ActiveXchange Privacy Policy

Document Owner: Chief Information Security Officer (CISO) – fulfilled by CTO
Policy Classification: Public
Version: 2.0
Effective Date: 2025-01-01
Last Reviewed: 2025-11-14
Next Review Date: 2026-06-30
Approved By: Chris Patterson, CPO (acting CTO)

1. Purpose

This policy describes the way that ActiveXchange collects, uses, retains, safeguards, discloses and disposes of the first-party personally identifiable information (PII) of prospective and current customers, their members, personnel, and others (“data subjects”). ActiveXchange strives to meet or exceed legislative requirements in all jurisdictions where the ActiveXchange Platform, its products and services are delivered (collectively “the Platform”), and will ensure that it remains current with changing technologies and laws. Any and all changes will be posted to the ActiveXchange website and the Platform, where appropriate.

2. Scope

The Privacy Policy applies to all data collected, aggregated, and otherwise processed by ActiveXchange for use in the Platform, including its web applications, APIs, data services, integrations, documentation, and any related tools or resources. This policy governs all forms of data processing, whether by manual or automated means, partners, or authorized third parties, via web browser, cloud infrastructure, electronic device, or programmatic interface.

The Privacy Policy covers all activities related to account creation, data input and processing, system interactions, and content accessed, generated, or managed through the Platform. It also applies to any updates, enhancements, or new features introduced by ActiveXchange, unless explicitly stated otherwise.

3. Objectives

1.1. Clearly define the rights, obligations, controls, and legal basis for the collection, use, and processing of personal data by ActiveXchange, for the customer and its users, and the data subjects.

3.1. Prevent unauthorized access, disclosure, modification, and destruction of personal information.

3.2. Comply with ISO/IEC 27001:2022 and all applicable legal and regulatory requirements (e.g. GDPR, PIPEDA, Australia Privacy Act, California Privacy Rights Act).

3.3. Maintain a continually improving Privacy Policy.

3.4. Ensure business continuity and minimize risk.

4. Roles & Responsibilities

| Role | Responsibility |
| --- | --- |
| Executive Team | |
| ISMS Owner / CISO | Oversee policy implementation and continuous improvement |
| Security Team | Enforce policy compliance, respond to threats, and manage incident response |
| System Administrators | Manage secure cloud infrastructure and configurations |
| Technology Team | Apply secure coding, deployment, and infrastructure best practices |
| All Staff | Comply with the policy, report incidents or risks |
| Users & Data Subjects | Comply with the policy, report incidents or risks |

* ISO 27001 Reference: A.5.1, A.5.3, A.5.4

4.1. Accountability

4.1.1. ActiveXchange shall appoint a person(s) (the “Privacy Officer”, for each jurisdiction) whose responsibilities include the implementation and monitoring of the ActiveXchange Privacy Policy. The Privacy Officer will be responsible for ActiveXchange compliance with privacy principles.
4.1.2. The Privacy Officer will report to the CISO and the ultimate responsibility for Privacy compliance is held with the ActiveXchange Board of Directors.
4.1.3. The Privacy Officer may at their discretion enlist assistance of staff, however this will not in any manner mitigate their responsibility for Privacy compliance.
4.1.4. The Privacy Officer’s identity will be fully disclosed and publicly accessible to ActiveXchange customers and the public in general.
4.1.5. The Privacy Officer will ensure that all personal information in possession is managed in accordance with this Policy, including that which may be transferred to a third party.
4.1.6. ActiveXchange will implement internal policies which will facilitate adherence to this Privacy Policy including but not limited to the following:

4.1.6.1. Security measures at all levels designed to protect personal information in our possession.
4.1.6.2. Implementing procedures designed to respond to complaints and/or inquiries.
4.1.6.3. Staff training in all facets of information management, including awareness of ActiveXchange’s Privacy Policy and practices and procedures developed in accordance with the Policy.

5. Information & Data

5.1. First-party & Personal Information

5.1.1. Customer (organization) and their user information; name, organization name & address, email address, title, and password, collectively “Customer Information” or “User Information”.
5.1.2. Personally identifiable information may be collected or accessed for a data subject; name, address, email, phone number, gender, date of birth, identification code (within the customer’s systems of record).
5.1.3. Behavioural and historic information of a data subject; such as membership types and periods, visit (to a customer location) or activity frequency, type, and duration.

