Privacy Policy

1. Information We Collect

In the course of providing the Service, we collect the following categories of information:

• Email address — provided at checkout and used for report delivery, order confirmations, and customer support communications.
• Payment information — processed securely by our payment processor, Stripe, Inc. Northscope never receives, stores, or has access to your full credit card number, CVV, or other sensitive payment credentials. We retain only a transaction reference identifier and the last four digits of your card for support purposes.
• Uploaded documents — financial statements, tax returns, contracts, lease agreements, and any other files you submit for analysis. These documents are transmitted directly to our secure processing infrastructure.
• Form responses — information you provide through our intake forms, including business or property type, industry classification, asking price, geographic location, and answers to structured assessment questions.
• IP address and browser information — collected automatically when you access the Service. This includes your Internet Protocol address, browser type and version, operating system, and referring URL. This information is used for security monitoring and fraud prevention.
• Terms of Service acceptance records — when you accept our Terms of Service, we record the timestamp of acceptance, your IP address at the time of acceptance, and the version of the Terms accepted. These records are maintained for legal compliance purposes.

2. Lawful Basis for Processing

We process your personal information on the following lawful bases:

• Contractual necessity — Processing of your personal information and uploaded documents is required to fulfill our service agreement with you. Without this information, we cannot perform the analysis you have requested or deliver your report.
• Consent — You provide explicit consent to the collection and processing of your information at checkout and through your acceptance of the Terms of Service. Consent is freely given, specific, informed, and unambiguous, as indicated by your affirmative action in submitting your order.
• Legitimate interests — We have legitimate business interests in improving our analytical methodology, maintaining the security and integrity of the Service, detecting and preventing fraud, and generating anonymized market intelligence. We have assessed that these interests do not override your fundamental rights and freedoms.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Analysis and report generation — To process your uploaded documents through our analytical infrastructure, conduct multi-perspective risk assessment, and produce your comprehensive due diligence report.
• Report delivery — To deliver your completed report to the email address you provided at the time of purchase.
• Payment processing — To process your payment, verify the transaction, and maintain records required for accounting and tax compliance.
• Customer support — To respond to your inquiries, troubleshoot issues with your order, and provide assistance related to your report or account.
• Methodology improvement — To refine, calibrate, and improve the accuracy and depth of our analytical methodology over time.
• Anonymized market intelligence — To generate anonymized, aggregated market data and analytical insights as described in our Terms of Service. Individual transactions and personal information are never identifiable in such outputs.
• Legal compliance — To comply with applicable laws, regulations, legal processes, or enforceable governmental requests, and to enforce our Terms of Service.

4. Document Security

The security of your documents is of paramount importance. Northscope implements the following measures to protect the confidentiality and integrity of all uploaded materials:

• Encryption in transit — All documents are transmitted over encrypted HTTPS connections using TLS 1.2 or higher, ensuring that your files cannot be intercepted during upload.
• Secure storage — Uploaded documents are stored on secure, access-controlled infrastructure with encryption at rest. Access is restricted through strict authentication and authorization controls.
• Isolated processing — Documents are processed by secure computational infrastructure in isolated environments. Each analysis operates independently to prevent cross-contamination of data between engagements.
• Document retention — Uploaded documents are retained only as long as reasonably necessary to provide and improve the Service, and are subject to our data retention policies as described in Section 7.
• No sale of personal information — Northscope does not sell your personal information. Data may be shared with third-party service providers who assist in delivering and improving the Service, as described in this Privacy Policy.
• Restricted access — Access to customer documents is restricted to automated processing systems. Human access occurs only when necessary for customer support at your explicit request or to comply with legal obligations.

5. Third-Party Service Providers

Northscope engages the following third-party service providers to deliver the Service. Each provider processes data only as necessary to perform its designated function:

Each third-party provider processes data only as necessary to perform its designated function and is bound by its own privacy and security obligations. Northscope does not sell your personal information.

6. Cross-Border Data Transfers

Northscope operates primarily from Canada. However, to provide the Service, your data may be processed on servers located in the United States and other jurisdictions where our third-party service providers maintain infrastructure.

By using the Service, you acknowledge and consent to the transfer, processing, and storage of your personal information in jurisdictions that may have data protection standards different from those in your jurisdiction of residence. We implement appropriate safeguards to protect your information during such transfers, including encryption in transit and at rest, strict access controls, and contractual obligations with our service providers.

For Canadian residents, cross-border transfers of personal information are conducted in accordance with the requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA). We ensure that personal information transferred outside of Canada receives a comparable level of protection through appropriate contractual and technical safeguards.

