PRIVACY
Privacy policy
How Cyber Synth AI Inc. collects, uses, discloses, and protects personal information. Last updated: 10 July 2026.
1. Organisation identity
This privacy policy applies to personal information collected by Cyber Synth AI Inc. ("Cyber Synth AI", "we", "us", "our"), a Canadian corporation providing defensive AI cybersecurity consulting and security engineering services.
Registered address: 48 Camden Street, Suite 105, Toronto, ON M5V 1V1, Canada
Business Number: BN 693418570 RC0001
Website: cybersynthai.pro
General enquiries: [email protected]
Privacy Officer: [email protected]
2. Scope and applicability
This policy covers personal information we collect through cybersynthai.pro, enquiry and contact forms, email and telephone communications, client engagements, and related business activities. It applies to visitors, prospective clients, current clients, and individuals who communicate with our Toronto AI security studio.
Client engagements involving security logs, telemetry, and operational data are governed by additional contractual terms and data-processing agreements. Where a signed agreement conflicts with this policy regarding client operational data, the agreement prevails. This policy governs personal information about individuals — not anonymised or aggregated security telemetry used for detection engineering.
3. Legal framework
We comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. As an Ontario-based organisation serving clients across Canada, we follow PIPEDA's ten fair information principles: accountability, identifying purposes, consent, limiting collection, limiting use and disclosure, accuracy, safeguards, openness, individual access, and challenging compliance.
Where we process personal information of individuals in other jurisdictions, we apply comparable protections and honour applicable local requirements to the extent they apply to our activities.
4. Information we collect
4.1 Information you provide directly
When you submit our contact form, book a detection review, or correspond with us by email or phone, we may collect:
- Full name and job title
- Business email address and telephone number
- Organisation name and industry sector
- Enquiry subject and message content
- PIPEDA consent confirmation (timestamp and affirmative checkbox response)
- Any additional information you choose to provide about your security environment or project requirements
4.2 Client engagement data
During cybersecurity consultancy and detection engineering projects, we may process personal information contained within client-provided security logs, incident reports, identity and access management records, and communications. Such data is collected only with client authorisation, for defined project purposes, and under contractual confidentiality obligations. We analyse this data to deliver machine-learning threat detection, SOC automation, alert triage improvements, and related security engineering services.
4.3 Automatically collected information
When you visit cybersynthai.pro, our servers and optional analytics tools may collect:
- IP address (which may be considered personal information in some contexts)
- Browser type, device type, and operating system
- Pages visited, referring URL, and session duration
- Cookie identifiers and consent preferences (stored for six months)
See our cookie policy for details on cookies and opt-out mechanisms.
5. Purposes of collection and use
We collect and use personal information for the following identified purposes:
- Responding to enquiries: To reply to contact form submissions, schedule detection reviews, and provide information about our AI security studio services.
- Delivering services: To perform cybersecurity consultancy, threat modelling, ML threat detection development, SOC automation engineering, phishing detection system builds, model security reviews, and detection QA for client organizations.
- Contract administration: To prepare proposals, statements of work, invoices, and project communications.
- Legal and regulatory compliance: To meet record-keeping obligations, respond to lawful requests, and protect our legal rights.
- Website improvement: To analyse aggregated usage patterns and improve site content and functionality, where analytics cookies are accepted.
- Marketing communications: Only where you have provided explicit consent to receive updates about our detection engineering services. You may unsubscribe at any time.
We do not use personal information for purposes unrelated to those identified above without obtaining additional consent, except where permitted or required by law.
6. Consent
We obtain meaningful consent before collecting, using, or disclosing personal information, except where PIPEDA permits collection without consent (for example, certain legal compliance purposes or publicly available information used for purposes consistent with its publication).
Our contact form includes a PIPEDA consent checkbox that is not pre-checked. Submission without affirmative consent is rejected. You may withdraw consent for future processing by contacting our Privacy Officer, subject to legal or contractual restrictions on retention.
For client engagements, consent and authorisation for processing security logs and operational data is documented in the statement of work and data-processing terms agreed at project kickoff.