5.2. Third-party & Public Information:

5.2.1. Publicly available information, such as Census or other statistical information from reputable (typically national) recognized entities.

5.3. Usage & Diagnostic Analytics Information

5.3.1. IP address, device information, browser type.
5.3.2. Logs of actions with the Platform by users, such as features used, frequency, changes made.

5.4. Communication Data

5.4.1. Support requests, customer service interactions.
5.4.2. Marketing preferences and consents.

5.5. Collection Methods

5.5.1. Directly entered by a customer or user within the Platform, or provided to ActiveXchange to facilitate recording.
5.5.2. Automatically collected via API, webhook, or similar direct access to a customer’s system(s) of record, facilitated and authorized by the customer.
5.5.3. Automatically collected by the Platform, firewall, gateway or similar access authorization element.

5.6. Collection Limitations

5.6.1. All information shall be collected fairly and lawfully within the criteria as set forth in this Privacy Policy.
5.6.2. ActiveXchange and its customers shall not indiscriminately collect information. The amount and type of information collected shall be limited to that which is required to fulfill its identified purposes.
5.6.3. ActiveXchange and its customers will not use any form of deception in gaining personal information from its members.

5.7. Accuracy of Information

5.7.1. ActiveXchange shall strive to ensure to the extent possible that the information entrusted in the Platform is maintained in an accurate manner.
5.7.2. ActiveXchange shall, in good faith, take action to maintain the interests of the individual and ensure that decisions are not made for or about an individual based on personal information that is flawed.

6. Purpose & Legal Basis of Processing

6.1. ActiveXchange shall only collect the information reasonably necessary to (for);

6.1.1. Deliver the products and services specified under a Service Agreement.
6.1.2. Provide, maintain, and improve the Platform, its products and services.
6.1.3. Facilitate authorization and compliance with applicable laws.
6.1.4. Customer and user support, account management, and billing.
6.1.5. Direct communications, marketing, and advertising to customers and their users.

6.2. ActiveXchange will, when applicable, educate its customers on the purpose for the collection of the data requested at the time of purchase.

6.3. Collectors, processors, and handlers of the personal information shall be familiar with the potential use of the personal data.

6.4. All personal data collected by ActiveXchange shall be stored on ActiveXchange Secure Cloud Servers.

6.5. ActiveXchange shall request permission and receive it in writing from each customer, prior to the use of any personal information collected which is extraneous to that which has been identified above, unless said usage is authorized by law.

6.6. It is always your choice to provide information in certain fields although failure to complete certain sections may inhibit your ability to fully access or effectively use specific products and services through the Platform.

6.7. Disclosure of Processing Activities

6.7.1. ActiveXchange publicly discloses the methods by which your personal information is handled. This information is readily available through this Privacy Policy, on our website, within the Platform or upon request by contacting ActiveXchange.
6.7.2. The information available includes:

6.7.2.1. The name and contact information of the designated ActiveXchange Privacy Officer.
6.7.2.2. Tool(s) within the Platform that can be used to access or change your information.
6.7.2.3. A description of the type of personal information held by ActiveXchange and our general uses thereof.
6.7.2.4. Information used for communication or promotional opportunities.

7. Acceptable Uses of Personal Information

7.1. In delivery of the Platform, its products and services under Service Agreement, personal information may be processed and used as follows;

7.1.1. Ensure that an individual’s geographical, age and gender information are consistent.
7.1.2. Analysis and statistical evaluation of an individual’s or group’s trends in behaviours and other insights.
7.1.3. Appending of third-party data to enhance data records and facilitate aggregated insights and modelling, which may involve the training, validation and application of artificial intelligence (e.g. Machine Learning), to facilitate predictive insights of behaviours, preferences and segmentation.
7.1.4. Matching or associating records from disparate data sources to the individual.
7.1.5. Specific research purposes including but not necessarily limited to demographic type research and establishing aggregated audiences, trends and benchmarks.

