PRIVACY POLICY

Effective Date

24 March 2026

Last Updated

24 March 2026

1. Who We Are

CASTELLAR ("Castellar," "we," "us," or "our") is a Canadian business-to-business consulting firm. This Privacy Policy explains how we collect, use, disclose, store, and protect personal information when you visit our website, communicate with us, engage us for consulting services, attend our events, or otherwise interact with our business. As a Canadian company, we aim to handle personal information in accordance with applicable Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, substantially similar provincial private-sector privacy laws.

This Policy is intended for professional and commercial interactions. In many cases, the information we process relates to business contacts, client representatives, prospective clients, suppliers, partners, and website users acting in a professional capacity.

2. Scope

This Policy applies to personal information collected through our website, contact forms, email communications, video calls, events, newsletters, proposals, contracts, client onboarding, project delivery, invoicing, recruitment, and other related business operations. It does not apply to third-party websites, platforms, or services that we do not control, even where those services are linked from our website or used in connection with our work.

Where required by applicable law, we will provide supplemental notices for specific services, jurisdictions, or processing activities.

3. Personal Information We Collect

We collect only the personal information reasonably necessary for our business operations and service delivery. Depending on how you interact with us, this may include:

· Identity and contact details, such as your name, business email address, telephone number, company, business address, and job title.

· Professional and commercial information, such as company sector, market focus, project requirements, engagement history, purchasing information, and records relating to consulting assignments.

· Communications data, such as the content of emails, meeting requests, form submissions, call notes, correspondence, and feedback.

· Technical and usage data, such as IP address, browser type, device information, referring pages, approximate geolocation, website pages visited, and interaction data collected through cookies or analytics tools.

· Payment and billing information, such as billing contact details, invoice information, and limited payment-related data handled directly or through payment processors.

· Recruitment data, where applicable, such as CVs, resumes, employment history, references, and other information submitted as part of a job application.

4. Sources of Information

We collect personal information directly from you, from your employer or organization, from publicly available professional sources such as company websites or professional networking platforms, from referrals and business partners, and from service providers that support our website, scheduling, communications, analytics, CRM, or project delivery functions.

5. How We Use Personal Information

We use personal information for legitimate business purposes, including to operate our website, respond to enquiries, prepare proposals, provide consulting services, manage client and supplier relationships, arrange meetings, administer contracts, process invoices, maintain records, improve our website and service offering, send business communications, recruit personnel, protect our systems, prevent fraud, and comply with legal or regulatory obligations.

Where required by law, we will rely on consent for specific activities, including certain marketing communications and non-essential cookies.

6. Canadian Privacy Compliance and Other Applicable Laws

As a Canadian company, our handling of personal information is governed primarily by applicable Canadian privacy laws, including PIPEDA and, where relevant, substantially similar provincial private-sector laws, such as those in British Columbia, Alberta, and Quebec. Where we collect, use, or otherwise process personal information relating to individuals in other jurisdictions, we will also comply with applicable local laws to the extent they apply to the relevant activity.

Where laws such as the EU General Data Protection Regulation (GDPR) or the UK GDPR apply, we may process personal data on one or more of the following bases: your consent, performance of a contract, steps requested before entering into a contract, compliance with a legal obligation, and our legitimate interests in operating, securing, and developing a professional consulting business, provided those interests are not overridden by your rights.

Where we rely on consent, you may withdraw that consent at any time, subject to legal or operational limits.

7. Cookies, Analytics, and Similar Technologies

Our website may use cookies and similar technologies to ensure the site functions properly, remember preferences, understand website traffic, and improve performance. Where required by law, non-essential cookies will be used only after obtaining your consent through an appropriate consent mechanism.

Depending on how our website is configured, we may use third-party tools such as website analytics platforms, scheduling tools, CRM integrations, and embedded content providers. These third parties may collect information in accordance with their own privacy notices.

You can usually control cookies through your browser settings. Disabling some cookies may affect website functionality.

8. Marketing Communications

We may send business updates, newsletters, event notices, or service-related communications to individuals who have requested information from us, engaged with us in a professional capacity, or otherwise provided consent where required. We aim to comply with applicable marketing and anti-spam laws, including Canada's Anti-Spam Legislation (CASL) where applicable. You can opt out of marketing emails at any time by using the unsubscribe link in the email or by contacting us at connect@castellar.ca.

We may still send non-marketing messages necessary for our business relationship, including responses to enquiries, service notices, billing information, or contractual communications.

