Privacy Policy

Introduction and Scope

This Privacy Policy (“Policy”) describes how Ennote Security Inc. ("Ennote Security", “we”, “us”, or “our”) collects, uses, discloses, processes, and protects personal information relating to individuals (“you” or “your”).

This Policy applies when you:

• Visit our website(s) where this Policy is posted (collectively, the “Websites”);
• Register for or use our collaborative note-taking and knowledge management platform (the "Ennote Security platform") and related services (collectively, the “Services”);
• Communicate with us, including for support or inquiries; or
• Attend our events or otherwise interact with us.

Ennote Security is a company based in British Columbia, Canada. We are committed to protecting your privacy and handling your personal information in an open and transparent manner, in accordance with applicable privacy laws, including British Columbia’s Personal Information Protection Act (PIPA) and other Canadian privacy legislation. We also recognize and aim to uphold the privacy rights of individuals in other jurisdictions, as detailed in this Policy.

Please note: This Privacy Policy does not apply to the extent we process personal information in the role of a service provider (or "processor") on behalf of our Customers for the content they create, upload, or share within our Services ("User Content"). In such cases, the Customer (the individual or entity that has entered into an agreement with us for the Services) is primarily responsible for the personal information contained within their User Content and for ensuring their collection and use of such information complies with applicable laws. We process User Content in accordance with our agreements with our Customers and their lawful instructions.

We do not rent, sell, or trade your Personal Information.

Please read this Privacy Policy carefully. By accessing our Websites or using our Services, you signify your understanding of the terms set out in this Privacy Policy.

What Personal Information We Collect and How We Use It

"Personal Information" means information about an identifiable individual, such as your name, email address, or billing information, and can also include other information that, when combined with other data, can identify you. In some jurisdictions like the EEA, UK, and California, Personal Information (or "personal data") may be defined more broadly.

We collect Personal Information in the following ways:

a) Information You Provide Directly:

• Account Information: When you register for an account with Ennote Security for the Services, we collect your name, email address, and a hashed password.
• Optional Profile Information: You may choose to provide a profile picture, job title, or company name.
• User Content: Our Services allow you to create, upload, store, and share notes, documents, images, tasks, comments, and other content ("User Content") on the Ennote Security platform. While we store and process User Content on your behalf, you control what information you include in your User Content. We advise you not to include unnecessary sensitive personal information in your User Content.
• Collaboration Data: When you collaborate or share User Content, we collect information about who you share with, their email addresses if invited to the platform, and the permissions you grant.
• Payment Information: If you subscribe to paid Services, we require billing information, such as your billing address. Our third-party payment processor (Stripe) will collect and process your credit card details (card number, expiry date, CVC). We do not store your full credit card number; Stripe provides us with a token, the last four digits of your card, card type, and expiry date.
• Communications with Us: When you contact us for support, to provide feedback, or make inquiries, we collect your name, email address, and the content of your communications.
• Marketing Information: If you sign up for our newsletters, webinars, or promotional materials from Ennote Security, we collect your name, email address, and company name (if provided).
• Surveys and Contests: If you participate in surveys or contests offered by Ennote Security, we collect the information you provide.

b) Information We Collect Automatically:

• Log Data: When you use our Websites or Services, our servers automatically record information, including your Internet Protocol (IP) address, browser type and version, operating system, device information, pages visited, the referring URL, and date and time stamps.
• Cookies and Similar Technologies: We use cookies (small text files placed on your device) and similar technologies (e.g., web beacons, pixels) to operate our Websites and Services, recognize you on return visits, personalize your experience, analyze trends, and measure the effectiveness of our marketing. You can manage your cookie preferences through our cookie banner or your browser settings.
• Usage Data (Services): When you use our Services, we collect information about how you interact with them, such as features used, pages visited within the application, UI elements clicked, session duration, and performance data. This helps us understand how our Services are being used so we can improve them.
• Usage Data (Websites): We collect information about your interactions with our Websites, such as pages viewed, links clicked, and time spent on pages, often using third-party analytics tools like Google Analytics.
• Error Monitoring: We use tools to automatically collect information about errors and crashes in our Services to help us diagnose and fix problems.

c) Information from Third Parties:

We generally collect personal information directly from you. However, we may occasionally receive information about you from third parties, such as if another user invites you to collaborate on the Ennote Security platform, or from publicly available sources in the context of business development.

