Effective Date: December 29, 2025
Version: 1.0
Last Updated: December 29, 2025

Logilink LLC (USA)

Logilink Solutions Inc. (Canada)

UNIFIED PRIVACY POLICY

(Canada • United States • European Union • United Kingdom • Australia • New Zealand)


Applies To: logilinksolutions.com, logilinkstaffing.com, and related microsites, embedded forms, chat widgets, customer portals, email/newsletter programs, SMS/text messaging programs, cookies/online tracking, and any services that link to this Policy.
Entities Covered: Logilink Solutions Inc., LogiLink LLC and its Affiliates (collectively, “Logilink,” “we,” “us,” “our”).

This Policy explains how we collect, use, disclose, retain, and protect personal information across the regions above. It covers our website and marketing activities (where Logilink acts as a controller) and, separately, situations where we process personal information on behalf of our B2B clients (where Logilink acts as a processor/service provider). When we act as a processor, our use of personal information is governed by our agreements with the relevant client; this Policy continues to apply to our own websites, communications, and records.

  1. WHO WE ARE & WHAT THIS POLICY COVERS

Who we are. Logilink provides logistics operations and workforce solutions (including driver/compliance document management and related services). We operate in Canada and the United States and serve customers internationally.

Role transparency.

  • Controller role: For our websites, marketing, sales inquiries, newsletters, recruiting, and account administration, Logilink determines purposes and means of processing and acts as a controller (EU/UK), organization (AUS/NZ), or business (U.S. state privacy laws).
  • Processor role: When our B2B clients store or submit information (e.g., driver or employee documents) within our platforms, we process that information solely on their documented instructions as a processor/service provider. Requests from individuals about data in a client account will be routed to the client, and we will assist them as required.

Contact details (global).

  • Privacy Office / Privacy Officer (Canada): privacy@logilinksolutions.com
  • Mail (Canada HQ): 10-4255 Sherwoodtowne Blvd, Mississauga, ON L4Z 1Y5, Canada.
  • Mail (U.S. operations): 7901 4th St N #5551, St. Petersburg, FL 33702, USA
  • EU/AUS/NZ inquiries: Use the Privacy Office contact above; we will route to the appropriate contact for your jurisdiction.
  • For security-sensitive requests, we may ask you to verify your identity and the scope of your request.

EU/UK Representative (Article 27)

We do not currently target individuals in the EEA or UK as defined under GDPR/UK-GDPR; therefore, we are not required to appoint an EU/UK representative at this time. If this changes, we will appoint and publish the identity and contact details of our representatives before such processing begins.

Québec (Law 25) – Person in Charge of Personal Information

Our Privacy Officer is responsible for compliance with Québec Law 25 and can be reached at privacy@logilinksolutions.com. This designation is published publicly in this Policy. We do not conduct “profiling” within the meaning of Law 25. If this changes, prior notice and required controls will be provided.

  1. THE INFORMATION WE COLLECT

We collect the categories of personal information below, depending on how you interact with us (website visitor, newsletter subscriber, applicant, sales contact, or user of our services). We do not require you to provide more information than is reasonably necessary for the stated purpose.

  1. Identifiers & Contact Data
    Name, alias/preferred name, business/role title, company, email address, mobile/telephone number, postal address, country/region, and social/website handles. We also maintain consent status for communications (e.g., email/SMS opt-in/opt-out) with time-stamped records.

  1. Professional / Employment Data (applicants & business contacts)
    Employer, department, responsibilities, professional history; for job applicants, information you provide such as CV/resume, work history, certifications, references, portfolio links, and availability. Where permitted by law and disclosed at the point of collection, we may collect limited screening information necessary to evaluate your application (e.g., eligibility to work in the relevant country). We do not request sensitive documents via general website forms and ask applicants not to include unnecessary sensitive data. For job applicants, we provide a separate Candidate Privacy Notice explaining how we collect, use, disclose, and retain recruiting information. It is available wherever job applications are collected.

  1. Communications & Interaction Data (website, forms, chat, SMS, calls)
    Content of messages you send to us, form fields you submit, meeting/call scheduling details, and—in jurisdictions that allow it and with notice—call or meeting recordings for quality and training. For SMS/text messaging you opt into, we collect your mobile number, opt-in/opt-out events (e.g., STOP/HELP), delivery metadata, and timestamps. We send SMS via authorized telecommunications service providers and messaging carriers acting as our processors; message/data rates may apply; consent is not a condition of purchase. Where permitted by law, support or onboarding calls may be recorded after providing clear notice (e.g., pre-call IVR announcement or on-screen disclosure). Recordings are retained for approximately 90–180 days unless required longer for training, security, or compliance. If call recording is enabled, we announce it at the start of the call and obtain consent where required; recordings are retained per our schedule.

  1. Internet / Device / Online Activity Data (Cookies & Similar Tech)
    IP address, device and browser type/version, operating system, language, referring/exit pages, general location derived from IP, session identifiers, page views, clicks, and time-on-page. We use cookies, pixels, and SDKs to operate the site and, with consent where required (e.g., EU/UK and Québec), to measure and improve performance. In strict regions (EU/UK/Québec), non-essential cookies are off by default until you opt in. In the U.S. and the rest of Canada, we display a banner with Accept / Reject / Manage and honor Global Privacy Control (GPC) where required. A persistent Cookie Settings link allows you to change choices at any time.

  1. Commercial & Preference Data
    Records of products/services viewed, requested quotes, subscription choices (email/SMS preferences), campaign interactions, and your chosen cookie/privacy settings. We may also note internal attributes (e.g., account segment, plan or driver-count tier) to deliver appropriate information and services.

  1. Sensitive / Special Categories (limited & purpose-bound)
    We do not intentionally collect special-category data (e.g., health, biometric, precise geolocation) via public website channels. If such data is provided inadvertently, we will handle it securely and delete or restrict it when not necessary. We do not use or disclose Sensitive Personal Information to infer characteristics; any processing is limited to essential service delivery, security/fraud prevention, or legal compliance.

  1. CALIFORNIA & U.S. STATE NOTICE AT COLLECTION

The following table is provided to comply with the California Consumer Privacy Act (CPRA) and similar U.S. state privacy laws. It summarizes the categories of personal information we collect, the purposes for collection, our retention periods, and whether we “sell” or “share” personal information.

| Category | Examples | Sources | Purposes | Retention | Sold? | Shared for Targeted Ads? |
| --- | --- | --- | --- | --- | --- | --- |
| Identifiers | name, email, phone, IP, device ID | you; device; service providers | service delivery; communication; security; analytics (consent where required) | see Section 9 | No | No |
| Commercial Information | service tier, quotes, purchase history | you | account management; service operations | see Section 9 | No | No |
| Internet/Activity Data | pages viewed; session logs; cookie IDs | device | analytics/performance; security | 13 months (analytics IDs) | No | No |
| Approx. Geolocation | IP-based region/city | device | geobanner compliance; security | transient | No | No |
| Employment Data | resume, job application info | you | recruiting | varies by purpose (see Section 9) | No | No |
| Inferences | none | | | | No | No |

  1. HOW WE COLLECT DATA

We collect personal information through the following channels and methods:

  1. Directly from you
  • Website and landing-page forms, chat widgets, email replies, calendar/scheduling tools, customer portals.
  • SMS/text programs that you opt in to (e.g., dispatch alerts, scheduling). Opt-in/opt-out events (STOP/HELP), timestamps, and delivery metadata are recorded for compliance.
  • Event registrations, webinar sign-ups, and job applications (including documents you provide).
  • Business communications with our sales, operations, recruiting, or account teams.
  1. Automatically (online identifiers & telemetry)
  • Cookies, pixels, SDKs, and server logs collect device/browser data (IP address, user-agent, OS, language, referrer/UTM, session IDs), pages viewed, and interactions.
  • In EU/UK and Québec, non-essential cookies are off by default until you give explicit consent. In the U.S. and the rest of Canada, we show a banner with Accept / Reject / Manage and honor Global Privacy Control (GPC) signals where required.
  • We use IP-based region detection (and, where applicable, browser locale) to present the correct consent experience; we also provide a Cookie Settings link to revise choices anytime.
  1. From third parties (as permitted by law and your settings)
  • Service providers (e.g., hosting, analytics, CRM, form processors, consent platforms) acting on our instructions.
  • Authorized messaging carriers and telecommunications service providers who deliver our SMS; they process limited routing/delivery metadata as our processors.
  • Lead sources/partners and social platforms when you interact with our posts or ads (aggregate metrics and, where you consented, contact details).
  • Referrals from customers, partners, or vendors (B2B context). We expect referrers to share only business contact details with proper notice/authority.
  1. Data minimization. We only collect information that is reasonably necessary for the stated purposes and avoid unnecessary sensitive data. If sensitive data is provided inadvertently, we secure it and restrict or delete it when not needed.

  1. HIPAA disclaimer. Our services are not intended to receive Protected Health Information (PHI) under HIPAA. Please do not submit PHI through public forms or support channels.

  1. Biometric disclaimer. We do not collect or use biometric identifiers. If this changes, we will provide a dedicated Biometric Notice and follow all applicable consent and retention laws.

