Privacy Policy

1. Who We Are

HelixCast (“HelixCast,” “we,” “us,” or “our”) is a digital signage and workplace communication platform. Our customers are businesses that use HelixCast directly to manage and broadcast content to screens across their locations. This policy applies to visitors of our marketing website, prospective customers, registered users, and any individuals whose personal data we may process in connection with delivering our services.

Our principal place of business is in Canada. As a Canadian company, our data practices are governed primarily by the Personal Information Protection and Electronic Documents Act (“PIPEDA”), Quebec's Act Respecting the Protection of Personal Information in the Private Sector (as amended by Law 25), Canada's Anti-Spam Legislation (“CASL”), and applicable provincial privacy statutes. Our primary market is North American-based businesses. We do not actively market to, target, or solicit customers located in countries subject to the General Data Protection Regulation (“GDPR”), including the European Union (“EU”), European Economic Area (“EEA”), or the United Kingdom (“UK”). However, if an individual located in those jurisdictions independently chooses to sign up for or use the Service, we are committed to handling their data responsibly and in accordance with their rights, including promptly honoring any deletion request. See Section 16 for more detail.

2. Scope of This Policy

This Privacy Policy covers:

• Personal data collected through our website at helixcast.comand any subdomains (collectively, the “Site”).
• Personal data collected through the HelixCast application, platform, APIs, and related services (collectively, the “Service”).
• Personal data we receive from third-party sources, partners, and data vendors in connection with sales, marketing, and product improvement activities.

This policy does not apply to the data practices of third-party websites or services that may be linked from our Site. We encourage you to review the privacy policies of those third parties independently.

3. Information We Collect

We collect personal data in the following ways and categories:

3a. Information You Provide Directly

• Account registration: Your name, work email address, job title, company name, and password when you create an account.
• Contact and inquiry forms: Any information you submit through our contact, demo request, or support forms, including your name, email address, phone number, company, and the content of your message.
• Billing and payment: Billing contact name, billing address, and payment card details. Card processing is handled by our payment processor, Stripe, Inc. We do not receive or store your full card number, CVV, or similar sensitive payment credentials.
• Communications: The content of emails, messages, or other communications you send to us, including support tickets.
• Profile information: Any optional profile details you choose to provide, such as a profile photo or organizational role.
• User-uploaded content: Images, videos, files, text, and other media you upload to the Service for display on your screens. See Section 11 for important terms regarding uploaded content.

3b. Information Collected Automatically

When you visit our Site or use the Service, we and our third-party partners automatically collect certain technical and behavioral data, including:

• Log data: IP address, browser type and version, operating system, referring URLs, pages visited, time and date of visits, and time spent on each page.
• Device identifiers: Device type, hardware model, unique device identifiers, and mobile network information.
• Cookies and similar tracking technologies: Session cookies, persistent cookies, pixel tags, web beacons, local storage objects, and similar technologies. See Section 9 for detailed information.
• Usage and behavioral data: Feature interactions, click patterns, scroll depth, navigation paths, search queries within the Service, content scheduling activity, screen connection events, and other actions taken within the Service.
• Performance data: Page load times, error logs, crash reports, and diagnostic telemetry.

3c. Information We Receive from Third Parties

• Identity resolution and visitor intelligence vendors: We use third-party tools, including but not limited to RB2B and Retention.com, that may match website visitor activity to known individual or company profiles using cookies, pixel tags, IP-based signals, and email address association. As a result, we or these vendors may associate your website visits or logged-in sessions with your name, email address, company, job title, and other professional data maintained in their respective databases. This data may be used to send you personalized marketing communications. See Section 9 for opt-out information.
• Intent data and market research platforms: We may receive signals about your research behavior and buying intent from third-party data providers that analyze online activity across their networks. This may include information about the topics your company has been researching, software categories of interest, or competitive comparisons you have made.
• CRM and enrichment providers: We may enrich our records with publicly available firmographic data (e.g., company size, industry, technology stack) and contact data from providers such as LinkedIn, Apollo, ZoomInfo, Clearbit, or similar business data services.
• Social and single sign-on providers: If you choose to sign in or connect an account via a third-party service (e.g., Google), we receive profile information from that provider in accordance with your settings and their policies.
• Referral and partner sources: If you were referred to HelixCast through a partner or affiliate, we may receive your contact information from that partner.

