as of May 25, 2018
Personal information we collect and process
Your email address
When you place an order, you must provide your email address, it must be your real email address, and you are agreeing to read email we send to that address. We use your email address as the identifier for your subsequent logins to our system, and as the primary means of contacting you for any and all communications related to your order. We must have a way of contacting you in order to fulfill our contract with you. Your email address is also used for similar purposes of contact and identification by some third parties we deal with, as described in the section on third-party processing, below.
If you wish, you may also choose to subscribe to our email newsletter. If you wish to receive the email newsletter then you must indicate this wish by filling out the subscription form or checking the subscription box during the checkout process. It will not happen by default.
We store your email address as part of the record of your order, normally indefinitely, so that we can provide post-sale support and allow you to look up information about past orders on our Web site. We store your newsletter subscription until such time as you choose to end it.
Your name and address
When you place an order, you must provide your name and (geographic or postal) address so that we can fulfill our obligations in the contract you are making with us. This information is shared with certain other parties involved in processing and fulfilling your order, as described in the section on third-party processing, below. Your name and address are also used to verify any credit card transaction you make, in order to protect you from fraud.
We store your name and address with the record of your order, normally indefinitely, so that we can provide post-sale support and allow you to look up information about past orders on our Web site. This information is also usually included in tax-related and import/export records which we are required to keep for a minimum of six years.
Your telephone number
When you place an order, you must provide your telephone number so that we can pass it to the delivery carrier in fulfillment of our contract with you. Most delivery methods require a contact number for the recipient, and it is not possible to predict in advance whether a specific order will need one. Your phone number may also be used for credit card verification. This information is shared with certain other parties involved in processing and fulfilling your order, as described in the section on third-party processing, below.
We do not normally call customers by telephone at all, but if there is a case in which we are urgently required to contact you (for example, because of a safety recall) and we cannot use email, then we may use the telephone number you provided with your order as a means of contacting you.
We store your telephone number, normally indefinitely, as part of the record of your order.
As a company incorporated under the Canada Business Corporations Act, we are legally required to keep certain financial records. Some of these records may incidentally contain personal information about you. We are required to keep all tax-related information (even including information about international transactions to which no Canadian tax applies, since we must be able to prove that no Canadian tax did apply) for a minimum of six years; and details of imports and exports for a minimum of six years. Some items that would not normally contain much or any personal information, such as annual reports, we may be required to keep indefinitely. In addition, as a matter of good accounting practice we keep the corporate general ledger indefinitely, and we are required to keep an audit trail of our financial records which, because this is the point of an audit trail, does not allow for completely eradicating all traces of information once stored.
You can configure your Web browser not to send cookies, or to send only a limited selection of cookies. This configuration must be done by you. We cannot alter the configuration of your Web browser. We inform you about the existence of cookies when you first visit our site. The fact that you have seen and acknowledged this notice is itself represented in a cookie, and you will see the notice again after deleting your cookies, or on every page if you choose to never send cookies.
Choosing not to send cookies will probably interfere with your use of the Web site, and in particular, it will probably make ordering products from us impossible, but it is under your control. Should you wish to place an order with us and never send any cookies, we encourage you to contact us by channels other than the World Wide Web, such as through email to email@example.com.
Like almost all other sites on the Web, our site is provided using Web servers which keep logs of all HTTP and HTTPS transactions, including technical information such as your IPv4 or IPv6 addresses, the URLs on our site to which your browser connects, the time and date of each transaction, the User-Agent string by which your browser identifies itself, the number of bytes sent and received, any errors that were detected, and other similar pieces of information routinely sent by your browser, which we collectively refer to as "log information."
There are some items of log information, such as your IP address, which we cannot possibly avoid collecting and processing at least briefly when you connect, because their use is essential to the Internet connection by which you view pages on our site. Some others, such as the User-Agent string, are under your control by configuring your browser.
Log information is not in itself personally identifiable, but it could possibly be correlated with other information (such as the timing of Web-storefront orders) to become personally identifiable. We do not routinely perform such correlation.
We collect, store, and process log information as a necessary part of operating a stable and secure Web site. We most frequently use it for intrusion detection, in support of our obligations to you and others to maintain the security and integrity of personal, financial, and other data on our systems. We also use log information for resolving technical problems encountered during routine maintenance.
Some of our intrusion detection systems operate automatically and will disconnect or block connections from a suspected intruder without human intervention, on the basis of suspicious patterns detected in log information. Such automated decision-making is necessary to fulfill our obligations to you and others of maintaining industry standards of privacy and security.
The main HTTP/HTTPS log on our backend server is automatically deleted after an amount of time that varies depending on the overall level of traffic but is typically ten days. Other servers, and other server software on the main server, keep other logs, but those are even less likely than the main HTTP/HTTPS log to contain personally identifiable information, and they are automatically deleted on similar schedules.