  1. HOW WE USE DATA (PURPOSES)

We use personal information for the purposes below. Where required by law, we obtain your consent first (e.g., EU/UK GDPR, Québec Law 25, CASL, TCPA/CTIA).

  1. Provide, operate, and improve our websites and services
  • Run core site features, portals, forms, document workflows, reminder engines, and (if you opted in) SMS notification programs.
  • Diagnose and fix errors, ensure availability, load-balance traffic, and secure systems.
  • Conduct product research, testing, quality assurance, and usability improvements.
    Legal bases: performance of contract (EU/UK), legitimate interests (site operation, security, product improvement), or consent where required (non-essential cookies, SMS).
  1. Communicate with you (B2B operations and marketing)
  • Respond to inquiries, demos, quotes, onboarding, and account notices.
  • Send newsletters, updates, event invitations, and offers only with consent where required (CASL in Canada; opt-in in EU/UK) or on legitimate interests where permitted in a B2B context (with easy unsubscribe).
  • SMS/text for alerts, scheduling, verification, and limited informational updates only if you opted in; message frequency varies; message/data rates may apply; STOP to opt out; HELP for help. Consent is not a condition of purchase.
    Legal bases: consent (email/SMS marketing where required), legitimate interests (B2B outreach where permitted), performance of contract (service notices).

  1. Security, fraud prevention, and abuse prevention
  • Authenticate users, enforce roles/permissions, detect malicious activity, and protect accounts and platforms.
  • Monitor for suspicious behavior, enforce Acceptable Use, and investigate incidents.
    Legal bases: legitimate interests (security), compliance with legal obligations; vital interests in rare safety scenarios.
  1. Analytics, performance measurement, and personalization
  • Measure site traffic, campaign performance, and feature adoption.
  • Personalize content or experiences only within the choices you set in Cookie Settings.
    Legal bases: consent where required for non-essential cookies/trackers; legitimate interests for first-party, privacy-preserving analytics where permitted.
  1. Legal, regulatory, and contractual compliance
  • Maintain business records, consent logs (email/SMS), and audit trails.
  • Manage disputes, enforce agreements, respond to lawful requests, and comply with sectoral, telecom, privacy, or employment laws that apply to our operations.
    Legal bases: legal obligations; establishment, exercise, or defense of legal claims; legitimate interests in compliance.
  1. Aggregation, de-identification, and statistics
  • Create aggregated or de-identified insights (e.g., non-identifying usage trends) to improve services. We do not attempt to re-identify de-identified data.
    Legal bases: legitimate interests; where required, consent.
  1. Automated decision-making
  • We do not use automated decision-making that produces legal or similarly significant effects without human involvement. If we introduce such processing, we will provide required disclosures and choices in your region before activation.
  1. Direct marketing & opt-out/opt-in rules (by region)
  • Canada (CASL): We send commercial electronic messages with express consent or within CASL’s permitted implied-consent scenarios; every message includes an unsubscribe mechanism.
  • United States (TCPA/CTIA): We send SMS only with opt-in; STOP/HELP supported; consent is not a condition of service.
  • EU/UK (GDPR/PECR): Email/SMS marketing requires opt-in; you can withdraw consent anytime.
  • Australia/NZ: We follow the Spam Act 2003 (AUS) and Unsolicited Electronic Messages Act 2007 (NZ) requiring consent and functional unsubscribe.
  • No “sale” or “sharing” of personal information. We do not sell personal information and do not share personal information for cross-context behavioral advertising as those terms are defined by applicable U.S. state privacy laws (e.g., CPRA). If our practices change, we will update this Policy and provide any required controls (e.g., a “Do Not Sell/Share My Personal Information” link for applicable jurisdictions) before such processing begins.
  1. De-Identified Data (CPRA Compliance)

Where we use or disclose de-identified data, we (i) maintain technical, administrative, and contractual measures reasonably designed to prevent re-identification; (ii) publicly commit not to attempt re-identification; and (iii) require any recipients to use such data only for de-identified purposes and not attempt re-identification.

  1. EMAIL & NEWSLETTER PROGRAMS

  1. Opt-in / Consent.
    We send marketing or promotional emails only: (a) with your express consent where required (e.g., CASL in Canada; EU/UK under GDPR/PECR; AUS/NZ spam laws), or (b) on legitimate interests in strictly B2B contexts where permitted by law and where you can easily opt out at any time.

  1. Unsubscribe.
    You may opt out of marketing emails at any time by clicking Unsubscribe in the message or by contacting privacy@logilinksolutions.com. We may still send transactional or service messages (e.g., quotes, account notices, service changes, security, or legal notifications). We process unsubscribe requests without delay and no later than ten business days from receipt, as required by CASL. We do not charge a fee, require you to provide additional personal information beyond your email address, or require any step other than sending your choice to us. All commercial electronic messages identify Logilink and include valid contact information (mailing address and at least one of telephone number, email address, or web address) as required by CASL.

  1. Preference management.
    Where available, you can use our Email Preferences link to choose specific topics or frequency. Changes take effect promptly, but please allow reasonable processing time.

  1. Tracking & analytics.
    Our emails may contain a pixel or unique link to measure delivery, opens, clicks, and device or approximate location derived from your IP at open time. This helps us detect deliverability issues and improve content. If you prefer not to be tracked, you may disable images in your email client and avoid clicking links, unsubscribe, or adjust your Email Preferences.

  1. Data minimization & security.
    We keep only the information necessary to operate our email programs (e.g., address, consent status, unsubscribes, topic choices) and protect it with appropriate technical and organizational safeguards.

  1. Retention.
    We retain email subscription and consent/unsubscribe records for 24–36 months after your last interaction (or longer if required by law to demonstrate compliance), then delete or de-identify them.

  1. No sale/share.
    We do not sell personal information and do not share it for cross-context behavioral advertising. If our practices change, we will update this Policy and provide any required controls before such processing begins.

  1. SMS / TEXT MESSAGING
  1. Program name.
    Logilink SMS Alerts (includes operational notifications, scheduling/dispatch updates, verification codes, compliance reminders, and limited informational messages).

  1. Carrier/provider neutrality.
    We deliver messages through third-party telecommunications service providers and authorized messaging carriers acting as our processors. They may process limited routing and delivery metadata (timestamps, status, and short-term logs) solely to transmit and deliver your messages and to comply with carrier/industry rules.

  1. Opt-in methods (never pre-checked).
    You may opt in by:
  • Selecting an unchecked consent box next to the phone field on our forms,
  • Sending a keyword (e.g., JOIN) to our program number, or
  • Providing written or recorded verbal consent that we store in our systems.
    At opt-in, we display clear disclosures and links to this Policy.

  1. Required disclosures (at opt-in and on this page).
    Message frequency varies. Message & data rates may apply. Consent is not a condition of purchase or service. You can opt out at any time.

  1. Opt-out & help.
  • Text STOP to cancel all SMS from the program (we may send one final confirmation).
  • Text HELP for help information.
  • Or contact support@logilinksolutions.com to request removal.
    We maintain a suppression list to ensure opt-outs are honored.

  1. Permitted uses of SMS data.
    We use your mobile number and SMS interaction data to:
  • Send the messages you requested/consented to receive,
  • Manage opt-in/opt-out and preference records,
  • Prevent fraud/abuse and ensure service integrity, and
  • Satisfy telecom, legal, and carrier/industry compliance obligations (including audit requests).

  1. Prohibited content & compliance.
    We do not transmit illegal, abusive, harassing, hateful, deceptive, sexually explicit, or otherwise prohibited content. We follow applicable telecom, carrier, and industry guidelines (including STOP/HELP keyword handling, consent capture, and content restrictions). Violations may result in blocking or suspension of messaging.

  1. International support access (India).
    From time to time, vetted support personnel located outside your country (e.g., India) may access limited, ticket-specific SMS records solely to diagnose or resolve an issue. Such access is least-privilege, time-boxed, and logged, and only occurs where necessary and authorized. Cross-border access is protected by contractual, organizational, and technical safeguards.

  1. Security.
    We protect SMS data using appropriate safeguards (e.g., encrypted transport, access controls, activity logging, and periodic reviews). SMS consent and opt-out events are recorded with timestamps for compliance.

  1. Retention.
    SMS consent logs, delivery metadata, and opt-out records are retained for up to 24 months (or longer if needed for legal/regulatory purposes), then deleted or de-identified. We maintain granular consent records (date/time, source page or form, the exact disclosure text shown at the point of opt-in, IP or device identifier when applicable, and the number consented) to evidence compliance with U.S. TCPA and carrier/CTIA rules. We retain opt-in/opt-out and delivery metadata as set out in our retention schedule.

  1. Children’s privacy.
    Our SMS program is not intended for children under 16. We do not knowingly collect or send SMS to children under 13 (COPPA). If we learn we have such information, we will delete it.

  1. Regional rules (summary).
  • Canada (CASL): express consent required for promotional SMS; functional unsubscribe.
  • U.S. (TCPA/CTIA & state laws): opt-in required; STOP/HELP supported; frequency disclosure; consent not a condition.
  • EU/UK (GDPR/PECR): opt-in required; right to withdraw at any time.
  • AUS/NZ: consent and working unsubscribe required under local spam laws.

  1. WHEN WE SHARE INFORMATION

We disclose personal information only as described below and do not allow vendors to use it for their own marketing without your consent.