7.2. ActiveXchange customers may from time to time authorize the use of personal information including name and contact information for the purposes of facilitating promotional opportunities, including by facilitating other third parties who ActiveXchange or its customers believe provide services or goods that may be of interest. ActiveXchange, its customers and any such third parties may contact you with promotions or to provide further specific communications. ActiveXchange customers will be informed of and provided an opportunity to opt in or out of this use of information at the time of purchase of associated services, and may revoke such consent at any time.

7.3. ActiveXchange may also use information about an individual who accesses secure areas of the Platform and other ActiveXchange information systems.

8. Sharing Information

8.1. ActiveXchange may from time to time enlist the services of third party service providers in order to provide programs, technical and support services. Prior to enlisting the services, ActiveXchange shall evaluate consistency with or otherwise contractually commit the third party to treat any information shared in accordance with the Privacy Policy of ActiveXchange wherever possible.

8.2. Customer and User Information may be shared with trusted service providers and business partners who contribute to the operation of the Platform, such as hosting, analytics, and email services.

8.3. ActiveXchange may disclose your personal information to a legal government authority that has asserted its lawful authority to obtain the information or where the authority provides reasonable grounds to believe the information could be useful in the investigation of any unlawful activity, or to comply with a subpoena or warrant or an order made by the court, person, or body with jurisdiction to compel the production of the information or otherwise as permitted by applicable law.

8.4. ActiveXchange may at its discretion release customer and user information for the purposes of collecting debts which may be owed to ActiveXchange.

8.5. In the event of a merger, acquisition, or other corporate transaction, your information may be transferred to our successor as part of the transaction. ActiveXchange will ensure that its successor remains contractually obligated to each customer to treat their information in a manner consistent with this Privacy Policy.

8.6. ActiveXchange may also share information in an anonymized or aggregated form that does not identify individuals or customers.

8.7. Any other sharing or transfer of information controlled by ActiveXchange shall only be executed with each customer’s prior explicit and written consent.

8.8. International Data Transfers

8.8.1. ActiveXchange personnel from one country may access or process data stored, with residency in another country. These activities are protected by multifactor authentication, role-based access controls, dedicated private firewalls and VPN gateways.
8.8.2. In so far as practical (e.g. cloud provider data centres available), data and information collected, received, and aggregated from a customer, its users, and its data subjects are accessed, processed, and stored in the country of origin.

9. Data Retention

9.1. ActiveXchange shall maintain documents, records, and information (including personal information) for certain periods of time dependent upon necessity and legal obligation. More specifically:

9.1.1. Personal, demographic, geographic, and behavioural data may be retained for at least five years after it can be verified the data subject has ceased activity with the customer.
9.1.2. Customer and User Information may be retained for at least five years after the business relationship and contractual obligations have ceased.
9.1.3. Aggregated non-identifiable data and information may be retained indefinitely.

9.2. Certain documents may be subject to legislated retention periods either federally or state/provincially and these will be respected at all times by ActiveXchange.

10. Data Subject Consent & Rights

10.1. By consenting to and providing personal information to an ActiveXchange customer, you are deemed to consent to our use of the information for the purposes of products and services provided to the customer, under this Privacy Policy and to disclosure of the information to other associated entities for the same purpose.

10.2. Subject to applicable legislation, upon request by the individual concerned ActiveXchange shall disclose whether or not it actually holds personal information on an individual. We shall disclose the source of this information when requested and provide an account of third parties to whom the information may have been disclosed.

10.3. A copy of any identifiable information held on an individual, its storage and processing residency and other processing metadata available shall be provided upon request. When requested, such information shall be provided in a portable format (e.g. .csv) to facilitate transfer to or sharing with other systems or service providers.

10.4. A customer and its users may request ActiveXchange assistance in corrections and updates to their information, notification and communications preferences, or may effect these changes directly in the Platform.

10.5. Requests for corrections and updates to personal information sourced from system(s) of record shall be made directly with the controller of the system of record. You must contact the entity collecting your information to effect any changes or updates. ActiveXchange will work directly with the customer or system of record, upon notice, to confirm ActiveXchange held data reflects these updates accurately.

