Privacy Policy

How we collect, use, disclose, and protect your personal information.

Effective: April 3, 2026 · Last Updated: April 3, 2026

Contents

  1. Introduction and Scope
     • Key Points
  2. Information We Collect
     • 2.1 Information You Provide Directly
     • 2.2 Information Collected Automatically
     • 2.5 Information from Third Parties
  3. How We Use Your Information
  4. Legal Basis for Processing (GDPR)
  5. How We Share Your Information
     • 5.2 Service Providers and Sub-Processors
     • 5.3 Workspace Data Sharing
     • 5.4 AI Processing
     • 5.5 Data Enrichment
     • 5.6 Legal Requirements
     • 5.7 Business Transfers
     • 5.8 De-Identified and Aggregated Data
  6. International Data Transfers
  7. Data Retention
  8. Your Privacy Rights
     • 8.1 All Users
     • 8.2 European Economic Area (GDPR)
     • 8.3 United Kingdom (UK GDPR and PECR)
     • 8.4 California Residents (CCPA / CPRA)
     • 8.5 Canadian Residents (PIPEDA)
     • 8.6 Quebec Residents (Law 25 / Bill 64)
     • 8.7 How to Exercise Your Rights
  9. Data Security
  10. Data Breach Notification
  11. Cookies and Tracking Technologies
  12. Children's Privacy
  13. Do Not Track
  14. Data Processing Agreement
  15. Changes to This Policy
  16. Contact Us

1. Introduction and Scope

1.1 This Privacy Policy ("Policy") describes how Aktok Inc, a corporation incorporated under the laws of Prince Edward Island, Canada ("Aktok," "we," "us," or "our"), collects, uses, discloses, retains, and protects personal information in connection with the Aktok platform and related services (the "Service").

1.2 This Policy applies to all individuals who access or use the Service, including account holders, workspace members, website visitors, and individuals whose data is stored in the Service by our customers ("you" or "your").

1.3 By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you are a workspace administrator, you are responsible for ensuring that your workspace members and any individuals whose data you store in the Service are informed of the applicable data practices described herein.

1.4 This Policy should be read together with our:

  • Terms of Service
  • Cookie Policy
  • AI Transparency Notice

1.5 If you do not agree with this Policy, you must not access or use the Service.

Key Points

| What | Details |
|---|---|
| Who we are | Aktok Inc, Prince Edward Island, Canada |
| What we collect | Account data, CRM data, project data, AI interactions, usage analytics, payment info (Section 2) |
| Why we process it | Service delivery, AI features, security, payments, support, improvement (Section 3) |
| Legal bases | Contract performance, legitimate interest, consent, legal obligation (Section 4) |
| Who we share with | Sub-processors listed in Section 5.2 — we never sell personal data |
| International transfers | Canada (adequacy), USA and EU via SCCs with Transfer Impact Assessments (Section 6) |
| How long we keep it | Varies by category: 30 days to 7 years (Section 7) |
| Your rights | Access, correct, delete, export, object, restrict, portability (Section 8) |
| Automated decisions | AI-assisted scoring, recommendations, and classification — no decisions with legal effect without human review (Section 5.4.2) |
| Data protection contact | legal@aktok.com (Section 16) |

2. Information We Collect

We collect personal information from three sources: information you provide directly, information collected automatically, and information obtained from third parties.

2.1 Information You Provide Directly

When you create an account, use the Service, or communicate with us, you may provide the following categories of personal information:

| Category | Data Points | Purpose |
|---|---|---|
| Account registration | Name, email address, password (stored in hashed form), phone number (optional) | Account creation and authentication |
| Profile information | First name, last name, timezone, language preference, profile photo | Personalization of the Service |
| Workspace data | Workspace name, workspace URL, workspace settings, member roles and permissions | Multi-tenant service delivery |
| CRM data | Contacts, companies, deals, custom fields, notes, tags | Core CRM functionality |
| Project management data | Tasks, time logs, comments, assignments, projects | Core project management functionality |
| Communications | Chat messages, email content (via IMAP/SMTP synchronization) | Core communication functionality |
| Files and attachments | User-uploaded documents, images, and media files | File storage and sharing functionality |
| Payment information | Credit card details (tokenized via Stripe), billing address | Subscription billing and payment processing |
| AI interactions | Prompts, conversations with AI agents, chatbot configurations | AI feature delivery |
| Enrichment lookups | Identifiers submitted for enrichment (e.g., email address, company name) | Fetching publicly available business information |
| Website builder content | Page content, templates, SEO settings, brand kit configurations | Website builder functionality |
| Support requests | Messages to our support team, feedback submissions | Customer support and service improvement |

