Privacy Policy
Last updated: January 2026
1. Introduction
ClayGen Consulting Inc., doing business as TSSAC and related trade names (“TSSAC”, “we”, “us”, or “our”), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at tssac.ca or use our services.
We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. Where our members operate in jurisdictions subject to GDPR or CCPA, we extend equivalent protections.
By using our website or services, you consent to the collection, use, and disclosure of your information as described in this policy. You may withdraw consent at any time by contacting us (see Section 11).
2. Information We Collect
2.1 Information You Provide
We collect information you provide directly when you:
- Create an account: Name, email address, phone number, password, and organization name
- Complete your profile: Job title, mailing address, province, and communication preferences
- Submit a contact form: First name, last name, work email, company name, employee count, area of interest, and message
- Subscribe to our newsletter: Email address
- Purchase a membership: Billing address and payment information (processed by Stripe; we do not store credit card numbers)
- Use our managed services: Technical information about your IT environment, including Microsoft 365 configuration, device inventories, and security posture data
- Submit support tickets: Description of issues, screenshots, and attachments you provide
2.2 Information Collected Automatically
When you visit our website, we may automatically collect:
- Device information: IP address, browser type and version, operating system, and device type
- Usage data: Pages visited, time spent on pages, referring URL, and click patterns
- Analytics data: Collected via Google Analytics 4 (see Section 6 for cookie details)
- Authentication data: Login timestamps, session duration, and IP addresses associated with your account
2.3 Information from Third Parties
We may receive information from:
- Microsoft: Security posture data, license information, and user directory data when you connect your Microsoft 365 tenant
- Clerk (authentication provider): Account verification and session data
- Stripe: Payment confirmation and subscription status (not full card numbers)
3. How We Use Your Information
We use the information we collect to:
- Provide our services: Deliver managed IT, security monitoring, Microsoft 365 management, and support
- Process memberships: Handle applications, payments, and billing
- Communicate with you: Send service updates, security alerts, support responses, and newsletters (with your consent)
- Improve our platform: Analyze usage patterns to improve features and user experience
- Ensure security: Detect fraud, prevent unauthorized access, and protect our systems
- Comply with legal obligations: Respond to lawful requests and enforce our terms
We do not use your personal information for automated decision-making or profiling that produces legal effects.
4. Information Sharing and Disclosure
We do not sell your personal information. We may share your information with:
4.1 Service Providers
We use the following third-party services to operate our platform:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Clerk | Authentication and user management | Name, email, profile data | United States |
| Stripe | Payment processing | Billing details, payment data | United States |
| Google Analytics | Website analytics | Usage data, IP address (anonymized) | United States |
| Microsoft | M365 management (CSP partner) | Tenant data, license info | Canada (data centre) |
| Resend / Postmark | Transactional and marketing email | Email address, name | United States |
| Amazon Web Services | Cloud hosting and storage | All platform data | Canada (ca-central-1, Montreal) |
| Upstash | Rate limiting and caching | Session identifiers | United States |
| Cloudflare | DNS and CDN | Web requests, IP addresses | Global (edge network) |
4.2 Microsoft Cloud Solution Provider (CSP)
As a Microsoft CSP partner, we share necessary information with Microsoft to provision and manage Microsoft 365 licenses on your behalf. This is governed by the Microsoft Partner Agreement and your Microsoft customer agreement.
4.3 Legal Requirements
We may disclose your information when required by law, court order, or government request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
5. Data Storage and Security
5.1 Canadian Data Residency
Your data is primarily stored in Canada using AWS ca-central-1 (Montreal). Our databases, file storage, backups, and monitoring infrastructure are all located in Canadian data centres.
5.2 Cross-Border Data Transfers
Some of our service providers (listed in Section 4.1) are based in the United States. When your data is processed by these providers, it may be transferred outside Canada. We ensure that these transfers are protected by contractual safeguards and that the providers maintain appropriate security standards.
5.3 Security Measures
We implement the following security measures:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls and multi-factor authentication
- Regular security assessments and automated vulnerability scanning
- Audit logging of administrative and sensitive operations
- Automated database backups with an hourly recovery point
- Incident response procedures and breach notification protocols
6. Cookies and Tracking Technologies
We use cookies and similar technologies on our website. A cookie is a small text file stored on your device. We categorize cookies as follows:
6.1 Essential Cookies (Always Active)
These cookies are necessary for the website to function. They cannot be disabled.
| Cookie | Purpose | Duration | Provider |
|---|---|---|---|
| __clerk_* | Authentication and session management | Session | Clerk |
| csrf_token | Cross-site request forgery protection | 8 hours | TSSAC |
| admin_session_start | Admin session timeout tracking | 8 hours | TSSAC |
| cookie_consent | Stores your cookie preference | 365 days | TSSAC |
6.2 Analytics Cookies (Optional)
These cookies help us understand how visitors use our website. They are only set if you consent.
| Cookie | Purpose | Duration | Provider |
|---|---|---|---|
| _ga | Distinguishes unique visitors | 2 years | Google Analytics |
| _ga_* | Maintains session state | 2 years | Google Analytics |
| _gid | Distinguishes visitors (24h window) | 24 hours | Google Analytics |
6.3 Managing Cookies
When you first visit our website, a cookie consent banner will ask for your preference. You can change your preference at any time by clearing your browser cookies and revisiting the site, or by using your browser settings to manage cookies. Note that disabling essential cookies may affect website functionality.
7. Data Retention
We retain your information for the following periods:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Duration of membership + 30 days | Service delivery |
| Billing records | 7 years after last transaction | Tax and legal requirements (CRA) |
| Support tickets | Duration of membership + 90 days | Service continuity |
| Security logs | 90 days | Security incident investigation |
| Analytics data | 26 months (Google default) | Website improvement |
| Newsletter subscriptions | Until unsubscribe | Your consent |
When your data is no longer needed, it is securely deleted or anonymized.
8. Your Rights Under PIPEDA
Under PIPEDA, you have the right to:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Withdrawal of consent: Withdraw consent for non-essential uses of your information (e.g., marketing emails). Note that withdrawing consent for essential processing may require cancellation of your membership
- Deletion: Request deletion of your personal information, subject to legal retention requirements
- Complaint: File a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated
To exercise any of these rights, contact our Privacy Officer (see Section 11). We will respond within 30 days of receiving your request.
8.1 Right to Delete
Upon request, we will delete your personal information from our active systems within 30 days. Please note:
- Billing records must be retained for 7 years per CRA requirements
- Information in encrypted backups will be deleted when the backup naturally expires
- We cannot delete information held by third-party providers (e.g., Clerk, Stripe) on your behalf, but we can direct you to their deletion processes
- Anonymized or aggregated data that cannot identify you may be retained
9. Children's Privacy
Our services are intended for business use and are not directed at individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will promptly delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on our website and updating the “Last updated” date at the top of this page. For significant changes, we may also notify you via email if you have an account.
We encourage you to review this policy periodically. Your continued use of our services after changes take effect constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about our privacy practices, please contact our Privacy Officer:
Privacy Officer
ClayGen Consulting Inc., doing business as TSSAC
Email: privacy@tssac.ca
Phone: +1 (800) XXX-XXXX
If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada at 1-800-282-1376.