4. How We Use Your Information

We use personal data for the following purposes:

• Providing the Service: Creating and managing your account, processing transactions, delivering features, authenticating logins, and providing customer support.
• Service improvement and product development: Analyzing usage patterns, understanding feature adoption, conducting A/B testing, identifying bugs, and developing new features and products.
• Personalization: Customizing your experience within the Service based on your role, preferences, and usage history.
• Marketing and sales communications: Sending product announcements, feature updates, promotional content, case studies, webinar invitations, and sales outreach. You may opt out of marketing emails at any time by clicking the unsubscribe link in any such communication or by emailing privacy@helixcast.com.
• Behavioral analytics and intent-based marketing: Using your website behavior, product usage, and third-party intent signals to identify prospects, prioritize outreach, personalize advertising campaigns, and serve relevant content across third-party channels including LinkedIn, Google, and email.
• Market research: Aggregating and analyzing data to understand market trends, customer segments, and competitive positioning. Where used for market research, data is typically aggregated or anonymized.
• Safety and abuse prevention: Detecting, investigating, and removing illegal, infringing, or harmful content uploaded to the Service, including in response to reports and in compliance with applicable law.
• Security and fraud prevention: Monitoring for suspicious activity, unauthorized access, abuse, and threats to the integrity of the Service.
• Legal compliance: Meeting our obligations under applicable laws, regulations, and legal processes, including responding to lawful subpoenas, court orders, or government requests.
• Business operations: Billing, auditing, recordkeeping, enforcing our Terms of Service, and resolving disputes.
• Mergers and acquisitions: In connection with a merger, acquisition, reorganization, or sale of assets, your data may be transferred to the acquiring entity, subject to customary confidentiality obligations.

5. Legal Basis and Authority for Processing

As a Canadian company, our primary authority for collecting, using, and disclosing personal data is Canadian privacy law — principally PIPEDA and applicable provincial statutes. See Section 15 for a full description of Canadian legal requirements. To the extent that GDPR or similar laws apply to any incidental processing we conduct, we additionally rely on the following bases:

• Fulfillment of a contract: Processing your account information and usage data to provide the Service you have signed up for (PIPEDA Schedule 1, Principle 3; GDPR Article 6(1)(b)).
• Legitimate interests: We process data for marketing, analytics, security, product improvement, and business operations where those interests are not overridden by your rights and privacy interests (PIPEDA Schedule 1; GDPR Article 6(1)(f)).
• Consent: For non-essential cookies, commercial electronic messages (as required by CASL), and other processing where consent is required by applicable law, we will seek your consent and process data only to the extent of that consent (PIPEDA Schedule 1, Principle 3; GDPR Article 6(1)(a)).
• Legal obligation: We may process data where required to comply with applicable law or to respond to a valid legal process (GDPR Article 6(1)(c)).

For users located in the United States, our processing is also governed by applicable U.S. federal and state privacy laws, including the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”), and similar state statutes where applicable.

6. Data Sharing and Disclosure

We do not sell your personal data for monetary consideration. We may, however, share or disclose data in the following circumstances:

• Service providers and subprocessors: We engage third-party companies to perform functions on our behalf, including cloud hosting and infrastructure (e.g., AWS, Google Cloud), payment processing (Stripe), email delivery (e.g., SendGrid, Postmark), customer relationship management, marketing automation, analytics, error monitoring, and customer support. These providers access personal data only to the extent necessary to perform services on our behalf and are bound by contractual obligations governing data confidentiality and security.
• Analytics and tracking vendors: We share website and behavioral data with analytics platforms (e.g., Google Analytics, Segment, Mixpanel, Amplitude, Heap, or similar tools) and visitor identification vendors (e.g., RB2B, Retention.com) as described in Sections 3c and 9.
• Advertising and retargeting platforms: We may share hashed email addresses, pixel data, or audience lists with advertising platforms including Google Ads, LinkedIn Campaign Manager, Meta Ads, and similar platforms to serve targeted advertisements.
• Intent data providers: We may share de-identified or aggregated data with market intelligence and intent data platforms that we use to identify in-market prospects.
• Law enforcement and legal process:We may disclose user data, including uploaded content, to law enforcement agencies, government authorities, or other third parties when required by applicable law, court order, or legal process, or when we believe in good faith that such disclosure is necessary to prevent harm, investigate illegal activity, or protect the rights and safety of HelixCast, our users, or others. We will report discovered or reported child sexual abuse material (“CSAM”) to the National Center for Missing and Exploited Children (“NCMEC”), the Canadian Centre for Child Protection (“CCCP”), and any other authority required by law, and will cooperate fully with any resulting investigation.
• Business transfers: If HelixCast is acquired, merged, or sells all or a portion of its assets, personal data may be transferred as part of that transaction. We will provide notice before personal data is transferred and becomes subject to a different privacy policy.
• With your consent: We may share data in additional ways if you have given us explicit consent.