2.2 Information Collected Automatically

When you access or use the Service, we automatically collect certain information, including:

| Category | Data Points | Purpose |
|---|---|---|
| Device and browser information | IP address, browser type and version, operating system, device type | Security, compatibility, and troubleshooting |
| Usage analytics | Pages visited, features used, session duration, click patterns | Service improvement and product development |
| Session recordings | Mouse movements, clicks, scrolls, form interactions (PostHog, Microsoft Clarity) | UX research and improvement |
| Cookies and similar technologies | Session tokens, authentication cookies, preference cookies, analytics cookies | See our Cookie Policy |
| Error and diagnostic data | Stack traces, error context, session identifiers | Bug fixing, reliability, and service stability |
| Email tracking data | Email open events, link click events (for emails sent through the Service) | Email effectiveness measurement |
| Push notification data | Device tokens, notification preferences | Notification delivery |
| Server logs | Request timestamps, endpoints accessed, response codes | Security monitoring and debugging |

2.3 Usage analytics are collected through multiple tools: Matomo (self-hosted on our own infrastructure — data is not transferred to any external provider), PostHog, Google Analytics 4, and Microsoft Clarity. For details on each tool and the cookies they set, see our Cookie Policy.

2.4 Session Recordings. PostHog and Microsoft Clarity record browsing sessions on the aktok.com website to help us understand how visitors use the site and identify usability issues. Session recordings are only collected with your consent.

2.5 Information from Third Parties

We may receive personal information about you from the following third-party sources:

| Source | Data Received | Purpose |
|---|---|---|
| Google OAuth | Google profile information (name, email address, avatar) | Account authentication via single sign-on |
| SSO provider | Identity claims as configured by your workspace administrator | Enterprise authentication |
| QuickEmailVerification | Email validity status | Account security and email deliverability |
| NumVerify / Telnyx | Phone number validity status | Account security and phone verification |

3. How We Use Your Information

3.1 We use the personal information we collect for the following purposes:

| Purpose | Categories of Data Used | Legal Basis (GDPR) |
|---|---|---|
| Providing the Service — account management, CRM, project management, chat, email, file storage, website builder, scheduling | Account data, workspace data, CRM data, PM data, communications, files, website builder content | Performance of contract |
| AI feature delivery — powering AI agents, content generation, data analysis, lead scoring, chatbot interactions | AI interactions, CRM context (no raw personal data sent for model training) | Performance of contract |
| Data enrichment — fetching publicly available business information based on identifiers you submit | Enrichment lookup identifiers | Legitimate interest (improving data quality for users who submit the lookup) |
| Authentication and security — verifying identity, preventing unauthorized access, detecting fraud | Account credentials, device information, IP address, server logs | Performance of contract |
| Payment processing — processing subscription payments and managing billing | Payment information, billing address | Performance of contract |
| Customer support — responding to inquiries, resolving issues, providing technical assistance | Support requests, account data, usage data | Legitimate interest (providing customer support) |
| Service improvement — analyzing usage patterns, improving features, developing new functionality | Usage analytics, error data, aggregated usage statistics | Legitimate interest (improving the Service) |
| Communication — sending service-related notifications, security alerts, billing updates | Email address, notification preferences, device tokens | Performance of contract |
| Compliance — meeting legal obligations, responding to legal process, enforcing our terms | All categories as required | Legal obligation |

3.2 We do not use your personal information for:

  • Selling personal information to third parties;
  • Targeted advertising based on your User Content;
  • Training any AI or machine learning model — whether Aktok's own or any third party's — with your data; or
  • Any purpose incompatible with the purposes described in this Policy.

3.3 Necessity of Providing Data. Certain personal information is required to enter into and perform our contract with you:

  • (a) Account registration data (name, email, password) is a contractual requirement — without it, we cannot create your account or provide the Service;
  • (b) Payment information is a contractual requirement for paid subscriptions — without it, we cannot process your subscription; and
  • (c) Workspace data is necessary for the multi-tenant architecture of the Service — without it, your workspace cannot function.

