ClearBreach

Privacy Policy

Last updated: July 2026

Who we are

ClearBreach Technologies Inc. (“ClearBreach”, “we”, “us”) is an Alberta corporation providing automated privacy breach assessment services to Canadian small and medium-sized organizations and managed service providers. We are subject to the Alberta Personal Information Protection Act (Alberta PIPA) for intraprovincial commercial activity, and to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) for cross-border and interprovincial commercial activity.

What information we collect and why

Waitlist signups (clearbreach.ca)

If you submit your email address on our early access page, we collect your email address for the sole purpose of notifying you when ClearBreach launches. We do not collect any other information at this stage.

Subscriber accounts (app.clearbreach.ca)

When you subscribe to ClearBreach, we collect your name, email address, organization name, and registered province. This information is required to create your account, process your payment through Stripe, and provide the service.

Assessment sessions

Breach assessment answers never leave your browser.The ClearBreach assessment wizard runs entirely in your browser. Your answers to the assessment questions are stored only in your browser’s session storage and are never transmitted to our servers. We record only anonymized assessment metadata — the verdict (BELOW_RROSH or RROSH), which privacy frameworks were evaluated, your operating provinces, and your assessment count — for service operation and to enforce the per-year assessment limit included in your subscription.

Usage and technical data

We collect standard server logs (IP address, browser type, pages visited, timestamps) for security monitoring and service operation. We do not use third-party analytics platforms that track individual behaviour across websites.

Cookies and similar technologies

We use a small number of essential cookies and similar technologies that are necessary to operate the Service — for example, to keep you signed in (authentication and session cookies) and to remember your assessment progress within your browser. We do not use advertising cookies or third-party cookies that track you across other websites. You can control or delete cookies through your browser settings; disabling essential cookies may prevent parts of the Service from working.

How we use your information

  • To provide and operate the ClearBreach service
  • To process payments and manage your subscription
  • To send transactional email (account setup, password reset, renewal reminders)
  • To notify waitlist subscribers when ClearBreach launches
  • To send triggered regulatory notifications to subscribers
  • To respond to support and privacy inquiries

Your consent

We collect, use, and disclose your personal information with your knowledge and consent, except where permitted or required by law. By using ClearBreach, you consent to the collection and use of your personal information as described in this policy. You may withdraw your consent at any time, subject to legal and contractual restrictions (see Your rights under Alberta PIPA and PIPEDA below).

Email communications and CASL consent

ClearBreach complies with Canada’s Anti-Spam Legislation (CASL). We send commercial electronic messages only to individuals who have provided express consent.

  • Waitlist subscribers consent to receive a one-time launch notification by submitting their email address on our early access page.
  • ClearBreach subscribers consent to receive subscription-related communications and triggered regulatory notifications by purchasing a subscription, as disclosed at the point of purchase.

You may withdraw consent at any time by clicking the unsubscribe link in any email or by contacting us at hello@clearbreach.ca. Unsubscribing from email communications does not cancel your subscription or affect your access to the assessment tool.

How we share and disclose your information

We do not sell, rent, or trade your personal information. We disclose your personal information only to the service providers described below, and we may disclose it where required or permitted by law — for example, in response to a valid court order, subpoena, or legal process, or where reasonably necessary to protect the rights, safety, or property of ClearBreach or others.

Third-party service providers

We use the following third-party service providers to operate ClearBreach. Each provider processes personal information only as necessary to deliver the service and is bound by contractual data protection obligations.

ProviderJurisdictionPurposeData processed
Stripe Inc.USAPayment processingPayment card information and billing details. ClearBreach does not store payment card information. Stripe privacy policy →
Amazon Web Services (AWS SES)Canada (ca-central-1)Transactional email deliveryEmail address and email content (account setup, password reset, renewal reminders, payment failure notifications, triggered regulatory notifications). Does not process breach assessment content.
Microsoft CorporationCanada (Toronto / Quebec City)Staff email hostingClearBreach staff correspondence at @clearbreach.ca addresses.
DigitalOcean LLCCanadaApplication and database hostingSubscriber account data and application data, hosted on servers located in Canada.

US CLOUD Act: Amazon Web Services and Microsoft Corporation are US-incorporated entities and may be subject to the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which permits US law enforcement to compel production of data stored outside the United States. Email delivery (AWS SES) and staff email (Microsoft 365) are processed in Canadian data centres.

Data residency and cross-border transfers

The ClearBreach application and subscriber database are hosted in Canada (DigitalOcean). Transactional email is processed by AWS SES in the ca-central-1 (Canada) region. Payment processing is handled by Stripe, a US-based provider. By using ClearBreach, you acknowledge that your billing and account information may be transferred to and processed in the United States in connection with Stripe. Microsoft 365 and AWS SES process data in Canadian data centres but are US-incorporated entities subject to the US CLOUD Act. Breach assessment answers are never transferred — they remain in your browser only.

Data retention

  • Waitlist email addresses — retained until ClearBreach launches and the launch notification is sent, after which they are removed from the waitlist audience within 90 days.
  • Subscriber account data — retained for the duration of your subscription and for 24 months following cancellation, after which it is deleted.
  • Assessment records — anonymized assessment metadata (verdict tier, frameworks evaluated, operating provinces, assessment count) are retained for 24 months, consistent with PIPEDA breach record-keeping requirements.

Your rights under Alberta PIPA and PIPEDA

You have the right to request access to the personal information we hold about you, to request correction of inaccurate information, and to withdraw consent to our use of your personal information (subject to legal and contractual restrictions). These rights exist under both Alberta PIPA (ss.24, 28) and PIPEDA (Principles 9 and 3).

To exercise these rights, contact our Privacy Officer at privacy@clearbreach.ca. We will respond within 30 days for PIPEDA requests and within 45 days for Alberta PIPA requests, as required by each statute.

How to file a privacy complaint

If you believe ClearBreach has not handled your personal information in accordance with Alberta PIPA or PIPEDA, you may file a complaint with our Privacy Officer at privacy@clearbreach.ca. Please describe the nature of your concern and the personal information involved. We will acknowledge receipt of your complaint and respond within 30 days.

If you are not satisfied with our response, you may escalate your complaint to the applicable regulator:

  • Alberta PIPA complaints — Office of the Information and Privacy Commissioner of Alberta (OIPC Alberta) at oipc.ab.ca
  • PIPEDA complaints — Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca

Security

We implement appropriate technical and organizational safeguards to protect personal information against unauthorized access, disclosure, or loss. These include encrypted data transmission (TLS), database access controls, and the privacy-by-design architecture that keeps breach assessment answers in your browser only.

In the event of a breach of security safeguards involving your personal information that creates a real risk of significant harm, we will notify affected individuals and the applicable regulator (the OPC and/or OIPC Alberta) as required by PIPEDA and Alberta PIPA, and maintain records of the breach as required by law.

Children

ClearBreach is a business tool and is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us at privacy@clearbreach.ca and we will delete it.

Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated to subscribers by email. The date at the top of this page reflects the most recent update.

Contact

General inquiries: hello@clearbreach.ca
Privacy inquiries and access requests: privacy@clearbreach.ca

ClearBreach Technologies Inc.
Alberta, Canada