7. Data Retention

We retain personal data for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required or permitted by law. Our general retention guidelines are:

• Account data: Retained for the duration of your account and for up to three (3) years after account closure to support legal, billing, and dispute-resolution needs.
• Uploaded content: Retained while your account is active. Upon account deletion, uploaded content is removed from active storage within 30 days, except where retention is required for legal or law enforcement purposes.
• Usage logs and telemetry: Retained for 90 days in raw form, after which they are aggregated or purged.
• Marketing and communication records: Retained for the duration of our business relationship and for up to three (3) years thereafter, unless you request earlier deletion.
• Financial and transaction records: Retained for seven (7) years to comply with tax and accounting obligations.
• Support tickets and correspondence: Retained for three (3) years from the date the ticket was resolved.
• Legal hold: If data is subject to an active legal hold, litigation, or regulatory investigation, we will retain it until the hold is lifted regardless of our normal retention schedules.

You may request deletion of your personal data at any time as described in Section 12.

8. Security

We implement commercially reasonable technical and organizational security measures designed to protect your personal data against unauthorized access, disclosure, alteration, or destruction. These measures include:

• Encryption of data in transit using TLS 1.2 or higher.
• Encryption of data at rest using AES-256 or equivalent standards.
• Role-based access controls and least-privilege principles for internal access to production systems.
• Regular vulnerability assessments and security reviews.
• Incident response procedures, including notification obligations.

No security system is impenetrable. In the event of a data breach that poses a real risk of significant harm to individuals, we will notify affected users and the relevant supervisory authority (the Office of the Privacy Commissioner of Canada and/or Quebec's Commission d'accès à l'information as applicable) within the timeframes required by law, and in any event no later than 72 hours of becoming aware of the breach.

9. Cookies, Tracking Technologies, and Online Advertising

We and our third-party data partners use cookies, pixel tags, web beacons, session replay scripts, browser fingerprinting, IP intelligence tools, and other similar tracking technologies on our Site and within the Service. This section explains in detail how these technologies work, what data they collect, and how you can control them.

9a. Types of Cookies We Use

• Strictly necessary cookies: Required for the Service to function. These include authentication tokens, session identifiers, CSRF protection tokens, and load balancing cookies. These cannot be disabled without breaking core functionality.
• Performance and analytics cookies: Used to understand how visitors interact with our Site and Service, including page views, session duration, navigation paths, feature usage, and error rates.
• Functional cookies: Used to remember your preferences, such as language settings, timezone, and UI customizations.
• Marketing and targeting cookies: Used to build audience profiles, track the effectiveness of advertising campaigns, enable retargeting, and deliver personalized content or advertisements on our Site and on third-party platforms.
• Identity resolution cookies:Deployed by our data partners (including RB2B and Retention.com) to associate your website activity with your known professional identity, including your email address and company affiliation, based on data in those partners' databases.

9b. Email Association and Behavioral Targeting

When you visit or log in to our website, cookies and similar technologies may be used by our online data partners or vendors to associate these activities with other personal information they or others have about you, including by association with your email address. We (or service providers on our behalf) may then send communications and marketing to these email addresses.

You may opt out of receiving this advertising by visiting https://app.retention.com/optout.

You also have the option to opt out of the collection of your personal data in compliance with GDPR by visiting https://www.rb2b.com/rb2b-gdpr-opt-out.