All other personal information (such as profile photo, phone number, and AI interaction data) is voluntary. Not providing optional data may limit certain features but will not prevent you from using the core Service.

4. Legal Basis for Processing (GDPR)

4.1 If you are located in the European Economic Area ("EEA"), the United Kingdom ("UK"), or another jurisdiction that requires a legal basis for processing personal data, we rely on the following legal bases under Article 6 of the GDPR:

4.2 Performance of a Contract (Article 6(1)(b)). We process personal data that is necessary to perform our contract with you, including providing the Service, managing your account, processing payments, and delivering AI-powered features.

4.3 Legitimate Interest (Article 6(1)(f)). We process personal data where we have a legitimate business interest that is not overridden by your rights and freedoms. Our legitimate interests include:

  • Maintaining the security and integrity of the Service;
  • Improving and developing the Service;
  • Providing customer support;
  • Preventing fraud and abuse;
  • Analyzing aggregated usage data; and
  • Sending service-related communications.

We have documented balancing tests for each legitimate interest listed above, weighing our interests against the potential impact on your rights and freedoms. You may request a copy of the relevant balancing test by contacting us at legal@aktok.com.

4.4 Consent (Article 6(1)(a)). Where required by applicable law, we obtain your consent before processing personal data for specific purposes, including:

  • Analytics cookies and tracking technologies (see our Cookie Policy);
  • Session recordings (if and when activated);
  • Push notifications; and
  • Marketing communications.

You may withdraw your consent at any time by contacting us at legal@aktok.com or by adjusting your preferences within the Service.

4.5 Legal Obligation (Article 6(1)(c)). We process personal data when necessary to comply with applicable laws, regulations, or legal processes, including tax reporting obligations and responses to lawful government requests.

5. How We Share Your Information

5.1 We do not sell your personal information to third parties. We share personal information only in the following circumstances:

5.2 Service Providers and Sub-Processors

We engage third-party service providers ("Sub-Processors") to assist in operating the Service. Each Sub-Processor processes personal data only on our behalf and in accordance with our instructions.

AI and LLM Providers

| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Anthropic (Claude) | Premium LLM -- conversational AI, content generation | User prompts, CRM context (no raw personal data sent for model training) | USA |
| Google (Gemini) | Fallback LLM, text embeddings | User prompts, content for embedding | USA |
| Groq | Free-tier LLM (fast inference) | User prompts, CRM context | USA |
| OpenAI | Tier 2 fallback LLM (planned) | User prompts, CRM context | USA |
| Cohere | Search result reranking (planned) | Search queries, document snippets | USA / Canada |
| Voyage AI | Fallback embedding provider (planned) | Content for embedding | USA |
| Mistral | Premium embedding option (planned) | Content for embedding | France (EU) |
| Jina AI | Web content extraction for knowledge base | URLs, extracted text | Germany (EU) |

Note: Your User Content is never shared with LLM providers for model training purposes. Prompts are transmitted solely for real-time inference. Services marked "planned" are not yet active and will be added to this table when deployed.

Other AI Infrastructure

| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Rasa | NLP and intent classification | User messages | Self-hosted (no external data transfer) |
| Google Dialogflow | Dialog management | User input, intent data | USA (Google Cloud) |
| Qdrant | Vector database for retrieval-augmented generation | Embeddings only (no raw personal data) | Self-hosted (no external data transfer) |

Platform Services

| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Stripe | Payment processing | Billing information, tokenized card details | stripe.com/privacy |
| Matomo | Web analytics | Usage data, IP address, device information | Self-hosted (no external data transfer) |
| PostHog | Product analytics, session recording, feature flags | Usage data, session recordings, feature flag evaluations | posthog.com/privacy |
| Google Analytics 4 | Web traffic analysis | Usage data, IP address, device information | policies.google.com/privacy |
| Microsoft Clarity | Session recording and heatmaps | Mouse movements, clicks, scrolls, page interactions | privacy.microsoft.com |
| Meta (Facebook Pixel) | Advertising audiences and conversion tracking | Page visits, conversion events | facebook.com/privacy |
| Google Ads / AdSense | Ad serving and conversion tracking | Ad interactions, conversion events | policies.google.com/privacy |
| Firebase (Google) | Push notifications | Device tokens, user identifiers | firebase.google.com/support/privacy |
| Telnyx | SMS and phone verification | Phone numbers | telnyx.com/privacy-policy |
| BetterStack | Log monitoring and alerting | Error context, server logs | betterstack.com/privacy |
| Sentry | Error tracking | Stack traces, user context, session identifiers | sentry.io/privacy |
| QuickEmailVerification | Email address validation | Email addresses | quickemailverification.com/privacy-policy |
| NumVerify | Phone number validation | Phone numbers | numverify.com/privacy-policy |

Self-hosted services (Matomo, Rasa, Qdrant): your data remains on Aktok-controlled infrastructure and is not transmitted to an external provider.

