Privacy Policy
How ShadeSec Inc. collects, uses, and protects personal information.
Effective 2026-04-18
1. Introduction
This Privacy Policy describes how ShadeSec Inc. ("we", "us") handles personal information when you use Control+S (the "Service"), visit our websites, or communicate with us. We are committed to handling personal information in accordance with the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Act respecting the protection of personal information in the private sector, as amended by Law 25 ("Law 25"), the EU and UK General Data Protection Regulation (GDPR), and other applicable privacy laws.
2. Privacy Officer and contact
We have designated a person accountable for our privacy practices as required by PIPEDA and Law 25.
- Privacy Officer: Anouar Mansour
- Email: contact@controls.run
- Mail: ShadeSec Inc., Toronto, Ontario, M6K 3N4, Canada
Please contact the Privacy Officer with any questions, concerns, or requests about this policy or your personal information.
3. Our roles: Controller and Processor
The Service is offered to organizations ("Customers"). Depending on what information is at issue, we act either as a data controller or as a data processor.
When we are the Controller
We are the controller of personal information that relates to you as an individual account holder — for example, your name, email address, job title, authentication credentials, device and usage metadata, and billing information. We determine the purposes and means of processing this information.
When we are a Processor
When a Customer uploads evidence, assessments, mappings, or other organizational content ("Customer Content") to the Service, the Customer is the controller of any personal information contained in that content, and we process that information on the Customer's instructions. If you are an end user interacting with a Customer's workspace, please consult that Customer's privacy policy for how they handle personal information about you.
4. Information we collect
Account and profile
Email address, name, avatar, company name, job title, organization roles, and preferences. We record when you accept our Terms and which authentication method you use (magic link, password, or SSO).
Usage and device data
Log data about how you use the Service, such as timestamps, features accessed, IP address, browser, and operating system. We use this to secure the Service, diagnose issues, and understand aggregate usage.
Customer Content
Evidence files, documents, control assessments, AI-generated summaries and mappings, tags, and related metadata that Customers or their authorized users upload or create. This content may contain personal information that the Customer chooses to include.
Billing
Billing address, payment method information (handled by our payment providers — we do not store full card numbers), subscription status, and usage metering records.
Communications
Emails you send us, support tickets, and feedback you submit through the product.
5. How we use personal information
- to provide, secure, and operate the Service, including authentication and access control;
- to process evidence with AI and return suggested control mappings and maturity scores;
- to communicate with you about the Service, including transactional emails, invitations, and security notices;
- to bill you, collect payments, and maintain records for accounting and tax purposes;
- to detect, investigate, and prevent fraud, abuse, and security incidents;
- to improve and develop the Service, using de-identified or aggregated data where possible;
- to comply with legal obligations and to enforce our Terms.
We do not use Customer Content to train generative AI models.
6. Legal bases (EEA, UK, and Switzerland)
Where the GDPR, the UK GDPR, or the Swiss Federal Act on Data Protection applies, we rely on the following legal bases:
- Contract — to provide the Service you requested and to bill for it.
- Legitimate interests — to secure the Service, prevent abuse, improve our product, and communicate with users about service-related matters.
- Consent — for specific purposes where we ask for it, such as optional communications. You can withdraw consent at any time.
- Legal obligation — to comply with laws that apply to us, such as tax and corporate records requirements.
7. Sharing and subprocessors
We do not sell personal information. We share it only with trusted service providers that help us operate the Service, under contracts that require them to protect the information and process it only on our behalf. A current list of our subprocessors, including their purpose and data location, is published on our Trust page.
We may also disclose personal information (a) to comply with a legal obligation, court order, or government request; (b) to protect the rights, property, or safety of ShadeSec, our users, or others; or (c) in connection with a merger, acquisition, financing, or sale of assets, in which case we will take reasonable steps to ensure it remains protected.
