Legal

Privacy Policy

Last updated: June 2026

This Privacy Policy describes how Lowkey (“we”, “us”, “our”) collects, uses, discloses, and protects information about you when you use our website at lowkeyagency.caand our growth-infrastructure platform (collectively, the “Services”). It also describes your privacy rights and how applicable law protects you.

1. Who We Are

Lowkey is a Canadian growth-infrastructure agency. Our registered business operates out of Canada. For the purposes of applicable privacy law, Lowkey is the data controller for personal information collected through the Services.

Questions or requests: contact@lowkeyagency.com

2. Information We Collect

Information you provide directly:

  • Name, email address, company name, and message — submitted through our contact, audit, or booking forms.
  • Account credentials when you register for a platform account (email and hashed password).
  • Billing information (card number, billing address) — collected and processed by Stripe. We never see or store raw card data.
  • Communications with us, including support requests and chatbot conversations.

Information collected automatically:

  • Log data: IP address, browser type and version, referring URL, pages visited, and timestamps.
  • UTM / campaign parameters present in the URL when you arrive.
  • Cookie identifiers and analytics event data (subject to your cookie consent preferences).
  • Performance data collected by our error-monitoring provider.

Information from third parties:

  • If you connect via Google OAuth, we receive your name, email, and profile picture from Google.
  • Payment status from Stripe (charge success / failure) — we do not receive full card data.

3. How We Use Your Information

We use collected information to:

  • Respond to your inquiries, scope and deliver service engagements, and communicate about your account.
  • Operate, maintain, and improve the platform, including debugging and infrastructure work.
  • Process payments and manage subscriptions via Stripe.
  • Send transactional emails (receipts, deliverable notifications, magic-link logins).
  • Analyse aggregate usage patterns to prioritise product improvements (where you have consented to analytics cookies).
  • Detect fraud, abuse, and security incidents.
  • Comply with legal obligations.

We do not sell your personal information to third parties, use it for behavioural advertising via ad networks, or profile you for purposes unrelated to the service you requested.

4. Legal Bases for Processing (GDPR / PIPEDA)

Where applicable privacy law requires a legal basis, we rely on:

  • Performance of a contract — to deliver the services you have engaged us for.
  • Legitimate interests — security monitoring, fraud prevention, platform analytics, and service improvement, where these are not overridden by your rights.
  • Consent — for optional analytics and marketing cookies, email marketing. You may withdraw consent at any time.
  • Legal obligation — where we are required to process data to comply with law.

5. Cookies & Tracking

We use cookies and similar technologies as described in our Cookie Notice, presented to you on first visit. Cookies fall into three categories:

  • Strictly Necessary — session management, CSRF protection, and consent storage. Always active.
  • Analytics — PostHog (self-hosted or cloud) to understand aggregate usage patterns. Active only with your consent.
  • Marketing — campaign attribution. Active only with your consent.

You can update your preferences at any time using the “Cookie settings” link in the site footer.

6. Data Retention

We retain personal information only as long as necessary for the purposes set out here, or as required by law:

  • Enquiry / lead data: 3 years from last interaction, or until you request deletion.
  • Account data: for the life of the account plus 90 days after closure.
  • Billing records: 7 years as required by Canadian tax law.
  • Server logs: 90 days rolling.
  • Analytics events: 12 months from capture (PostHog retention settings).

7. How We Share Your Information

We do not sell personal information. We share it only in the following circumstances:

  • Service providers — sub-processors listed on our Trust Center (/trust) who process data on our behalf under data-processing agreements. Examples: Stripe (billing), Resend (email), Neon / Supabase (database), Upstash (Redis), PostHog (analytics).
  • Legal requirements — if required by court order, regulatory body, or to protect the safety of persons.
  • Business transfer — if we merge, are acquired, or transfer substantially all assets, your information may be transferred as part of that transaction. We will notify you in advance.

8. International Transfers

Our service providers may process data in the United States or other jurisdictions. Where required, we ensure appropriate safeguards are in place (e.g. Standard Contractual Clauses under GDPR, or equivalent mechanisms). For questions about specific transfer mechanisms, contact us at contact@lowkeyagency.com.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access — request a copy of personal information we hold about you.
  • Correction — request correction of inaccurate data.
  • Deletion — request erasure of your personal information ('right to be forgotten'), subject to legal retention requirements.
  • Restriction — request we restrict processing in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting lawfulness of prior processing.

To exercise any of these rights, email contact@lowkeyagency.com with the subject “Privacy Request”. We will respond within 30 days. You also have the right to lodge a complaint with your applicable supervisory authority.

10. Security

We implement technical and organisational measures to protect your information — including encryption in transit (TLS 1.2+), encryption at rest, access controls, and regular dependency auditing. See our Security page for details. No system is impenetrable; if you believe your data has been compromised, contact us immediately.

11. Children's Privacy

The Services are not directed at children under 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us for prompt deletion.

12. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email (if you have an account) or by posting a notice on the site. The “Last updated” date at the top of this page reflects the most recent revision.

13. Contact

For privacy enquiries: contact@lowkeyagency.com

This policy is provided for informational purposes. We recommend engaging qualified legal counsel to ensure it meets your specific regulatory requirements.