Privacy Policy

SKADI Cyber Defense Corporation
Effective Date: November 1, 2025
Last Updated: November 1, 2025

1. Introduction

SKADI Cyber Defense Corporation (“SKADI”, “we”, “us”, or “our”) is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and other applicable Canadian privacy legislation.

This policy applies to:

• Our website (skadicyber.com and skadicyber.ai)
• Our Frostbow security platform and related services
• Our cybersecurity consulting and professional services
• All interactions with SKADI

By using our services or providing us with your personal information, you acknowledge that you have read and understood this Privacy Policy.

2. Privacy Officer

SKADI has appointed a Privacy Officer who is responsible for ensuring compliance with this policy and applicable privacy legislation.

Privacy Officer Contact Information:

Rachel Clark, Founder & CEO
SKADI Cyber Defense Corporation
Email: defense@skadicyber.com
Mail: 16 Dominion Street, Bracebridge, ON P1L 2A5, Canada

If you have questions, concerns, or complaints about our privacy practices, please contact our Privacy Officer using the information above.

3. What is Personal Information?

For the purposes of this policy, “personal information” means information about an identifiable individual, including but not limited to:

• Name, email address, phone number, and mailing address
• Business contact information (company name, position, business email)
• IP addresses and device identifiers
• Payment and billing information
• Technical information about your systems and networks (when using Frostbow)
• Security incident and threat data
• Communications with SKADI (emails, support tickets, chat logs)
• Website usage information (cookies, analytics data)

Personal information does not include:

• Business contact information used solely for business communications
• Aggregated or anonymized data that cannot identify individuals
• Publicly available information

4. What Personal Information We Collect

4.1 Information You Provide Directly

We collect information you voluntarily provide when you:

• Request information or demos: Name, email, phone number, company name, role
• Create an account: Name, email, password, company information
• Use Frostbow platform: Technical environment data, security configurations, user accounts
• Purchase services: Billing information, payment details, purchase history
• Contact support: Name, email, description of issues, technical details
• Subscribe to communications: Email address, communication preferences
• Apply for employment: Resume, contact information, work history (separate Recruiting Privacy Policy applies)

4.2 Information Collected Automatically

When you visit our website or use our services, we automatically collect:

• Technical information: IP address, browser type, operating system, device information
• Usage data: Pages visited, time spent, click patterns, referring websites
• Cookies and tracking technologies: As described in Section 12 below
• Security monitoring data: For fraud prevention and system security

4.3 Information from Frostbow Platform

When you deploy Frostbow in your environment, the platform collects:

• Security event data: Logs, alerts, threat indicators, network traffic metadata
• System information: Asset inventory, vulnerability data, configuration information
• User activity: Security-relevant user actions and access patterns
• Threat intelligence: Anonymized threat indicators shared within the Frostbow network

Important: Frostbow is designed with privacy-first architecture. Your security data is processed in your environment and is not accessible to SKADI except as necessary to deliver services or with your explicit authorization.

4.4 Information from Third Parties

We may receive information from:

• Business partners and MSPs: If you access Frostbow through a managed service provider
• Payment processors: Transaction confirmation and fraud prevention information
• Public sources: Publicly available business information for lead generation and research
• Technology partners: Integration data from platforms you’ve connected to Frostbow

5. How We Use Personal Information

SKADI collects and uses personal information only for identified purposes and only with your consent (express or implied), or as permitted/required by law.

5.1 Primary Purposes

We use personal information to:

Provide Services:

• Deliver and maintain the Frostbow platform
• Provide cybersecurity consulting, incident response, and professional services
• Process transactions and manage billing
• Provide customer support and respond to inquiries
• Monitor and improve service performance and security

Communication:

• Send service-related notices and updates
• Respond to your requests and communications
• Send marketing communications (with consent, and you may opt out)
• Provide security alerts and threat notifications

Business Operations:

• Analyze usage patterns to improve our services
• Conduct research and development
• Manage vendor and partner relationships
• Comply with legal and regulatory requirements

Security and Fraud Prevention:

• Protect against security threats and fraudulent activity
• Monitor and analyze security events
• Investigate and respond to security incidents

5.2 Legal Bases for Processing

We process personal information based on:

• Consent: When you explicitly agree to processing (e.g., marketing communications)
• Contract performance: To deliver services you’ve requested or purchased
• Legitimate interests: To operate our business, improve services, and maintain security
• Legal obligations: To comply with applicable laws and regulations

6. When We Disclose Personal Information

SKADI does not sell, rent, or trade your personal information. We disclose personal information only in the following circumstances:

6.1 Service Providers

We share information with trusted third-party service providers who assist us in:

• Cloud infrastructure and hosting (e.g., AWS, Azure, Google Cloud)
• Payment processing
• Email and communication services
• Analytics and marketing platforms
• Customer relationship management (CRM)

These providers are contractually obligated to:

• Use information only for specified purposes
• Implement appropriate security measures
• Comply with applicable privacy laws

6.2 Business Partners

• MSP Partners: If you access Frostbow through a managed service provider, we share necessary information with that MSP
• Technology Partners: To enable integrations you’ve configured (e.g., SIEM platforms, ticketing systems)

6.3 Legal Requirements

We may disclose information when required or permitted by law:

• To comply with court orders, warrants, or legal processes
• To respond to lawful requests from government authorities
• To protect our legal rights and interests
• To investigate fraud, security incidents, or violations of our terms
• To protect the safety of individuals or the public

6.4 Business Transfers

In the event of a merger, acquisition, sale of assets, or bankruptcy, personal information may be transferred to successor entities, subject to this Privacy Policy and applicable law.