Purposes for Which We Collect and Use Personal Information:

We use your Personal Information for the following purposes:

• To Provide and Maintain Services: To create and manage your account, host your User Content on the Ennote Security platform, enable collaboration, process payments, and provide the features and functionalities of our Services.
• To Communicate with You: To send you transactional communications (e.g., account verification, password resets, service updates, security notifications, billing reminders, weekly summaries if opted-in).
• To Provide Customer Support: To respond to your inquiries and requests, and to troubleshoot issues.
• To Improve Our Websites and Services: To understand how our Websites and Services are used, identify trends, gather demographic information, and improve functionality and user experience.
• For Security and Fraud Prevention: To monitor for and prevent security incidents, protect the rights and safety of Ennote Security, our users, and the public, and to enforce our Terms of Service.
• For Marketing and Promotions (with your consent): To send you information about new products, features, special offers, or other information from Ennote Security we think you may find interesting, where you have opted in to receive such communications. You can opt-out at any time.
• To Comply with Legal Obligations: To meet our legal and regulatory requirements, or as required by court order or other legal process.
• Aggregated or De-identified Information: We may aggregate or de-identify Personal Information so that it can no longer be used to identify you. We use this information for purposes such as analyzing service usage (e.g., "X% of our users utilize the task management feature"), improving our Services, research, and reporting on general trends. We may share such aggregated or de-identified information with third parties.

Our Grounds for Collecting and Using Personal Information

In Canada, and specifically under BC's PIPA, we primarily collect, use, and disclose your Personal Information based on your consent. For users in other jurisdictions, such as the EEA and UK, our legal bases for processing include:

• Consent: By signing up for an account, using our Services, or providing us with your Personal Information for a specific purpose (e.g., contacting support, signing up for a newsletter), you consent to our collection, use, and disclosure of that information as described in this Policy and for the purposes for which it was provided. For certain processing activities, particularly under GDPR/UK GDPR, we will rely on your explicit consent.
  • Express Consent: For sensitive information or uses that are not obvious, we will seek your express consent (e.g., asking you to check a box).
  • Implied Consent (primarily for Canadian users): For less sensitive information or where the purpose of collection is reasonably obvious from the context (e.g., providing your email to create an account), your consent may be implied.
  You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice, by contacting us at [email protected]. Withdrawal of consent may affect our ability to provide you with certain Services.
• Contractual Necessity: Some processing is necessary to fulfill our contractual obligations to you under our Terms of Service, such as providing you with access to the Services you have subscribed to.
• Legal Obligations: We may process your Personal Information where required by law, such as in response to a subpoena, court order, or other valid legal process.
• Legitimate Interests (for EEA/UK users, balanced with your rights): We may process Personal Information for our legitimate interests, such as for improving our Services, security purposes, and fraud prevention, provided that such processing shall not outweigh your rights and freedoms.
• Other Permitted Reasons under PIPA (for Canadian users): PIPA also permits collection, use, or disclosure without consent in certain limited and specific circumstances, such as to collect a debt, in an emergency that threatens life, health, or security, or to investigate a breach of an agreement or a contravention of law.

We do not use your Personal Information for automated decision-making that produces legal effects concerning you or similarly significantly affects you without human intervention, unless you have provided consent or it is necessary for a contract.