10.6. Following confirmation ActiveXchange holds your personal information, you may request the deletion and destruction of your identifiable information, which ActiveXchange will reasonably comply with so long as it is lawful to do so, and provide certification to you that such actions have been completed.

10.7. At any time, you may withdraw your consent (or opt out) of marketing and promotional communications from ActiveXchange, its customers, affiliated and otherwise authorized third parties.

10.8. At any time, you may withdraw your consent (or opt out) of having your personally identifiable information used in the training, verification and validation, or object to resultant decisions of artificial intelligence (e.g. machine learning) technology employed by ActiveXchange.

10.9. Nominal fee and timing to facilitate provision of information requests

10.9.1. Subject to applicable legislation, ActiveXchange shall endeavor to provide requested information within 30 days of receipt of the information request and only charge a nominal $100 (local currency equivalent) fee for the purpose of off-setting expenses incurred in supplying the requested information.
10.9.2. Requests and notifications solely to determine if personal information of an individual exists, to correct or update, or delete and destroy such information are not subject to any fee.

11. Security & Safeguards

11.1. ActiveXchange uses technical and organizational controls to protect your information, though no method is completely secure.

11.2. Security safeguards have been implemented to ensure your personal information is protected from theft as well as unauthorized access, disclosure, copying, use or modification thereof.

11.3. The level of safeguards employed shall be directly related to the level of sensitivity of the personal information collected. The more sensitive the information, the higher the level of security employed.

11.4. Methods of protection and safeguards employed may include, but are not necessarily limited to: password protected files, folders, drives, offices and storage areas, security clearances and background checks and least privileged access permissions as well as technology measures such as passwords, multi-factor authentication, TLS encryption, anti-virus, anti-spam, anti-malware, anti-DDoS, firewalls and gateways.

11.5. All information is classified to and access governed by the ActiveXchange Information Security Policy, a copy of which is available upon request.

11.6. Third-Party Disclosure: we do not sell or trade your information to outside parties without your consent, except as required by law or to trusted partners who are contractually obligated to maintain the protection of your personal information consistent with this Privacy Policy.

12. Privacy of Minors

12.1. The Platform, its products and services are not intended for use by minors, including children, adolescents, or youth, under the minimum legal age required by law.

12.2. Personal information on individual minors is not knowingly collected without appropriate parental or guardian consent. If ActiveXchange becomes aware of personal information collected on minors without consent, we will delete and destroy such information as soon as possible.

12.3. Personal information on individual minors is not knowingly used to facilitate promotional or marketing communications by ActiveXchange, its customers, or trusted third parties. This information is excluded on the basis of date of birth information available to ActiveXchange at the time of data processing for this intended purpose.

12.4. Parents or guardians who believe their minor dependent’s information has been provided to ActiveXchange shall be afforded the same rights and consent opportunities as if they were the data subject themselves.

13. Third-Party Links & Services

13.1. The Platform may contain links to third-party websites or services that are not operated or controlled by ActiveXchange.

13.2. ActiveXchange is not responsible for the privacy practices, content, or security of third parties.

13.3. Users are encouraged to review the privacy policies of any third-party websites or services they visit before sharing any personal information.

14. Governing Law

14.1. This Privacy Policy shall be governed by and construed in accordance with the laws of the jurisdiction of the point of origin of the relevant information, without regard to its conflict of laws principles;

14.1.1. GBR & FRO – England, UK and the General Data Protection Regulation (GDPR) under the Supervisory Authority of the UK.
14.1.2. CAN – Alberta, CAN and the Personal Information Protection and Electronic Documents Act (PIPEDA) under the authority of the Office of the Privacy Commissioner of Canada.
14.1.3. USA – California, USA and the California Privacy Rights Act (CPRA) under the authority of the California Privacy Protection Agency.
14.1.4. AUS – New South Wales, AUS and the Australian Privacy Act under the authority of the Office of the Australian Information Commissioner.
14.1.5. NZL – New Zealand and the New Zealand Privacy Act under the authority of the Office of the Privacy Commissioner of New Zealand.

15. Contact Information

15.1. If you have any questions or concerns about this Privacy Policy, please contact ActiveXchange at: [email protected] (GBR, FRO), [email protected] (CAN), [email protected] (USA), [email protected] (AUS, NZL).

