Section 1: Who We Are
Net Atelier Inc. is a corporation incorporated under the laws of the Province of Ontario, Canada. We operate the Net Atelier platform — a workflow tool for interior designers managing bespoke, high-value projects.
Responsible organization: Net Atelier Inc.
Address: Toronto, Ontario, Canada
Privacy Officer: privacy@net-atelier.com
Our designated Privacy Officer is accountable for our compliance with this policy and applicable privacy laws, including PIPEDA and Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (Law 25). You may contact the Privacy Officer at any time with questions, concerns, or requests.
Section 2: Information We Collect
We collect information in three ways:
Information you provide directly:
- Account information: name, email address, studio name, role, phone number
- Billing information: payment method details (processed securely by Stripe — we never store full card numbers)
- Profile information: team size, project types, preferences
- Communications: messages you send to our support team, feedback, survey responses
Information collected automatically:
- Usage data: features used, pages visited, actions taken within the platform
- Device information: browser type, operating system, screen resolution, device type
- Log data: IP address, access times, referring URLs, pages viewed
- Performance data: page load times, errors encountered
- Cookie and tracking data: see our Cookie Policy at net-atelier.com/cookies for full details
Information from third parties:
- Single sign-on providers (Google, Microsoft) if you choose to authenticate this way — limited to name, email, and profile photo
- Payment processor (Stripe) for billing status and transaction confirmations
Categories of Personal Information collected (for CCPA/CPRA purposes):
- Identifiers (name, email, IP address, account ID)
- Commercial information (subscription plan, billing history, transaction records)
- Internet or electronic network activity (usage data, log data, feature interactions)
- Professional or employment-related information (studio name, role, team size)
- Inferences drawn from the above (product preferences, feature usage patterns)
We do not collect: Social Security numbers, driver’s licence numbers, biometric data, precise geolocation, racial or ethnic origin, religious beliefs, health information, sexual orientation, or financial account numbers (Stripe handles all payment data).
Section 3: How We Use Your Information
We use the information we collect for the following purposes:
- Providing and maintaining the Service — your account, features, and data (legal basis: contract performance; PIPEDA: necessary for the service)
- Processing payments and managing your Subscription (legal basis: contract performance)
- Sending transactional communications — account confirmations, billing receipts, security alerts, service updates (legal basis: contract performance; CASL: existing business relationship exemption)
- Providing customer support when you contact us (legal basis: contract performance)
- Improving the Service — understanding usage patterns, identifying bugs, prioritizing features (legal basis: legitimate interest; PIPEDA: implied consent for non-sensitive analytics)
- Protecting against fraud, abuse, and security threats (legal basis: legitimate interest)
- Complying with legal obligations (legal basis: legal compliance)
We do not use your information for:
- Targeted advertising — we do not show ads and never will
- Selling to data brokers — your information is never sold, as defined under the CCPA/CPRA or any other applicable law
- Sharing for cross-context behavioural advertising
- Training AI or machine learning models on your Customer Data without your explicit opt-in consent
Marketing communications: with your express consent (obtained separately under CASL), we may send product updates and feature announcements. You can unsubscribe at any time via the link in any email, or through your account settings at net-atelier.com/settings/notifications. We process unsubscribe requests within 10 business days. We will never email your end clients.
Section 4: Customer Data (Controller vs. Processor)
Customer Data — your designs, specifications, client information, budgets, proposals, and all content you create or upload — receives the highest level of protection.
Important distinction:
- Net Atelier is the data controller for your account information (name, email, billing) — we determine why and how this data is processed.
- Net Atelier is the data processor for your Customer Data (designs, client specifications, project files) — you determine why and how this data is processed; we process it only on your instructions to provide the Service.
Our commitments regarding Customer Data:
- Ownership: you retain full ownership. We claim no rights to it.
- Isolation: your Customer Data is logically isolated from other customers. No cross-firm data sharing, ever.
- Access: we access Customer Data only when necessary to provide support you request, maintain the Service, or comply with legal obligations. All access is logged and auditable.
- AI features: any AI-powered features (such as the AI Product Picker) process your data in real-time to serve your request. We do not retain inputs or outputs for training purposes unless you explicitly opt in. AI processing is performed by our sub-processors listed at net-atelier.com/legal/sub-processors.
- Portability: you can export all Customer Data at any time in standard formats using our built-in export tools.
- Deletion: upon account termination, Customer Data is available for export for 30 days, after which it is permanently and irreversibly deleted from our systems — including backups — within 90 days.