  1. Service providers / processors (on our instructions only)
    We engage third parties to help us operate, secure, and improve our services (e.g., hosting, storage, analytics/measurement, communications/SMS delivery, customer success tools, security/anti-fraud, email/newsletter platforms, consent/cookie management, form processors).
  • They act solely as our processors/service providers, must follow our documented instructions, and must implement appropriate technical and organizational measures.
  • Where required (e.g., EU/UK, Québec), we enter into data processing agreements, Standard Contractual Clauses (SCCs) or other valid transfer tools, and conduct transfer impact assessments / Law 25 cross-border assessments.
  • We maintain a list of key processors and will make it available upon request (subject to confidentiality).
  • We maintain a list of key sub-processors used for specific services. For enterprise clients, we will provide 30-day advance notice of material changes to sub-processors and allow reasonable opportunity to object based on legitimate privacy or security grounds.
  1. Affiliates
    We may share data with our corporate Affiliates (entities we control, are controlled by, or are under common control with) for internal business, support, and compliance purposes consistent with this Policy and applicable law. If Affiliates are in other countries, we apply appropriate safeguards (see “International transfers”).

  1. Professional advisors
    Law firms, auditors, accountants, or consultants under confidentiality obligations, solely for legitimate business, legal, tax, or risk-management purposes.

  1. Authorities and legal requests
    We may disclose information if we in good faith believe it is necessary to: (i) comply with lawful requests, court orders, or legal process; (ii) protect the rights, safety, or property of Logilink, our users, or the public; (iii) detect, prevent, or address fraud, security, or technical issues.
  • We assess each request to ensure it is valid, proportionate, and legally binding, and we limit disclosures to the minimum necessary.
  • Where legally permitted, we will notify the affected customer before disclosing.

  1. Business transfers
    If we engage in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred to the relevant parties, subject to this Policy and any additional required notices/consents.

  1. Aggregated and de-identified data
    We may share aggregated or de-identified insights that do not identify individuals. We do not attempt to re-identify such data.

  1. No sale or cross-context sharing
    We do not sell personal information and do not share personal information for cross-context behavioral advertising (as defined by U.S. state privacy laws). If our practices change, we will update this Policy and provide required controls (e.g., a “Do Not Sell/Share My Personal Information” link) before such processing begins.

  1. COOKIES & ONLINE TRACKING

We use cookies and similar technologies (e.g., pixels, SDKs, local storage) to operate our sites and—with consent where required—to understand usage and improve performance.

  1. Categories we use
  • Strictly Necessary – Essential for core functionality, security, load-balancing, and to honor your privacy choices. (Always active; not switchable.)
  • Functional – Remember preferences (e.g., language, form values) and enhance features.
  • Analytics / Performance – Measure traffic, session metrics, conversions, and diagnose issues.
  • Advertising / Retargeting – If/when deployed, used to deliver or measure ads and retargeting. We do not currently use cookies for cross-context behavioral advertising.
  1. Regional consent model & your choices
  • EU/UK & Québec (Law 25): Non-essential categories (Functional, Analytics, Advertising) are OFF by default until you give explicit consent.
  • U.S. & rest of Canada: We display a banner with Accept / Reject / Manage. We honor Global Privacy Control (GPC) where required. In U.S. states that recognize universal opt-out mechanisms (UOOM), we will honor recognized signals (e.g., GPC) for applicable processing.
  • Controls: On first visit you will see a cookie banner linking to Cookie Settings, where you can change choices at any time. You can also use browser settings to block or delete cookies. Our cookie banner provides Accept All / Reject Non-Essential / Manage Preferences with equal prominence and no pre-checked toggles.
  • Equal choice: Our banner presents equally prominent options to accept or reject non-essential cookies and to manage granular preferences.
  • Consent records: We store consent choices (category selections, region, timestamp, version) for compliance and honor them for at least 12 months, or as required by law, after which we may re-prompt (e.g., if vendors/purposes change).
  • We do not use “dark patterns” or manipulative design practices when presenting choices about cookies, tracking technologies, or privacy preferences.
  1. Pixels, SDKs, and tag behavior
  • We may use pixels/SDKs (e.g., for analytics) to understand engagement such as page views, scroll depth, and link clicks.
  • In strict regions, we block non-essential pixels/SDKs until you consent.
  • If we later enable Advertising/retargeting pixels, we will update this Policy and provide required opt-ins/opt-outs before they run.
  1. Consent mode & tag governance (implementation detail)
    We implement a consent framework that prevents firing non-essential tags until the appropriate consent signal exists (e.g., via a consent-management platform or comparable logic). For integrated tags, we use privacy-preserving consent modes (where available) to respect your selections across Analytics/Ads/Functionality/Security storage. If we deploy advertising technologies in the EU or UK, our consent banner and vendor integrations will support IAB Transparency & Consent Framework (TCF) v2.2, and such vendors will only operate after valid consent.

  1. Do Not Track / GPC
    Most browsers’ Do Not Track (DNT) signals are not standardized. We therefore do not respond to DNT, but we do honor GPC signals in jurisdictions where it is required or recognized.

  1. Retention & cookie list
    Cookie and tracker lifetimes vary (session to 24 months, unless otherwise required). For an up-to-date inventory of cookies/SDKs and their lifetimes, see our Cookie List page linked from Cookie Settings. We periodically review and update that list.

  1. Children and tracking
    Our sites are not directed to children under 16. We do not knowingly use non-essential cookies to track children. If you believe a child has been tracked, contact us and we will take appropriate steps.

  1. International transfers & third parties
    Where third-party analytics or functionality providers are located outside your jurisdiction (e.g., in the U.S. or elsewhere), transfers are protected by applicable transfer mechanisms (e.g., SCCs for EU/UK), Law 25 assessments (Québec), and contractual safeguards. Third parties are required to use data only to provide services to us and in accordance with applicable law and your chosen consent settings.

  1. DATA RETENTION

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, to comply with legal/regulatory obligations, to resolve disputes, and to enforce agreements. When information is no longer needed, we delete or de-identify it in accordance with our retention schedules and industry-standard destruction practices.

  1. Principles we follow
  • Purpose limitation & minimization: Keep only what is reasonably necessary.
  • Region-aware rules: Apply stricter requirements where they exist (e.g., EU/UK, Québec).
  • Deletion vs. de-identification: When feasible, we de-identify data for analytics and service improvement and do not attempt re-identification.
  • Backups: Deletion propagates to active systems promptly; immutable backups are overwritten on a scheduled rotation and are not re-processed except for disaster recovery or legal necessity.
  1. Illustrative retention ranges (operationally achievable)

Actual durations may vary by system and legal requirement; where multiple obligations apply, we use the longest applicable period or archive in restricted storage.

  • Website telemetry / analytics identifiers: up to 13 months (then delete or reset).
  • Cookie consent records: 12–24 months (re-prompt if vendors/purposes change).
  • Email marketing (opt-in/opt-out logs): 24–36 months after last marketing contact.
  • SMS opt-in/opt-out logs & delivery metadata: up to 24 months.
  • Sales inquiries / web forms: 12–24 months after last activity.
  • Contract, billing, tax, and dispute records: 7 years (or longer where local law requires).
  • Job applicant records: 24 months (longer if required by law or with consent).
  • Security logs (access/auth, admin actions, audit trails): 12–24 months (longer if under investigation).
  • De-identified aggregates: retained as needed for product improvement; we do not attempt to re-identify.
  1. Holds & exceptions
    If a deletion request is received or a scheduled purge is due while records are subject to a legal hold, audit, dispute, or investigation, we suspend deletion until the hold is lifted, then resume purge.

  1. Your choices
    You can request access, correction, deletion, or portability as described in Section 12. Where we act as a processor for a client, we will route your request to that client and assist them as required. Deleted data may remain in encrypted, immutable backups until those backups expire under our normal rotation schedule. Such data is not re-processed except for disaster recovery or legal obligations.

10) SECURITY

We implement administrative, technical, and physical safeguards appropriate to the sensitivity of the data and the risks of processing. While no system can be guaranteed 100% secure, we continuously improve our program and align to recognized frameworks.

A) Governance & policy
  • Security program: documented policies, roles, risk assessments, and executive oversight.
  • Access governance: least-privilege, role-based access control (RBAC), periodic access reviews, and multi-factor authentication (MFA) for administrative and remote access.
  • Vendor risk management: due diligence, data processing agreements, regional transfer tools (e.g., SCCs for EU/UK), Law 25 transfer assessments for Québec, and ongoing monitoring.
B) Technical controls
  • Encryption: TLS in transit; strong encryption at rest for data stores and backups; managed key rotation.
  • Network security: firewalls/WAF, network segmentation, rate limiting, anti-DDoS.
  • Endpoint & identity: hardened endpoints, MDM where applicable, enforced MFA, password/secret vaulting.
  • Application security (secure SDLC): design reviews, code reviews, SAST/DAST scanning, dependency checks (SBOM where available), change management with approvals, and staged deployments.
  • Logging & monitoring: centralized logs for access, administrative actions, authentication events, and security alerts; anomaly detection and alerting.
  • Data isolation: logical tenant isolation; environment separation (prod vs. non-prod).
  • Data loss prevention (as applicable): restricted exports, watermarking, row-level controls for sensitive data.
C) Operational controls
  • Vulnerability management: routine scanning and timely patching by severity (e.g., critical patches prioritized within an expedited window).
  • Penetration testing: periodic independent testing; remediation tracked to completion.
  • Backup & disaster recovery: encrypted backups, geographically separate storage, tested restore procedures, and target RPO/RTO objectives appropriate to the service tier.
  • Change & incident management: documented runbooks; segregation of duties for high-risk changes.

