Privacy Policy

Secrecy Evolution Inc.  ·  Effective: June 6, 2026  ·  Replaces: August 25, 2025 version

💡 Quick summary: We collect only what we need to serve you, we never sell your data, we name every third-party service that touches it, and we will notify you promptly if anything goes wrong. Questions? Email info@secevol.com.

1. About Secrecy Evolution & This Policy

Secrecy Evolution Inc. (“Secrecy Evolution,” “we,” “our,” or “us”) is a federally incorporated cybersecurity compliance consulting firm based in Mississauga, Ontario, Canada. We provide ISO 27001 gap assessments, cyber insurance readiness reviews, cybersecurity architecture reviews, and virtual CISO (vCISO) services to Ontario and Canadian businesses.

This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with our website at secevol.com, our contact and inquiry forms, our client engagements, and our free open-source browser extension, CyberPeace.

This Policy is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Canadian provincial privacy laws. By using our website or services, you acknowledge this Policy.

2. Privacy Officer

Secrecy Evolution has designated a Privacy Officer responsible for overseeing compliance with this Policy and PIPEDA.

Privacy Officer: Satvir Matharu, Founder & Principal Consultant
Email: info@secevol.com
Phone: +1 (365) 333-2377
Address: 350 Burnhamthorpe Road West, Unit 200, Mississauga, ON L5B 3J1

All privacy inquiries, access requests, correction requests, and complaints should be directed to the Privacy Officer.

3. Information We Collect

Website forms

When you submit a risk assessment scorecard or inquiry form on our website, we collect the information you provide: name, email address, phone number (if provided), company name, and your responses. This data is stored in our WordPress database hosted by Automattic (WordPress.com) and processed by Fluent Forms (WPManageNinja LLC).

Direct contact

When you contact us directly by email or phone, we collect the contact information and message content you provide.

Client engagements

When you engage Secrecy Evolution for consulting services, we may collect: business contact details, information about your IT environment and security posture, documentation relevant to the scope of assessment, and any personal information contained within materials you share with us in the course of the engagement.

Website analytics

We collect anonymised usage data through Google Analytics, including pages visited, time on site, browser type, and approximate geographic region. IP addresses are anonymised before storage. We have implemented Google Consent Mode v2 so analytics data is not collected until you accept analytics cookies.

Live chat

If you interact with our live chat widget (Tawk.to), your messages and any contact details you provide are processed by Tawk.to on our behalf. The chat widget is not loaded until you accept live chat cookies via our consent banner.

What we do not collect

We do not collect payment card information through our website. We do not collect special categories of sensitive personal data (health, financial account numbers, SINs) unless directly relevant to an engagement and shared at your initiation.

4. How We Use Your Information

  • To respond to inquiries, consultation requests, and service proposals
  • To deliver cybersecurity compliance consulting services you have engaged us for
  • To produce gap assessments, readiness reports, and recommendations
  • To send educational content, guides, or service updates only if you have opted in
  • To improve our website, content, and service delivery based on anonymised analytics
  • To comply with legal, regulatory, and contractual obligations

We never sell, rent, or trade your personal information to any third party for marketing purposes.

5. Third-Party Service Providers

We work with the following third-party service providers that may process personal data on our behalf. Each is bound by contractual data protection obligations consistent with PIPEDA.

| Provider | Purpose | Data Location | Privacy Policy |
|---|---|---|---|
| Automattic (WordPress.com) | Website hosting and content management. All form submissions and site data are stored on WordPress.com servers. | USA (standard contractual protections) | automattic.com/privacy |
| WPManageNinja LLC (Fluent Forms) | Contact form and risk scorecard submissions. Form data is stored in the WordPress database hosted by Automattic. | USA (via WordPress.com) | wpmanageninja.com/privacy-policy |
| Google LLC (Google Analytics / Site Kit) | Anonymised website analytics. Only activated after cookie consent is granted. | USA | policies.google.com/privacy |
| Tawk.to Inc. | Live chat widget. Only loaded after cookie consent is granted. | USA / EU | tawk.to/privacy-policy |
| WPCode / Imtiaz Ahmad | Code snippet management (no personal data processed) | N/A | N/A |
| Rank Math SEO (MyThemeShop) | Search engine optimisation metadata (no personal data) | N/A | N/A |

We do not authorise any of these providers to use your personal information for their own marketing purposes.

6. Cookies & Tracking Technologies

Our website uses cookies. When you first visit secevol.com, a cookie consent banner allows you to accept or decline non-essential cookies. Your choice is stored as an HTTP cookie and in your browser’s local storage, and persists for 12 months. You can change your preference at any time using the “Cookie Preferences” link in our site footer.

| Category | Description | Loaded before consent? | Can be declined? |
|---|---|---|---|
| Essential | WordPress session management, security tokens, and cookie consent preference storage. Required for the site to function. | Yes — required | No |
| Analytics | Google Analytics (via Google Consent Mode v2). Anonymised page visits, session duration, and traffic sources. IP anonymisation is enabled. | No — blocked until accepted | Yes — decline in banner |
| Live Chat | Tawk.to chat widget. Enables live chat support. Widget is hidden until consent is granted. | No — blocked until accepted | Yes — decline in banner |

You can also manage cookies through your browser settings at any time.