6.5 With Your Consent

We may share information for other purposes with your explicit consent.

7. International Data Transfers

SKADI is based in Canada. However, our service providers and technology partners may process data in other countries, including the United States and European Union.

When we transfer personal information outside Canada:

• We ensure appropriate safeguards are in place (e.g., standard contractual clauses, adequacy decisions)
• We inform you of the transfer and obtain consent when required
• We ensure foreign service providers provide comparable privacy protection

Your personal information may be subject to foreign laws and accessible to foreign governments, courts, and law enforcement agencies.

8. Data Security

SKADI implements physical, technical, and organizational security measures to protect personal information against unauthorized access, use, disclosure, modification, or destruction.

8.1 Security Measures

Our security controls include:

• Encryption: Data encrypted in transit (TLS/SSL) and at rest
• Access controls: Role-based access with multi-factor authentication
• Network security: Firewalls, intrusion detection, and monitoring
• Security monitoring: Continuous monitoring for threats and anomalies (using Frostbow!)
• Incident response: Documented procedures for security incidents
• Vendor management: Security requirements for all service providers
• Employee training: Regular security and privacy awareness training
• Physical security: Secure facilities with restricted access

8.2 Data Retention

We retain personal information only as long as necessary for:

• Fulfilling the purposes for which it was collected
• Meeting legal, regulatory, or contractual requirements
• Resolving disputes and enforcing agreements

Typical retention periods:

• Account information: Duration of relationship plus 7 years
• Security event data: 13 months (or as specified in customer agreements)
• Support communications: 3 years
• Payment records: 7 years
• Marketing data: Until consent withdrawn plus 1 year

When no longer needed, we securely delete or anonymize personal information.

9. Your Privacy Rights

Under PIPEDA and applicable provincial laws, you have the following rights:

9.1 Access

You have the right to:

• Request access to your personal information we hold
• Receive information about how we use and disclose your information
• Receive a copy of your personal information in a structured, commonly used format

9.2 Correction

You may request correction of inaccurate or incomplete personal information. We will:

• Make corrections as appropriate
• Send corrected information to third parties we’ve disclosed it to (where applicable)
• Note your correction request in our records if we don’t make the change

9.3 Withdrawal of Consent

You may withdraw consent for:

• Marketing communications (use unsubscribe links or contact us)
• Optional data collection and processing
• Certain service features (may impact service delivery)

Note: Withdrawal may limit our ability to provide certain services.

9.4 Deletion

You may request deletion of your personal information, subject to:

• Legal or regulatory retention requirements
• Legitimate business needs
• Contractual obligations

9.5 Portability

You may request your personal information in a portable format to transfer to another service provider.

9.6 Object to Processing

You may object to processing based on legitimate interests, and we will stop processing unless we have compelling grounds.

9.7 Restrictions on Automated Decision-Making

You have the right to:

• Be informed of automated decision-making
• Request human review of automated decisions
• Challenge decisions that significantly affect you

10. How to Exercise Your Rights

To exercise your privacy rights:

1. Contact our Privacy Officer using the information in Section 2
2. Provide sufficient detail to identify yourself and your request
3. Specify the right you wish to exercise
4. Include verification information (we may request additional information to verify your identity)

We will respond to your request within 30 days (or as required by applicable law). If we need more time, we’ll notify you of the extension and reasons.

There is no fee for requests unless they are excessive or repetitive, in which case we may charge a reasonable fee.

11. Children’s Privacy

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected information from a child, we will delete it promptly.

If you believe we have inadvertently collected information from a child, please contact our Privacy Officer immediately.

12. Cookies and Tracking Technologies

12.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our website. We use cookies and similar technologies to:

• Remember your preferences and settings
• Analyze website traffic and usage patterns
• Provide personalized content and advertising
• Maintain security and prevent fraud

12.2 Types of Cookies We Use

Essential Cookies (Required)

• Session management and authentication
• Security and fraud prevention
• Load balancing and performance

Analytics Cookies (Optional)

• Google Analytics (traffic analysis)
• Usage patterns and behavior
• Performance monitoring

Marketing Cookies (Optional)

• Advertising platforms (Google Ads, LinkedIn)
• Conversion tracking
• Retargeting and remarketing

Preference Cookies (Optional)

• Language settings
• UI preferences
• Consent management

12.3 Managing Cookies

You can control cookies through:

• Browser settings: Most browsers allow you to refuse or delete cookies
• Cookie consent tool: Our website provides options to accept/reject optional cookies
• Opt-out tools: Industry opt-out tools (e.g., Digital Advertising Alliance of Canada)

Note: Disabling essential cookies may prevent you from using parts of our website.

