Privacy Policy

1. Who We Are

ActiveSF Ltd. is a corporation incorporated in Nova Scotia, Canada.

For the purposes of GDPR and UK GDPR, ActiveSF acts as:

• Data Controller for account, authentication, and platform usage data
• Data Processor where users upload or input business data into our system

2. Information We Collect

We collect the following categories of information:

3. How We Use Your Information

We use personal data to:

• Provide and operate our SaaS platform
• Authenticate and secure user accounts
• Manage user roles and organisation access
• Store and display user-created content
• Provide AI-assisted functionality (via OpenAI)
• Improve system reliability and performance
• Comply with legal obligations

4. Legal Basis for Processing (GDPR / UK GDPR)

We process personal data under the following lawful bases:

• Contract – to provide the services you request
• Legitimate Interests – for security, fraud prevention, and system improvement
• Legal Obligation – where required by applicable law

Where special category data is unintentionally included in user uploads, it is processed strictly as part of providing the service at the direction of the user.

5. Data Sharing and Third Parties

We do not sell personal data.

We share data only with trusted service providers necessary to operate our platform:

• Kinde – authentication and user management
• OpenAI – AI processing
• Hetzner Cloud (EU, Germany) – infrastructure and hosting
• Umami – privacy-preserving analytics

Each provider is contractually expected to process data securely and in compliance with applicable data protection laws.

6. International Data Transfers

Although ActiveSF is based in Canada, our infrastructure is hosted within the European Union (Germany).

Where data is transferred internationally (e.g. to OpenAI), we rely on appropriate safeguards such as:

• Standard Contractual Clauses (SCCs)
• Data processing agreements with vendors

7. Data Retention

We retain personal data only as long as necessary to provide the service.

• Active accounts: retained for the duration of the account
• Deleted accounts: immediate deletion from active systems
• Backups: retained for up to 12 months for disaster recovery purposes, after which they are automatically purged

8. Data Security

We implement appropriate technical and organisational measures to protect data, including:

• Encrypted communication (HTTPS/TLS)
• Secure authentication via Kinde
• Access controls and role-based permissions
• Infrastructure hosted in secure EU data centres

9. Your Rights (GDPR / PIPEDA)

Depending on your jurisdiction, you have the right to:

• Access your personal data
• Request correction of inaccurate data
• Request deletion of your data
• Request export of your data (data portability)
• Object to certain types of processing

Requests can be made by contacting us (see Section 13). We handle requests manually where necessary.

10. Data Deletion

You may request deletion of your account and associated data at any time.

Upon deletion:

• Active data is removed immediately
• Backup copies remain for up to 12 months (disaster recovery only)

11. Cookies and Tracking

We use only strictly necessary cookies for authentication and security purposes via Kinde.

We do not use:

• advertising cookies
• tracking cookies
• behavioural profiling cookies

We use Umami for cookieless analytics.

For more details, please refer to our Cookie Policy.

12. Children’s Data

Our services are intended for business users only and are not directed at individuals under 18.

We do not knowingly collect data from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Updates will be posted on this page with a revised “Last updated” date.

14. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights, contact: