Privacy Policy
1. Introduction and Scope
This Privacy Policy ("Policy") describes how Lotrasoft ("we," "us," or "our") collects, uses, and discloses personal information in the course of our commercial activities, including your use of our website, client portals, and our cybersecurity and IT service offerings.
We are committed to protecting the privacy and security of our clients and their users in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation in Ontario, Alberta, British Columbia, and Quebec.
2. Priority of Agreements and Service-Specific Terms
This Policy provides a general framework for our privacy practices. However, due to the highly technical nature of cybersecurity and managed IT services, specific professional engagements often require specialized data handling, retention periods, or security controls.
Service-Specific Priority: Any privacy-related requirements, data processing instructions, or specific security protocols for a particular engagement (e.g., Managed Security Services, Incident Response, or Cloud Hosting) will be governed by the specific Master Services Agreement (MSA), Statement of Work (SOW), or Data Processing Agreement (DPA) executed for that engagement. In the event of any conflict between this Policy and a service-specific agreement, the terms of the specific engagement shall take precedence for that particular service.
3. Personal Information We Collect
We collect only the information necessary to provide our services and manage our business relationship with you.
3.1. Information You Provide Directly
- Contact & Account Data: Names, business email addresses, phone numbers, and job titles provided during inquiries or onboarding.
- Credentials: Usernames, passwords, and multi-factor authentication (MFA) metadata for access to our secure portals.
- Support Interactions: Records of communications with our helpdesk or security analysts.
3.2. Technical and Security Telemetry
In the course of providing cybersecurity services, we automatically collect technical data from protected networks and devices:
- Network Identifiers: IP addresses, MAC addresses, and device hostnames.
- Security Logs: System event logs, connection metadata, and telemetry used for threat detection and incident response.
- Endpoint Metadata: Information regarding operating system versions, software inventory, and security patch status.
4. How We Use Your Information
We process personal information for purposes that a reasonable person would consider appropriate under the circumstances:
- Service Delivery: To manage your IT infrastructure, provide technical support, and fulfill our contractual obligations.
- Threat Detection & Mitigation: To monitor network traffic for indicators of compromise (IoCs), identify malicious activity, and conduct forensic investigations.
- Security Intelligence: To develop anonymized, aggregated threat intelligence to protect our broader client base. Identifiable personal information is not shared in this process.
- Legal Compliance: To comply with Canadian law, including anti-money laundering (AML) and audit requirements.
5. Disclosure and Sharing
We do not sell your personal information. We only share information in the following circumstances:
- Sub-processors: We use trusted third-party vendors for cloud infrastructure (e.g., AWS, Azure) and security toolsets. These vendors are contractually bound to provide a comparable level of protection and are prohibited from using your data for their own purposes.
- Legal & Law Enforcement: We may disclose information if required by a valid subpoena, warrant, or court order. In accordance with the Supreme Court of Canada's ruling in R. v. Bykovets, we require a judicial warrant for the disclosure of IP addresses to law enforcement, except in immediate emergencies.
- Business Transfers: In a merger or acquisition, personal information may be transferred as a business asset subject to the protections of this Policy.
6. International Data Transfers and Data Residency
While we are a Canadian organization, your data may be stored or processed in other jurisdictions, typically the United States, depending on the cloud services selected. When data crosses borders, we ensure:
- Contractual Safeguards: We use robust agreements to ensure your data remains protected to Canadian standards.
- Notice: You acknowledge that data in foreign jurisdictions may be subject to the lawful access requirements of those countries.
- Canadian Data Residency: We strive to store Canadian data within Canada for the vast majority of our services. For engagements that include Canadian Regulatory Compliance services, we guarantee 100% data residency compliance, ensuring that all data subject to such agreements remains stored and processed exclusively within Canadian borders, using Canadian-based infrastructure and data centers.
7. Security Safeguards
We implement physical, organizational, and technological safeguards appropriate to the sensitivity of the information we manage:
- Encryption: Use of industry-standard encryption for data at rest and in transit.
- Access Control: Strict role-based access control (RBAC) and mandatory MFA for all personnel.
- Monitoring: Continuous security logging and monitoring of our own systems and portals.
8. Data Retention and Destruction
We retain personal information only for as long as necessary to fulfill the identified purposes or as required by law.
- Technical Logs: Generally retained for 90 to 365 days unless a longer period is required for an ongoing investigation or by contract.
- Administrative Records: Retained for the duration of the contract plus a period for legal and tax compliance (typically 7 years).
- Secure Destruction: Upon expiry of retention periods, data is securely deleted or anonymized to prevent recovery.
9. Your Rights
Under Canadian law, you have the right to:
- Request access to the personal information we hold about you.
- Request corrections to inaccurate or incomplete information.
- Withdraw consent for certain processing activities (subject to legal or contractual restrictions).
10. Accountability and Contact Information
We have appointed a Privacy Officer to oversee our compliance with this Policy and privacy laws. For any inquiries or to exercise your rights, please contact:
Privacy Officer
Farshid Solimanpour
Lotrasoft
5700 Yonge St #200, North York, ON M2M 4K2
Email: [email protected]
Phone: +1 (437) 703-3366
If we are unable to resolve your concern, you have the right to contact the Office of the Privacy Commissioner of Canada or your provincial privacy regulator.