12.4 Do Not Track

Our website does not currently respond to “Do Not Track” browser signals. You can manage tracking through cookie settings and opt-out tools.

13. Third-Party Links

Our website may contain links to third-party websites. SKADI is not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing personal information.

14. Email Marketing and Communications

14.1 Consent

We send marketing emails only with your consent (express or implied based on existing business relationships). Each marketing email includes:

• Clear identification of the sender (SKADI)
• An unsubscribe mechanism
• Our contact information

14.2 Opting Out

You may opt out of marketing communications by:

• Clicking the “unsubscribe” link in any marketing email
• Contacting privacy@skadicyber.com
• Updating your communication preferences in your account settings

Note: You cannot opt out of essential service communications (e.g., security alerts, billing notices, account notifications).

15. Business Customer Data

When you use Frostbow or our security services, you may provide us access to data about your employees, contractors, or customers (“Business Customer Data”).

15.1 Data Controller vs. Processor

• You are the data controller for Business Customer Data
• SKADI is the data processor acting on your instructions
• You are responsible for obtaining necessary consents and providing privacy notices to your individuals

15.2 Our Obligations as Processor

We will:

• Process Business Customer Data only as instructed by you
• Implement appropriate security measures
• Assist you in responding to individual rights requests
• Delete or return data upon request or contract termination
• Notify you of data breaches affecting Business Customer Data

15.3 Data Processing Agreement

Business customers should review our Data Processing Agreement (DPA) which provides additional details about data processing, security, and compliance.

16. Data Breach Notification

In the event of a data breach involving personal information:

16.1 Our Responsibilities

We will:

• Investigate and contain the breach
• Assess the risk to affected individuals
• Notify the Office of the Privacy Commissioner of Canada if required
• Notify affected individuals if there is a real risk of significant harm
• Take steps to mitigate harm and prevent recurrence

16.2 What We’ll Tell You

Breach notifications will include:

• Description of the breach
• Personal information involved
• Steps we’ve taken to mitigate harm
• Steps you can take to protect yourself
• Contact information for questions

17. Changes to This Privacy Policy

SKADI may update this Privacy Policy from time to time to reflect:

• Changes in our practices or services
• Changes in applicable laws
• Technological developments
• Customer feedback

When we make material changes:

• We will update the “Last Updated” date
• We will notify you by email or prominent website notice
• We may request renewed consent where required by law

We encourage you to review this policy periodically.

18. Complaints and Dispute Resolution

18.1 Internal Complaints Process

If you have a complaint about our privacy practices:

1. Contact our Privacy Officer (Section 2) with details of your concern
2. We will investigate and respond within 30 days
3. We will work with you to resolve the issue to your satisfaction

18.2 External Complaints

If you are not satisfied with our response, you may file a complaint with:

Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec K1A 1H3

Toll-free: 1-800-282-1376
Phone: 819-994-5444
TTY: 819-994-6591
Website: www.priv.gc.ca
Email: info@priv.gc.ca

You may also have the right to file a complaint with your provincial privacy commissioner.

19. Consent and Acceptance

By using our services or providing personal information to SKADI, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy.

If you do not agree with this Privacy Policy, please do not use our services or provide us with personal information.

For services requiring express consent (e.g., marketing communications), we will obtain your explicit agreement through:

• Opt-in checkboxes
• Signed agreements
• Documented verbal consent
• Electronic acceptance

20. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our privacy practices:

SKADI Cyber Defense Corporation

Privacy Officer: Rachel Clark, Founder & CEO
Email: defense@skadicyber.com
Website: skadicyber.com
Address: 16 Dominion Street, Bracebridge, ON P1L 2A5, Canada

For Security Incidents: security@skadicyber.com
For General Inquiries: info@skadicyber.com
For Customer Support: support@skadicyber.com

Appendix A: PIPEDA’s 10 Fair Information Principles

This Privacy Policy is based on PIPEDA’s 10 principles:

1. Accountability: SKADI is responsible for personal information under our control
2. Identifying Purposes: We identify why we collect information before or at the time of collection
3. Consent: We obtain your consent for collection, use, or disclosure
4. Limiting Collection: We collect only information necessary for identified purposes
5. Limiting Use, Disclosure, and Retention: We use information only for stated purposes and retain only as long as necessary
6. Accuracy: We keep information accurate, complete, and up-to-date
7. Safeguards: We protect information with security appropriate to its sensitivity
8. Openness: We make information about our policies and practices readily available
9. Individual Access: You can access your personal information and challenge its accuracy
10. Challenging Compliance: You can challenge our compliance with these principles

Appendix B: Glossary

Anonymization: Processing to permanently remove identifying information
Consent: Voluntary agreement to collection, use, or disclosure of personal information
Data Controller: Entity that determines purposes and means of processing
Data Processor: Entity that processes data on behalf of a controller
Encryption: Converting data into unreadable code
PIPEDA: Personal Information Protection and Electronic Documents Act
Personal Information: Information about an identifiable individual
Pseudonymization: Processing to prevent identification without additional information

© 2025 SKADI Cyber Defense Corporation. All rights reserved.

This Privacy Policy was last updated on November 1, 2025.