Skip to content

Privacy Policy

Last Updated: 25 August 2025

ATC TechBridge (“ATC,” “we,” “us,” or “our”) respects your privacy. This Privacy Policy (“Policy”) explains how we collect, use, disclose, and protect information when you interact with our website, communications, and services (collectively, the “Services”).

This Policy does not cover third-party websites, services, or tools. For information on a third party’s privacy practices, please consult their privacy policy.

At a Glance

  • What we collect: Contact details, business information, support data, technical logs.
  • Why we use it: To deliver IT and managed services, provide support, meet legal obligations, and improve our services.
  • How long we keep it: From 30 days (logs) to 6 years (business records), depending on type, then securely deleted.

1. Updates to this Policy

We may update this Policy from time to time. If we make material changes, we will revise the “Last Updated” date and may provide additional notice (e.g., banner on our website or email).

2. Information We Collect

Information You Provide

We collect information you provide directly, for example when you:

  • Submit a contact form
  • Request support
  • Sign up for newsletters or updates
  • Engage with us for services

This may include your name, email, phone number, company, and any content you provide.

We generally rely on implied consent for business communications related to our services, and express consent for any use of personal data beyond providing those services, such as marketing or optional programs.

Information Collected Automatically

We may automatically collect limited technical information through cookies or analytics tools, such as:

  • IP address and browser type
  • Device and operating system
  • Pages viewed and time spent

ATC TechBridge does not currently use third-party advertising pixels or behavioral tracking. If this changes, we will update this Policy.

Information from Other Sources

We may receive information from business partners, referral sources, or publicly available records and combine that with other information we collect.

We collect only the personal data necessary for the purposes identified in this Policy and limit collection to what is reasonably required to provide our Services.

We provide notice of data collection at or before the point of collection, such as through online forms, contracts, or system prompts, as required under U.S. privacy laws.

3. How We Use Information

We may use your information for the following purposes:

  • Provide IT and managed services (including help desk support, endpoint monitoring, security management, compliance reporting, and related consulting)
  • Endpoint and device monitoring (system health, patch status, security alerts)
  • Support and ticket resolution (help desk records, troubleshooting notes)
  • Backup and recovery (system metadata, logs)
  • Policy and compliance support (audits, reporting, runbooks, evidence)
  • Communicate (respond to inquiries, send updates, provide notices)
  • Customer service (technical support, account administration)
  • Marketing (send relevant information about ATC services; you may opt out at any time)
  • Analytics (understand usage trends to improve our website and services)
  • Security and compliance (protect systems, investigate fraud, meet legal obligations)
  • Legal and contractual (as necessary to perform under agreements with you)

Lawful Bases for Processing (GDPR/UK/EU)

Depending on your jurisdiction, we rely on the following legal bases for processing personal data:

  • Provide and improve services: Contract (performance of a contract), Legitimate Interests
  • Communicate: Contract, Legitimate Interests
  • Customer service: Contract, Legitimate Interests
  • Marketing: Consent (where required), Legitimate Interests
  • Analytics: Legitimate Interests
  • Security and compliance: Legal Obligation, Legitimate Interests
  • Legal and contractual: Contract, Legal Obligation

For Japan (APPI), we obtain consent before processing any sensitive personal information, and we specify the purposes of use in advance.

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects.

4. Sharing of Information

We do not sell your personal information. We may share information as follows:

  • Service providers who assist us in delivering Services (e.g., hosting, email, ticketing, analytics)
  • Legal or regulatory authorities where required by law
  • Corporate transactions (merger, acquisition, restructuring) where permitted
  • With your consent or as otherwise disclosed at the time of collection

We may also share de-identified or aggregated data for lawful business purposes.

For clients, processing of personal data is further governed by our Data Processing Addendum and its Data Processing Schedule.

We maintain an up-to-date list of sub-processors available on request and will notify clients of material changes as required by law or contract.

Upon request, we will provide information about our use of service providers who may access personal data on our behalf, including the purposes for which they are engaged.

5. Data Retention

ATC TechBridge retains personal data only as long as necessary to provide the Services, fulfill the purposes described in this Policy, or comply with legal obligations (e.g., CRA, PHIPA).

  • Operational logs: generally 30–90 days
  • Support records: up to 1 year
  • Business/financial records: as required by law (typically 6 years in Canada)
  • All other data: securely deleted or returned within 30 days after contract termination unless otherwise required by law or SOW.

Accountability (PIPEDA)

ATC TechBridge is accountable for all personal data under its control. We maintain policies and practices to ensure compliance with PIPEDA, including employee training, contractual safeguards with service providers, and periodic internal reviews. Individuals may challenge our compliance with PIPEDA by contacting our Privacy Officer.

We are committed to keeping personal information accurate, complete, and up-to-date as necessary. Our detailed privacy policies and practices are available to individuals upon request.

6. Security

We implement reasonable administrative, technical, and physical safeguards to protect personal information, including encryption, multi-factor authentication, least-privilege access, and secure tenant segregation. No system is 100% secure; if you learn of a security issue, contact us immediately.

