ThemisIQ Compliance Inc.

Privacy Policy

Effective: May 17, 2026TIQ-PRV-001 · v2.0ThemisIQ Compliance Inc. · Canadaprivacy@themisiq.co
Governing law: Canada (PIPEDA · Law 25 · CASL) + US state privacy laws + GDPR / UK GDPR for EU/UK customers
ThemisIQ Compliance Inc. is a Canadian company. This Privacy Policy complies with Canadian federal and provincial privacy law as the primary framework. Additional rights for US residents (CCPA/CPRA, state laws, CAN-SPAM, COPPA) are set out in Section 9.
Contents
Who we are What we collect How we use your data Legal basis Data sharing International transfers Data retention Your rights US residents NEWCookies Contact & complaints
Section 1

Who we are

ThemisIQ Compliance Inc. ("ThemisIQ", "we", "us") is a compliance intelligence and SaaS platform company incorporated in Canada, operating www.themisiq.co.

Our designated Privacy Officer is the Chief Executive Officer — privacy@themisiq.co. All privacy requests should be directed to this address.

Section 2

What we collect

CategoryExamplesOur role
Account dataName, work email, job title, company, billing addressController
Platform dataGHG data, workforce metrics, supply chain data, AI inventories entered into ThemisIQ modulesProcessor — you are the controller
Assessment dataCompliance Assessment answers, email, company, roleController
Usage dataLog data, IP addresses, browser type, pages visited, feature usageController
What we never collect
Payment card numbers (Stripe handles these). Special category personal data unless specifically agreed in writing. We never sell personal data. We use no advertising cookies or tracking pixels.
Section 3

How we use your data

PurposeData usedLegal basis
Delivering the ThemisIQ platformAccount data, platform dataContract performance
Sending assessment resultsAssessment data, emailExpress consent (CASL)
Marketing emailsAccount data, emailExpress consent (CASL) — unsubscribe anytime
Billing and invoicingAccount dataContract / legal obligation (CRA)
Platform securityUsage data, log dataLegitimate interests
Section 4

Legal basis

For Canadian residents, our basis is the PIPEDA fair information principles — primarily consent and legitimate business purposes.

For EU/EEA/UK residents, our bases under GDPR / UK GDPR are: contract performance (Art. 6(1)(b)), consent (Art. 6(1)(a)), legal obligation (Art. 6(1)(c)), and legitimate interests (Art. 6(1)(f)).

For Québec residents, Law 25 applies additional requirements — Privacy Impact Assessments, 72-hour breach reporting to the CAI, named Privacy Officer, and data portability rights.

Section 5

Data sharing

RecipientData sharedPurposeLocation
Supabase (AWS)All platform dataDatabase, auth, storageUSA
VercelApplication trafficHosting and CDNGlobal
StripeBilling dataPayment processingUSA
ResendName, emailTransactional emailUSA
AnthropicStructured prompts onlyAI-assisted featuresUSA
We do not sell, share, or trade personal data
ThemisIQ does not sell personal information as defined under CCPA. We do not share personal information for cross-context behavioural advertising. ThemisIQ products are entirely ad-free.
Section 6

International transfers

ThemisIQ is Canadian. Data is processed in Canada and transferred to sub-processors in the United States.

EU/UK customers — GDPR transfer mechanism
For EU/UK customers, we rely on Standard Contractual Clauses (SCCs) under GDPR Article 46(2)(c) and the UK International Data Transfer Agreement (IDTA). Our DPA incorporating SCCs is available at legal@themisiq.co.
Section 7

Data retention

Data typeRetention periodBasis
Customer platform dataSubscription duration + 90 daysContract
Account and contact data7 years from last activityCanada Revenue Agency
Marketing consent records3 years from last interactionCASL
Assessment / lead data3 years from collectionPIPEDA / CASL
Security and audit logs5 yearsISO 27001 / SOC 2
Billing records7 yearsCanada Revenue Agency
Section 8

Your rights (all jurisdictions)

To exercise any right, email privacy@themisiq.co. We respond within 30 days (Canada/EU) or 45 days (US). No charge for the first request in any 12-month period.

🇺🇸 US residents — additional rights
Section 9

Additional rights for US residents

ThemisIQ does not sell personal information as defined under CCPA §1798.140(ad). You do not need to submit a "Do Not Sell or Share" request because we do not engage in these activities.

Residents of California, Virginia, Colorado, Connecticut, Texas, Montana, Oregon, Delaware, New Hampshire, New Jersey, Nebraska, and Maryland have rights to access, delete, correct, and port their personal data. To exercise any right, email privacy@themisiq.co.

CAN-SPAM: All ThemisIQ commercial emails to US recipients comply with CAN-SPAM. Every commercial email contains a functioning one-click unsubscribe link honoured within 48 hours.

COPPA: The ThemisIQ platform is directed exclusively at business professionals. We do not knowingly collect personal information from persons under 13.

Section 10

Cookies

We use essential cookies (session management, authentication) and optional analytics cookies (anonymised usage). We do not use advertising cookies, tracking pixels, or third-party behavioural targeting. ThemisIQ products are entirely ad-free.

Section 11

Contact & complaints

Privacy Officer — ThemisIQ Compliance Inc.
Email: privacy@themisiq.co · Response: 30 days (Canada/EU) · 45 days (US)