Third parties who process data on the Web on our behalf, most notably BigCommerce, also maintain similar log information, usually without sharing it with us or others. See the notes below on our relationships with specific third party processors and their privacy policies.
The subset of log information stored in our analytics system is normally kept for up to six months, potentially as much as one year; the cookie information is kept by you, potentially for up to the two-year default cookie expiry requested by our analytics software, but subject to your own decisions when you configure your browser.
BigCommerce, which provides e-commerce hosting for our Web site, also implements its own built-in analytics using the log and cookie information that it also needs to collect for other reasons. See the notes on BigCommerce's processing of data for us, below.
We do not use Google Analytics or similar third-party tracking systems that connect with advertising on other Web sites; we host our own analytics system on the same servers that provide the rest of the Web site, and we do not share the data from it.
Information that may appear in backups
Like almost all professionally-run enterprises that use computers, we maintain both automatic and manual regular backups of the data on our systems as a whole and of especially important data sets in particular.
Our backups are arranged in a hierarchy from frequently-made and easily-accessible spare copies of data (such as within RAID systems: multiple copies of the data stored as soon as it is collected) to long-term archives stored in secure locations physically separate from our main operations.
The backups we keep that are most relevant to personal information about you consist of a rotating set of daily and weekly backups of the main backend server, the oldest of which are automatically overwritten after 14 days. Manually-created "snapshot" backups sometimes also exist and may continue to store otherwise-deleted information for up to six months. Other backups we make, some of them with longer retention times, do not ordinarily contain personally identifiable information about you.
Some financial records are permanently archived to write-only backup media and we are not permitted to destroy these.
Third-party data processors are all expected, and many are legally required, to keep backups of their own. They do not share their backups with us.
Specially sensitive personal information
We do not collect or process information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data of any kind, data concerning health, or anyone's sex life or sexual orientation.
We do not collect or process information relating to criminal convictions and offences or related security measures.
We do not collect or process information specifically related to children, to the age of persons, or to whether you are a child. Our services are not targeted specifically to children. It is our obligation to treat all persons equally without regard to age.
Do not send us specially sensitive personal information of these kinds.
The main storefront of this Web site, and order processing and integration services related to it, are hosted by BigCommerce, Inc., a US corporation. They collect and process data about you on our behalf whenever you visit the site; most of your online interactions with us involve BigCommerce's servers.
Some of our own collection and processing of your data is performed on cloud servers rented from Linode LLC, a US corporation. The servers we rent from them are physically located in Germany. Linode does not directly handle any data about you, but in principle they have access to all the data we store or process on these servers because they provide and maintain the infrastructure.
When you make a credit card transaction on this Web site, the transaction including associated personal information is processed by Stripe, Inc., a US corporation, and its affiliates. As a payment processor and part of the banking industry, Stripe's collection and use of personal information is heavily regulated by law; and some issues implicating Internet privacy for other data (such as handling of data deletion requests) are pre-empted by legal record-keeping requirements for financial data.
Personal information in credit card transactions is often used by entities involved in credit card processing for automated decision making to detect and reject fraudulent transactions, and so transactions may be declined on the basis of such automated decisions. North Coast Synthesis Ltd. only makes fraud-rejection decisions under human control, but we set minimum requirements for valid card information to accept a transaction, and we are unable to process transactions that the Stripe system rejects, which it may do on the basis of automated decisions. Your own card issuer may also reject transactions that we and Stripe would allow, on the basis of automated decision-making, subject to your agreement with your card issuer.
Similarly, if you make financial transactions with us in some other way, other payment processors may be involved. In particular, if you send us money by Interac e-Transfer, you must necessarily do it using an account you have already established with your own bank, and according to whatever terms and conditions you have agreed upon with them, which will probably include terms about collection and sharing of personal information.
When you buy something and we contract to ship it to you, we necessarily give personal information about you (specifically, your name, shipping address, telephone number, possibly email address, and for international shipments a legally-required declaration of the contents of the package) to a shipping carrier, post office, or courier service. Both we and the carrier need this information to fulfill the contract for the goods and services you have purchased.
The telephone number is required by most carriers for contacting you about final delivery of your package, and also often required by Customs authorities, with the carriers requiring it to accept the package so that they can provide it to Customs authorities. The email address is used by some carriers as an identifier so you can log into their systems to change or track the delivery process, as well as for contacting you about final delivery of your package.
Exactly which carrier we use depends on your location and the size and nature of the shipment. We normally choose an appropriate carrier for each order, but you can also contact us before placing your order if you wish to negotiate with us to use some specific carrier (an extra charge may be applicable). For some destinations we may also purchase shipping services from a carrier through a third-party reseller who integrates the carrier's computer systems with our own, and in such cases the reseller also processes information about you and the package. Although we may possibly use others in special cases, the carriers and resellers we normally use, with links to their privacy policies which apply to the services they provide for us and for you, are as follows.
