Privacy Policy
Effective Date: January 1, 2025
Last Updated: December 19, 2024
Pilotcore ("we," "our," or "us") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, share, and safeguard your information when you interact with our website and services.
1. Data Collection
We collect the following personal information when you use our services:
Information You Provide Directly
- Email address: Required for guide downloads, consultation requests, and email communications
- Name: First and last name for personalised communications
- Company information: Company name and role for business context
- Survey responses: Readiness assessment answers to understand your needs
- Consultation details: Service interests and context you provide in consultation forms
Information We Collect Automatically
- Email engagement data: Whether you open our emails, click links, or unsubscribe
- Timestamps: When you submit forms, download guides, or engage with our emails
- IP address: Automatically collected by our infrastructure provider (AWS)
Information We Do Not Collect
We do not collect browsing history, device identifiers, location data, or demographic information beyond what you explicitly provide.
2. Purpose and Use of Your Information
We use your personal information for the following legitimate business purposes:
Marketing Communications
- Sending educational email sequences about cloud architecture, DevSecOps, and security compliance
- Delivering compliance guides (CMMC, CPCSC) you've requested
- Sharing relevant blog posts and expertise demonstrations
Lead Qualification
- Assessing your readiness for consulting services through survey responses
- Personalizing follow-up communications based on your interests
- Scheduling consultation calls when you express interest
Service Delivery
- Processing consultation requests and booking calendar appointments
- Responding to inquiries submitted through contact forms
- Providing customer support
Business Operations
- Improving our email content and website based on engagement metrics
- Maintaining records for tax and accounting purposes (consultation records only)
- Complying with legal obligations
3. Legal Basis for Processing
Canadian Law (PIPEDA)
We process your personal information based on your express consent:
- Downloading a guide constitutes consent to receive related email communications
- Submitting a consultation request constitutes consent to contact you about services
- You may withdraw consent at any time by unsubscribing or contacting us
United States Law (CAN-SPAM)
We comply with CAN-SPAM requirements:
- You have an established business relationship when you request our guides or consultations
- All emails include a clear unsubscribe mechanism
- All emails identify Pilotcore as the sender
- Our physical business address is included in email footers
Anti-Spam Legislation (CASL)
We comply with Canada's Anti-Spam Legislation:
- Express consent is obtained before sending commercial electronic messages
- All emails clearly identify Pilotcore as the sender
- Unsubscribe mechanisms are provided in every email
- Unsubscribe requests are processed within 10 business days
4. Controller Identity, Data Sharing, and Disclosure
For personal information covered by this policy, the controller is Pilotcore Systems Inc. You can contact the controller at privacy@pilotcore.io.
We share your personal information only in the following limited circumstances:
Service Providers and Sub-Processors
Material additions or replacements to this list are posted here with 30 days' notice. Where required, we also email active leads with nurture consent.
| Processor | Role | Transfer mechanism |
|---|---|---|
| AWS | SES, DynamoDB, Lambda, S3, CloudFront, and SNS infrastructure. | AWS GDPR Data Processing Addendum and Standard Contractual Clauses. Primary processing region is us-east-1; some governance services use ca-central-1. |
| Google reCAPTCHA | Bot protection on forms. | Google Cloud DPA and SCCs. Token generation is consent-gated. |
| booking-platform | In-house consultation booking subsystem. | Hosted in the same AWS region as the lead-generation core; no third-country transfer for this workload. |
| Google Calendar | Attendee invites and booking calendar events. | Google Workspace DPA and SCCs. |
Third Parties We Do NOT Share With
We do not sell, rent, or share your personal information with:
- Third-party marketing platforms or data brokers
- Advertisers or analytics companies
- Social media platforms
- Any other commercial entities
Legal Disclosures
We may disclose your information if required by law, court order, or government regulation, or to protect our legal rights.
5. Right of Access, Erasure, and Portability
You may request access to your personal information, a portable export, correction of inaccurate information, or erasure where the law allows it.
Self-Service Requests
The self-service request page at /privacy/data-request verifies your email and then calls the GDPR-001/002 endpoints: GET /api/gdpr/data-export for access and portability, and DELETE /api/gdpr/delete-account for erasure.
We respond within 30 days from token verification. Exports are normally returned within 5 minutes, erasure can take up to 30 days when archived records must be processed, and rectification normally completes within 24 hours.
Identity Verification
Email-token verification is the primary identity check. High-risk requests, including erasure of older records or suppression-list entries, may require a secondary challenge based on your lead history.
Partial Retention
Erasure is subject to lawful partial-retention exceptions. Business records, deletion audit logs, and suppression evidence may be retained where tax, accounting, CAN-SPAM, CASL, GDPR Article 17(3)(b), or legal-hold obligations require it.
6. Other Privacy Rights
You also have the following rights regarding your personal information:
Right to Correction
Request correction of inaccurate or incomplete personal information.
Right to Withdraw Consent
Withdraw your consent to marketing communications at any time by:
- Clicking the "Unsubscribe" link in any email
- Emailing privacy@pilotcore.io with "UNSUBSCRIBE" in the subject line
- Contacting us through the website contact form
Right to Opt-Out
Opt out of specific email sequences while remaining subscribed to others (contact us to customise preferences).
7. Data Retention
We retain personal information according to the accepted DEC-004 retention policy:
| Record | Retention fields |
|---|---|
| leads_table |
hot_storage: 180 days from last engagement cold_storage: 5 years from lead creation permanent_deletion: 5 years + 30 days (grace period) |
| nurture_sequences_table |
active_sequences: Retain while status != 'completed' completed_sequences: 365 days after completion unsubscribed_sequences: 90 days after unsubscribe (audit trail) |
| global_unsubscribes_table |
retention: PERMANENT (compliance requirement) note: Suppression list must persist to honor opt-outs |
| email_events_table |
retention: 90 days (CloudWatch Logs for audit) aggregated_metrics: 2 years |
| consultation_bookings_table | retention: 7 years (business records requirement) |
Exceptions
Records flagged for legal hold (e.g., ongoing dispute, regulatory inquiry) are exempt from automatic deletion.
This retention policy ensures we balance our legitimate business needs with your privacy rights and data minimization principles.
8. Complaint Pathways
If we do not resolve your privacy concern, you may contact the Office of the Privacy Commissioner of Canada (OPC) for Canadian privacy complaints or the Information Commissioner's Office (ICO) for UK data-protection complaints.
- OPC: Office of the Privacy Commissioner of Canada complaint process.
- ICO: Information Commissioner's Office complaint process.
9. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:
- Email: privacy@pilotcore.io
- Response Time: Within 30 days
- Subject Line: For faster processing, use "Privacy Request" in your subject line
For general inquiries, you may also use our website contact form.
Additional Information
Data Security
We implement industry-standard security measures to protect your personal information:
- Encrypted data transmission (HTTPS/TLS)
- Access controls limiting who can view your data
- Regular security assessments of our infrastructure
- Automated backups and disaster recovery procedures
However, no internet transmission is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
International Data Transfers
Your personal information may be processed in us-east-1 and ca-central-1 for AWS-hosted services, and by Google services where reCAPTCHA or Calendar features are used. The processor table above lists the applicable DPA and Standard Contractual Clauses for each transfer.
Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will post the updated policy on this page with a new "Last Updated" date. If we make material changes, we will notify active subscribers by email.
Children's Privacy
Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected information from a minor, please contact us immediately.
Your Consent
By providing your email address to download guides or request consultations, you consent to this Privacy Policy and our use of your information as described herein.
This Privacy Policy is written in plain language to ensure accessibility and understanding. If any provision is unclear, please contact us for clarification.