The Data Processing Addendum (DPA) at net-atelier.com/legal/dpa governs our processing of Customer Data and forms part of our Terms of Service.
Section 5: Consent
Canadian residents: we rely on the following consent mechanisms under PIPEDA:
- Express consent: for collection and use of sensitive Personal Information, for marketing communications (CASL), and for sharing Personal Information with third parties for purposes beyond service delivery
- Implied consent: for non-sensitive information reasonably required to provide the Service, and for analytics to improve the Service
- You may withdraw consent at any time by contacting privacy@net-atelier.com or adjusting your settings at net-atelier.com/settings/privacy. Withdrawal of consent may limit our ability to provide certain features of the Service.
Quebec residents: under Law 25, we obtain consent that is manifest, free, informed, and given for specific purposes. Consent is requested separately from other information and in clear, simple language. See Section 14 for your specific rights.
US residents: we rely on your agreement to our Terms of Service (contract) and your opt-out rights under applicable state laws. See Section 13 for your specific rights.
We do not require consent beyond what is necessary to provide the Service (PIPEDA s.4.3.3).
Section 6: Data Sharing & Third Parties
We share information only in these limited circumstances:
Service providers who help us operate the platform:
- Cloud infrastructure: Microsoft Azure and Google Cloud Platform (GCP) — Canadian regions as primary, with encrypted backups
- Payment processing: Stripe — handles all payment transactions; we never see or store full card numbers
- Analytics: PostHog (cloud) — product analytics to improve the Service; no data sent to third-party analytics platforms
All service providers are bound by data processing agreements and are prohibited from using your data for their own purposes. Each sub-processor is assessed for privacy compliance before engagement.
We may also disclose information:
- To comply with a valid legal process (subpoena, court order, or government request under Canadian or US law) — we will notify you unless legally prohibited from doing so
- To protect the rights, safety, or property of Net Atelier, our customers, or the public
- In connection with a merger, acquisition, or sale of assets — your data protections transfer to the successor, and we will notify you before your Personal Information is transferred or becomes subject to a different privacy policy
We do not and will never:
- Sell your Personal Information (as defined under the CCPA/CPRA or any applicable law)
- Share your Personal Information for cross-context behavioural advertising
- Share data with advertising networks
- Allow third-party tracking on our platform
Section 7: Sub-Processors
We maintain a current list of sub-processors at net-atelier.com/legal/sub-processors. This list includes the sub-processor name, purpose, data processed, and location.
We will notify you at least 30 days before adding a new sub-processor via email or in-app notification. If you object to a new sub-processor, you may contact us within those 30 days to discuss alternatives. If we cannot resolve the objection, you may terminate the affected Service without penalty.
Section 8: Data Storage & Security
Infrastructure:
- Primary hosting: Microsoft Azure and Google Cloud Platform (GCP) — Canadian regions; your data stays in Canada by default
- Data encrypted at rest (AES-256) and in transit (TLS 1.2+)
- Database backups encrypted and stored in a geographically separate region
Application security:
- Role-based access controls within your account
- Two-factor authentication (2FA) available for all Users
- Session management with configurable timeout
- Regular penetration testing by independent security firms
- Vulnerability disclosure program at net-atelier.com/security
Organizational security:
- Employee access to production systems requires MFA and is logged
- Background checks for all employees with data access
- Annual security awareness training
- Incident response plan tested quarterly
- Privacy impact assessments conducted for new features or processing activities (as required by PIPEDA and Quebec Law 25)
Section 9: Cookies & Tracking Technologies
We use cookies and similar technologies sparingly. For full details — including a complete cookie table, consent mechanisms, and how to manage your preferences — see our Cookie Policy at net-atelier.com/cookies.
In summary:
- Essential cookies: session management, security tokens, user preferences. Always active; required for the Service to function.
- Analytics cookies: PostHog (cloud) — helps us improve the product. Optional; you can opt out in your account settings.
- We do not use: advertising cookies, social media tracking pixels, cross-site tracking, or fingerprinting.
Global Privacy Control (GPC): we honour GPC signals. If your browser sends a GPC signal, we treat it as a request to opt out of any sale or sharing of Personal Information (none of which we engage in) and disable optional analytics cookies.
Do Not Track (DNT): there is currently no industry standard for DNT signals. We do not respond to DNT but we do honour the more specific GPC signal described above.
Section 10: International Data Transfers
Net Atelier is operated from Canada. Your data is primarily stored in Canada (Azure Canada Central / GCP northamerica-northeast1).