Data Breach Notification

If personal data is involved in a security incident, we will notify affected clients promptly and support them in meeting any legal notification obligations.

7. Your Choices & Rights

  • Marketing: You may opt out of promotional emails by following the unsubscribe link or contacting us.
  • Access & correction: You may request a copy of personal information we hold about you or ask us to correct it.
  • Deletion: You may request deletion of your information, subject to legal or contractual requirements.
  • Cookies: You may adjust your browser settings to reject cookies, though some features may be limited.

Your GDPR Rights (where applicable):

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to object to processing
  • Right to data portability
  • Right not to be subject to automated decision-making (not applicable, as we do not conduct such processing)
  • Right to lodge a complaint with a supervisory authority

For a detailed description of how these rights are operationalized, please see our Data Processing Addendum and Data Processing Schedule.

Appeals: If we deny your privacy rights request, you may appeal by contacting our Privacy Officer. We will provide a written response within the timeframe required by law, not exceeding 45 days unless applicable law permits a longer period.

If your appeal is denied, you may have the right to escalate your concern to your state’s privacy regulator.

Sensitive Data: Where applicable laws (e.g., CPRA, PHIPA, APPI) grant additional rights regarding sensitive personal information (such as health, biometrics, or precise geolocation), you may exercise those rights by contacting us.

We limit the use of sensitive personal information to the purposes disclosed in this Policy, and do not use it for additional purposes without your consent.

We will respond to requests to exercise your privacy rights within 30 days, or within any other timeframe required by applicable law. Where permitted, this period may be extended with notice to you.

Data Portability: You may request a copy of your personal information in a structured, commonly used, and machine-readable format, and you may request that we transmit this data directly to another organization where technically feasible. California residents may request access to their personal information up to twice in a 12-month period, free of charge.

8. International Users

ATC is based in Ontario, Canada. If you access our Services from outside Canada, your data may be transferred and processed in Canada or other jurisdictions that may not have the same data protection laws as your home country.

  • EEA/UK/Switzerland: If GDPR or equivalent applies, you may exercise rights of access, correction, erasure, restriction, portability, and objection. Our legal bases for processing are outlined in Section 3. Canada benefits from an EU adequacy decision; for transfers outside Canada, we rely on Standard Contractual Clauses or other safeguards. You also have the right to lodge a complaint with a supervisory authority. You may also lodge a complaint with your local data protection authority. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en.
  • U.S. users: Depending on your state, you may have rights under CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, and others. These may include the right to opt out of the sale or sharing of personal information, limit use of sensitive personal information, and appeal denied requests. ATC does not sell personal data. California residents may also limit the use of sensitive personal information and opt out of sharing for cross-context behavioral advertising. We honor Global Privacy Control (GPC) signals. We do not sell or share the personal information of individuals we know are between 13–16 years old without their opt-in consent.
  • Japan (APPI): You have the right to access, correct, or delete your data. Cross-border transfers of data from Japan are subject to your consent or legal safeguards, as required under APPI. We maintain records of third-party disclosures of data as required under APPI and provide individuals with opt-out mechanisms where applicable.

Canadian Health Data (PHIPA)

For health care clients in Ontario, ATC TechBridge may act as an “agent” under the Personal Health Information Protection Act (PHIPA). We provide IT and managed services for environments where personal health information (PHI) is processed, but we do not access or process patient data ourselves except incidentally and only as necessary to provide services. When acting as an agent, ATC TechBridge processes PHI solely on behalf of and in accordance with the instructions of the health information custodian.

We maintain audit logs of access to PHI and support custodians in providing patients with access records as required under PHIPA. If PHI is compromised, we will notify the custodian without undue delay, and in any event within 72 hours of becoming aware, and support them in notifying affected individuals as required.

Patients seeking to exercise rights under PHIPA should contact their health information custodian directly. ATC TechBridge does not respond to patient requests except through the custodian.

Our personnel are trained on PHIPA obligations, and any sub-processors supporting health care clients are contractually required to comply with PHIPA standards.

Employee and Contractor Data

For employees, contractors, and job applicants, we handle personal data in accordance with internal confidentiality and HR policies, available to staff on request.

Certifications and Audits

ATC TechBridge undergoes periodic internal and external reviews of its security and privacy practices. Upon request, we may provide clients with summaries of certifications or audits (e.g., SOC 2, ISO 27001) to support their compliance obligations.

9. Contact Us

If you have questions about this Policy or wish to exercise your rights, please contact us at:

ATC TechBridge
Attention: Privacy
628 Station Rd.
Alfred ON,
K0B 1A0
Email: privacy@atctechbridge.ca

Our designated Privacy Officer/Data Protection Officer can be reached at this address for questions or appeals.

This Policy is intended for website visitors, prospects, and clients. For employee/contractor confidentiality and IP obligations, please see our Confidentiality & IP Agreement.

For more information about how we handle client and end-user data, please see our Data Processing Addendum and Data Processing Schedule.