Trust & Security
Trust Center
Transparency about how we handle your data, who we share it with, and the standards we meet. Our legal documents are linked throughout.
Compliance
Regulatory Posture
PIPEDA
We follow the Personal Information Protection and Electronic Documents Act as the governing data-privacy law for Canadian operations.
GDPR / UK GDPR
Our privacy practices are aligned with GDPR principles (lawful basis, data minimisation, rights). A signed DPA is available for EU/UK controllers.
CASL
All commercial electronic messages include unsubscribe mechanisms and are sent only to recipients with express or implied consent.
CAN-SPAM
Email communications include physical address, opt-out mechanism, and are not deceptive.
PCI DSS
We do not store, process, or transmit cardholder data. All card processing is handled by Stripe (PCI DSS Level 1 service provider).
Sub-Processors
Third-Party Data Processors
We engage the following sub-processors to deliver our Services. Each is bound by a data-processing agreement with security and privacy obligations at least as protective as our own. Last reviewed: June 2026.
| Provider | Purpose | Location | Data Processed |
|---|---|---|---|
| Vercel, Inc. | Web hosting & edge delivery | USA (global CDN) | IP address, Log data, Request metadata |
| Neon Inc. / Neon Serverless Postgres | Primary relational database | USA (AWS us-east-1) | All application data, User records, Lead data |
| Upstash, Inc. | Managed Redis (rate limiting, caching) | USA (AWS us-east-1) | Session rate-limit identifiers, Cache keys (no PII) |
| Stripe, Inc. | Payment processing & billing | USA (global) | Card data (PCI DSS scope), Billing address, Email |
| Resend, Inc. | Transactional email delivery | USA | Recipient email address, Email content |
| PostHog, Inc. | Product analytics (consent-gated) | USA (AWS us-east-1) | Anonymised usage events, Session data (no PII without consent) |
| Sentry (Functional Software, Inc.) | Error monitoring & performance | USA | Stack traces, Request context, User ID (when logged in) |
| Google LLC | OAuth sign-in (optional) | USA (global) | Name, Email, Profile picture (when OAuth used) |
| Airtable, Inc. | CRM / lead intake | USA | Lead name, Email, Company, Message |
Changes to this list are notified to affected clients 30 days in advance per our DPA.
Retention
Data Retention Schedule
Lead / enquiry data
3 years from last contact
Account & user data
Life of account + 90 days
Billing records
7 years (tax law)
Server & access logs
90 days rolling
Analytics events
12 months
Error / crash reports
30 days
Contact
Data & Privacy Enquiries
For privacy requests, DPA enquiries, opt-out requests, or data-subject rights exercises, contact us at: contact@lowkeyagency.com
For security vulnerability reports: security@lowkeyagency.ca
Trust Center last reviewed: June 2026.