ThemisIQ Compliance Inc. ("ThemisIQ", "we", "us") is a compliance intelligence and SaaS platform company incorporated in Canada, operating www.themisiq.co.
Our designated Privacy Officer is the Chief Executive Officer — privacy@themisiq.co. All privacy requests should be directed to this address.
| Category | Examples | Our role |
|---|---|---|
| Account data | Name, work email, job title, company, billing address | Controller |
| Platform data | GHG data, workforce metrics, supply chain data, AI inventories entered into ThemisIQ modules | Processor — you are the controller |
| Assessment data | Compliance Assessment answers, email, company, role | Controller |
| Usage data | Log data, IP addresses, browser type, pages visited, feature usage | Controller |
| Purpose | Data used | Legal basis |
|---|---|---|
| Delivering the ThemisIQ platform | Account data, platform data | Contract performance |
| Sending assessment results | Assessment data, email | Express consent (CASL) |
| Marketing emails | Account data, email | Express consent (CASL) — unsubscribe anytime |
| Billing and invoicing | Account data | Contract / legal obligation (CRA) |
| Platform security | Usage data, log data | Legitimate interests |
For Canadian residents, our basis is the PIPEDA fair information principles — primarily consent and legitimate business purposes.
For EU/EEA/UK residents, our bases under GDPR / UK GDPR are: contract performance (Art. 6(1)(b)), consent (Art. 6(1)(a)), legal obligation (Art. 6(1)(c)), and legitimate interests (Art. 6(1)(f)).
For Québec residents, Law 25 applies additional requirements — Privacy Impact Assessments, 72-hour breach reporting to the CAI, named Privacy Officer, and data portability rights.
| Recipient | Data shared | Purpose | Location |
|---|---|---|---|
| Supabase (AWS) | All platform data | Database, auth, storage | USA |
| Vercel | Application traffic | Hosting and CDN | Global |
| Stripe | Billing data | Payment processing | USA |
| Resend | Name, email | Transactional email | USA |
| Anthropic | Structured prompts only | AI-assisted features | USA |
ThemisIQ is Canadian. Data is processed in Canada and transferred to sub-processors in the United States.
| Data type | Retention period | Basis |
|---|---|---|
| Customer platform data | Subscription duration + 90 days | Contract |
| Account and contact data | 7 years from last activity | Canada Revenue Agency |
| Marketing consent records | 3 years from last interaction | CASL |
| Assessment / lead data | 3 years from collection | PIPEDA / CASL |
| Security and audit logs | 5 years | ISO 27001 / SOC 2 |
| Billing records | 7 years | Canada Revenue Agency |
To exercise any right, email privacy@themisiq.co. We respond within 30 days (Canada/EU) or 45 days (US). No charge for the first request in any 12-month period.
ThemisIQ does not sell personal information as defined under CCPA §1798.140(ad). You do not need to submit a "Do Not Sell or Share" request because we do not engage in these activities.
Residents of California, Virginia, Colorado, Connecticut, Texas, Montana, Oregon, Delaware, New Hampshire, New Jersey, Nebraska, and Maryland have rights to access, delete, correct, and port their personal data. To exercise any right, email privacy@themisiq.co.
CAN-SPAM: All ThemisIQ commercial emails to US recipients comply with CAN-SPAM. Every commercial email contains a functioning one-click unsubscribe link honoured within 48 hours.
COPPA: The ThemisIQ platform is directed exclusively at business professionals. We do not knowingly collect personal information from persons under 13.
We use essential cookies (session management, authentication) and optional analytics cookies (anonymised usage). We do not use advertising cookies, tracking pixels, or third-party behavioural targeting. ThemisIQ products are entirely ad-free.