- Canada Post https://www.canadapost.ca/privacy
- DHL http://www.dhl.com/en/legal.html#privacy
- FedEx http://www.fedex.com/ca_english/privacycode.html
- netParcel https://netparcel.com/privacy-policy.html
- Shipstation https://netparcel.com/privacy-policy.html
- UPS https://www.ups.com/ca/en/help-center/legal-terms-conditions/privacy-notice.page
For international shipments sent through Canada Post, your own country's postal service will usually also handle the package, according to their own privacy policies and laws.
International sales are legally required to be declared to Customs authorities in the receiving country. Sufficiently large shipments leaving Canada to some destinations usually also require an export declaration (electronic B13A form) made to the Canada Border Services Agency; although there are exceptions, this requirement applies to nearly all shipments we make valued at CAD $2,000 or more to destinations other than Canada and the USA.
We make Customs-related declarations, which include personal information about you and usually include all the information that would be on your invoice from us, when the declarations are legally required. We are also required by Canadian law to maintain records about all Customs-related matters for a minimum of six years, and we cannot honour requests from you to alter or destroy these records.
Some pages on our Web site contain embedded video from YouTube, which is a service provided by Google, Inc., a US corporation. When your browser loads these pages, it connects to Google's servers as well as ours, and there is at least the potential for your browser to send cookies to Google's servers. See the description of "cookies" above. You can configure your browser not to send cookies to or otherwise communicate with Google, but that is outside our control. We are not involved in any collection or processing of personal information by Google.
At the time of this writing we have no such pages, but it is our plan to eventually embed some video content of our own, served from our own servers, in our Web storefront. Since that would come from us, hosted on the same servers that host the rest of the site, it would have no additional privacy consequences beyond those of using our site at all.
Except as required by the relationships described above, it is our policy in general not to share personal information about you with any other parties.
In some instances, such as when required to do so by a Canadian court order, we may be legally required to share information about you, and even to do so without notifying you. It is our policy in general not to honour requests that purport to have legal authority when it is not clear that we are obligated to do so, for example, if they claim authority other than on the basis of Canadian law; if they contain threats of any kind; or if they do not have the backing of a Canadian court order.
When resolving technical and security problems, and especially if you attack us or our systems, it may be necessary or appropriate for us to share technical information with administrators of computer systems and others as necessary in order to resolve the problems, protect others from attack, and to fulfill our obligation to maintain the security of personal and financial information. Technical information we share when resolving technical and security problems may incidentally include information about you. We will limit this kind of sharing to the minimum of what is necessary or appropriate.
To the extent it may be required or permitted by law, you can request that we provide you with copies of personal information we have about you.
To the extent it may be required or permitted by law, you can request that we correct, destroy, or limit to specific purposes the processing of, personal information we have about you.
For personal information that we are using on the condition of your consent, you can withdraw your consent at any time. The only personal information of this kind is your email address insofar as it is used for sending you our newsletter. Note that we also collect and use your email address for other purposes described above, which are not subject to explicit consent and may continue even if you unsubscribe from the newsletter. You can change your consent to receive the email newsletter by contacting us by email and asking to be removed from the newsletter list.
If the security of personal information about you has been compromised, or has probably been compromised, in a meaningful way by an intrusion or other security-related incident, then we are obligated to inform you about it promptly, and we may use any contact information we have collected, with preference to the email address, to contact you.
When you request access, correction, destruction, or limitation of processing with respect to personal information about yourself, we are obligated (in order to protect your own rights) to verify that you really are the person the information is about. You are not permitted to make these requests with respect to personal information about someone other than yourself. We do not accept form letter privacy requests drafted, promoted, or submitted by third parties.
We cannot grant all requests because we have obligations and legitimate needs that can override some requests, but if we cannot grant a request we will at least give some explanation of why not.
We do not charge a fee to grant any ordinary privacy-related requests, but we can charge a reasonable fee if necessary in the case of unusually difficult or frequent requests.
All privacy-related requests should be addressed by email to firstname.lastname@example.org or by post to:
North Coast Synthesis Ltd.
777 Bay Street
Toronto ON M5G 2C8
Such words and phrases as "North Coast," "we," and "us" refer to North Coast Synthesis Ltd., a company incorporated under the laws of Canada. Such words as "You" refer to the natural person who visits this Web site and may be the subject of personal information.
Privacy rights in general are only applicable to natural persons. That means human beings; corporations and other kinds of non-human legal entities do not have privacy rights.
We and the third parties we contract with take appropriate steps in accordance with industry standards to protect the security, privacy, and integrity of personal information.