This sub-processor list is current as of April 2026. We update this list when sub-processors change and revise the "Last Updated" date at the top of this Policy.

Sub-Processor Changes. If we add or replace a Sub-Processor, we will update this list and notify customers with active subscriptions by email at least thirty (30) days before the new Sub-Processor begins processing personal data. If you object to a new Sub-Processor on reasonable data protection grounds, you may notify us at legal@aktok.com within the 30-day notice period. We will work with you in good faith to find an alternative solution. If no mutually acceptable resolution can be reached, you may terminate the affected services without penalty by providing written notice before the new Sub-Processor begins processing.

5.3 Workspace Data Sharing

Within a workspace, data is shared among workspace members in accordance with the roles and permissions configured by the workspace administrator. Workspace administrators can control what data is visible to individual members. Data is logically isolated between workspaces.

5.4 AI Processing

When you use AI-powered features, your prompts and relevant CRM context are sent to the applicable AI provider for real-time inference. Your User Content is never used to train, fine-tune, or improve any AI or machine learning model — whether Aktok's own or any third party's.

5.4.1 Workspace-Specific Models. Where a workspace enables AI features that create workspace-specific models (such as custom classifiers or recommendation models), those models are trained exclusively on the data within that workspace, serve only that workspace, and are permanently deleted upon termination of the workspace subscription. Workspace-specific models are never shared with or made available to other workspaces or customers.

For more details on the AI systems used and how your data is processed, see our AI Transparency Notice.

5.4.2 Automated Decision-Making and Profiling. The Service includes features that use automated processing, including profiling, to assist workspace users. These features may include:

  • (a) Lead scoring and prioritization — AI-assisted ranking of contacts or deals based on engagement signals, fit criteria, and historical patterns;
  • (b) Content recommendations — AI-generated suggestions for email copy, chatbot responses, and outreach messaging;
  • (c) Intent classification — automated categorization of inbound messages by topic or intent to support routing and response;
  • (d) Predictive analytics — trend identification and forecasting based on CRM and project data; and
  • (e) Smart notifications — automated alerts triggered by data patterns (e.g., deal inactivity, task overdue).

These features are designed to assist human decision-making, not replace it. No automated process within the Service produces decisions that have legal effects on individuals or similarly significantly affect them without human review.

If we introduce automated decision-making that produces legal effects or similarly significant impacts, we will: (i) inform you before such processing begins; (ii) provide meaningful information about the logic involved; (iii) explain the significance and envisaged consequences; and (iv) implement a mechanism for you to request human review of the decision, express your point of view, and contest the outcome, as required by Article 22 of the GDPR.

5.4.3 Data Stored by Customers (Processor Role). When workspace users store personal data about third-party individuals in the Service (e.g., CRM contacts, company records, and communication logs), Aktok acts as a data processor on behalf of the workspace customer, who acts as the data controller under the GDPR.

As data controller, the workspace customer is responsible for: (a) ensuring a lawful basis for processing the data; (b) providing the required information notices to data subjects under Article 13 or Article 14 of the GDPR; and (c) responding to data subject access requests relating to data they have stored in the Service.

Aktok supports controllers in meeting these obligations by providing data export tools, deletion capabilities, and access controls within the platform.

5.5 Data Enrichment

When you use the enrichment feature, identifiers you submit (such as an email address or company name) are sent to enrichment services to retrieve publicly available business information. The results may be cached on our systems and used to serve other customers performing similar lookups. Your enrichment lookup activity (which identifiers you searched for, when, and how often) is never shared with other customers or third parties.

5.6 Legal Requirements

We may disclose personal information if required to do so by law or in the good faith belief that such disclosure is necessary to:

  • (a) Comply with a legal obligation, court order, or legal process;
  • (b) Protect and defend the rights or property of Aktok;
  • (c) Prevent or investigate possible wrongdoing in connection with the Service; or
  • (d) Protect the personal safety of users of the Service or the public.

