// Legal

Privacy Policy

Last updated: April 29, 2026

This Privacy Policy explains how Baseline Security (“we,” “us,” “our”) collects, uses, and protects personal information when you visit baselinesecurity.io or engage with our advisory services.

1. Who we are

Baseline Security is a private cybersecurity, privacy, and IT advisory practice operating from Montreal, Quebec, Canada. For privacy questions, write to [email protected].

2. Information we collect

Information you provide directly

When you submit our contact form, we collect: your name, email address, company name, organizational stage, and the content of your message. We collect this information only when you choose to provide it.

Information collected automatically

When you visit baselinesecurity.io, our hosting and edge-security infrastructure (Cloudflare) automatically collects technical information including IP address, browser user-agent, referring URL, and pages visited. This is used for site security, performance, and aggregate analytics.

Cookies and similar technologies

See our Cookie Policy for details on the cookies and similar technologies used on this site.

3. How we use information

  • To respond to inquiries and deliver services you request
  • To provide, secure, and improve baselinesecurity.io
  • To comply with legal and regulatory obligations
  • To detect, prevent, and respond to fraud or security incidents

4. Legal basis for processing

Where required by law (including the EU/UK GDPR, Quebec Law 25, and Canada’s PIPEDA), we rely on the following legal bases:

  • Consent: when you submit the contact form or subscribe to updates
  • Legitimate interest: for site security, fraud prevention, and aggregate analytics that do not materially impact your privacy
  • Contractual necessity: to deliver services under a signed engagement
  • Legal obligation: when retention or disclosure is required by applicable law

5. Sharing your information

We do not sell, rent, or trade personal information. We share data only with vetted service providers operating under written data processing agreements:

  • Cloudflare, Inc.: hosting, DNS, edge security, and privacy-focused web analytics (United States). Cloudflare Web Analytics is cookieless and does not collect personal data. See our Cookie Policy for details.
  • Resend: transactional email delivery for contact form notifications (United States)
  • Zoho Corporation: inbound business email (Canada / India)

We may also disclose information when required by law, court order, or to protect rights, property, or safety.

6. International data transfers

Where personal data is transferred outside Canada or the EEA/UK, we rely on Standard Contractual Clauses, adequacy decisions, or equivalent safeguards permitted by applicable law.

7. Retention

  • Contact form submissions: retained for the lifetime of any resulting engagement and up to 36 months thereafter, unless you request earlier deletion.
  • Server and security logs: rotated within 30 days.
  • We delete information sooner upon valid request, unless retention is legally required.

8. Your rights

Depending on where you live, you may have the right to access, correct, delete, port, restrict, or object to the processing of your personal information. Quebec residents have these rights under Law 25; EU/UK residents under GDPR; other Canadian residents under PIPEDA; California residents under the CCPA/CPRA.

To exercise any of these rights, email [email protected]. We respond within 30 days. If we cannot resolve a complaint, you may have the right to file a complaint with your data protection authority (e.g., the Commission d’accès à l’information du Québec, the Office of the Privacy Commissioner of Canada, or your EU/UK supervisory authority).

9. Security

We protect personal information using technical and organizational measures aligned with the standards we recommend to clients, including encryption in transit and at rest, least-privilege access controls, multi-factor authentication, and a documented incident response process. No method of transmission or storage is 100% secure; we work to continuously improve our controls.

10. Children

This site is intended for business audiences and is not directed to individuals under 16. We do not knowingly collect personal information from children.

11. Changes to this Policy

We may update this Policy. The “Last updated” date above reflects the most recent change. Material changes will be highlighted on this page for at least 30 days.

12. Contact

Baseline Security
5455 Av. de Gaspé
Montreal, QC H2T 3B3, Canada
[email protected]

Back to home