8. International transfers
ShadeSec Inc. is based in Canada, which the European Commission recognizes as providing adequate protection for personal data transferred from the EEA (Commission decision 2002/2/EC); the UK and Switzerland recognize Canada on a similar basis. Our subprocessors are primarily located in the United States. When personal information leaves the EEA, the UK, or Switzerland for a country without such recognition, we rely on mechanisms such as the European Commission's Standard Contractual Clauses or the UK Addendum, as applicable, and carry out transfer impact assessments where those mechanisms require them. Before communicating personal information outside Quebec, we conduct the privacy impact assessment required by Law 25.
9. Retention
We retain personal information only as long as necessary for the purposes described in this policy, including legitimate business, accounting, and legal needs.
- Account data — for as long as your account is active, and up to 90 days after deletion to allow for recovery and dispute handling.
- Customer Content — for as long as needed to provide the Service and for the retention period described in the applicable Service terms or agreement. Customers should download supported reports, evidence files, or workspace data they need before termination. After termination, we delete Customer Content from live systems within 90 days, except where law requires retention.
- Billing records — for the period required by applicable tax and accounting law (typically 6 to 7 years).
- Backups — retained on a rolling cycle, typically 30 days, after which information deleted from live systems also ages out of backups.
- Security logs — up to 12 months, or longer if needed to investigate an incident.
10. Your rights
Depending on where you live, you may have the following rights:
- Access — to obtain a copy of the personal information we hold about you.
- Correction — to ask us to correct information that is inaccurate or incomplete.
- Deletion — to ask us to delete personal information in specified circumstances.
- Portability — to receive certain information in a structured, commonly used format (Law 25 and GDPR).
- Restriction or objection — to ask us to limit processing, or to object to processing based on legitimate interests.
- Withdraw consent — where processing is based on your consent.
- Automated decisions — to request human review of a decision that has a significant effect on you and is based solely on automated processing. We do not make such decisions about users of the Service.
To exercise a right, email contact@controls.run. We will respond within the timeframes required by applicable law (typically 30 days). We may need to verify your identity before acting on a request. If your personal information is part of Customer Content controlled by an organization, we will refer your request to that organization.
You also have the right to lodge a complaint with a supervisory authority: the Office of the Privacy Commissioner of Canada (priv.gc.ca), the Commission d'accès à l'information du Québec (cai.gouv.qc.ca), or the data protection authority in your country of residence.
11. Cookies and similar technologies
The Service uses strictly necessary cookies to keep you signed in and to maintain your session. We do not use advertising cookies, cross-site tracking, or third-party analytics cookies. You can clear cookies in your browser at any time, but doing so will sign you out.
12. Children
The Service is not directed to children. We do not knowingly collect personal information from anyone under 16 (under 14 where Law 25 applies) without the consent of a parent or guardian. If you believe we have collected information from a child, contact us and we will delete it.
13. Security
We use administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit and at rest, access controls, authentication requirements, logging, and sandbox isolation for code execution. No system is perfectly secure. We describe our security practices in more detail on our Trust page. To report a vulnerability, see our security.txt.
14. Breach notification
If we become aware of a breach of security safeguards involving personal information, we assess it against the thresholds in the laws that apply to us. Where we are the controller: under PIPEDA and Law 25, we will report the breach to the Office of the Privacy Commissioner of Canada and the Commission d'accès à l'information du Québec, and notify affected individuals, as soon as feasible where the breach presents a real risk of significant harm (PIPEDA) or a risk of serious injury (Law 25); where the GDPR applies, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals, and will notify affected individuals without undue delay where the breach is likely to result in a high risk to them. Where we are a processor, we will notify the affected Customer without undue delay after becoming aware of the breach so that the Customer can meet its own notification obligations.
15. Changes to this policy
We may update this policy from time to time. If changes are material, we will provide notice (for example, by email or in-product notice) before they take effect. The effective date at the top of this page reflects the most recent update.
16. How to reach us
Email contact@controls.run or write to ShadeSec Inc., Attn: Privacy Officer, Toronto, Ontario, M6K 3N4, Canada.