5.7 Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal information may be transferred to the acquiring entity. We will provide notice before your personal information becomes subject to a different privacy policy.

5.8 De-Identified and Aggregated Data

We may create de-identified or aggregated data from personal information in a manner that cannot reasonably be used to identify you. Such data is not considered personal information under this Policy, and we may use and disclose it for any lawful purpose, including analytics, benchmarking, and service improvement.

6. International Data Transfers

6.1 Aktok is based in Canada. Your personal information may be processed in Canada and in other countries where our Sub-Processors operate (primarily the United States, Germany, and France), as identified in Section 5.2.

6.2 European Economic Area (EEA) and Switzerland. Canada has received an adequacy decision from the European Commission under Article 45 of the GDPR, recognizing that Canada provides an adequate level of protection for personal data. Transfers of personal data from the EEA to Canada are therefore permitted without the need for additional safeguards.

6.3 United Kingdom. Canada has received a UK adequacy regulation under the UK GDPR, recognizing that Canada provides an adequate level of protection for personal data. Transfers from the UK to Canada are therefore permitted without additional safeguards.

6.4 Transfers to Other Countries. Where personal data is transferred to Sub-Processors located in countries that have not received an adequacy decision (such as the United States), we implement appropriate safeguards, including:

  • (a) Standard Contractual Clauses ("SCCs") approved by the European Commission;
  • (b) The UK International Data Transfer Agreement or Addendum (for UK transfers);
  • (c) Transfer Impact Assessments ("TIAs") to evaluate the legal framework of the recipient country and assess whether supplementary measures are necessary to ensure an essentially equivalent level of protection; and
  • (d) Contractual commitments requiring Sub-Processors to protect personal data to the standards required by the GDPR.

6.5 You may request a copy of the relevant transfer mechanism by contacting us at legal@aktok.com.

7. Data Retention

7.1 We retain personal information only for as long as reasonably necessary to fulfill the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements.

7.2 The following table sets out our standard retention periods:

| Data Category | Retention Period | Rationale |
|---|---|---|
| Account data | Duration of account + 30 days | Service delivery and account retrieval window |
| CRM and project management data | Duration of workspace subscription + 30 days | Service delivery and data retrieval window |
| Communication logs | Duration of workspace subscription + 30 days | Service delivery |
| Payment records | 7 years after last transaction | Tax and legal obligations |
| Server logs | 90 days | Security monitoring and debugging |
| Analytics data | 26 months | Industry standard for analytics retention |
| Error tracking data | 90 days | Debugging and reliability |
| Email tracking data | 12 months | Campaign performance analysis |
| Backup data | 30 days after deletion from primary systems | Disaster recovery |

7.3 After the applicable retention period, personal data is securely deleted or anonymized. Where deletion from backup systems is not immediately practicable, we will isolate and protect the data from further processing until deletion is possible.

7.4 You may request deletion of your personal data at any time, subject to Section 8 (Your Privacy Rights). Some data may be retained beyond your request where required by applicable law.

8. Your Privacy Rights

8.1 All Users

Regardless of your location, you have the right to:

  • (a) Access the personal information we hold about you;
  • (b) Correct inaccurate personal information;
  • (c) Delete your account and associated personal data;
  • (d) Export your data in a structured, commonly used, and machine-readable format (CSV and JSON) through the platform's data export features; and
  • (e) Object to or opt out of specific processing activities (e.g., marketing communications).

8.2 European Economic Area (GDPR)

If you are located in the EEA, you have additional rights under the General Data Protection Regulation ("GDPR"), including:

  • (a) Right of Access (Article 15) -- the right to obtain confirmation of whether we process your personal data and to receive a copy of that data;
  • (b) Right to Rectification (Article 16) -- the right to have inaccurate personal data corrected and incomplete data completed;
  • (c) Right to Erasure (Article 17) -- the right to request deletion of your personal data, subject to applicable legal exceptions;
  • (d) Right to Restriction of Processing (Article 18) -- the right to request that we restrict the processing of your personal data in certain circumstances;
  • (e) Right to Data Portability (Article 20) -- the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller;
  • (f) Right to Object (Article 21) -- the right to object to processing based on legitimate interest, including profiling;
  • (g) Right Regarding Automated Decision-Making (Article 22) -- the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects you; and
  • (h) Right to Withdraw Consent -- where processing is based on consent, the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

You have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.