9. Disclosure of Personal Information

We do not sell personal information. We may disclose personal information only where reasonably necessary for business purposes, including to:

· service providers and processors who host, support, secure, analyze, or administer our systems and services;

· professional advisers, including legal, accounting, audit, insurance, and compliance advisers;

· business partners, subcontractors, or specialist consultants engaged to support a project, where appropriate and subject to contractual controls;

· payment providers, cloud providers, CRM providers, scheduling platforms, and communications platforms;

· courts, regulators, law enforcement, or other authorities where disclosure is required or permitted by law; and

· a buyer, investor, successor, or other relevant party in connection with a merger, acquisition, reorganization, financing, or sale of all or part of our business.

Where we disclose personal information to vendors or partners acting on our behalf, we take reasonable steps to ensure they are bound by confidentiality and data protection obligations appropriate to the circumstances.

10. International and Cross-Border Processing

We are based in Canada, but we may use service providers or work with clients, partners, or contractors in other countries. As a result, personal information may be accessed, processed, or stored outside the province or country in which it was originally collected, including outside Canada.

Where required by applicable law, we implement appropriate safeguards for cross-border processing and transfers. These may include contractual protections, data processing agreements, confidentiality obligations, access controls, vendor due diligence, and other reasonable security measures. Where Quebec or other laws require additional assessments or safeguards before personal information is communicated outside the jurisdiction, we will address those requirements as applicable. Personal information transferred to another jurisdiction may be subject to lawful access by courts, regulators, law enforcement, or national security authorities in that jurisdiction.

11. Data Retention

We retain personal information only for as long as reasonably necessary for the purposes described in this Policy, including to provide services, maintain business and financial records, resolve disputes, establish or defend legal claims, meet tax and accounting obligations, enforce agreements, and comply with legal requirements.

Retention periods may vary depending on the nature of the relationship, the sensitivity of the information, applicable limitation periods, and statutory obligations. When information is no longer required, we will securely delete, anonymize, or de-identify it, where appropriate.

12. Security and Incident Response

We maintain reasonable administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, use, disclosure, alteration, or loss. These measures may include role-based access controls, password protections, encryption in transit where appropriate, secure third-party platforms, staff confidentiality obligations, and procedures for incident response and vendor oversight.

No method of transmission over the internet or electronic storage is completely secure. Accordingly, while we take reasonable precautions, we cannot guarantee absolute security.

If a privacy or security incident involving personal information occurs, we will assess it promptly and take steps required by applicable law, which may include containment, investigation, notification, reporting, and recordkeeping.

13. Your Privacy Rights

Depending on your location and the laws that apply, you may have rights in relation to your personal information. These may include the right to request access to the personal information we hold about you, request correction, request deletion, object to or restrict certain processing, withdraw consent where processing is based on consent, request portability of certain data, or make a complaint to a regulator.

For individuals in Canada, privacy rights may arise under PIPEDA or applicable provincial private-sector privacy laws. In general, this may include rights to request access to personal information, request correction of inaccurate information, withdraw consent where applicable, and make a complaint to the relevant privacy regulator. Individuals in the EEA, the UK, and certain U.S. states may have additional rights where those laws apply.

To exercise applicable rights, please contact us using the details below. We may need to verify your identity before responding. We will respond within the time required by applicable law, subject to lawful exemptions and practical limitations.

14. Additional U.S. State Disclosures Where Applicable

Where U.S. state privacy laws apply to our processing, eligible individuals may have rights to know what categories of personal information we collect, use, disclose, or retain; request deletion or correction; obtain a copy of certain information; and receive equal service for exercising applicable rights. We do not sell personal information and do not share personal information for cross-context behavioral advertising unless expressly stated otherwise in a separate notice or consent tool.

Authorized agents may submit requests where permitted by law, subject to verification requirements.

15. Children

Our services and website are intended for professional business use and are not directed to children. We do not knowingly collect personal information from children.

16. Third-Party Services and Links

Our website and operations may use or link to third-party services, software, plug-ins, and websites. Those third parties operate under their own terms and privacy practices. We encourage you to review their privacy notices before providing information through or to those services.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in law, technology, our services, or our data practices. When we make changes, we will update the 'Last Updated' date at the top of this document. Material changes will be communicated in a manner appropriate to the circumstances.

18. Contact Us

If you have any questions, requests, or complaints regarding this Privacy Policy or our handling of personal information, please contact:

CASTELLAR

· Email: connect@castellar.ca

Individuals outside Canada may also contact their local regulator, data protection authority, or attorney general, where applicable.