Google Analytics, please visit:
https://tools.google.com/dlpage/gaoptout/
You can manage cookies via your browser settings. Disabling certain cookies may affect the functionality of our sites.
Our websites and services may link to third-party sites. Their privacy practices are not governed by this policy, and we encourage you to review their privacy statements.
13. Children's Privacy
Our services are not directed to children under the age of 13 (or the age of majority in their jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us personal information, please contact us so we can take appropriate steps.
14. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. We will post the updated version on our website and update the "Last Updated" date.
If we make material changes, we will take reasonable steps to notify you (for example, through our website, by email, or within our platforms), as required by law.
15. Contact and Complaints
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact our Privacy Officer:
Privacy Officer
Flavio Ishii
Email: privacy@territorial.ca
We will investigate and respond within the timelines required by applicable privacy laws. If you are not satisfied with our response, you may contact the appropriate privacy regulator, such as:
- Office of the Privacy Commissioner of Canada
- Office of the Information and Privacy Commissioner for British Columbia