8.3 United Kingdom (UK GDPR and PECR)

If you are located in the United Kingdom, you have rights equivalent to those described in Section 8.2 under the UK General Data Protection Regulation ("UK GDPR") and the Privacy and Electronic Communications Regulations ("PECR"). In addition:

  • (a) Your supervisory authority is the Information Commissioner's Office (ICO). You may file a complaint at ico.org.uk;
  • (b) Any references to the "GDPR" in this Policy include the UK GDPR where applicable to UK residents; and
  • (c) Transfers of your personal data from the UK are protected under the UK adequacy framework as described in Section 6.3.

8.4 California Residents (CCPA / CPRA)

If you are a California resident, you may have rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"). While Aktok may not currently meet the CCPA applicability thresholds, we proactively extend the following rights to California residents:

  • (a) Right to Know -- the right to know what personal information we collect, use, disclose, and sell (if applicable), and the specific pieces of personal information we have collected about you;
  • (b) Right to Delete -- the right to request deletion of personal information we have collected from you, subject to applicable exceptions;
  • (c) Right to Correct -- the right to request correction of inaccurate personal information;
  • (d) Right to Opt-Out of Sale or Sharing -- Aktok does not sell personal information and does not share personal information for cross-context behavioral advertising. If this changes in the future, we will provide a "Do Not Sell or Share My Personal Information" link and update this Policy accordingly;
  • (e) Right to Non-Discrimination -- we will not discriminate against you for exercising your CCPA rights; and
  • (f) Right to Limit Use of Sensitive Personal Information -- to the extent we process sensitive personal information, you have the right to limit its use to what is necessary to perform the Service.

To submit a CCPA request, contact us at legal@aktok.com. We will verify your identity before processing any request.

8.5 Canadian Residents (PIPEDA)

Aktok is a Canadian company subject to the Personal Information Protection and Electronic Documents Act ("PIPEDA"). Our privacy practices are guided by PIPEDA's ten fair information principles:

| Principle | Our Commitment |
|---|---|
| 1. Accountability | Aktok is responsible for all personal information in our possession or control. Our privacy contact (legal@aktok.com) is accountable for our compliance. We ensure that Sub-Processors are contractually bound to equivalent privacy protections. |
| 2. Identifying Purposes | We identify the purpose for collecting personal information at or before the time of collection. Purposes are described in Section 3 of this Policy. |
| 3. Consent | We obtain meaningful consent for the collection, use, and disclosure of personal information. Consent may be express (e.g., opt-in to marketing) or implied (e.g., providing information to create an account). You may withdraw consent at any time, subject to legal or contractual restrictions, by contacting us at legal@aktok.com. |
| 4. Limiting Collection | We collect only the personal information that is necessary for the identified purposes. We do not collect personal information indiscriminately. |
| 5. Limiting Use, Disclosure, and Retention | Personal information is used or disclosed only for the purposes for which it was collected, except with your consent or as required by law. We retain personal information only as long as necessary (see Section 7). |
| 6. Accuracy | We take reasonable steps to ensure that personal information is accurate, complete, and up to date for its intended purposes. You may update your information through your account settings or by contacting us. |
| 7. Safeguards | We protect personal information using security measures appropriate to the sensitivity of the information (see Section 9). |
| 8. Openness | This Policy describes our personal information management practices. We make information about our policies and practices readily available. |
| 9. Individual Access | You have the right to access the personal information we hold about you and to challenge its accuracy. Access requests can be submitted to legal@aktok.com. |
| 10. Challenging Compliance | You may challenge our compliance with PIPEDA by contacting our privacy contact at legal@aktok.com. If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca. |

8.6 Quebec Residents (Law 25 / Bill 64)

If you are a resident of Quebec, you may have additional rights under Quebec's Act respecting the protection of personal information in the private sector, as modernized by Law 25 (formerly Bill 64), which came into effect in stages beginning September 2023. Key provisions include:

  • (a) Privacy by Default -- we apply privacy-protective settings by default and collect only the personal information necessary for the identified purpose;
  • (b) Transparency -- we provide clear information about the collection, use, and disclosure of personal information, including disclosure to service providers located outside Quebec;
  • (c) Consent -- we obtain clear and free consent for the collection and use of personal information. Consent for sensitive information is obtained expressly;
  • (d) Right to Data Portability -- you have the right to receive your personal information in a structured, commonly used technological format and to have it transferred to another organization, where technically feasible;
  • (e) Right to De-Indexation -- you have the right to request that we cease disseminating your personal information or that hyperlinks attached to your name be de-indexed, where the dissemination contravenes the law or a court order;
  • (f) Privacy Impact Assessments -- we conduct privacy impact assessments for initiatives that involve the collection, use, or disclosure of personal information, and for any information system or electronic service delivery project involving personal information; and
  • (g) Breach Notification -- in the event of a confidentiality incident involving your personal information, we will notify you and the Commission d'accès à l'information du Québec ("CAI") in accordance with applicable requirements.