D) Support access & cross-border safeguards. Just-in-time, ticket-based support access (including vetted personnel located outside your country, such as India) is least-privilege, time-boxed, and logged; access is granted solely to resolve the specific issue and only with appropriate authorization.

E) Security incident & breach response
  • Detection & triage: 24×7 monitoring of critical systems; escalation on defined severities.
  • Containment, investigation, remediation: follow incident runbooks; preserve evidence; eradicate root cause; harden controls.
  • Notifications: We will notify affected clients/individuals and/or regulators without undue delay and within time frames required by law (e.g., GDPR 72-hour supervisory authority notice where applicable; Canada/U.S. breach-notice laws as applicable). Notifications include the nature of the incident, likely consequences, actions taken, and guidance on protective measures.
  • Cooperation: We cooperate with clients’ forensic and notification obligations where we act as a processor.

F) Training & awareness. Mandatory security and privacy training for personnel on hire and annually; targeted modules for engineers and support staff; simulated exercises (e.g., phishing, IR tabletop).

G) Customer responsibilities
Security is a shared responsibility. Customers should implement strong access controls, manage authorized users, protect credentials and devices, keep their own systems patched, and review configurations and audit logs regularly. We maintain required records of processing activities (RoPA) and apply privacy-by-design and privacy-by-default principles across our systems and services. We conduct Privacy Impact Assessments (PIA/DPIA) for high-risk activities and cross-border transfer assessments (including Québec Law 25 and EU/UK transfer assessments) to identify and mitigate risks.

11) INTERNATIONAL TRANSFERS

We operate primarily in Canada and the United States and may process personal information in these and other countries where we or our service providers and authorized sub-processors are located (which may include, for example, India for limited ticket-based support). Laws in those countries may differ from those in your jurisdiction and, in some cases, may be less protective. Your information may be accessible to courts, law enforcement, and national security authorities under lawful process in those countries.

To protect your information when it is transferred across borders, we use a combination of contractual, organizational, and technical safeguards, as summarized below.

A) Our transfer frameworks & legal bases (by region)

Canada (PIPEDA & provincial laws, incl. Québec Law 25).

  • We provide transparent notice of cross-border processing and ensure service providers offer comparable protection through written agreements.
  • For Québec (Law 25), before communicating personal information outside Québec, we conduct a documented privacy impact assessment (PIA) / cross-border transfer assessment evaluating (i) sensitivity, (ii) purposes, (iii) safeguards, and (iv) legal regime of the destination. We implement mitigations where required and ensure contractual protections.

European Union (GDPR) & United Kingdom (UK-GDPR/PECR).

  • Where personal data is transferred outside the EEA/UK to a country without an adequacy decision, we rely on EU Standard Contractual Clauses (SCCs) (Module(s) appropriate to the relationship) and, for the UK, the UK International Data Transfer Addendum (IDTA) or UK Addendum to the SCCs.
  • We perform Transfer Impact Assessments (TIAs) and apply supplementary measures (see Section C) to ensure an essentially equivalent level of protection.
  • Where strictly necessary and permitted, we may rely on Article 49 GDPR derogations (e.g., your explicit consent; performance of a contract at your request), but not for systematic, large-scale transfers.

United States (state privacy laws).

  • We treat cross-border disclosures to our processors under service-provider contracts with purpose limitations, confidentiality, and security obligations, and we restrict onward transfers to those consistent with our instructions.

Australia (Australian Privacy Act & APPs) and New Zealand (Privacy Act 2020).

  • We take reasonable steps to ensure overseas recipients do not breach the APPs (AUS) or Information Privacy Principles (NZ), including contractual obligations that mirror our privacy and security requirements.

B) Location transparency & data residency
  • Storage & processing locations. Core production systems are hosted in data centers located in Canada and/or the United States; support-related access may occur from other countries (e.g., India) on a least-privilege, time-boxed, logged basis tied to a support ticket.
  • Regional options. Where commercially available, we may offer regional data-hosting choices (e.g., Canada or U.S.) for certain products; if applicable to your account, your agreement or admin settings will reflect the chosen region.
  • Onward disclosures. Sub-processors must obtain our prior authorization and are bound by written data-processing terms and transfer safeguards equivalent to those described here.

C) Safeguards we apply to cross-border transfers

Contractual measures

  • Data Processing Agreements with processors/service providers, including purpose limitation, confidentiality, security, sub-processor flow-down, cooperation on data-subject rights, and deletion/return on termination.
  • SCCs / IDTA (UK) or other valid transfer tools where required.
  • Onward transfer restrictions and audit/cooperation clauses.

Organizational measures

  • Access on a need-to-know basis with role-based controls and MFA.
  • Training for personnel with access to personal information.
  • Vendor risk management, including due diligence, TIAs/PIAs, and periodic reviews.

Technical measures

  • Encryption in transit and at rest, key management, and (where feasible) application-level protections.
  • Pseudonymization/minimization and logical tenant isolation.
  • Logging and monitoring of administrative actions and access events.
  • Data segregation between environments (production vs. non-production).
  • Controls preventing non-essential cookies/trackers from loading without appropriate consent in strict regions (see Section 8).

D) Government and law-enforcement requests

We scrutinize third-party or government requests for data and respond only where legally required:

  1. verify legal validity and scope;
  2. require specific, targeted demands (no bulk access);
  3. challenge unlawful or overbroad requests where appropriate; and
  4. notify affected customers (where legally permitted) before disclosure.

We disclose the minimum necessary to comply with the request. We require government or law-enforcement requests to be specific and legally valid. We do not provide bulk or indiscriminate access and will challenge unlawful or overbroad requests where appropriate.

E) Your rights with respect to international transfers

Depending on your location, you may have the right to request:

  • information about transfer mechanisms that apply to your data;
  • a copy or summary of the relevant SCCs/IDTA or contractual protections (commercial terms may be redacted); and
  • to object to or withdraw consent for certain transfers where the legal basis is consent or legitimate interests (subject to our contractual obligations when we act as a processor).

To exercise these rights, contact our Privacy Office (see Section 1). Where we act as a processor/service provider for a client, we will promptly route your request to that client and assist them as required by law and contract.

  • Updates. We review our transfer mechanisms and safeguards periodically and will update this Section if we adopt new legal tools (e.g., updated SCCs/addenda) or change the list of countries involved in processing in a way that materially affects your rights or risks. Any material changes will be reflected in this Policy and, where appropriate, communicated to you.

12) YOUR PRIVACY RIGHTS

Your rights depend on where you live and how we are processing your information (as a controller/business vs. processor/service provider). Subject to applicable law, you may have the rights summarized below.

A) How to exercise your rights
  • Submit a request: Email privacy@logilinksolutions.com and include your name, contact details, country/region, and a description of your request (e.g., access, correction, deletion, portability, objection, opt-out).
  • Authorized agents: Where permitted, you may appoint an authorized agent. We will require evidence of the agent’s authority and may ask you to verify your identity directly with us.
  • Identity verification: To protect you, we may request additional information (e.g., email or phone verification, order/account identifiers, jurisdiction) before fulfilling a request. We will only use verification data to verify and log the request.
  • Timing: We will respond within the period required by law for your region (see Region-Specific Rights below). Where extensions are permitted (e.g., complex or voluminous requests), we will notify you and explain why.
  • Fees: We do not charge a fee to process your request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request as allowed by law.

Controller vs. Processor. If your data was provided to us by a client (e.g., your employer using our services), we act as that client’s processor/service provider. In that case, we will route your request to the client and assist them in responding as required by law and contract.

B) Your rights — by region

1) Canada (PIPEDA & provincial laws, incl. Québec Law 25)

You may have the right to access, rectify, and delete your personal information, and to obtain information about our use, disclosures, and cross-border transfers. You may withdraw consent to processing where consent is the legal basis. For Québec, you may have additional rights concerning profiling, automated decision-making, and cross-border assessments. We will respond within a reasonable time (often 30 days under PIPEDA) unless an extension is permitted.

2) United States (state privacy laws, e.g., CA/VA/CO/CT/UT/TX/OR/TN/NJ/MN/MD/IA/MT/NH/DE/NE)

Depending on your state, you may have the right to:

  • Know/Access the categories and specific pieces of personal information we collected.
  • Correct inaccurate personal information.
  • Delete personal information we collected from you.
  • Portability (obtain a portable copy).
  • Opt out of: (i) sale of personal information; (ii) sharing for cross-context behavioral advertising/targeted advertising; and (iii) certain forms of profiling that produce legal or similarly significant effects.
  • Limit the use and disclosure of Sensitive Personal Information (e.g., in California) to the purposes permitted by law.