Sharing and Disclosure of Personal Information

Ennote Security does not sell, rent, or trade your Personal Information to third parties for their own marketing purposes. We may share or disclose your Personal Information in the following circumstances:

• With Your Consent or at Your Direction: We will share your Personal Information with third parties when we have your consent to do so, or when you direct us to (e.g., when you choose to share User Content with other collaborators on the Ennote Security platform).
• Service Providers (Subprocessors): We engage trusted third-party companies and individuals (our "Subprocessors") to perform services on our behalf to help us operate, provide, improve, understand, customize, support, and market our Services. These Subprocessors may access your Personal Information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose. For more information about our Subprocessors, including the services they provide and their locations, please see our Subprocessors Page.
• Business Transfers: If Ennote Security is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of all or a portion of our assets, or transition of service to another provider, your Personal Information may be transferred as part of such a transaction, as permitted by law and/or contract. We will notify you via email and/or a prominent notice on our Websites of any change in ownership or uses of your Personal Information, as well as any choices you may have.
• Legal Requirements: We may disclose your Personal Information if we believe in good faith that it is necessary to:
  • Comply with a legal obligation, applicable law, regulation, or valid legal process (e.g., subpoena, warrant, court order). We will attempt to notify users about legal demands for their Personal Information when appropriate in our judgment, unless prohibited by law or court order or when the request is an emergency.
  • Protect and defend the rights, property, or safety of Ennote Security, our users, or the public, including to enforce our contracts or policies, or in connection with investigating and preventing fraud or security issues.
• Aggregated or De-identified Data: We may share aggregated or de-identified information, which cannot reasonably be used to identify you, for various purposes, including with prospects or partners for business or research purposes.

Data Storage, Security, and Retention

a) Data Storage and International Transfers:

Your Personal Information, including User Content, is primarily stored and processed on servers provided by our cloud infrastructure providers, Amazon Web Services (AWS) and Google Cloud Platform (GCP), located in datacenters within the United States.

As your Personal Information is stored in the United States, it will be subject to the laws of that jurisdiction, including laws that may permit or require disclosure of Personal Information to government authorities, courts, law enforcement, or regulatory agencies in the United States.

For users in the European Economic Area (EEA) and the United Kingdom (UK), when we transfer your personal information to countries outside these regions that are not deemed adequate by relevant authorities, such as the United States, we rely on appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission or UK authorities, or other lawful transfer mechanisms, to ensure your information is protected in accordance with applicable data protection laws.

Some of our other third-party service providers (as referenced in Section 4 and detailed on our Subprocessors page) may also operate in countries outside of Canada, including the United States. This means that certain Personal Information processed by them may also be transferred to, stored, or processed in those jurisdictions and be subject to their laws.

Ennote Security takes contractual and other measures to ensure that any Personal Information transferred to our service providers is protected and handled in accordance with this Privacy Policy and applicable privacy laws.

b) Security:

Ennote Security takes the security of your Personal Information very seriously. We implement reasonable administrative, technical, and physical security measures designed to protect your Personal Information from loss, theft, misuse, and unauthorized access, disclosure, alteration, and destruction. These measures include, but are not limited to:

• Encryption of User Content at rest and in transit.
• Access controls to limit access to Personal Information to authorized personnel.
• Regular security assessments and updates to our systems.
• Secure development practices.

While we strive to use commercially acceptable means to protect your Personal Information, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee its absolute security. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you might have with us has been compromised), please immediately notify us by contacting [email protected]. For more information on our security practices, please visit Security Page.

c) Data Retention:

We will retain your Personal Information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, to provide our Services, to resolve disputes, and to enforce our agreements.

• Account Information: Retained for as long as your account is active and for a reasonable period thereafter in case you decide to re-activate the Services or as required by law.
• User Content: Retained as long as your account is active, or as directed by you or the Customer controlling the account. You can delete your User Content and your account. Upon account deletion, your User Content will be removed from our active systems according to our data deletion processes, subject to our backup policies and any legal holds.
• Marketing Information: Retained until you opt-out of marketing communications.
• Other Data: Other data will be retained for periods appropriate to its purpose or as required by law (e.g., billing information for financial auditing).

When Personal Information is no longer required for the purposes for which it was collected, it will be securely destroyed or de-identified.

Your Privacy Choices and Rights

Depending on your location and applicable law, you may have certain rights regarding your Personal Information. We are committed to respecting these rights.