You may file a complaint with the CAI at cai.gouv.qc.ca.

8.7 How to Exercise Your Rights

To exercise any of the rights described in this Section, you may:

  • (a) Email us at legal@aktok.com with a description of your request;
  • (b) Use the platform's self-service tools, including data export features and account settings, where available; or
  • (c) Write to us at the mailing address provided in Section 16.

We will respond to verified requests within the timeframes required by applicable law:

Jurisdiction | Response Timeframe
GDPR (EEA) | 30 days (extendable by 60 days for complex requests)
UK GDPR | 30 days (extendable by 60 days for complex requests)
CCPA (California) | 45 days (extendable by 45 days with notice)
PIPEDA (Canada) | 30 days
Law 25 (Quebec) | 30 days (extendable by 30 days with notice)

We will not charge a fee for processing your request unless the request is manifestly unfounded or excessive. We may need to verify your identity before fulfilling your request.

9. Data Security

9.1 We implement technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • (a) Encryption in Transit -- all data transmitted between your device and our servers is encrypted using HTTPS (TLS 1.2 or higher);
  • (b) Encryption at Rest -- sensitive data, including payment information, is encrypted at rest;
  • (c) Password Hashing -- user passwords are stored using bcrypt hashing and are never stored in plain text;
  • (d) Access Controls -- access to personal information is restricted to authorized personnel on a need-to-know basis, with role-based access controls enforced within the platform;
  • (e) Infrastructure Security -- our infrastructure is hosted on dedicated servers with firewalls, intrusion detection, and monitoring;
  • (f) Regular Audits -- we regularly review and update our security practices to address emerging threats; and
  • (g) Vendor Security -- we require Sub-Processors to maintain appropriate security measures through contractual obligations.

9.2 While we take reasonable precautions to protect your personal information, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security.

9.3 Privacy by Design and by Default. In accordance with Article 25 of the GDPR, we integrate data protection principles into the design and development of the Service from the outset. This includes:

  • (a) Collecting only the personal data necessary for each specific purpose (data minimization);
  • (b) Applying privacy-protective settings by default (e.g., non-essential cookies are off by default for EEA/UK visitors);
  • (c) Implementing access controls that restrict data visibility based on workspace roles and permissions;
  • (d) Pseudonymizing or anonymizing personal data where feasible; and
  • (e) Conducting regular privacy reviews of new features and changes to data processing.

9.4 Data Protection Impact Assessments. We conduct Data Protection Impact Assessments ("DPIAs") in accordance with Article 35 of the GDPR for processing activities that are likely to result in a high risk to the rights and freedoms of individuals. This includes processing involving:

  • (a) AI-powered features that analyze or profile personal data;
  • (b) Large-scale processing of CRM data on behalf of our customers;
  • (c) New technologies or significant changes to existing data processing activities; and
  • (d) Systematic monitoring of user behavior within the Service.

DPIAs are reviewed and updated when processing activities change materially.

10. Data Breach Notification

10.1 In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will:

  • (a) Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR (where applicable);
  • (b) Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 of the GDPR (where applicable);
  • (c) Notify the Office of the Privacy Commissioner of Canada and affected individuals as required by PIPEDA's mandatory breach reporting provisions;
  • (d) Notify the Commission d'accès à l'information du Québec and affected individuals as required by Law 25 (for Quebec residents); and
  • (e) Document the breach internally, including the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken to address and mitigate the breach.

10.2 Notifications to supervisory authorities and affected individuals will include, as applicable: (a) a description of the nature of the breach, including the categories and approximate number of individuals and personal data records affected; (b) the name and contact details of our privacy contact (see Section 16); (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

10.3 If you are a workspace administrator, we will also notify you of any breach affecting your workspace data so that you can fulfill your own notification obligations to your end users or customers.