7. Limiting collection, use, and disclosure
We collect only personal information that is reasonably necessary for the identified purposes. We do not sell personal information to third parties. We do not disclose personal information to unrelated marketing lists or data brokers.
We may disclose personal information to:
- Service providers who assist with hosting, email delivery, analytics, or payment processing, under contractual obligations to protect data and use it only for specified purposes
- Professional advisors (legal, accounting) bound by confidentiality duties
- Law enforcement or regulatory authorities when required by valid legal process
- Successors in the event of a merger or acquisition, with notice to affected individuals where required
8. Handling of client security data and logs
Security logs, telemetry, and incident data provided by clients during engagements may contain personal information (usernames, IP addresses, email addresses, device identifiers). We handle such data with heightened care:
- Access is restricted to assigned senior security engineers and analysts on the project team
- Data is stored on encrypted systems with role-based access controls
- Processing is limited to delivering the contracted detection engineering, anomaly detection, SIEM tuning, or model security services
- Client data is not used to train models for other clients without explicit written consent
- Data is returned or securely destroyed at project end according to the statement of work
We maintain data governance practices aligned with PIPEDA and communicate retention schedules to clients during onboarding.
9. Cross-border data processing
Our primary hosting infrastructure is located in Canada. Some service providers (for example, email routing or analytics platforms) may process data in the United States or other jurisdictions. Where personal information is transferred outside Canada, we assess the receiving organisation's data protection practices and implement contractual safeguards consistent with PIPEDA's accountability principle. By submitting an enquiry or engaging our services, you acknowledge that limited cross-border processing may occur for operational purposes.
10. Retention
We retain personal information only as long as necessary to fulfil the purposes for which it was collected:
- Contact enquiries: Up to twenty-four months from last communication, unless a business relationship continues
- Client project records: Duration specified in the statement of work, typically three to seven years for contractual and tax records
- Security log data: Per client agreement; typically deleted or returned within thirty days of project completion unless ongoing retainer terms apply
- Cookie consent preferences: Six months, then re-prompted
- Analytics data: Aggregated retention per vendor policy, typically thirteen to twenty-six months
When retention periods expire, we securely delete or anonymise personal information.
11. Security safeguards
We implement administrative, technical, and physical safeguards appropriate to the sensitivity of the information we hold. Measures include access controls, encryption in transit (HTTPS/TLS), encrypted storage for client engagement data, employee confidentiality obligations, and incident response procedures for suspected data breaches.
No method of transmission or storage is completely secure. In the event of a breach involving personal information that creates a real risk of significant harm, we will notify affected individuals and the Office of the Privacy Commissioner of Canada as required by PIPEDA breach notification provisions.
12. Individual access and correction rights
Under PIPEDA, you have the right to:
- Request access to personal information we hold about you
- Request correction of inaccurate or incomplete information
- Withdraw consent for future processing, subject to legal and contractual limits
- Challenge our compliance with PIPEDA
To exercise these rights, contact our Privacy Officer at [email protected]. We will respond within thirty days, or inform you if an extension is required. We may request information to verify your identity before releasing records.
13. Office of the Privacy Commissioner of Canada
If you are unsatisfied with our response to a privacy concern, you may contact:
Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, QC K1A 1H3
Toll-free: 1-800-282-1376
Website: www.priv.gc.ca
14. Children's privacy
Our services and website are directed at business professionals and organisations. We do not knowingly collect personal information from individuals under sixteen years of age.
15. Third-party links
Our website may contain links to external sites. We are not responsible for the privacy practices of third-party websites. We encourage you to review their privacy policies before providing personal information.
16. Changes to this policy
We may update this privacy policy to reflect changes in our practices, services, or legal requirements. The "Last updated" date at the top of this page indicates the most recent revision. Material changes will be posted on cybersynthai.pro. Continued use of our website after changes constitutes acceptance of the updated policy for website-related processing.
17. Contact the Privacy Officer
For any privacy-related questions, access requests, or complaints:
Privacy Officer
Cyber Synth AI Inc.
48 Camden Street, Suite 105
Toronto, ON M5V 1V1, Canada
Email: [email protected]
Phone: +1 (416) 428-9153