9c. Visitor Identification and Intent Tracking Tools

We may use one or more of the following categories of marketing and analytics technologies:

• Visitor identification tools (e.g., RB2B, Retention.com, Clearbit Reveal, Demandbase, 6sense, or similar): These tools identify the company or individual visiting our website based on IP address resolution, cookie matching, or first-party login data.
• Behavioral analytics and session recording (e.g., Mixpanel, Amplitude, Heap, FullStory, Hotjar, or similar): These tools record user interactions, clicks, form completions, and navigation sequences to help us improve usability.
• Product analytics (e.g., Segment, Amplitude, Mixpanel, or similar): These tools track in-product behavior to help us understand feature adoption and customer success.
• CRM and marketing automation (e.g., HubSpot, Salesforce, Customer.io, Mailchimp, or similar): These platforms store contact records and automate outreach sequences based on behavioral triggers.
• Advertising pixels (e.g., Google Ads conversion tracking, LinkedIn Insight Tag, Meta Pixel, or similar): These pixels track conversions, build retargeting audiences, and attribute advertising spend.
• Third-party intent data (e.g., G2, TechTarget, Bombora, or similar): Aggregated signals indicating that a company or person has been researching products in our category.

9d. Your Cookie Choices

• Browser settings: Most browsers allow you to block or delete cookies. Blocking all cookies may impact functionality of the Service.
• Do Not Track: We currently do not alter our data collection practices in response to Do Not Track signals, though we may do so in the future as standards emerge.
• Google Analytics opt-out: tools.google.com/dlpage/gaoptout
• Retention.com opt-out: https://app.retention.com/optout
• RB2B GDPR opt-out: https://www.rb2b.com/rb2b-gdpr-opt-out
• Interest-based advertising: Opt out via the Digital Advertising Alliance at optout.aboutads.info or the Network Advertising Initiative at optout.networkadvertising.org.

10. Third-Party Links and Integrations

Our Site and Service may contain links to third-party websites, integrations with third-party platforms (e.g., Google Workspace, Slack, Canva), or embedded content from third parties. Clicking such links or enabling such integrations may allow those third parties to collect data about you. We do not control these third parties and are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party service before using it.

11. User-Uploaded Content — Copyright, Prohibited Content, and Liability

HelixCast allows users to upload, store, and display content — including images, videos, documents, and other media — through the Service. This section describes our policies and your responsibilities regarding that content.

11a. Your Responsibility for Uploaded Content

You are solely responsible for all content you upload, store, publish, or display through the Service (“User Content”). By uploading content, you represent and warrant that:

• You own all rights to the content, or you have obtained all necessary licenses, permissions, consents, and authorizations required to upload, display, and use the content through the Service.
• The content does not infringe, misappropriate, or violate any third party's intellectual property rights, including copyrights, trademarks, patents, trade secrets, moral rights, or rights of publicity or privacy.
• The content does not violate any applicable law or regulation, including laws governing defamation, obscenity, privacy, data protection, or consumer protection.
• The content does not contain, depict, or promote any illegal material, including child sexual abuse material (“CSAM”), non-consensual intimate images, content that incites violence or hatred, or any other material that is illegal under Canadian, U.S., or other applicable law.

11b. Copyright and Intellectual Property

HelixCast respects intellectual property rights and expects users to do the same. We comply with the Copyright Act(Canada) and, to the extent applicable, the U.S. Digital Millennium Copyright Act (“DMCA”) and other applicable intellectual property laws. If you believe that content uploaded by a user infringes your copyright or other intellectual property rights, you may submit a written notice to:

Upon receipt of a valid notice, we will investigate and, where appropriate, remove or disable access to the infringing content and notify the uploading user. Repeat infringers may have their accounts terminated. We reserve the right to restore content if we receive a valid counter-notice from the uploader asserting a good- faith belief that the removal was in error.

11c. Prohibited Content — Absolute Prohibitions

The following categories of content are strictly prohibited on the Service and will result in immediate removal, permanent account termination, and reporting to the appropriate authorities:

• Child sexual abuse material (CSAM) and child exploitation content: Any content that sexually exploits, depicts, or endangers minors, including images, videos, or any other media that constitutes CSAM under the Criminal Code of Canada (Section 163.1), the U.S. Protection of Children Against Sexual Exploitation Act, or any other applicable law. We have zero tolerance for this content. Upon discovery or credible report, we will immediately remove the content, permanently terminate the offending account, preserve relevant evidence, and report to the Canadian Centre for Child Protection (Cybertip.ca), the National Center for Missing and Exploited Children (NCMEC CyberTipline), and any relevant law enforcement or government authority. We will cooperate fully with any resulting investigation, including providing user data and content to law enforcement without further notice to the user where required by law.
• Non-consensual intimate images:Any intimate or sexually explicit images or recordings of a person shared without that person's consent (“revenge porn” or “image-based abuse”).
• Content inciting violence or terrorism: Any content that glorifies, promotes, facilitates, or incites violence, terrorism, or genocide against individuals or groups.
• Malware, spyware, or harmful code: Any files or links designed to damage, disrupt, or gain unauthorized access to systems.
• Other illegal content: Any content that is illegal under applicable Canadian, U.S., or other applicable law, including content that violates laws against defamation, hate speech, criminal harassment, or fraud.

