Effective Date: March 27, 2026
This Privacy Policy governs the collection, use, disclosure, storage, retention, and protection of Personal Information by the Company (“BRANDLIX INC.”), a federal corporation incorporated under the Canada Business Corporations Act, carrying on business principally in Alberta, and operating the online platform accessible at Brandlix.CA and its associated applications in connection with the provision of its Managed Software as a Service (“MSaaS”) solutions (the “Company,” “Provider,” “We,” “Us,” “Our,” or “Brandlix”).
We publish this Policy to fulfill our obligations under the Personal Information Protection Act (Alberta) (“PIPA”), the Protection of Privacy Act (Alberta) (“POPA”) for any public-sector interactions, the Alberta Consumer Protection Act (as amended), the Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA”), Canada’s Anti-Spam Legislation (“CASL”), the by-laws of the Canadian Internet Registration Authority (“CIRA”) (as amended in August 2025), and all other applicable provincial and federal privacy statutes (collectively, “Applicable Privacy Laws”), as amended or replaced from time to time. It also incorporates, where relevant to international clients or data subjects, elements of the General Data Protection Regulation (EU) 2016/679 (as simplified in 2025), the California Consumer Privacy Act/California Privacy Rights Act (“CCPA/CPRA”) (regulations finalized September 2025), and anticipated updates to the HIPAA Security Rule (expected in 2026).
This Privacy Policy forms an integral part of the Company’s 26-agreement Unitary Architecture and contractual framework, and is expressly subordinate in all respects to the Master Subscription Agreement (“MSA”) and the Data Processing Addendum (“DPA”), which hold absolute supremacy and prevent any clause drift. This Policy is incorporated by reference into the MSA and the DPA executed by our Customers. In the event of any inconsistency, the MSA and DPA prevail. We may update this Privacy Policy from time to time. Any material change will be communicated directly to our Customers and posted with the new effective date. All capitalized terms not defined herein have the meanings ascribed to them in the MSA or DPA.
In this Privacy Policy, the following terms have the meanings set out below:
“Company” means the federal corporation identified in the Master Subscription Agreement and its affiliates that process Personal Information.
“Client” means the subscriber to the Services.
“Controller” and “Processor” have the meanings assigned under PIPA and, where applicable, GDPR or CCPA/CPRA.
“Customer” means the legal entity that subscribes to our MSaaS offerings.
“DPA” means the Data Processing Addendum.
“End-User” means any individual whose Personal Information is processed by us on behalf of a Customer.
“MSA” means the Master Subscription Agreement.
“Personal Information” means information about an identifiable individual as defined under Applicable Privacy Laws.
“Sensitive Personal Information” includes health information, biometric data, and information about minors.
“Services” means the MSaaS platform, associated artificial-intelligence modules, cloud infrastructure, and professional services described in the Master Subscription Agreement.
We collect only the Personal Information that is necessary for the provision of the Services and for the legitimate operations of our business. When you or your End-Users interact with the Services, we may collect account and contact details (name, email address, telephone number, billing information); authentication credentials and usage logs; device and technical data (IP address, browser type, operating system); location data where required for regulatory compliance or service delivery; and any Personal Information uploaded or generated through the MSaaS platform, including health-related data where the Customer has elected HIPAA-aligned modules. We do not collect Personal Information beyond what is disclosed in this Privacy Policy or in the Data Processing Addendum.
We collect, use, and process Personal Information solely for the following purposes:
(a) to register and authenticate Customers and End-Users; (b) to deliver, maintain, and improve the MSaaS platform and any artificial-intelligence features; (c) to process payments and manage billing; (d) to communicate service-related notices and support requests; (e) to comply with legal and regulatory obligations, including anti-money-laundering, anti-spam, and data-sovereignty requirements; (f) to conduct internal audits, analytics, and product development (in aggregated, de-identified form wherever possible); and (g) to enforce our contractual rights under the Master Subscription Agreement.
We do not use Personal Information for any purpose that is incompatible with the purposes identified at the time of collection.
Our processing of Personal Information is based on:
(a) the consent of the individual or the Customer (obtained through clear, affirmative action such as clicking “I Agree” or explicit written instruction in an order form); (b) performance of our contractual obligations under the Master Subscription Agreement; (c) compliance with legal or regulatory obligations; or (d) other exceptions expressly permitted under Applicable Privacy Laws.
Consent is documented, time-stamped, and stored for audit. Individuals may withdraw consent at any time by contacting our Privacy Officer; withdrawal does not affect the lawfulness of processing that occurred before withdrawal. We do not rely on implied consent for Sensitive Personal Information; express consent is always required. We ensure consent is meaningful, informed, specific, and not obtained through deception or undue influence.
We take reasonable steps to ensure that Personal Information in our custody is accurate, complete, and up to date for the purposes for which it is used. Customers and End-Users may request correction of inaccurate information at any time. We will respond within thirty (30) days and will notify any third parties to whom the information has been disclosed where appropriate and required by law.