How to opt out (U.S.): If we ever engage in “sale”/“share”/“targeted advertising,” we will provide a “Do Not Sell/Share My Personal Information” (or “Your Privacy Choices”) link and honor browser Global Privacy Control (GPC) signals where required.
Timing: Generally 45 days to respond (with a possible extension as allowed).
Appeals: If we deny your request, you may appeal within the timeframe set by your state; we will respond with reasons and how to contact your state regulator.

3) European Union & United Kingdom (GDPR / UK-GDPR, PECR)

You may have the right to access, rectify, erase, restrict processing, object to processing (including direct marketing), and data portability, as well as the right to withdraw consent at any time where consent is the legal basis. You may also have rights related to automated decision-making, including profiling, where it produces legal or similarly significant effects.
Timing: We generally respond within one month (extendable where permitted).
Complaints: You may lodge a complaint with an EU data protection authority or the UK ICO.

4) Australia (Australian Privacy Act & APPs) and New Zealand (Privacy Act 2020)

You may have rights to access and correct your personal information, and to complain to the relevant regulator if you are not satisfied with our response. We will respond within a reasonable period (NZ typically 20 working days for access requests). We take reasonable steps to ensure overseas recipients handle your information in accordance with local requirements (see International Transfers).

C) Direct marketing & cookies/online tracking choices

  • Email marketing: You can unsubscribe any time via the link in the email or by contacting us.
  • SMS/text: Reply STOP to opt out; HELP for help. Message frequency varies; message/data rates may apply; consent is not a condition of purchase.
  • Cookies/Tracking: Use the Cookie Settings link (in our banner/footer) to Accept, Reject, or manage category-level preferences. In EU/UK and Québec, non-essential cookies are off by default until you consent. We honor GPC where required.

D) Automated decision-making & profiling

We do not use automated decision-making that produces legal or similarly significant effects without human involvement. If we introduce such processing, we will update this Policy and provide required disclosures and choices (e.g., the right to obtain human intervention, express your point of view, and contest a decision).

E) Non-discrimination / non-retaliation (U.S.)

We will not discriminate or retaliate against you for exercising privacy rights (e.g., by denying goods/services, charging different prices, or providing different quality levels), except as permitted by law for bona fide financial incentive programs or differential pricing with required disclosures.

F) Appeals (how to escalate)

If we deny or partly deny your request, you may appeal by replying to our decision email with “Appeal” in the subject line. We will review and respond within the timeframe required by law (e.g., 45 days in certain U.S. states) and explain the basis for our decision. You may also contact your provincial/state or national privacy regulator if you are not satisfied.

G) Consumer Financial Incentives & Non-Discrimination (U.S. States)

We do not offer programs involving price or service differences tied to personal information (“financial incentives”). If we introduce such a program, we will provide a detailed notice describing the material terms, categories of personal information involved, opt-in/opt-out instructions, and how the value of the data is calculated. We do not discriminate against individuals for exercising privacy rights.

H) Important notes

  • Scope limits: Certain rights may be limited (e.g., to protect the rights of others, trade secrets, legal privilege, security, or where compliance would conflict with law).
  • Multiple roles: If we process your information both as controller (e.g., website marketing) and as processor (on a client’s instructions), we will fulfill controller-role requests directly and route processor-role requests to the relevant client and assist them as required.
  • Recordkeeping: We maintain logs of requests and our responses to demonstrate compliance.

13) JURISDICTION-SPECIFIC DISCLOSURES

A) Canada (PIPEDA, CASL & provincial laws incl. Québec Law 25)

  • Lawful basis & consent. We rely on consent or other lawful bases recognized by Canadian law (e.g., legitimate interests for certain B2B uses, legal obligations). You may withdraw consent at any time; this may affect our ability to provide some services.
  • CASL (commercial electronic messages). Marketing emails/SMS are sent only with express consent or under CASL-permitted implied consent scenarios. Every message identifies us and includes a functional unsubscribe (or STOP for SMS).
  • Cross-border transparency. Personal information may be processed outside Canada and may be accessible to foreign authorities under lawful process. See International Transfers for safeguards.
  • Québec Law 25 – profiling/ADM & PIAs. Before communicating personal information outside Québec, we conduct a cross-border assessment and apply contractual/technical safeguards. We do not use automated decision-making that produces legal or similarly significant effects without human involvement. If we introduce such processing, we will provide prior disclosures and rights.
  • Access & correction timelines. We respond within a reasonable time (commonly 30 days) or as otherwise permitted by law (extensions allowed for complex requests).
  • Regulators. If unresolved, you may contact the Office of the Privacy Commissioner of Canada (OPC) or your provincial regulator (e.g., Commission d’accès à l’information du Québec).

B) United States (Comprehensive State Privacy Laws)

(e.g., CA, VA, CO, CT, UT, TX, OR, TN, NJ, MN, MD, IA, MT, NH, DE, NE and similar laws)

  • Notice at collection (California). Categories we collect appear in Section 2; purposes in Section 4; retention in Section 9. We do not sell personal information and do not share it for cross-context behavioral advertising. We do not use or disclose Sensitive Personal Information beyond purposes permitted by law (e.g., security, service provision). For California residents, our “Notice at Collection” summarizes categories, purposes, retention, and whether data is “sold” or “shared.”
  • Sensitive Personal Information. We do not use or disclose Sensitive Personal Information for purposes other than those permitted by applicable law (e.g., performing services you request, security and integrity of our systems).
  • Your rights. Depending on your state, you may have rights to access/know, correct, delete, portability, and opt-out of sale, sharing/targeted advertising, and certain profiling. See Section 12 for how to exercise rights and appeal a denial.
  • Opt-out mechanisms. If we ever engage in sale/share/targeted advertising, we will provide a “Do Not Sell/Share My Personal Information” (or “Your Privacy Choices”) link and honor Global Privacy Control (GPC) signals where required (e.g., CA/CO/CT).
  • Non-discrimination. We do not discriminate against you for exercising privacy rights, except as permitted for bona fide financial incentive programs with required disclosures.
  • Children’s data. We do not knowingly sell/share PI of consumers under 16. If our practices change, we will obtain required opt-in for 13–15 and parental consent under COPPA for under 13.
  • Nevada. Nevada consumers may submit a sale opt-out request at privacy@logilinksolutions.com (we do not sell PI as defined by Nevada law).
  • Timelines. We generally respond within 45 days (extensible where permitted). Appeals are handled per state timelines; regulator contact info will be provided in an appeal denial.

C) European Union (GDPR/ePrivacy)

  • Controller & legal bases. For our website/marketing, Logilink acts as a controller and processes personal data based on consent, contract necessity, legitimate interests, or legal obligations (see Section 4 for details).
  • Cookies/consent. Non-essential cookies are off by default until you consent. You may withdraw consent at any time via Cookie Settings without affecting the lawfulness of prior processing.
  • Transfers. For transfers outside the EEA, we use SCCs and supplementary measures following a Transfer Impact Assessment (TIA) (see International Transfers).
  • Your GDPR rights. Access, rectification, erasure, restriction, portability, and objection (including to direct marketing), plus the right to withdraw consent. We respond within one month (extensions permitted). You may lodge a complaint with your EU Data Protection Authority.

D) United Kingdom (UK-GDPR & PECR)

  • Legal bases and cookies. Same as EU; PECR requires opt-in for non-essential cookies and for direct marketing to individuals (B2C); B2B marketing must meet legitimate interest standards with easy opt-out.
  • Transfers. We rely on SCCs with the UK Addendum or the UK IDTA plus supplementary measures after a transfer assessment.
  • Rights & complaints. Same as EU; complaints may be lodged with the Information Commissioner’s Office (ICO).

E) Australia (Privacy Act 1988 & Australian Privacy Principles)

  • Collection & use. We collect personal information for purposes described in Section 4 and take reasonable steps to ensure information is accurate, up to date, and complete.
  • Overseas disclosure. Before disclosing personal information overseas, we take reasonable steps to ensure the recipient does not breach the APPs (contractual and technical safeguards).
  • Access & correction. You may request access or correction; we respond within a reasonable period. Complaints may be directed to us first and then to the Office of the Australian Information Commissioner (OAIC) if unresolved.
  • Direct marketing. We will provide a simple opt-out. For electronic marketing, we comply with the Spam Act 2003.

F) New Zealand (Privacy Act 2020)

  • Collection notices. We collect personal information outlined in Section 2 for the purposes in Section 4.
  • Overseas disclosures. We take steps to ensure recipients are subject to comparable safeguards or contractual controls aligned with Information Privacy Principle 12.
  • Access & correction. You have rights to access and correct your personal information. We endeavor to respond within 20 working days.
  • Unsolicited Electronic Messages Act 2007. We obtain consent for electronic marketing and provide a functional unsubscribe.

G) Contacting regulators (by region)

If your concern remains unresolved after contacting us (privacy@logilinksolutions.com), you may contact your local regulator, for example:

  • Canada: Office of the Privacy Commissioner of Canada (OPC) / provincial commissioners (e.g., Québec CAI)
  • U.S.: Your state Attorney General or privacy regulator
  • EU: Your national Data Protection Authority (DPA)
  • UK: Information Commissioner’s Office (ICO)
  • Australia: Office of the Australian Information Commissioner (OAIC)
  • New Zealand: Office of the Privacy Commissioner (OPC NZ)

H) Future changes

If we expand into additional jurisdictions or our practices materially change (e.g., commence “sale/share” or deploy advertising cookies), we will update this Policy and provide any required notices/controls before such processing begins.