11d. Content Moderation and Enforcement

HelixCast does not proactively screen or review all User Content prior to upload. However, we reserve the right, but not the obligation, to review, monitor, remove, or disable access to any User Content at any time and for any reason, including content that violates this policy, our Terms of Service, or applicable law, or that we determine in our sole discretion to be harmful, objectionable, or in violation of third-party rights. You may report prohibited or infringing content by emailing privacy@helixcast.com with “Content Report” in the subject line.

11e. HelixCast's Limitation of Liability for User Content

HelixCast is a passive conduit and storage provider with respect to User Content. We do not create, edit, endorse, or adopt User Content as our own. To the maximum extent permitted by applicable law:

• HelixCast is not responsible or liable for any User Content uploaded, displayed, or distributed by users through the Service, including for any infringement of intellectual property rights, violation of privacy rights, defamation, or other harm caused by such content.
• HelixCast shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising from your upload of content that infringes third-party rights or violates applicable law.
• You agree to indemnify, defend, and hold harmless HelixCast and its officers, directors, employees, and agents from and against any claims, liabilities, damages, losses, and expenses (including reasonable legal fees) arising out of or in connection with User Content you upload, your violation of this section, or your infringement of any third-party rights.
• HelixCast complies with safe harbor provisions under applicable law to the extent they are available, including provisions analogous to those under Section 512 of the U.S. DMCA and Section 31.1 of the Canadian Copyright Act, by acting expeditiously to remove or disable access to infringing content upon receiving proper notice.

12. Your Rights and Choices

Regardless of where you are located, you may exercise the following rights with respect to your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request that we correct inaccurate or incomplete personal data.
• Deletion: Request that we delete your personal data. You can exercise this right at any time by emailing privacy@helixcast.com. We will process your deletion request within 30 days, subject to exceptions for data we are required to retain by law.
• Portability: Request your data in a machine-readable, portable format.
• Opt-out of marketing: Unsubscribe from marketing emails at any time via the unsubscribe link in any email or by contacting privacy@helixcast.com.
• Withdraw consent: Where we process data based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

To exercise any of these rights, email privacy@helixcast.com with the subject line “Privacy Request.” We may ask you to verify your identity before fulfilling your request. We will respond within 30 days, or as required by applicable law.

13. California Privacy Rights (CCPA / CPRA)

Although HelixCast is a Canadian company, we serve customers located in the United States. If you are a California resident, the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), gives you the following additional rights:

• Right to know about the categories and specific pieces of personal data collected, sources, business purposes, and third parties with whom we share it.
• Right to delete personal data we have collected from you, subject to exceptions.
• Right to correct inaccurate personal data.
• Right to opt out of sale or sharing:We do not sell personal data for money. However, our use of advertising pixels, identity resolution tools, and behavioral tracking may constitute “sharing” for cross-context behavioral advertising under the CPRA. You may opt out by contacting privacy@helixcast.com or using the opt-out mechanisms in Section 9d.
• Right to limit use of sensitive personal information as defined by the CPRA.
• Right to non-discrimination for exercising these rights.

To submit a CCPA/CPRA request, email privacy@helixcast.com with the subject “California Privacy Request.” We will respond within 45 days (with a possible 45-day extension).

Categories of personal data collected in the preceding 12 months: Identifiers (name, email, IP address), commercial information (transactions), internet/network activity (browsing, usage), geolocation data (city/region from IP), professional and employment information, and inferences drawn from the above.

14. Other U.S. State Privacy Rights

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Utah (UCPA), Montana, Oregon, and other states with comprehensive consumer privacy laws may have rights similar to those in Section 13, including rights to access, correct, delete, and obtain a portable copy of your personal data, and to opt out of targeted advertising, the sale of personal data, and certain automated profiling decisions.