10.4 We maintain an incident response plan that includes identification, containment, eradication, recovery, and post-incident review procedures.

11. Cookies and Tracking Technologies

11.1 We use cookies and similar tracking technologies to operate the Service, remember your preferences, and analyze usage patterns.

11.2 For detailed information about the types of cookies we use, their purposes, and how to manage your cookie preferences, please refer to our Cookie Policy.

11.3 In summary, we use the following categories of cookies:

Category | Purpose | Consent Required
Strictly necessary | Authentication, security, core functionality | No
Functional | User preferences, language, timezone | Yes (EEA/UK)
Analytics | Usage patterns and service improvement (Matomo, PostHog, Google Analytics 4, Microsoft Clarity) | Yes
Session recording | UX research (PostHog, Microsoft Clarity) | Yes
Marketing | Advertising audiences and conversion tracking (Meta Pixel, Google Ads / AdSense) | Yes

12. Children's Privacy

12.1 The Service is designed for business use and is intended for users who are at least eighteen (18) years of age. We do not knowingly collect personal information from individuals under the age of 18.

12.2 If we become aware that we have collected personal information from an individual under 18, we will take steps to delete that information promptly.

12.3 If you believe that we have inadvertently collected personal information from a minor, please contact us immediately at legal@aktok.com.

13. Do Not Track

13.1 Some web browsers transmit "Do Not Track" ("DNT") signals. There is currently no universally accepted standard for how online services should respond to DNT signals.

13.2 We respect your privacy preferences. Our self-hosted analytics platform (Matomo) is configured to honor DNT signals by default. When your browser sends a DNT signal, Matomo will not track your visit.

13.3 For more granular control over tracking, you may manage your cookie preferences as described in our Cookie Policy.

14. Data Processing Agreement

14.1 If you are a business customer using the Service to process personal data on behalf of your own end users or customers, you may be acting as a data controller (under GDPR) or equivalent role under other privacy laws, while Aktok acts as a data processor.

14.2 We offer a Data Processing Agreement ("DPA") for business customers who require one. The DPA sets out the terms governing our processing of personal data on your behalf, including:

  • (a) The subject matter and duration of processing;
  • (b) The nature and purpose of processing;
  • (c) The types of personal data processed;
  • (d) The categories of data subjects;
  • (e) Our obligations as a data processor, including security measures and Sub-Processor management;
  • (f) Standard Contractual Clauses (where applicable); and
  • (g) Audit rights.

14.3 To request a DPA, please contact us at legal@aktok.com.

15. Changes to This Policy

15.1 We may update this Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make changes, we will update the "Last Updated" date at the top of this Policy.

15.2 Material Changes. For material changes to this Policy, we will provide at least thirty (30) days' advance notice through one or more of the following methods:

  • (a) Email notification to the address associated with your account;
  • (b) In-app notification within the Service; or
  • (c) A prominent notice on our website.

15.3 Your continued use of the Service after the effective date of any changes constitutes your acknowledgment and acceptance of the revised Policy. If you do not agree with the revised Policy, you must stop using the Service before the changes take effect.

15.4 Non-Material Changes. Non-material changes (such as corrections of typographical errors or clarifications that do not affect your rights) may take effect immediately upon posting, without advance notice.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Aktok Inc
163 Great George St. (The Foundry)
Charlottetown, PE, Canada

Email: legal@aktok.com

Data Protection Contact. Aktok has not designated a Data Protection Officer under Article 37 of the GDPR, as the company does not currently meet the mandatory designation criteria. Our designated privacy contact for all data protection matters is reachable at legal@aktok.com. This contact serves as the point of contact for data subjects and supervisory authorities regarding all matters related to the processing of personal data.

For privacy-specific inquiries, please include "Privacy" in the subject line of your email.

Supervisory Authorities

If you are not satisfied with our response to your privacy inquiry, you may contact the relevant supervisory authority:

Jurisdiction | Authority | Website
Canada | Office of the Privacy Commissioner of Canada | priv.gc.ca
Quebec | Commission d'accès à l'information du Québec | cai.gouv.qc.ca
European Union | Your local data protection supervisory authority | edpb.europa.eu
United Kingdom | Information Commissioner's Office (ICO) | ico.org.uk
California | California Attorney General | oag.ca.gov/privacy

© 2026 Aktok. All rights reserved.
