Privacy · PIPEDA
Privacy Policy
How CyberMotion AI Inc. collects, uses, and protects personal information.
Effective date: 10 July 2026 · Last reviewed: 2026-07-10
1. Introduction
CyberMotion AI Inc. ("CyberMotion AI", "we", "us") is committed to protecting personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. This policy explains what we collect, why we collect it, how we use it, and the choices available to you.
Our principal office is located at 95 King Street East, Suite 205, Toronto, ON M5C 1G4. For privacy enquiries, contact [email protected] or call +1 (416) 598-3170.
2. Scope
This policy applies to personal information collected through cybermotionai.pro, our contact forms, email correspondence, contractual engagements, and events where we act as an organisation collecting data. It does not cover third-party websites linked from our pages. Client telemetry and security log data processed during engagements are governed by separate data processing agreements.
3. Information we collect
3.1 Information you provide directly
When you submit our contact form, request a briefing, or correspond with us, we may collect your name, email address, company name, job title, telephone number, and message content. If you enter a service engagement, we additionally collect billing contacts, technical contacts, and information required for identity verification and conflict checks.
3.2 Information collected automatically
When you visit our website, we may collect IP address, browser type, device type, referring URL, pages viewed, and timestamps. Optional analytics cookies, if you consent, help us understand aggregate traffic patterns. See our Cookie Policy for details.
3.3 Information from third parties
We may receive business contact details from referral partners or public professional directories when you have expressed interest in cybersecurity services. We verify such information before adding it to our CRM and honour opt-out requests promptly.
4. Purposes of collection and use
We use personal information for the following purposes, relying on consent, contractual necessity, or legitimate interests as appropriate:
- Responding to enquiries and scheduling briefings
- Delivering contracted cybersecurity services
- Managing billing, accounting, and tax compliance
- Improving our website and service offerings through aggregated analytics
- Complying with legal obligations, court orders, and lawful regulatory requests
- Protecting our rights, personnel, and systems from fraud or abuse
We do not sell personal information. We do not use contact form data for unrelated marketing without explicit consent.
5. Consent and withdrawal
We obtain meaningful consent before collecting personal information beyond what is strictly necessary for a requested service. Consent may be express (checkbox, signed agreement) or implied (you voluntarily provide a business card at an event). You may withdraw consent for non-essential processing by emailing [email protected]. Withdrawal does not affect processing already completed or processing required by law.
6. Disclosure to third parties
We share personal information only when necessary:
- Service providers: Hosting, email delivery, CRM, and accounting platforms under written confidentiality obligations
- Professional advisers: Lawyers, auditors, and insurers bound by professional secrecy
- Legal requirements: When compelled by valid legal process in Canada
- Business transactions: In connection with a merger or acquisition, subject to confidentiality and notice where practicable
Subprocessors handling client data during engagements are listed in project-specific data processing agreements. Cross-border transfers outside Canada occur only with appropriate safeguards and documented consent where required.
7. Retention
Contact form submissions are retained for twenty-four months unless a business relationship develops, in which case records follow our corporate retention schedule (typically seven years after last activity for commercial records). Security logs from our website are retained for ninety days. Contractual project artefacts follow agreed client schedules and legal minimums.
8. Security safeguards
We implement administrative, technical, and physical safeguards proportionate to the sensitivity of information held. Measures include access controls, encryption in transit, employee confidentiality agreements, security awareness training, and incident response procedures. No method of transmission over the internet is perfectly secure; we encourage clients to use encrypted channels for sensitive material.
9. Individual rights
Under PIPEDA, you have the right to access personal information we hold about you, request correction of inaccuracies, and challenge our compliance. Submit requests to [email protected]. We respond within thirty days unless an extension is permitted. If you are unsatisfied with our response, you may contact the Office of the Privacy Commissioner of Canada.
10. Children
Our services and website are directed at business professionals. We do not knowingly collect personal information from individuals under sixteen. If you believe we have inadvertently done so, contact us for prompt deletion.
