Privacy Policy — Draft
⚠️ Draft — not yet in effect. This document is published for public review and feedback only. It has not been finalized by counsel and does not bind TundraFox or its users at this time. Once the text is approved by counsel we will publish a dated, effective version. Comments and corrections are welcome at [email protected].
Operator: TundraFox (operating name of the entity that owns and operates the service at tundrafox.ca). Jurisdiction: Canada. PIPEDA applies. We operate as a Canadian sovereign software provider and do not transfer personal information outside Canada except as listed in Section 4 (sub-processors).
1. Scope
This Privacy Policy describes how TundraFox collects, uses, discloses, and retains personal information when you use the TundraFox service (the "Service"), which today comprises hosted email, contacts, calendars, and the related management dashboard.
This policy applies to:
- Account holders ("tenants") who register on tundrafox.ca and consume the Service.
- End-users who interact with the Service indirectly (for example, the recipient of an email sent through TundraFox by a tenant).
2. What we collect
Account & contact information — name, email address, business name (where provided), the OIDC identifier issued by our authentication provider (Logto), and the IP address from which you registered.
Billing information — name on card, last 4 digits, card brand, expiry month/year, and tokenized card identifier. We never receive or store full card numbers. Tokenization is performed in your browser by Helcim's JavaScript SDK (Helcim is our payment processor — see Section 4); only the opaque token reaches our infrastructure.
Service metadata — subscriptions, the configuration of each service instance (e.g. domain registered for an email mailbox), provisioning job records, audit logs of administrative actions.
Service content — email messages, calendar events, and contact records that you send, receive, or store through the Service. We treat this as strictly confidential: we do not read it, mine it for advertising signals, or share it with third parties except as required by law.
Operational telemetry — request logs, performance metrics, error traces. These are retained for security and reliability purposes.
3. Why we collect it
- To provision and operate the Service you ordered.
- To bill you and process payments (only for tenants on paid tiers; no free tier exists).
- To send transactional notifications related to your account (provisioning status, billing receipts, service incidents).
- To respond to your support requests.
- To detect and prevent abuse, fraud, and security incidents.
- To comply with legal obligations (record-keeping, tax, court orders).
We do not use your personal information for behavioural advertising and have no advertising relationships with third parties.
4. Sub-processors
We disclose personal information to the following Canadian-rooted sub-processors strictly for the operational purposes above:
| Sub-processor | Purpose | Region |
|---|---|---|
| Leaseweb Canada | Hosting (bare metal infrastructure) | Canada (Toronto) |
| Helcim Inc. | Payment processing (Canadian merchant) | Canada (Calgary) |
| Cloudflare Inc. | DNS, edge TLS termination for non-mail subdomains | Global (we use Cloudflare's CA-only configuration where supported; DNS query routing is global by design) |
| Logto | Identity provider (self-hosted instance) | Canada (on our Leaseweb infrastructure) |
We do not use US-based cloud providers (AWS, GCP, Azure) for any production workload, and we are not subject to the US CLOUD Act because we have no US corporate parent and do not host primary data on US infrastructure.
5. Where data is stored
All primary data — including email content, contacts, calendars, account records, audit logs, and backups — is stored on Canadian bare-metal infrastructure operated under contract with Leaseweb Canada. Data does not leave Canadian soil for storage purposes.
DNS resolution and inbound TLS termination involve Cloudflare's global edge network for performance and DDoS protection; the data that traverses these edges is encrypted in transit and is not stored at the edge.
6. Your rights under PIPEDA
You have the right to:
- Access the personal information we hold about you. Request via [email protected]. We respond within 30 days as required by PIPEDA.
- Correct inaccurate personal information.
- Withdraw consent for processing (which may end your ability to use parts or all of the Service).
- Request deletion of your account and associated personal information. The dashboard provides a self-service flow: /profile/delete-account. Deletion is soft-flagged immediately with a 30-day grace period during which you may cancel. After T+30, personal information is hard-deleted and audit logs are retained in pseudonymized form for the period required by the Canada Revenue Agency (six years from the relevant tax year).
- Receive a copy of your data in a portable format. The dashboard provides a self-service flow: /profile/data-export. A tarball is generated asynchronously and delivered via a presigned download link with a 24-hour expiry.
- Lodge a complaint with the Office of the Privacy Commissioner of Canada if you believe we have mishandled your personal information.
7. Retention
| Category | Retention |
|---|---|
| Active account data | For the duration of the account, then deleted on the schedule above |
| Email content | Same as account data (you may delete individual messages at any time) |
| Billing records | Seven years (Canada Revenue Agency requirement) |
| Audit logs (pseudonymized after account deletion) | Six years |
| Operational telemetry (logs, metrics) | 90 days |
8. Security
- All data at rest on our bare-metal infrastructure is encrypted.
- All data in transit uses TLS 1.2 or higher; we publish DMARC, DKIM, SPF, MTA-STS, and TLS-RPT for mail security.
- Multi-factor authentication is supported (and required for administrative accounts).
- We follow OWASP ASVS, NIST 800-53, and ISO 27001-aligned operational practices. (Formal certification roadmap: see security.tundrafox.ca.)
9. Cookies and similar technologies
The dashboard at app.tundrafox.ca uses only essential cookies: authentication session, CSRF tokens, and locale preference. We do not use tracking cookies, marketing cookies, or third-party analytics.
The marketing site at tundrafox.ca does not use cookies at all.
10. Children
The Service is not directed at individuals under the age of majority in their province of residence. We do not knowingly collect personal information from children.
11. Changes to this policy
When we make material changes to this policy, we will:
- Publish the new version with a higher version_label.
- Notify account holders by email at least 30 days before the new version takes effect.
- Require re-acceptance via the dashboard before the new version applies to your account.
We keep every past version of this policy. On request we can show you the exact text that was in effect on any given date — useful if you ever need to audit what you agreed to.
12. Contact
For privacy questions, access requests, deletion requests, or to lodge a complaint:
- Email: [email protected]
- Postal: TBD (counsel to insert)
For complaints not resolved with us, the Office of the Privacy Commissioner of Canada: https://www.priv.gc.ca/