Privacy Policy
Last updated: April 17, 2026 · Effective date: April 17, 2026
Who we are and what this policy covers
MastGuard Inc. (“we,” “our,” or “us”) is a Canadian company headquartered in Calgary, Alberta. We provide an AI governance, security, and compliance platform (the “Service”) that helps organizations monitor, audit, and govern the behavior of artificial-intelligence agents operating inside their systems.
This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and the rights you have over it. It applies to our website, our Service, our SDKs, our APIs, and any communication between you and us.
We take this seriously. Your data is the product our customers rely on us to protect — we apply the same standard to your data.
The laws this policy is designed to comply with
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
- Quebec's Act respecting the protection of personal information in the private sector (“Law 25”)
- Alberta's Personal Information Protection Act (PIPA)
- British Columbia's Personal Information Protection Act (PIPA)
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
- Where applicable, the EU General Data Protection Regulation (GDPR) and the UK GDPR
- HIPAA (for Enterprise HIPAA-tier customers only, governed by a separate Business Associate Agreement)
If the law in your jurisdiction gives you rights stronger than those set out here, those rights apply to you.
What information we collect
We collect only what we need. We group it into four categories.
a) Information you give us directly. When you create an account, book a demo, contact support, or subscribe to communications, you provide information such as your name, work email, job title, company name, phone number, and billing details.
b) Information generated by your use of the Service. This includes account activity logs, feature usage, preference settings, policy rules you create, reviewer decisions you make, and IP address and device data. We also process the metadata of AI agent actions your organization routes through our Service — we call this “Customer Data.”
c) Customer Data. Customer Data is the data your organization sends to our Service for governance and audit purposes. You (the customer) are the controller of Customer Data. We are the processor. We handle it according to your instructions and our Data Processing Addendum.
d) Information we receive automatically. When you visit our website, we collect standard web analytics data — pages visited, referral source, browser type, and aggregated session information — using cookies and similar technologies. See our Cookie Policy for detail.
What we do not collect
- We do not buy personal information from data brokers.
- We do not use Customer Data to train shared AI models.
- We do not sell your personal information. Full stop.
- We do not knowingly collect information from individuals under 18.
- We do not collect biometric identifiers, facial recognition data, or government-issued IDs unless explicitly required for a Know-Your-Customer check you have consented to.
Why we collect it (and the legal basis)
We process personal information for the following purposes, and only for as long as necessary for each purpose:
- To provide and operate the Service — Contract performance; legitimate interest
- To communicate with you about your account, incidents, and product updates — Contract performance
- To process payments and manage billing — Contract performance
- To respond to support requests — Legitimate interest
- To improve and secure the Service — Legitimate interest
- To comply with legal, tax, and regulatory obligations — Legal obligation
- To send marketing communications (only with your consent; you can withdraw it any time) — Consent
- To generate aggregated, anonymized analytics that cannot identify any individual — Legitimate interest
Under PIPEDA and Law 25, we obtain meaningful consent for any use of personal information that a reasonable person would consider appropriate in the circumstances. For sensitive uses — particularly anything involving automated decision-making about you — we obtain explicit, informed consent separately.
How we share it
We share personal information only in the following situations:
Service providers we trust. Our platform runs on Microsoft Azure. Payment processing is handled by Stripe. Each of these providers is bound by contracts requiring them to meet or exceed our privacy and security standards, and to process your information only as we direct.
Enterprise customers' designated recipients. If you are an end user whose organization uses our Service, we share relevant information with that organization in accordance with their instructions and your relationship with them.
Legal compliance. We may disclose information when required by a valid court order, subpoena, or law enforcement request — but only after verifying the request and, where legally permissible, notifying the affected organization.
Business transfers. If we are acquired or merge with another company, your information may transfer as part of that transaction. You will be notified, and the new entity will be bound by this policy or a policy at least as protective.
We do not sell, rent, or trade personal information to third parties for their own marketing purposes.
Where we store it
By default, we store Customer Data in Azure Canada Central (Calgary). Enterprise customers can elect a specific region — including Azure Canada East, US East, or EU West — as part of their service agreement.
We are a Canadian company operating primarily within Canadian data residency boundaries. However, some service providers we rely on (for example, Stripe for payment processing) may process limited information outside Canada. When data crosses a border, we apply the safeguards required by the applicable law — contractual protections, encryption, and where relevant, Standard Contractual Clauses.
Because our infrastructure vendor (Microsoft) is a US-headquartered company, Customer Data processed in Canadian Azure regions may be subject to the US CLOUD Act. We disclose this openly. Enterprise customers concerned about CLOUD Act exposure can discuss sovereign hosting options with our team.
How long we keep it
- Account information: for the duration of your account, plus 90 days after account closure.
- Billing records: 7 years, as required by Canadian tax law.
- Customer Data (audit records): for the retention period specified in your contract (typically 90 days to 7 years, depending on your tier and regulatory profile).
- Marketing communications data: until you unsubscribe or until 2 years of inactivity have passed, whichever comes first.
- Support tickets: 3 years after resolution.
When the retention period ends, we either delete the information or irreversibly anonymize it.
How we protect it
Security is not a feature. It's the product. Our safeguards include:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256-GCM).
- Secrets management via Azure Key Vault — no credentials in code, environment files, or configuration repositories.
- Multi-factor authentication enforced for all administrative accounts.
- Role-based access controls so that employees can see only what they need to do their jobs.
- Immutable audit logs of access to Customer Data.
- Continuous monitoring via Azure Sentinel and Azure Application Insights.
- Annual penetration tests and continuous dependency scanning.
- SOC 2 Type I in progress; SOC 2 Type II targeted for 2027.
No system is perfectly secure. If we ever experience a breach that creates a real risk of significant harm to you, we will notify you and the Office of the Privacy Commissioner of Canada (and any other applicable regulator) in accordance with the law — within 72 hours where that's the requirement.
Your rights
Depending on where you live, you have some or all of the following rights:
- Access. You can ask us what personal information we hold about you, and we will provide it.
- Correction. You can ask us to fix information that is wrong or incomplete.
- Deletion. You can ask us to delete your personal information, subject to legal retention obligations.
- Portability. You can ask us to provide your personal information in a structured, machine-readable format.
- Withdrawal of consent. Where processing relies on consent, you can withdraw that consent at any time.
- Object to processing. You can object to certain uses of your information — including marketing and profiling.
- No automated decisions without human review. You have the right to request human review of any significant decision made about you solely by an automated system.
- Complain to a regulator. You can lodge a complaint with the Office of the Privacy Commissioner of Canada, the Commission d'accès à l'information (Quebec), your provincial regulator, or any other competent authority.
To exercise any of these rights, email our Privacy Officer at privacy@mastguard.com. We will respond within 30 days, as required by Canadian law.
Cookies and similar technologies
Our website uses cookies to keep you logged in, remember your preferences, measure how our site is used, and (only with your consent) deliver marketing measurement. You can manage cookie preferences at any time through the consent banner or your browser settings. Full detail lives in our separate Cookie Policy.
Children's privacy
Our Service is designed for businesses and is not directed to children. We do not knowingly collect personal information from anyone under 18. If we learn we have collected it, we will delete it.
Contacting our Privacy Officer
Privacy Officer
MastGuard Inc.
Calgary, Alberta, Canada
Email: privacy@mastguard.com
Changes to this policy
We'll update this policy when the law changes, when we add new products, or when we change how we handle your information. We post updates here and, for material changes, we'll email active account holders at least 30 days before the change takes effect.