Privacy Policy
Effective: June 16, 2025
Last updated: June 16, 2025
Northern Serendib (“Northern Serendib,“ “we,“ “our,“ or “us“) is an Ontario-registered solo proprietorship headquartered in Ottawa, Canada. We design and host custom web solutions for Canadian businesses. This Policy explains how we collect, use, disclose, and retain personal information when you interact with northernserendib.ca/.com/.io.
1. Personal information we collect
| Touch-point | What we collect | Purpose | Retention |
|---|---|---|---|
| Free 15-Minute Consult form |
| Schedule the call, send confirmation email, and prepare for the meeting | 30 days, then automatic deletion |
| Quotation Request form |
| Generate and email an estimate, follow-up on your project | 30 days, then automatic deletion |
| Rate-limit / security audit |
| Detect abusive or automated requests, prevent brute-force attacks, and block malicious IPs | 7 days, then automatic deletion |
Encryption & hashing. We use AES-256 encryption for all at-rest copies of personal data and SHA-256 for one-way hashes.
2. How we use your information
- Service delivery: To confirm consultations, create quotations, and otherwise respond to your requests.
- Security & fraud prevention: To enforce rate-limits, investigate suspicious activity, and protect our site and infrastructure.
- Business Operations: To maintain records, improve our services, and comply with legal or regulatory obligations.
3. Legal basis for processing
Because we operate in Canada, we follow the Personal Information Protection and Electronic Documents Act (PIPEDA). We rely on:
- Your consent when you voluntarily submit a form; and
- Our legitimate interests in maintaining the security and integrity of our systems.
If you are located in the EEA/UK, we also rely on GDPR Articles 6(1)(a), (c) and (f).
4. Where we store and process data
All primary systems (databases, backups, and automated email services) run in Canadian data centres (Azure Canada Central or DigitalOcean TOR1). Limited third-party providers (e.g., email relay, analytics) may process data outside Canada; where they do, we require contractual commitments to safeguard it to Canadian-equivalent standards.
5. How we safeguard information
- Data-at-rest encryption (AES-256)
- Data-in-transit encryption (TLS 1.2+)
- Principle-of-least-privilege access controls
- Automated 30-day / 7-day purge jobs verified nightly
- Web-application firewalls and rate-limiting on all public endpoints
6. Your choices & rights
Under PIPEDA (and GDPR where applicable) you may:
- Access & correct your personal information
- Withdraw consent at any time (this will not affect processing already performed)
- Request deletion before the automatic purge dates
- Complain to the Office of the Privacy Commissioner of Canada (or your local regulator)
Contact us using the details in Section 9 to exercise these rights.
7. Cookies & analytics
We use essential first-party cookies to maintain session security and remember form progress. We currently do not use third-party tracking or behavioural-advertising cookies. Any future analytics tools will honour “Do Not Track” and be disclosed in this Policy.
8. Disclosure of information
We share personal information only with:
- Service providers who host our infrastructure or send transactional emails (bound by contract to keep data confidential)
- Law-enforcement authorities if legally required
- Successors to our business (e.g., in a merger), provided they honour this Policy
9. Contact us
10. Changes to this Policy
We may update this Policy to reflect new features or legal requirements. When we do, the “Effective Date” above will change. Material changes will be highlighted on our site or emailed to affected users at least 14 days before taking effect.