Privacy Policy
1. Who We Are
Arctic Reach is a web development agency based in Quebec, Canada. We design, build, and maintain websites for clients across Canada and internationally.
Privacy Officer / Person Responsible for Personal Information:
Seb Molgat — [email protected]
For the purposes of Quebec’s Act respecting the protection of personal information in the private sector (Law 25), Seb Molgat is the designated person responsible for personal information.
2. What This Policy Covers
This policy describes how we collect, use, and protect personal information on arcticreach.dev — our agency website. It also explains your rights under applicable law.
If you are a client whose website we host or maintain, see Section 9 for how we handle personal information in that context.
3. Information We Collect
3.1 Contact Form
When you submit our contact form, we collect:
- Full name
- Email address
- Your message
Stored in: Our secure, self-hosted server located in Canada.
Retained for: 2 years, or until your inquiry is resolved, whichever comes first.
3.2 Appointment Booking (Cal.com)
When you book a consultation through our website, we collect:
- Full name
- Email address
- Selected date and time
- Any notes you provide
Stored in: Our secure, self-hosted server located in Canada. Cal.com is self-hosted on the same infrastructure as this website; no booking data is sent to third-party booking platforms.
3.3 Website Analytics (Umami)
We use Umami, a privacy-focused analytics tool, self-hosted on our own server in Canada. Umami collects:
- Page views and navigation paths
- Referral source (the website that linked to ours)
- Browser type and operating system (aggregated)
- Approximate country (derived from anonymized IP; the full IP is not stored)
Umami does not use cookies and does not share data with any third party.
3.4 Cookies and Local Storage
| Cookie | Purpose | Duration |
|---|---|---|
| LiteSpeed Cache | Performance caching | Session / up to 7 days |
| TranslatePress | Language preference | 1 year |
We do not use advertising cookies or cross-site tracking cookies.
3.5 Transactional Email
When you submit our contact form, your message is delivered to us via Resend (Resend Inc., United States), a transactional email relay. Resend processes your name, email address, and message content in transit. Resend does not retain email content beyond delivery. Resend is GDPR-compliant and maintains a Data Processing Agreement. Their privacy policy is available at resend.com/legal/privacy-policy.
3.6 Server Logs
Our web server automatically records standard technical data including IP addresses, timestamps, and requested URLs. Logs are retained for 30 days and used only for security and troubleshooting.
4. Why We Collect This Information
| Data | Legal Basis (GDPR) | Quebec Law 25 Basis |
|---|---|---|
| Contact form | Legitimate interest (pre-contractual communication) | Consent via voluntary submission |
| Cal.com bookings | Performance of a contract / pre-contractual steps | Necessary to deliver requested service |
| Analytics | Legitimate interest (improving our website) | Consent (anonymized, non-identifying) |
| Server logs | Legitimate interest (security) | Necessary for system security |
We do not sell, rent, or trade your personal information.
5. Who Has Access to Your Information
Your information is accessible only to:
- Arctic Reach personnel (currently: Seb Molgat)
- Resend Inc. — for contact form email delivery only
- Infrastructure providers for routine hosting operations
We do not use third-party email marketing, CRM platforms, or advertising networks.
International Transfers
Contact form submissions are relayed through Resend’s infrastructure in the United States. Resend maintains GDPR-compliant data processing agreements. If you are in the EU/EEA and wish to know more about the safeguards in place, contact [email protected].
6. Your Rights
All visitors (Quebec Law 25 / PIPEDA)
- Access: Request a copy of the personal information we hold about you
- Correction: Request that we correct inaccurate or incomplete information
- Withdrawal of consent: Withdraw consent for non-essential processing at any time
- Complaint: File a complaint with the Commission d’accès à l’information (CAI) at cai.gouv.qc.ca
EU/EEA residents (GDPR)
In addition to the above:
- Erasure: Request deletion of your personal information
- Portability: Receive your data in a structured, machine-readable format
- Restriction: Ask us to limit how we process your data
- Objection: Object to processing based on legitimate interest
- Supervisory authority: Lodge a complaint with your local data protection authority
To exercise any of these rights, contact: [email protected]
We will respond within 30 days. Identity verification may be required.
7. Data Security
Personal information is stored on a self-hosted, hardened server in Canada protected by:
- Encrypted HTTPS connections (TLS 1.2/1.3)
- Network firewalls and access controls
- Automated daily backups stored in encrypted cloud storage
- No unnecessary third-party access
In the event of a breach that poses a serious risk of harm, we will notify affected individuals and the appropriate regulatory authority within 72 hours, as required by Law 25 and GDPR.
8. Data Retention
| Data type | Retention period |
|---|---|
| Contact form submissions | 2 years |
| Booking records | 3 years (business records) |
| Analytics data | 13 months (rolling) |
| Server logs | 30 days |
9. Our Role as a Data Processor
As a web development agency, we build and maintain websites that collect personal information from your visitors and customers. In this capacity, we act as a data processor on your behalf, and you (our client) are the data controller.
We process your end-users’ data only according to your documented instructions. Clients are responsible for:
- Maintaining their own privacy policy on their website
- Obtaining required consents from their users
- Notifying us of any data subject rights requests we need to fulfill
Clients who require a Data Processing Agreement (DPA) — including those subject to GDPR — may request one at [email protected].
10. Children’s Privacy
Our website is not directed at children under the age of 14 (or 16 for EU residents). We do not knowingly collect personal information from minors. If we discover we have inadvertently collected such data, we will delete it promptly.
11. Changes to This Policy
We may update this policy periodically. The “Last updated” date at the top will reflect any changes. For material changes, we will post a notice on our website.
12. Contact
Arctic Reach
[email protected]
Quebec, Canada