14) CHILDREN’S PRIVACY

A) Scope & intent
Our websites, portals, and programs are not directed to children and are intended for business and adult users. We do not knowingly collect personal information from children.

B) Age thresholds by region

  • United States (COPPA): We do not knowingly collect personal information from children under 13.
  • EU/UK (GDPR/UK-GDPR): Where consent is required for online services, the digital consent age varies by country (generally 16 but may be 13–16 depending on the member state). We do not offer services to children and do not knowingly process children’s data without appropriate parental authorization where legally required.
  • Canada (incl. Québec Law 25), Australia, New Zealand: We treat minors’ data as sensitive and apply heightened safeguards; we do not target services to children nor knowingly collect children’s data without required parental/guardian authorization under local law.

C) No targeted advertising or sale/share of minors’ data
We do not sell personal information and do not share it for cross-context behavioral advertising. We do not knowingly use tracking for targeted advertising to minors. If our practices ever change, we will implement legally required opt-ins/opt-outs and notices before such processing begins.

D) Parental/guardian rights & how to contact us
If you believe a child has provided us personal information, or that we have inadvertently collected information from a child:

  1. Contact: privacy@logilinksolutions.com with “Children’s Privacy” in the subject and details (child’s approximate age, the context/URL, and your relationship to the child).
  2. Actions we take: We will promptly review, delete the information if confirmed, and terminate the related account or interaction unless a lawful basis (e.g., safety or legal obligation) requires limited retention.
  3. Verification: To protect children, we may request limited information to verify the requester is a parent or legal guardian (we use any verification data only for that purpose).
  4. Records: We keep minimal logs of the request and our response for compliance purposes.

E) School/organization submissions
If a school or employer uploads information about a minor (e.g., for identity verification or compliance) in a context where the school/employer is the controller and has obtained any required consents/authorizations, we process such information solely on that organization’s documented instructions (as a processor/service provider) and apply heightened protections. Individuals/guardians should submit requests to that organization; we will assist them as required.

F) Cookies & tracking for minors
We do not knowingly set non-essential cookies or similar tracking technologies for minors. Where consent is required (e.g., EU/UK, Québec), non-essential cookies are off by default until a valid consent signal is received from an adult user.

G) Profiling & automated decisions
We do not engage in profiling or automated decision-making that produces legal or similarly significant effects for children. If we ever offer youth-oriented features, we will provide prior notices, obtain required authorizations, and enable appropriate controls.

H) Updates
If laws or guidance on children’s privacy change, we will update this Section and, where appropriate, provide additional notices or obtain required consents.

15) THIRD-PARTY LINKS, EMBEDS & SERVICES

Our websites and communications may include links to or embedded features from third parties (for example: social networks, maps, fonts, videos, scheduling tools, analytics, survey forms, applicant-tracking systems, and identity providers for single sign-on). This Privacy Policy does not apply to those third-party properties or their practices. We encourage you to review the privacy policies and terms of any third party you interact with.

A) Types of third-party interactions you may encounter

  • Links out to external sites (e.g., documentation, social profiles, client or partner pages).
  • Embedded content or widgets (e.g., map tiles, video players, fonts, chat/scheduling iframes, social share/like buttons).
  • Single Sign-On (SSO) / identity providers (if enabled) that authenticate you to our portals.
  • Recruiting & forms hosted by vendors (e.g., applicant tracking, surveys, event registration).
  • Payment, billing, or invoicing processors (if applicable to specific services or transactions).

B) Independent collection & tracking by third parties
When you click a link or interact with an embed, the third party may collect information independently from you and your device (e.g., IP address, user-agent, cookie identifiers, page URL, time/date, and interaction data), including through cookies, pixels, SDKs, or similar technologies. In strict regions (EU/UK/Québec), non-essential third-party embeds are blocked until you provide consent via Cookie Settings; elsewhere, you may still control them through Cookie Settings and your browser.

C) No endorsement; separate responsibilities
Links or embeds are provided for convenience and functionality. They do not imply endorsement of the third party, nor do they create any joint-controller relationship unless we explicitly say so. Third parties are responsible for their own security, privacy, and compliance obligations.

D) Controller vs. processor context

  • When you leave our site and visit a third-party property, that party typically acts as a controller of your information.
  • If you access a client-hosted portal from our site (e.g., your employer’s system), your employer or the portal owner is the controller, and we process data only as their processor/service provider where applicable (see Section 1 and Section 12).

E) International transfers by third parties
Third-party providers may process data in countries outside your jurisdiction. Review their policies to understand transfer mechanisms (e.g., SCCs, UK Addendum/IDTA) and safeguards.

F) Your choices & controls

  • Use our Cookie Settings to manage non-essential third-party tags/embeds where available.
  • Adjust your browser settings to block third-party cookies or trackers.
  • Manage platform controls on social networks and identity providers (ad preferences, visibility, account settings).
  • If you sign in via SSO, you can typically revoke our app’s access within your identity provider’s settings.

G) Security & incidents
We do not control—and are not responsible for—the security practices of third-party sites or services. If you believe a third party linked or embedded from our site has misused your information, contact that third party directly and notify us at privacy@logilinksolutions.com so we can assess whether additional steps are appropriate.

H) Changes to third-party usage
If we materially change which third-party services we integrate (for example, enabling new advertising pixels), we will update this Policy and, where required, seek consent or provide opt-out mechanisms before such technologies run.

16) CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or our data practices. The “Effective Date” at the top shows the most recent revision, and we maintain an archive of prior versions upon request.

A) What counts as a “material change”
We treat a change as material when it meaningfully affects how we collect, use, disclose, retain, or protect personal information, including (for example):

  • Introducing new categories of personal information or new purposes of processing;
  • Enabling advertising/retargeting technologies or beginning any “sale” or “share” of personal information as defined by U.S. state laws;
  • Expanding international transfers to additional countries with different risk profiles;
  • Changing your choices/controls (e.g., cookie categories, opt-out options) or our legal bases;
  • Adopting materially different security or retention practices.

B) How we will notify you
For non-material updates (clarifications, formatting, administrative edits), we will post the updated Policy with a new Effective Date.
For material updates, we will provide prominent notice by one or more of:

  • A banner or interstitial on our website/portal;
  • Email or in-product notification (if we have your contact details);
  • Just-in-time notices at the point of collection or within affected features.

C) When consent or re-consent is required
If a change requires consent (e.g., enabling non-essential cookies in EU/UK/Québec; starting new marketing uses; enabling “sale/share/targeted advertising” in certain U.S. states), we will seek fresh consent before that processing begins. For cookies/trackers, we will re-prompt the banner/preferences and block non-essential tags until consent is captured.

D) Region-specific notice expectations

  • EU/UK (GDPR/PECR): We will provide clear notice and obtain new opt-in where required (e.g., new non-essential cookies/purposes).
  • Canada (incl. Québec Law 25): We will provide meaningful notice of significant changes and obtain new consent where the change is material to the purpose or adds new cross-border risks.
  • United States (state privacy laws): If we begin any sale, sharing, or targeted advertising, we will update this Policy and provide required controls (e.g., “Do Not Sell/Share”) before such activities start.
  • Australia / New Zealand: We will give reasonable notice of significant changes and obtain consent where required by law.

E) Versioning & archive
We keep internal records of Policy versions (content, Effective Date, and change summary). On request, we can provide the prior version most relevant to your interaction period, subject to confidentiality where applicable.

F) Your continued use
Where legally permitted, your continued use of our websites or services after the Effective Date constitutes your acknowledgment of the updated Policy. This does not waive rights to withdraw consent, opt out, or exercise other rights at any time (see Section 12).

G) How to ask questions about changes
If you have questions about an update, contact our Privacy Office at privacy@logilinksolutions.com. If a change materially impacts your rights and you disagree, you may choose to adjust your preferences (e.g., Cookie Settings) or exercise applicable rights under Section 12.

17) CONTACT US

If you have questions or concerns about this Privacy Policy or our data practices—or if you wish to exercise your privacy rights—please contact us using one of the methods below.

Primary contact (Privacy Office / Privacy Officer – Canada):

  • Email: privacy@logilinksolutions.com
  • Mail (Canada HQ): Logilink Solutions Inc., 10-4255 Sherwoodtowne Blvd, Mississauga, ON L4Z 1Y5, Canada
  • Mail (U.S. operations): Logilink Solutions Inc., 7901 4th St N #5551, St. Petersburg, FL 33702, USA

Security & incident reporting (vulnerabilities or suspected misuse):

  • Email: privacy@logilinksolutions.com
    Please do not include sensitive information beyond what is necessary to describe the issue.
  • EU/UK representative: EU/AUS/NZ inquiries: We are finalizing appointment of an EU and UK representative under Article 27 GDPR/UK-GDPR. Until announced, please contact our Privacy Office; we will route to the appropriate contact for your jurisdiction.

We will route region-specific requests to the appropriate contact and respond within the timeframes required by law (see Section 12).

