Effective Date: 2026-04-24. Last Updated: 2026-04-24.
docs/operations/PRIVACY_POLICY.md. It must be reviewed by a PIPEDA-specialist Canadian lawyer before publication is considered final. Canadian privacy law is strict. Quebec's Law 25 imposes additional obligations for Quebec residents.
Crystallux Inc. ("Crystallux", "we", "us", "our") is committed to protecting your personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws. Registered office: 47 Gaydon Avenue, Toronto, Ontario, Canada. Website: crystallux.org. Privacy Officer contact: info@crystallux.org.
Our Privacy Officer is Mary Akintunde, founder of Crystallux Inc. Use subject line "Privacy inquiry" for faster routing. Response commitment: 30 days or less, per PIPEDA.
For Clients (businesses that subscribe): account creation and service delivery, billing and payment processing, customer support and communications, compliance with legal obligations, marketing with your consent. For Leads (individuals whose contact information our clients surface): delivering outreach on behalf of our clients in compliance with CASL, personalising outreach based on publicly available business information, recording replies, meeting-booking automation, maintaining audit logs. We do not collect personal information for purposes beyond those listed above without further consent.
Client consent is obtained through the Master Services Agreement, which explicitly references this Privacy Policy, combined with acceptance of Terms of Service on account creation. Lead consent: our clients are responsible for ensuring that the contacts they engage with have CASL-compliant consent (implied or express). Every outreach message sent through Crystallux includes clear sender identification, the client's business contact information, and a working unsubscribe mechanism. Clients may withdraw consent by terminating the MSA. Leads may withdraw consent by replying "unsubscribe" or "remove" to any Crystallux-sourced outreach. Processed within 10 business days per CASL.
From Clients (businesses): full name, business name and address, business email and phone, Business Number (BN), GST and HST registration, payment details (stored by our payments provider), Calendly URL, logo and brand assets, service usage analytics.
From Leads (individuals): name, job title, employer, business address, business email, business phone, publicly available LinkedIn data, publicly available firmographic data, reply content, meeting booking metadata. We do not collect payment information from leads, sensitive personal information, government identifiers (SIN, driver's licence, passport), or minors' data.
We collect only the personal information necessary for the identified purposes. We do not collect personal information indiscriminately. For leads, we do not source personal information beyond publicly available business contact data. We do not purchase consumer contact lists. We do not use web scraping on restricted websites.
Personal information is used only for the purposes identified in section 3 and disclosed only as described in section 8. We do not sell personal information. We do not share personal information with third parties for their independent marketing purposes.
TLS 1.3 in transit. Database encryption at rest. Row-Level Security on client-scoped data. Time-limited dashboard tokens. Multi-factor authentication on Crystallux admin accounts. Audit logs of all data access. Personnel privacy and security training.
Client data during active term: retained for the duration of the MSA. Post-termination: retained 90 days, then deleted. Financial records: retained 7 years per CRA requirements. Outreach logs: retained 3 years post-termination for compliance and dispute-resolution, then deleted. Early deletion available on request (see section 10).
You have the right to access your personal information, correct inaccurate information, withdraw consent, and challenge Crystallux's compliance with PIPEDA. If unsatisfied with our response, you may escalate to the Office of the Privacy Commissioner of Canada (priv.gc.ca, 1-800-282-1376). To exercise these rights, email info@crystallux.org with subject line "Privacy request". We respond within 30 days as required by PIPEDA.
We may update this Privacy Policy to reflect changes in practices or legal requirements. Material changes: email notice to your registered contact at least 30 days before the effective date, plus updated "Last Updated" date, plus prominent dashboard notice. Continued use of the Service after the effective date constitutes acceptance.
crystallux.org uses minimal cookies and analytics. Session cookies for authentication (required for dashboard login). Anonymous site analytics only (privacy-friendly platform, no third-party ad tracking). No cross-site tracking.
Crystallux is a B2B service intended for businesses and authorised representatives at least 18 years of age. We do not knowingly collect personal information from individuals under 18.
If you are a resident of Quebec, additional rights apply under Quebec's Law 25: data portability (receive your personal information in a structured, commonly used format), right to decommissioning (removal or de-indexing in specific circumstances), automated decision-making disclosure. To exercise Quebec-specific rights, email info@crystallux.org with "Quebec Law 25 request" in the subject line.
Crystallux uses the following service providers to deliver the Service. Each is bound by contractual confidentiality and security obligations. This disclosure is maintained for PIPEDA compliance and is not intended as a feature list.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, dashboard backend | North America (AWS) |
| Stripe | Payment processing | United States and Canada |
| Anthropic | AI content generation | United States |
| Google (Gmail API) | Email message delivery | United States |
| Apollo.io | B2B prospect enrichment | United States |
| Twilio | SMS and WhatsApp delivery | United States |
| Vapi | Voice call automation | United States |
| Unipile | LinkedIn automation | European Union |
| Tavus | Personalised video generation | United States |
| Cloudflare | Website hosting and DDoS protection | Global |
International data transfers: some service providers store and process personal information outside of Canada, primarily in the United States and European Union. We contractually require providers to adhere to standards substantially equivalent to PIPEDA where possible.
Effective: 2026-04-24
Questions: info@crystallux.org
Privacy Officer: Mary Akintunde, Founder
Mail: Crystallux Inc., 47 Gaydon Avenue, Toronto, Ontario, Canada