To exercise applicable state privacy rights, email privacy@helixcast.com with the subject “State Privacy Request” and your state of residence. We will respond within the timeframes prescribed by your applicable state law and provide reasons and appeal instructions if we decline to act.

15. Canadian Privacy Laws

As a company incorporated and operating in Canada, our data practices are primarily governed by Canadian federal and provincial privacy legislation. This section describes those laws, how they apply to us, and the rights they give you.

15a. PIPEDA (Personal Information Protection and Electronic Documents Act)

PIPEDA is Canada's federal private-sector privacy law. It governs how organizations collect, use, and disclose personal information in the course of commercial activities. Under PIPEDA, we are required to:

• Obtain meaningful consent before or at the time of collecting personal information, and use or disclose it only for the purposes for which consent was given.
• Limit collection to information necessary for the identified purposes (data minimization).
• Keep personal information accurate, complete, and up to date as required for its intended use.
• Protect personal information with security safeguards appropriate to the sensitivity of the data.
• Be open and transparent about our privacy policies and practices.
• Give individuals access to their personal information and allow them to challenge its accuracy.
• Report breaches of security safeguardsthat pose a real risk of significant harm to the Office of the Privacy Commissioner of Canada (“OPC”) and notify affected individuals without unreasonable delay.

Complaints under PIPEDA may be filed with the OPC at www.priv.gc.ca.

15b. Quebec Law 25

Quebec's Law 25 (also known as “Bill 64”) is Canada's most comprehensive provincial privacy statute. Fully in force since September 2023, it applies to any organization collecting or using personal information about Quebec residents. Our obligations under Law 25 include:

• Privacy officer: We have designated a person responsible for the protection of personal information. Contact: privacy@helixcast.com.
• Privacy impact assessments (PIAs): Conducted for new projects or technologies involving personal information.
• Breach notification:We notify the Commission d'accès à l'information (“CAI”) and affected individuals of any breach that presents a risk of serious injury, without delay.
• Right to data portability: Quebec residents may request their personal information in a structured, portable technological format.
• Right to deindexation / erasure: Quebec residents may request that personal information published online be deindexed or stopped from being disseminated where it causes them harm.
• Profiling transparency: When we use technology to identify, locate, or profile an individual, we disclose this in the present policy and provide means to activate any applicable privacy settings.
• Cross-border transfers: Before communicating personal information outside Quebec, we conduct a privacy impact assessment to ensure adequate protection.

Complaints under Law 25 may be filed with the CAI at www.cai.gouv.qc.ca.

15c. Alberta and British Columbia PIPA

Alberta and British Columbia each have their own Personal Information Protection Act (PIPA). These statutes are substantially similar to PIPEDA and include consent requirements, access and correction rights, and breach notification obligations. To the extent we handle personal information of residents of those provinces in an intra-provincial context, we comply with the applicable provincial PIPA.

15d. Canada's Anti-Spam Legislation (CASL)

CASL governs commercial electronic messages (“CEMs”) sent to Canadian recipients. We comply with CASL as follows:

• Consent: We send marketing emails only to recipients who have provided express consent, or where implied consent applies (e.g., an existing business relationship within the prior 24 months, or an inquiry within the prior 6 months).
• Identification: All CEMs identify HelixCast as the sender and include our mailing address.
• Unsubscribe mechanism: Every CEM includes a clearly visible unsubscribe mechanism. We honor unsubscribe requests within 10 business days.
• No misleading content: We do not use false or misleading sender information, subject lines, or body content.

You may withdraw CASL consent at any time by clicking the unsubscribe link in any marketing email or by contacting privacy@helixcast.com.

15e. Your Rights Under Canadian Law

• Right of access: Request access to the personal information we hold about you and an explanation of how it has been used and disclosed.
• Right to correction: Request that we correct inaccurate or incomplete personal information.
• Right to withdraw consent: Withdraw consent to the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions. Withdrawal may affect our ability to provide the Service.
• Right to complain: File a complaint with the OPC (federal) or the applicable provincial privacy commissioner.
• Right to portability (Quebec residents): Request data in a structured, portable format under Law 25.
• Right to deindexation (Quebec residents): Request deindexation or cessation of online dissemination of personal information that causes harm.

To exercise any of these rights, email privacy@helixcast.com with the subject “Canadian Privacy Request.” We will respond within 30 days.