What to include in your request

To help us locate your records and verify your identity, please provide:

  • Your full name, email address, phone number (if you used it with us), and country/region;
  • A brief description of your request (e.g., access, correction, deletion, portability, opt-out, cookie preferences);
  • If you are an authorized agent, include written authorization and any information we need to verify both you and the consumer you represent.

We use any verification data only to verify and log the request (see Section 12).

Accessibility & language

Upon request, we can provide this Policy or our response in accessible formats or alternative languages where reasonably available. Contact privacy@logilinksolutions.com for assistance. We aim for WCAG 2.1 AA conformance for this Policy and our request forms. Upon request, we will provide alternative formats or assistance at no charge.

Complaints & escalation

If you believe we have not addressed your concern, you may escalate by replying to our decision email with “Appeal” in the subject (see Section 12 – Appeals). You may also contact your local privacy regulator (examples listed in Section 13 – Jurisdiction-Specific Disclosures) if your concern remains unresolved.

SMS program notes

For our SMS programs, you may opt out at any time by replying STOP to any message. For assistance, reply HELP or email privacy@logilinksolutions.com. Message frequency varies; message & data rates may apply.

Effective Date: As shown at the top of this Policy.
Versioning & prior copies: We maintain an archive of prior versions and can provide the version applicable to your interaction period upon request.

APPENDIX A — COOKIE & TRACKING DETAILS (EXEMPLARY)

| Category | Cookie / Tech (example) | Provider | Purpose (what it does) | First / Third Party | Region Default (EU/UK/QC → OFF; US/CA-RoW → banner) | Lawful Basis (if needed) | Lifetime (max) | Sends Data Cross-Border?* | Notes (consent tag, scope, etc.) |
|---|---|---|---|---|---|---|---|---|---|
| Strictly Necessary | __cf_bm, __cfduid, cf_clearance | Cloudflare | Bot mitigation, CDN, rate-limit | Third | ON (essential) | Legitimate interests / necessary for service | 30m – 1y | Yes (varies) | Do not block; document in CMP as essential. |
| Strictly Necessary | AWSALB, AWSALBCORS | AWS | Load balancing / session stickiness | Third | ON | Legitimate interests | 7d | Yes | Infra cookies only. |
| Strictly Necessary | __Host-session, __Secure-* | Logilink | Auth session, CSRF protection | First | ON | Contract / Legitimate interests | Session | Possibly | Ensure Secure + HttpOnly. |
| Functional | site_pref, cookie_consent_* | Logilink | Save language & cookie choices | First | OFF in EU/UK/QC until explicit consent (except preference storage which may be functional) | Consent / Legitimate interests (prefs) | 6–12m | No | Show in CMP “Functional.” |
| Functional | reCAPTCHA (_GRECAPTCHA) | Google | Abuse prevention on forms | Third | OFF until consent in strict regions (or load after user interaction with just-in-time notice) | Consent / Legitimate interests (security) | 6m | Yes | Security tool—document clearly. |
| Analytics | gtm (Consent Mode v2) | Google Tag Manager | Tag governance, consent signaling | First/Third | BLOCKED until consent in strict regions | Consent | n/a | Yes | Implement Consent Mode: ad_storage, analytics_storage, etc. |
| Analytics | GA4 (_ga, _ga_XXXX, _gid) | Google Analytics | Site & event analytics | Third | OFF until consent in EU/UK/QC | Consent | up to 13m | Yes | Enable IP anonymization; modelled conversions only if allowed. |
| Analytics | CLID, ANONCHK, MUID (Clarity) | Microsoft Clarity | Session replay & UX diagnostics | Third | OFF until consent in EU/UK/QC | Consent | 1y (var.) | Yes | High scrutiny; consider privacy mode. |
| Analytics | hjSession*, _hjIncludedInSessionSample | Hotjar | Session analytics & sampling | Third | OFF until consent in EU/UK/QC | Consent | 1y | Yes | Respect Do-Not-Track where set. |
| Advertising / Retargeting | ads/ga-audiences, IDE, NID | Google Ads | Remarketing, ad performance | Third | OFF until explicit opt-in; DISABLED by default if no ads | Consent | 90d–13m | Yes | Only deploy if ads used; add “Do Not Sell/Share” if applicable. |
| Advertising / Retargeting | _fbp (Meta Pixel) | Meta | Audience building & attribution | Third | OFF until opt-in | Consent | 90d | Yes | Honor GPC; enable Limited Data Use if relevant. |
| Advertising / Retargeting | _uetsid, _uetvid (Bing) | Microsoft Ads | Conversion & retargeting | Third | OFF until opt-in | Consent | 1d–13m | Yes | Map to “Advertising” category. |
| Advertising / Retargeting | li_fat_id, li_gc (LinkedIn Insight) | LinkedIn | B2B attribution, retargeting | Third | OFF until opt-in | Consent | 6–24m | Yes | Disable “enhanced” until consent. |
| Communications | intercom-* / hubspotutk | Intercom / HubSpot | Live chat / CRM tracking | Third | OFF until consent in strict regions | Consent | 6–13m | Yes | Classify as Functional or Analytics depending on mode. |
| Performance | _vwo* / _opt_* | VWO / Optimizely | A/B testing & performance | Third | OFF until consent in strict regions | Consent | 6–12m | Yes | Use server-side testing to reduce tracking where possible. |

* Cross-border note: Many third-party providers process data in the U.S. or other countries. See International Transfers (Section 11) for safeguards (SCCs/IDTA, TIAs/PIAs, technical measures).

CMP & Tag Governance (implementation checklist for your devs)

  1. Consent Banner (geo-aware):
     • EU/UK/Québec: Non-essential OFF by default. Buttons: Accept All / Reject All / Manage (equal prominence).
     • U.S./Rest of Canada: Banner + Manage; honor GPC where required.
     • Permanent Cookie Settings link in footer.
  2. Consent Mode v2 (GTM):
     • Respect and set: ad_storage, analytics_storage, functionality_storage, security_storage, personalization_storage.
     • Block non-essential tags until consent. Fire ads/analytics only on allowed states.
  3. GPC & Opt-Out:
     • If you ever enable ad “share/targeted advertising,” add “Do Not Sell/Share” link for U.S. visitors and honor GPC.
  4. Re-Prompt Rules:
     • Re-prompt on vendor/purpose changes or after 12 months. Store consent version + timestamp.
  5. Recordkeeping:
     • Log: region, choices, banner version, and time. Retain 12–24 months (see Section 9).

Version Control & Ownership

  • Owner: Privacy Office + Web Engineering.
  • Review cadence: Quarterly, or on any vendor change.
  • Change log: Record date, what changed (cookie added/removed), new lifetimes, and consent category.

APPENDIX B — DATA SUBJECT REQUEST (DSR) PROCESS (SUMMARY)

Use this operational checklist internally; publish the high-level version if desired. It aligns with PIPEDA/Québec Law 25, GDPR/UK-GDPR, U.S. state privacy laws, AUS APPs, and NZ Privacy Act 2020.

1) Intake & Logging

  • Channels: privacy@logilinksolutions.com, web form, or postal mail (see Section 17).
  • Ticketing: Assign unique request ID; record date/time, requester identity, jurisdiction (if provided), request type(s) (access, correction, deletion, portability, objection/opt-out, restriction, appeal).
  • Acknowledgment: Confirm receipt and target timeline for the requester’s region.

2) Identity Verification (and Agent Authorization)

  • Match email/phone to known records; use one-time verification (email link or SMS code) when appropriate.
  • For authorized agents, require signed authorization and, where required by law, direct verification by the consumer.
  • Minimize data collected for verification and use it only for that purpose. Log verification result.

3) Controller vs. Processor Routing

  • Determine whether the request concerns data where Logilink is controller (e.g., website, marketing, recruiting) or processor/service provider (client data in our platforms).
  • If processor, route to the client controller promptly and assist under the DPA/SCCs/IDTA (do not act beyond instructions). Log the hand-off and client acknowledgment.

4) Scoping & Collection

  • Identify relevant systems (CRM, marketing, email, SMS logs, support, product databases, backups/archives).
  • Exclude data that is not subject to disclosure (e.g., trade secrets, proprietary security logs) or is out of scope.
  • Minimize exposure of third-party data (redact others’ identifiers in free-text fields).

5) Fulfillment by Request Type

  • Access/Know: Provide a copy or summary of personal data, collection sources, purposes, categories, recipients, transfers, and retention periods.
  • Correction/Rectification: Correct inaccurate data; if contested, note the dispute as required.
  • Deletion/Erasure: Delete data from active systems; place suppression flags to prevent re-ingestion; allow for lawful exceptions (e.g., legal obligations, security incidents, billing/tax). Ensure deletion propagates to derivatives where feasible; allow backup delay until rotation.
  • Portability: Provide data in a structured, commonly used, machine-readable format (e.g., CSV/JSON).
  • Restriction/Objection (EU/UK): Implement restriction flags where applicable; cease direct marketing upon objection.
  • Opt-Outs (U.S. states): If ever applicable, process opt-outs of sale, sharing/targeted advertising, and certain profiling; honor GPC signals where required.