7. International Data Transfers

Some of our service providers operate servers in the United States. When your personal information is transferred outside Canada:

  • WordPress.com (Automattic): Governed by Automattic’s Privacy Policy. Automattic participates in the EU-US Data Privacy Framework where applicable.
  • Google Analytics: Google LLC is certified under applicable cross-border data transfer frameworks. IP anonymisation is enabled and Consent Mode v2 is implemented.
  • Tawk.to: Data may be processed in the USA and EU under Tawk.to’s standard data protection agreements.
  • Fluent Forms (WPManageNinja): Form data is stored within our WordPress.com database (Automattic); no separate cross-border transfer beyond Automattic.

By using our website, you acknowledge that your data may be processed in jurisdictions outside Canada. We take reasonable steps to ensure your information receives equivalent protection.

8. Data Security

Secrecy Evolution implements security safeguards appropriate to the sensitivity of personal information we handle:

  • Encrypted data transmission (HTTPS / TLS) on all website communications
  • Role-based access controls limiting who can access personal information
  • Multi-factor authentication (MFA) on all administrative accounts
  • Regular security assessments of our own systems and third-party integrations
  • Secure deletion of personal data when retention periods expire

⚠ No system is 100% secure. While we take reasonable measures to protect your information, we cannot guarantee absolute security.

9. Data Retention

| Data Type | Retention Period | Reason |
|---|---|---|
| Website form submissions (Fluent Forms) | 2 years from submission | Follow-up and relationship management |
| Direct email/phone contact records | 2 years from last contact | Follow-up and relationship management |
| Client engagement files | 7 years from engagement end | Legal, contractual, and tax obligations |
| Google Analytics data | 26 months | Google Analytics default; anonymised |
| Live chat transcripts (Tawk.to) | 12 months | Service continuity |
| Breach records | 24 months minimum | PIPEDA mandatory breach record-keeping |
| Cookie consent records | 12 months | Demonstrate consent compliance |

When data is no longer required, it is securely deleted or anonymised. You may request earlier deletion subject to our legal obligations (see Section 11).

10. Breach Notification

In the event of a breach of security safeguards involving your personal information, Secrecy Evolution will act in accordance with PIPEDA’s mandatory breach notification requirements:

  • Assessment: We will promptly assess whether the breach creates a real risk of significant harm to affected individuals.
  • OPC Notification: If a real risk of significant harm exists, we will report the breach to the Office of the Privacy Commissioner of Canada without unreasonable delay (target: within 72 hours of determination).
  • Individual Notification: We will notify affected individuals directly as soon as feasible. Notification will include: what happened, what information was involved, steps we are taking, and what you can do to protect yourself.
  • Record-Keeping: We maintain a record of all breaches for a minimum of 24 months regardless of whether the breach met the reporting threshold.

To report a suspected privacy incident involving your information, contact our Privacy Officer at info@secevol.com.

11. Your Rights Under PIPEDA

You have the following rights with respect to your personal information held by Secrecy Evolution:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request that we correct inaccurate or incomplete information.
  • Withdrawal of consent: Withdraw consent to our use of your personal information at any time, subject to legal or contractual restrictions.
  • Deletion: Request deletion of your personal information, subject to our legal retention obligations.
  • Complaint: File a complaint about our privacy practices (see Section 16).

We will respond to all rights requests within 30 days. Contact our Privacy Officer at info@secevol.com. We may ask you to verify your identity before processing your request.

12. Quebec Law 25

Quebec’s Act respecting the protection of personal information in the private sector (Law 25 / Bill 64), fully in force since September 2023, applies to personal information about Quebec residents. Key Law 25 requirements we adhere to: a designated Privacy Officer (Section 2), a published privacy policy meeting Quebec requirements (this document), and breach notification to the Commission d’accès à l’information (CAI) within 72 hours for high-risk breaches.

13. CyberPeace Browser Extension

CyberPeace is a free, open-source privacy browser extension developed by Secrecy Evolution. It is published on GitHub at github.com/SatvirMatharu/cyberpeace.

🛡 CyberPeace collects zero personal data. It makes no external network calls, transmits nothing to Secrecy Evolution or any third party, and requires no account. All processing happens locally in your browser. See our CyberPeace Privacy Policy for full details.

14. Children’s Privacy

Our website and services are directed at business professionals and are not intended for individuals under 18. We do not knowingly collect personal information from children. Contact info@secevol.com if you believe this has occurred.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page. Continued use of our website or services after changes are posted constitutes acceptance of the updated Policy.

16. Contact & Complaints

Satvir Matharu, Privacy Officer
Secrecy Evolution Inc.
350 Burnhamthorpe Road West, Unit 200
Mississauga, ON L5B 3J1
info@secevol.com
+1 (365) 333-2377

We will acknowledge your request within 5 business days and respond fully within 30 days.

If not satisfied, escalate to the Office of the Privacy Commissioner of Canada (OPC): priv.gc.ca  |  1-800-282-1376

Quebec residents may also contact the Commission d’accès à l’information (CAI) at cai.gouv.qc.ca.