16. International Data Transfers and GDPR

16a. Our Position on GDPR Applicability

HelixCast is a Canada-based company. Our Service is directed at businesses in Canada and the United States. We do not actively target, market to, or solicit business from companies or individuals in the EU, EEA, or UK, and we do not maintain any establishment in those jurisdictions. Accordingly, we do not consider ourselves subject to the GDPR as a general matter. It is also worth noting that Canada (under PIPEDA) has been recognized by the European Commission as an adequate jurisdiction, meaning personal data transferred from the EU to Canada for activities covered by PIPEDA may flow without additional transfer mechanisms.

16b. If an EU/EEA/UK Individual Signs Up Directly

If an individual located in the EU, EEA, or UK independently and voluntarily chooses to create an account, we will handle their personal data responsibly and in good faith. We commit to:

• Using that individual's data only for the purposes for which it was collected and not for unrelated marketing without consent.
• Implementing appropriate security measures as described in Section 8.
• Honoring any access, correction, erasure, portability, or objection request promptly. Deletion requests will be processed within 30 days. Email privacy@helixcast.com with the subject “EU Data Request.”
• Notifying the individual without undue delay upon becoming aware of a personal data breach that poses a risk to their rights and freedoms.

16c. GDPR Rights Summary (for EU/EEA/UK Individuals)

To the extent GDPR applies, EU/EEA/UK individuals have the following rights:

• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure / “Right to be forgotten” (Article 17)
• Right to restriction of processing (Article 18)
• Right to data portability (Article 20)
• Right to object to processing or direct marketing (Article 21)
• Rights related to automated decision-making (Article 22)
• Right to withdraw consent
• Right to lodge a complaint with your national supervisory authority

16d. International Data Transfers

Our servers and operations are primarily located in Canada and may also utilize infrastructure in the United States. As noted above, the European Commission recognizes Canada (under PIPEDA) as an adequate jurisdiction. To the extent that personal data is transferred to U.S.-based infrastructure or subprocessors, we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms, and will enter into SCCs upon request. Contact privacy@helixcast.com for a copy of applicable transfer safeguards.

17. Children's Privacy

HelixCast is a business platform intended for use by adults in a professional context. Our Service is not directed at children under the age of 13 (or the applicable minimum age in your jurisdiction, such as 16 in the EU). We do not knowingly collect personal data from children. If we become aware that a child under the applicable minimum age has provided personal data to us, we will delete that data promptly. If you believe a child has submitted data to us, please contact us at privacy@helixcast.com.

18. Do Not Sell or Share My Personal Information

HelixCast does not sell personal data in exchange for money, and does not disclose personal data to third parties for their own commercial benefit in a manner inconsistent with the purposes outlined in this policy. Under PIPEDA and applicable provincial privacy laws, we are prohibited from using or disclosing personal information for purposes other than those for which it was collected, except with consent or as permitted by law.

However, as described in Section 9, we use advertising and identity-resolution technologies that may constitute “sharing” personal data for cross-context behavioral advertising under certain U.S. state privacy laws (e.g., CPRA). To opt out:

• Email privacy@helixcast.com with the subject “Do Not Share My Data”.
• Retention.com opt-out: https://app.retention.com/optout
• RB2B GDPR opt-out: https://www.rb2b.com/rb2b-gdpr-opt-out

19. Automated Decision-Making and Profiling

We use automated systems to build profiles of website visitors and prospects based on their behavior, firmographic attributes, and third-party data signals. These profiles are used to score leads, prioritize sales outreach, and personalize marketing. No automated decision-making that produces legal or similarly significant effects on individuals is carried out using these profiles. As required under Quebec Law 25, we disclose this profiling activity in this policy and provide opt-out mechanisms in Section 9d. For questions about how you have been profiled, contact privacy@helixcast.com.

20. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the technologies we use. When we make changes, we will update the “Last updated” date at the top of this page. If the changes are material, we will provide more prominent notice, which may include an in-app notification, a banner on our website, or an email to registered users. Your continued use of the Service after any such update constitutes your acknowledgment of the revised policy. We encourage you to review this policy periodically.

21. Contact Us and Data Removal Requests

For any questions, concerns, or requests relating to this Privacy Policy — including requests to access, correct, or remove your personal data — please contact us at:

You may request removal of your personal data at any time by sending an email to privacy@helixcast.com with the subject line “Data Removal Request.” We will process your request within 30 days, subject to any legal obligations that require us to retain certain data.