6) Timelines (by region)

  • EU/UK: 1 month to respond (extendable where permitted).
  • Canada (PIPEDA/Québec): Respond within a reasonable time (often ~30 days), extensions allowed.
  • U.S. state laws: Generally, 45 days (extendable as permitted); include appeal instructions on denial.
  • Australia/NZ: Respond within a reasonable period; NZ access requests typically 20 working days.

7) Denials & Exceptions

  • Clearly document the basis (e.g., inability to verify identity, request excessive/unfounded, legal privilege, rights of others, security/fraud prevention, contractual constraints where we are processor).
  • Provide a brief explanation, appeal instructions (see below), and regulator contact details where required.

8) Appeals

  • If the requester disputes the outcome, allow an appeal via reply with “Appeal” in the subject.
  • Re-review by a senior privacy lead; respond within the legally required timeframe (e.g., 45 days in certain U.S. states).
  • Include regulator contact info if the appeal is denied.

9) Delivery & Security of Responses

  • Deliver via the requester’s verified channel (encrypted where appropriate).
  • Redact sensitive operational details (e.g., security configurations, secrets).
  • For large disclosures, provide secure download with expiry.
  • Do not email raw identifiers unencrypted; avoid sending to unverified addresses.

10) Recordkeeping & Retention

  • Maintain a DSR log (request ID, type, date, identity verification outcome, systems searched, disposition, date closed).
  • Retain DSR logs for 24–36 months (or longer if legally required) for audit/evidentiary needs.
  • Store minimal data necessary for suppression lists (e.g., hashed email for marketing opt-outs).

11) Operational Controls (keep current)

  • Playbooks: Up-to-date SOPs for each request type.
  • Training: Annual privacy/DSR training for staff handling requests.
  • Metrics: Track volume, cycle time, verification failures, and denials; review quarterly.
  • Testing: Periodic tabletop exercises to validate end-to-end DSR handling.
  • Change management: Update this Appendix on any new system, vendor, or jurisdictional change.

APPENDIX C — GLOSSARY

Personal Information / Personal Data
Information that identifies, relates to, describes, or can reasonably be linked to an identified or identifiable individual (natural person). Includes direct identifiers (e.g., name, email) and indirect identifiers (e.g., cookie IDs, IP address where linkable). Jurisdiction notes: “Personal data” (EU/UK), “personal information” (Canada, U.S., AUS, NZ). Excludes properly de-identified or anonymous information.

Controller / Business
The entity that determines the purposes and means of processing personal information. Called a controller (EU/UK), organization (AUS/NZ), and business (many U.S. state laws).

Joint Controllers
Two or more controllers that jointly determine purposes/means for a specific processing activity (EU/UK concept). Requires transparent allocation of responsibilities.

Processor / Service Provider
An entity that processes personal information on behalf of and under the instructions of a controller/business, pursuant to a written agreement with purpose limitations, confidentiality, security, sub-processor flow-down, assistance, and deletion/return terms. “Service provider” or “contractor” under U.S. state laws is analogous.

Sub-Processor / Sub-Contractor
A processor’s authorized downstream provider that processes personal information for the processor to deliver services to the controller/business, bound by contract with equivalent protections.

Sensitive Personal Information / Special Categories
Information that is granted heightened protection by law (definitions vary). Examples include: government ID numbers; precise geolocation; financial account credentials; biometric identifiers; union membership; health data; racial/ethnic origin; sexual orientation; religious or philosophical beliefs; contents of certain communications; data concerning children; and genetic data. We do not use Sensitive PI to infer characteristics outside permitted purposes.

De-Identified Data
Data that cannot reasonably be linked to an individual, provided reasonable measures are in place to prevent re-identification, public commitments not to attempt it, and contractual controls on recipients. (EU/UK often use “anonymized” when irreversibly de-identified.)

Anonymized Data (EU/UK sense)
Data that has been processed to irreversibly prevent identification by any party, taking into account all means reasonably likely to be used. Truly anonymized data is outside GDPR/UK-GDPR.

Pseudonymized Data
Data processed so it cannot be attributed to a specific individual without additional information kept separately and protected. Still personal information but with reduced risk.

Processing
Any operation performed on personal information (collecting, recording, organizing, structuring, storing, adapting, retrieving, using, disclosing, aligning, restricting, erasing, destroying, or transferring).

Sale (U.S. state privacy laws)
Broadly, exchange of personal information for monetary or other valuable consideration to a third party. (We state whether we “sell” in Section 4/13; if practices change, we provide opt-out.)

Share / Targeted Advertising (U.S. state laws)
Disclosure of personal information for cross-context behavioral advertising (profiling users across services to show ads). Triggers opt-out and GPC obligations in several states.

Profiling / Automated Decision-Making (ADM)
Automated processing of personal information to evaluate personal aspects (e.g., performance at work, economic situation, preferences). “ADM with legal or similarly significant effects” (EU/UK) requires special safeguards and rights (human review, contestation). We do not use ADM with such effects.

Consent
A freely given, specific, informed, and unambiguous indication of wishes (e.g., clear affirmative action) under EU/UK and many other laws. For CASL (Canada) and Spam Act 2003 (AUS)/UEMA 2007 (NZ), marketing consent must meet channel-specific standards. Consent can be withdrawn at any time.

Legitimate Interests
A lawful basis (EU/UK) where processing is necessary for a controller’s legitimate purposes (e.g., security, product improvement) balanced against the individual’s interests and rights; requires a balancing test.

Cookies / Pixels / SDKs / Local Storage
Technologies that store or access information on a device. Classified as Strictly Necessary, Functional, Analytics/Performance, and Advertising/Retargeting in our Policy and Appendix A. In EU/UK/Québec, non-essential categories are off by default until consent.

Global Privacy Control (GPC)
A browser/extension signal indicating a user’s preference to opt out of sale/sharing/targeted advertising. Honored where required by U.S. state laws.

Data Subject / Consumer / Individual
The person to whom personal information relates. Called data subject (EU/UK), individual/consumer (U.S.), individual (Canada/AUS/NZ).

Data Subject Request (DSR) / Consumer Request
A request from an individual to exercise rights (access, correction, deletion, portability, objection/restriction, opt-out). See Section 12 and Appendix C.

Data Protection Authority (DPA) / Regulator
Supervisory authority that oversees privacy laws (e.g., EU DPAs, UK ICO, Canada OPC/CAI, U.S. state AGs, AUS OAIC, NZ OPC).

Standard Contractual Clauses (SCCs) / UK IDTA or UK Addendum
Approved cross-border transfer mechanisms for exporting personal data from the EEA/UK to countries without adequacy. Often combined with supplementary measures and Transfer Impact Assessments.

Transfer Impact Assessment (TIA) / Cross-Border Assessment
A documented assessment of destination-country laws and risks, and the effectiveness of contractual/technical/organizational measures for international transfers (EU/UK; Law 25 in Québec requires a cross-border assessment).

Privacy Impact Assessment (PIA) / DPIA
An assessment of privacy risks and mitigations for processing activities, required for high-risk processing in EU/UK (DPIA) and for certain activities in Québec (Law 25) and other regions.

Acceptable Use Policy (AUP)
Rules governing permissible and prohibited behaviors when accessing our services (e.g., no malware, scraping, or unlawful content). Violations may result in suspension/termination.

Breach / Security Incident
A confirmed or reasonably suspected event that compromises confidentiality, integrity, or availability of personal information or the systems that process it. Notification duties vary by jurisdiction (e.g., GDPR 72-hour authority notice, Canadian breach reporting, U.S. state notice laws).

Children / Minors
Individuals under the applicable age threshold (e.g., under 13 in U.S. COPPA; 13–16 range for EU member states; often under 16 in our programs). We do not knowingly collect children’s data; see Section 14.

Consumer Financial Incentive (U.S.)
A program involving price or service differences related to personal information (e.g., loyalty). Requires notice of terms and an ability to opt out without discrimination.

Consent Management Platform (CMP)
A system that captures, stores, and signals users’ cookie/processing choices and prevents non-essential tags from firing until consent (critical in EU/UK/Québec).

Messaging Carriers / Telecommunications Service Providers
Third parties that deliver our SMS/text messages as processors. They handle limited metadata (timestamps, delivery status) to transmit messages and comply with telecom rules. (We remain provider-neutral.)

Suppression List
A minimal dataset (e.g., hashed email/number) retained to honor opt-out/unsubscribe requests and prevent re-contact.

Data Minimization
Collecting and retaining only what is reasonably necessary for the stated purposes, for no longer than needed.

Need-to-Know / Least Privilege
Access control principles granting personnel the minimum level of access necessary for their role, for the shortest time required.

Encryption in Transit / At Rest
Cryptographic protection for data moving between systems (e.g., TLS) and stored data (e.g., database or disk encryption with managed keys and rotation).

Role-Based Access Control (RBAC) / Multi-Factor Authentication (MFA)
Security controls that enforce who can access what based on job role, with additional authentication factors to reduce account compromise risk.

Retention Schedule
A policy that sets how long each data category is kept and how it is disposed of (deletion, de-identification), including backup rotation considerations.

This Glossary is designed to align with definitions used elsewhere in the Policy. Where a statute provides a stricter or more specific definition, that statute controls for residents of that jurisdiction.

        

End of Policy

©Logilink Solutions Inc. © Logilink LLC | All Rights Reserved | Confidential and Proprietary.