15.2. To assist in timely delegation and attention of notices appropriately, please use an email subject, such as: Privacy Policy Attn. Privacy Officer.

16. Challenging Compliance & Complaint Resolution

16.1. The ActiveXchange Privacy Officer is responsible to maintain and accountable to execute the process for the resolution of grievances in the administration of this Privacy Policy.

16.2. Notice of Complaint

16.2.1. The complaining party agrees to notify ActiveXchange in writing as soon as practicable. Notices must be sent to the designated contact listed herein (or any updated contact provided in writing by ActiveXchange) via email (with confirmation receipt) and must include:

16.2.1.1. A description of the nature of the complaint.
16.2.1.2. Any relevant supporting information or documentation.
16.2.1.3. The specific relief or resolution sought.
16.2.2. Notices are deemed received on the date of delivery confirmation receipt.

16.3. Resolution & Escalation Process

16.3.1. Upon receipt of a complaint notice, ActiveXchange will engage in good faith discussions to resolve the complaint. The escalation process shall proceed as follows:

16.3.1.1. Initial Review – The designated representatives for ActiveXchange will review and respond to the complaint notice within 10 business days of receipt of the notice.
16.3.1.2. Management Escalation – If the complaint is not resolved within 20 business days of the initial review, it shall be escalated to senior management or executive-level representatives of ActiveXchange for resolution.
16.3.1.3. Good Faith Effort – Both parties shall make reasonable efforts to resolve the complaint informally before initiating formal proceedings.
16.3.1.4. If the complaint cannot be resolved through informal discussions or escalation and after more than 30 business days, ActiveXchange will assist and cooperate with the lodging of the complaint with your local privacy authority or data protection regulator.

16.4. ActiveXchange shall investigate all complaints and if deemed justified, ActiveXchange shall take appropriate steps to ensure compliance is achieved, including making changes to its policies to allow for compliance in the future.

16.5. Your right to lodge a complaint directly with your local privacy authority or data protection regulator, at any time, shall not be diminished by the notification, resolution, and escalation process described herein.

17. General Provisions

17.1. Entire Agreement

17.1.1. This Privacy Policy, together with the Terms of Use and any other agreements entered into with ActiveXchange regarding the Platform, make up the entire agreement between the user, their organization, and ActiveXchange. They replace any previous agreements or understandings, whether written or oral.

17.2. Severability

17.2.1. If any part of these Terms is found to be invalid or unenforceable by a court, the part is removed or limited as necessary, and shall not alter the force and effect of the remainder of the Terms.

17.3. Waiver

17.3.1. Prior lack of enforcement by ActiveXchange of any part of these Terms does not constitute any waiver of right to enforce these Terms at any future time.

17.4. Assignment

17.4.1. You may not transfer or assign your rights or obligations under these Terms without our written consent. ActiveXchange may transfer or assign its rights and obligations under these Terms without your consent, including in connection with a merger, acquisition, or sale of assets.

18. Revisions

18.1. ActiveXchange reserves the right to modify its Privacy Policy at any time. Any changes will be posted on our website and in the Platform. A customer or its users’ continued use of ActiveXchange Platform and services after changes are posted constitutes acceptance of the modified terms.

19. Acknowledgment and Acceptance

19.1. By accessing or using the ActiveXchange Platform, its products or services, the user acknowledges they have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, you must not access or use the Platform.

20. Review & Continuous Improvement

20.1. This policy and the ISMS will be reviewed annually by the security team.

20.2. Updates will reflect organizational, technological, or regulatory changes.

20.3. Audit findings and incidents will feed into continual improvement efforts.
* ISO 27001 Reference: A.18.2

21. Document Control

Appendix A - Cloud-service Provider Security Documentation

1. Microsoft Azure: Backend databases & frontend software platform management. Compliance and regulatory disclosures; https://www.microsoft.com/en-us/trust-center, https://learn.microsoft.com/en-us/azure/security/fundamentals/overview.
2. Google Cloud: Internal file management. Compliance and regulatory disclosures; https://cloud.google.com/security/compliance/.