For Users in Canada (under PIPA and other Canadian Privacy Laws):

You have certain rights regarding your Personal Information. Subject to certain exceptions, these rights include:

• Right to Access: You have the right to request access to the Personal Information we hold about you and to receive an accounting of how it has been used and disclosed.
• Right to Correction (Rectification): You have the right to request that any inaccurate or incomplete Personal Information we hold about you be corrected.
• Right to Withdraw Consent: You have the right to withdraw your consent to our collection, use, or disclosure of your Personal Information at any time, subject to legal or contractual restrictions and reasonable notice. Please note that withdrawing consent may impact our ability to provide you with some or all of our Services.

Additional Information for Users in Certain Jurisdictions

For Users in the European Economic Area (EEA) and United Kingdom (UK):

If you are located in the EEA or the UK, you have certain rights under the General Data Protection Regulation (GDPR) or the UK GDPR, respectively. These rights include:

• Right of Access: To access your personal data.
• Right to Rectification: To correct any inaccurate personal data.
• Right to Erasure (Right to be Forgotten): To have your personal data erased.
• Right to Restrict Processing: To restrict the processing of your personal data.
• Right to Data Portability: To receive your personal data in a structured, commonly used, and machine-readable format.
• Right to Object: To object to the processing of your personal data (e.g., for direct marketing).

Our legal bases for processing your personal data are described in the "Our Grounds for Collecting and Using Personal Information" section. You also have the right to lodge a complaint with a supervisory authority in your jurisdiction.

For Users in California (USA):

If you are a California resident, you have certain rights under the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA). These rights include:

• Right to Know: To request information about the categories and specific pieces of personal information we have collected about you, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, and the categories of third parties to whom we disclose personal information.
• Right to Delete: To request the deletion of your personal information, subject to certain exceptions.
• Right to Correct: To request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not "sell" or "share" (for cross-context behavioral advertising) your Personal Information as those terms are defined under CCPA/CPRA.
• Right to Non-Discrimination: You have the right not to be discriminated against for exercising any of your CCPA/CPRA rights.
• Right to Limit Use and Disclosure of Sensitive Personal Information (if applicable): We do not collect or process sensitive personal information for the purpose of inferring characteristics about you.

California's "Shine the Light" law (Civil Code Section § 1798.83) permits users of our Websites that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please contact us at [email protected]. Note that we do not currently disclose personal information to third parties for their direct marketing purposes.

If you are under 18 years of age, reside in California, and have a registered account with our Websites or Services, you have the right to request removal of unwanted data that you publicly post. To request removal of such data, please contact us using the contact information provided below and include the email address associated with your account and a statement that you reside in California.

General Privacy Choices and Exercising Your Rights:

• Cookies and Tracking Technologies: You can manage your cookie preferences through our cookie banner or your browser settings. Most browsers allow you to block or delete cookies.
• Marketing Communications: You can opt-out of receiving promotional emails from us by following the unsubscribe instructions included in those emails or by contacting us at [email protected]. You may still receive transactional emails related to your account and our Services even if you opt-out of marketing communications.

To exercise any applicable rights, please contact us at [email protected]. We will respond to your request within the timeframes required by applicable law. We may need to verify your identity before processing your request.

Policy Regarding Children

Our Services are not directed to or intended for use by children under the age of thirteen (13) (or a higher age threshold if stipulated by applicable local law, such as 16 in some EEA countries). We do not knowingly solicit or collect Personal Information from children. If you are under the relevant age threshold, please do not provide any Personal Information through our Websites or Services. We encourage parents and legal guardians to monitor their children’s Internet usage and to help enforce our Privacy Policy by instructing their children never to provide Personal Information through our Websites or Services without their permission. If you believe that a child has provided Personal Information to us, please contact us at [email protected], and we will take steps to delete such information from our systems.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will revise the “Last Updated” date at the top of this Policy and may provide you with more prominent notice, such as by adding a statement to our homepage or sending you an email notification, as required by law. Any changes will be effective immediately upon posting of the updated Privacy Policy.

We encourage you to review this Policy periodically to stay informed about our information practices and the ways you can help protect your privacy. Your continued use of our Websites or Services after any changes to this Policy will constitute your acceptance of such changes.