11. Changes to this policy
We may update this policy to reflect legal or operational changes. Material updates will be posted on this page with a revised effective date. Continued use of our website after changes constitutes acknowledgement of the updated policy for website-related processing.
12. Contact
Privacy Officer
CyberMotion AI Inc.
95 King Street East, Suite 205, Toronto, ON M5C 1G4
[email protected]
+1 (416) 598-3170
13. Data breach notification
In the event of a breach of security safeguards involving personal information under our control that creates a real risk of significant harm, we will notify affected individuals and the Office of the Privacy Commissioner of Canada as required by PIPEDA. Notifications will describe the circumstances, types of information involved, steps we are taking, and contact information for further enquiries. We maintain an internal incident register for all privacy-related events, including near-misses, to drive corrective action.
14. International transfers
Where personal information must be processed outside Canada, for example by a cloud subprocessor with United States data centres, we conduct transfer impact assessments and implement contractual clauses requiring equivalent protection. Clients receive subprocessor lists during onboarding and advance notice of material changes. You may object to new subprocessors on reasonable grounds related to privacy risk.
15. De-identification and aggregated analytics
We may create aggregated statistics from website analytics that cannot reasonably identify individuals. Such statistics inform service improvements and may appear in anonymised form in marketing materials. Aggregated data is not subject to individual access requests because it does not constitute personal information under PIPEDA.
16. Employee and contractor access
Access to personal information is limited to personnel with a legitimate business need. Employees and contractors sign confidentiality agreements and receive annual privacy training. Access is reviewed quarterly and revoked promptly upon role change or termination. Privileged administrative access is logged and monitored.
17. Complaint process
If you believe we have mishandled your personal information, email [email protected] with sufficient detail for investigation. We assign a reviewer who was not involved in the original decision. You will receive a written response explaining our findings and any remedial steps. Unresolved concerns may be escalated to the Office of the Privacy Commissioner of Canada at priv.gc.ca.
18. Marketing communications
We send service updates and event invitations only to contacts who have opted in or have an existing business relationship and have not opted out. Each marketing email includes an unsubscribe link processed within ten business days. Transactional messages related to active contracts are not marketing and cannot be unsubscribed from while services continue.
19. Automated decision-making
Our client-facing services may use automated scoring for security alert triage within contracted engagements. Website contact form submissions are not subject to automated decision-making with legal or similarly significant effects. If we introduce such processing in future, this policy will be updated and additional consent obtained where required.
20. Records of processing
We maintain internal records describing categories of personal information processed, purposes, retention, and recipients. Enterprise clients may request a summary aligned with their vendor due diligence questionnaires during procurement. Responses are provided within fifteen business days of a verified request.
21. Accessibility of privacy requests
Privacy access and correction requests may be submitted in writing by email or post. We accommodate reasonable format requests for responses, including structured data exports where technically feasible. Identity verification may be required before disclosing personal information to prevent unauthorised access.
22. Research and product development
Aggregated, de-identified telemetry patterns from client engagements may inform internal research to improve detection models. Such use is governed by contract and excludes identifiable personal information unless explicitly authorised. Clients may opt out of contributing to aggregate research pools without affecting core service delivery.
23. Third-party authentication
We do not currently offer social login on cybermotionai.pro. If single sign-on options are introduced for client portals in future, this policy will be updated to describe identity providers, data shared with them, and authentication logs retained.
24. Schedule of subprocessors
Website hosting and transactional email providers process limited personal information on our behalf under data processing terms. Current categories include Canadian and North American cloud infrastructure providers with ISO 27001 or equivalent certifications. An updated subprocessor list is available on request to enterprise procurement teams and is reviewed semi-annually for continued suitability.
25. Version history
Material changes to this Privacy Policy are archived internally with effective dates. You may request the date and summary of the last three revisions by contacting our Privacy Officer. We encourage periodic review of this page, particularly before submitting new categories of personal information through updated forms or integrations.
Printed copies of this policy are available upon request for accessibility purposes.