Trust & Security

Trust Center

Transparency about how we handle your data, who we share it with, and the standards we meet. Our legal documents are linked throughout.

Compliance

Regulatory Posture

PIPEDA

Compliant

We follow the Personal Information Protection and Electronic Documents Act as the governing data-privacy law for Canadian operations.

GDPR / UK GDPR

Aligned

Our privacy practices are aligned with GDPR principles (lawful basis, data minimisation, rights). A signed DPA is available for EU/UK controllers.

CASL

Compliant

All commercial electronic messages include unsubscribe mechanisms and are sent only to recipients with express or implied consent.

CAN-SPAM

Compliant

Email communications include physical address, opt-out mechanism, and are not deceptive.

PCI DSS

Reliant on Stripe

We do not store, process, or transmit cardholder data. All card processing is handled by Stripe (PCI DSS Level 1 service provider).

Sub-Processors

Third-Party Data Processors

We engage the following sub-processors to deliver our Services. Each is bound by a data-processing agreement with security and privacy obligations at least as protective as our own. Last reviewed: June 2026.

ProviderPurposeLocationData Processed
Vercel, Inc.Web hosting & edge deliveryUSA (global CDN)IP address, Log data, Request metadata
Neon Inc. / Neon Serverless PostgresPrimary relational databaseUSA (AWS us-east-1)All application data, User records, Lead data
Upstash, Inc.Managed Redis (rate limiting, caching)USA (AWS us-east-1)Session rate-limit identifiers, Cache keys (no PII)
Stripe, Inc.Payment processing & billingUSA (global)Card data (PCI DSS scope), Billing address, Email
Resend, Inc.Transactional email deliveryUSARecipient email address, Email content
PostHog, Inc.Product analytics (consent-gated)USA (AWS us-east-1)Anonymised usage events, Session data (no PII without consent)
Sentry (Functional Software, Inc.)Error monitoring & performanceUSAStack traces, Request context, User ID (when logged in)
Google LLCOAuth sign-in (optional)USA (global)Name, Email, Profile picture (when OAuth used)
Airtable, Inc.CRM / lead intakeUSALead name, Email, Company, Message

Changes to this list are notified to affected clients 30 days in advance per our DPA.

Retention

Data Retention Schedule

Lead / enquiry data

3 years from last contact

Account & user data

Life of account + 90 days

Billing records

7 years (tax law)

Server & access logs

90 days rolling

Analytics events

12 months

Error / crash reports

30 days

Contact

Data & Privacy Enquiries

For privacy requests, DPA enquiries, opt-out requests, or data-subject rights exercises, contact us at: contact@lowkeyagency.com

For security vulnerability reports: security@lowkeyagency.ca

Trust Center last reviewed: June 2026.