7. Data Retention

Northscope retains personal information and submitted documents for as long as reasonably necessary to fulfill the purposes for which it was collected, to provide and improve the Service, to comply with legal and regulatory obligations, to resolve disputes, and to enforce our agreements. Retention periods may vary based on the nature of the data and applicable legal requirements.

You may request deletion of your data by contacting support@northscope.io. Requests will be processed in accordance with applicable law.

8. Derived and Anonymized Data

As described in our Terms of Service, Northscope derives anonymized, aggregated analytical data from engagements conducted through the Service. This derived data is subject to the following safeguards:

• All derived data is fully anonymized and aggregated such that it cannot be traced to any individual transaction, business, or party.
• Anonymization is performed through irreversible processes that remove all personally identifiable information, business names, financial figures attributable to specific entities, and other identifying characteristics.
• Anonymized data is used to improve our analytical methodology, calibrate risk models, and may be used to produce market intelligence products and industry benchmarking reports.
• Your original documents and personal information are never included in anonymized datasets. The derived data reflects only patterns, trends, and statistical distributions observed across the aggregate of all engagements.

9. Your Rights

You have the following rights with respect to your personal information held by Northscope:

• Right to access — You may request a copy of the personal information we hold about you, including uploaded documents (if still within the retention period), your email address, form responses, and any other personal data associated with your engagement.
• Right to correction — You may request the correction of any inaccurate or incomplete personal information we hold about you. We will make reasonable efforts to update our records promptly upon receiving a verified correction request.
• Right to deletion — You may request the deletion of your personal information from our systems, except where we are legally required to retain certain records (such as payment transaction records required for tax and accounting compliance, or Terms of Service acceptance records required for legal compliance).
• Right to withdraw consent — You may withdraw your consent to the processing of your personal information at any time. Please note that withdrawal of consent may result in the Service becoming unavailable to you, and does not affect the lawfulness of processing conducted prior to withdrawal.

To exercise any of these rights, please contact support@northscope.io with your request and, if applicable, your analysis reference number. We will verify your identity before processing any request and will respond in accordance with applicable law.

10. PIPEDA Compliance

Northscope is committed to compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation in Canada. Our privacy practices are guided by the following principles:

• We collect, use, and disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.
• We limit the collection of personal information to that which is necessary for the identified purposes and collect information by fair and lawful means.
• We maintain accountability for the protection of personal information through designated privacy oversight within our organization.
• We make information about our policies and practices relating to the management of personal information readily available to individuals.
• Personal information is retained only as long as necessary for the fulfillment of the purposes for which it was collected, as outlined in the Data Retention Schedule above.

If you believe that your privacy rights under PIPEDA have been violated, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada. We encourage you to contact us first at support@northscope.io so that we may attempt to resolve your concern directly.

11. Data Breach Notification

In the event of a data breach that creates a real risk of significant harm to individuals whose personal information is affected, Northscope will take the following actions in accordance with PIPEDA requirements:

• Timely notification — Northscope will notify affected individuals of any confirmed data breach as required by applicable law.
• Content of notification — Breach notifications will include a description of the incident, the types of personal information affected, the steps Northscope has taken and will take to mitigate the impact, the steps affected individuals can take to protect themselves, and contact information for further inquiries.
• Regulatory reporting — We will report breaches to the Privacy Commissioner of Canada where the breach creates a real risk of significant harm, as required under PIPEDA. We will also maintain an internal record of all breaches involving personal information, regardless of severity.
• Mitigation — Upon discovering a breach, we will immediately take all reasonable steps to contain the breach, assess its scope, and mitigate any potential harm to affected individuals.

12. Cookies and Tracking

Northscope is committed to a minimal-tracking approach. Our use of cookies and similar technologies is limited to what is strictly necessary for the operation of the Service:

• Session cookies — We use minimal, session-only cookies that are essential for the proper functioning of the Service. These cookies expire when you close your browser and do not persist across sessions.
• No third-party tracking cookies — We do not deploy any third-party tracking cookies on our website. No external advertising networks, social media platforms, or data brokers receive information about your activity on our site through cookies.
• No advertising cookies — We do not serve advertisements and do not use cookies for advertising targeting, retargeting, or profiling purposes.
• No analytics tracking — We do not use Google Analytics or any similar third-party analytics platforms. We do not track your browsing behavior across pages for analytical purposes.
• Browser local storage — Browser local storage may be used solely for session management and essential user interface state. No personal information is stored in browser local storage.

13. Contact

If you have questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us:

• Email: support@northscope.io
• Privacy inquiries are handled by our designated privacy contact, who is responsible for ensuring compliance with this Policy and applicable privacy legislation.
• Address: Toronto, Ontario, Canada

We endeavour to respond to all privacy-related inquiries in a timely manner in accordance with applicable law.