When we act as a service provider, we process End-User Personal Information strictly on the documented instructions of the Customer and in accordance with the Data Processing Addendum. We do not sell End-User Personal Information, nor do we use it for our own marketing purposes. The Customer remains the controller of such information; our role is limited to processing.
We act as a data controller with respect to the Personal Information of our direct Customers and prospective Customers, and as a data processor with respect to End-User Personal Information. In both capacities, we maintain a comprehensive information-security program, conduct regular privacy impact assessments, and keep records of processing activities as required by law. We designate a Privacy Officer who is accountable for our compliance program.
We implement and maintain administrative, technical, and physical safeguards appropriate to the sensitivity of the Personal Information. These include encryption in transit and at rest, multi-factor authentication, regular vulnerability scanning, access controls based on least privilege, and employee training. All processing of health-related or other high-risk data occurs within environments certified to ISO 27001, SOC 2, and HIPAA standards, where applicable. We contractually obligate our service providers and subcontractors to maintain equivalent safeguards to the extent we exercise direct control over them; with respect to the expandable WordPress.org ecosystem, third-party plugins, and infrastructure partners including Akamai Technologies, Inc., over which we exercise limited direct control, we maintain full vicarious accountability in accordance with the Master Subscription Agreement and the Data Processing Addendum.
We disclose Personal Information only in the following circumstances:
(a) to affiliates and authorised subcontractors bound by Applicable Privacy Laws (and, where required, contractual obligations that provide equivalent protections); (b) to professional advisers and auditors under strict confidentiality obligations; (c) to law-enforcement or regulatory authorities where required or permitted by law; and (d) to a successor in the event of a corporate reorganisation, provided the successor agrees to be bound by this Policy.
We never sell Personal Information.
All core Personal Information is stored in secure data centres located in Canada. Any transfer outside Canada occurs only under a written agreement that incorporates appropriate safeguards recognised by Canadian authorities (such as standard contractual clauses or equivalent) and only where necessary for service delivery or legal compliance. We maintain an up-to-date list of sub-processors and their locations, available to Customers upon request.
We retain Personal Information only for as long as is necessary to fulfil the purposes for which it was collected or to satisfy legal or contractual obligations. Upon expiry of the retention period, or upon a valid deletion request where permitted, we securely destroy or irreversibly de-identify the information using industry-standard methods.
Our platform uses strictly necessary cookies and similar technologies (“Essential”) to enable core functionality. We deploy analytics, functional and marketing cookies only with prior consent. If our artificial-intelligence modules make automated decisions that could materially affect an individual (including profiling), we provide prior notice, explain the underlying logic, and offer a meaningful opportunity for human review. Individuals may object to this automated processing.
Our Services are not directed to children under the age of thirteen (13) or to minors below the age of majority in their province of residence. We do not knowingly collect Personal Information from children. If we become aware that we have collected such information without verifiable parental consent, we will delete it promptly. Where provincial legislation imposes stricter rules (for example, under Quebec’s Law 25), we comply fully.
You have the right to:
(a) access your Personal Information; (b) request correction of inaccurate information; (c) withdraw consent (subject to contractual or legal limitations); (d) request deletion where permitted; (e) receive information about automated decision-making; and (f) object to processing based on legitimate purposes.
To exercise any of these rights, submit a verified request to our Privacy Officer at the contact details below. We will respond within thirty (30) days (or any shorter period required by law) at no charge, unless the request is manifestly unfounded or excessive. You also have the right to file a complaint with the Office of the Privacy Commissioner of Canada, the Alberta Information and Privacy Commissioner, or any other applicable provincial regulator(s).
In the event of a breach that creates a real risk of significant harm, we will notify affected individuals and the applicable regulator(s) (including the Office of the Privacy Commissioner of Canada and/or the Alberta Information and Privacy Commissioner) without unreasonable delay as required by Applicable Privacy Laws. We maintain an incident-response plan that includes containment, investigation, mitigation, and post-incident review.
We maintain a privacy management program that includes policies, training, audits, and breach-response procedures. Our designated Privacy Officer is responsible for compliance and can be contacted as follows:
Privacy Officer:
BRANDLIX INC.
Email: privacy@brandlix.ca
We will investigate and respond to every complaint within thirty (30) days. We will escalate any unresolved issues to the appropriate regulatory authority if requested.
This Policy is governed by the laws of the Province of Alberta and the federal laws of Canada applicable therein. If any provision is held to be invalid, the remainder continues in full force. Continued use of the Services after an update constitutes acceptance of the revised Policy.
This Policy does not limit any rights you may have under the Master Subscription Agreement or the Data Processing Addendum. In the event of any conflict, the Master Subscription Agreement prevails with respect to contractual obligations; this Policy governs our privacy commitments to individuals.
Approved and Issued by the Company
Effective: March 27, 2026
BRANDLIX INC.
© 2026 BRANDLIX INC. All Rights Reserved.
CAN-AB-MSaaS-PP-v5.0 / CR-0326