Privacy Policy
Effective 2026-06-01. Privacy questions, data-access requests, or DPA requests: info@vastura.ca.
1. Who we are
Vastura Ltd is an Alberta-incorporated corporation operating vasturadigital.ca and the related SaaS products described at /pages/catalogue. We act as a controller of personal information about visitors to our marketing site and account-holders, and as a processor of personal information that subscribers ingest into the Services (Customer Content). Throughout this Policy, "we", "us", and "Vastura" mean Vastura Ltd.
2. What we collect
Marketing-site visitors
- Information you provide via forms or email (name, email, message).
- Standard server logs (IP address, browser, referrer, pages viewed) for security and operations.
- Analytics cookies (only with your consent — see Cookies below).
Subscribers
- Account information (email, name, password hash, billing address).
- Payment information — handled directly by Stripe and not stored by Vastura.
- Service usage telemetry (tier, seat count, feature usage, API calls).
- Customer Content you upload, ingest, or generate via the Services.
3. How we use it
- To provide, operate, secure, and improve the Services.
- To process payments via Stripe.
- To send account, billing, and security notifications (transactional email).
- With your CASL-compliant consent, to send marketing communications (you can unsubscribe at any time).
- To comply with legal obligations and respond to lawful requests.
4. Lawful basis (PIPEDA)
We collect, use, and disclose personal information only for purposes a reasonable person would consider appropriate in the circumstances, with your knowledge and consent (express or implied) where required by PIPEDA. You may withdraw consent at any time subject to legal or contractual restrictions; doing so may prevent us from continuing to provide the Services.
5. How we share it
We do not sell personal information. We share it only with the sub-processors listed below to provide the Services, with our professional advisors under confidentiality, when legally required, or in connection with a corporate transaction (merger or sale) where the acquirer agrees to honour this Policy.
6. Sub-processors
We engage the following sub-processors to deliver the Services. We will provide reasonable notice of changes via this page.
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe Inc. | Payment processing & subscription billing | United States (PCI-DSS Level 1) |
| Cloudflare Inc. | Edge compute, D1 database, R2 object storage, CDN | Global (data residency Canada/US) |
| Anthropic PBC | AI model processing for product features | United States (zero data retention via API) |
| Shopify Inc. | Marketing storefront (vasturadigital.ca only) | Canada / United States |
| Resend | Transactional email delivery | United States |
| Render Services Inc. | Backend hosting | United States |
DocuSign and Google Analytics 4 may be engaged in the future and will be added here with notice.
7. Cross-border transfers
Some sub-processors store and process data outside Canada. We rely on contractual protections (DPAs, standard contractual clauses where applicable) and on industry-recognised security certifications held by those sub-processors. By using the Services, you consent to this transfer for the stated purposes.
8. Retention
We retain account information for as long as you maintain an active subscription and for a reasonable period afterwards (typically 36 months) to comply with tax, audit, and legal-defence requirements. Customer Content is deleted from active systems within 30 days of account closure on written request. Backups are retained per our backup-retention schedule and are deleted on rolling cycles.
9. Security
We implement administrative, technical, and physical safeguards commensurate with the sensitivity of the information processed. These include encryption in transit (TLS 1.2+), encryption at rest where supported by our sub-processors, role-based access control, audit logging (append-only), least-privilege access, and security training for staff.
10. Your rights
You may request access to, correction of, or deletion of your personal information by emailing info@vastura.ca. We will respond within 30 days, subject to verification of identity and applicable legal exceptions. You may also complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca) if you believe we have not complied with PIPEDA.
11. Cookies & tracking
See our Cookie Policy. We display a cookie consent banner on first visit and gate non-essential cookies (analytics, marketing) behind your explicit consent.
12. Children
The Services are not directed to children under 16 and we do not knowingly collect personal information from them. If you believe a child has provided us personal information, contact us and we will delete it.
13. Changes to this Policy
We may update this Policy. We will notify you of material changes by email or via the subscriber dashboard. The current version is always at this URL.
14. Contact
Privacy Officer
Vastura Ltd
Alberta, Canada
info@vastura.ca