For Canadian residents: your Personal Information is processed in Canada. If any processing occurs outside Canada (e.g., through a sub-processor such as Stripe), we ensure equivalent protections are in place through contractual data processing agreements, and we disclose this in our sub-processor list. Under PIPEDA, we remain accountable for your data regardless of where it is processed.
For US residents: your Personal Information may be processed in Canada and the United States. Canadian privacy law provides protections recognized as adequate by many international standards.
For residents of other jurisdictions: if you access the Service from outside Canada or the US, your information may be transferred to and processed in Canada. We will ensure appropriate safeguards are in place for any international transfer.
Note regarding government access: Canadian law enforcement may access data stored in Canada under Canadian legal process. US law enforcement may seek access to data under US legal process (including the CLOUD Act). We will challenge overbroad or improper requests and notify affected customers where legally permitted.
Section 11: Data Retention
We retain your information only as long as necessary:
- Account information: retained while your account is active, plus 30 days after termination for data export
- Customer Data: retained while your account is active; permanently deleted within 90 days of account termination (including backups)
- Billing and transaction records: retained for 7 years as required by Canadian tax law (Income Tax Act) and applicable US tax regulations
- Usage analytics: aggregated and anonymized after 24 months; individual-level data deleted
- Support communications: retained for 3 years after resolution for quality assurance, then deleted
- Security and access logs: retained for 12 months, then deleted
- CASL consent records: retained for the duration of consent plus 3 years (as recommended by CRTC guidance)
- Breach records: retained for 24 months as required by PIPEDA SOR/2018-64
You can request earlier deletion of your Personal Information at any time (see Your Privacy Rights sections below), subject to legal retention requirements.
Section 12: Your Privacy Rights — Canada
Under PIPEDA and applicable provincial privacy legislation, Canadian residents have the right to:
- Access: request a copy of the Personal Information we hold about you
- Correction: request correction of inaccurate or incomplete Personal Information
- Withdrawal of consent: withdraw consent for any optional data processing at any time (this will not affect lawfulness of processing before withdrawal)
- Complaint: file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or your applicable provincial privacy commissioner if you believe your rights have been violated
To exercise these rights, contact our Privacy Officer at privacy@net-atelier.com. We will respond within 30 days. If we need more time, we will notify you of the reason and the expected timeline.
There is no fee for making a request. We will verify your identity before processing any request to protect your information.
Section 13: Your Privacy Rights — United States
US residents may have the following rights, depending on their state of residence:
California residents (CCPA/CPRA):
- Right to know: request the categories and specific pieces of Personal Information we have collected, the sources, business purposes, and categories of third parties with whom we share it
- Right to delete: request deletion of Personal Information we have collected (subject to exceptions)
- Right to correct: request correction of inaccurate Personal Information
- Right to opt out of sale/sharing: we do not sell or share your Personal Information, but you may exercise this right at any time via the “Do Not Sell or Share” link on our website or by contacting privacy@net-atelier.com
- Right to limit use of sensitive Personal Information: we do not use sensitive Personal Information for purposes beyond what is necessary to provide the Service
- Right to non-discrimination: we will not discriminate against you for exercising your privacy rights
- Authorized agent: you may designate an authorized agent to make requests on your behalf with proper verification
Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, New Jersey, and other states with comprehensive privacy laws:
- Right to access, correct, delete, and obtain a portable copy of your Personal Information
- Right to opt out of targeted advertising (we do not engage in targeted advertising)
- Right to opt out of sale of Personal Information (we do not sell Personal Information)
- Right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects (we do not engage in such profiling)
- Right to appeal: if we deny your request, you have the right to appeal. We will provide instructions for how to do so.
To exercise any of these rights, contact privacy@net-atelier.com. We will respond within 45 days (California) or 45 days (most other states). If we need an extension, we will notify you.
We verify requests by matching information you provide against our records. We will not require you to create an account to make a request.
Section 14: Your Privacy Rights — Quebec
Under Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (Law 25), Quebec residents have specific additional rights:
- Right to access and rectification (Sections 27-28)
- Right to data portability: receive your Personal Information in a structured, commonly used technological format, or have it transferred to another organization (Section 27.3, effective September 2024)
- Right to de-indexation: request that we cease disseminating your Personal Information if it causes you serious injury and the dissemination contravenes the law or a court order (Section 28.1)
- Right to be informed of automated decision-making: if we make decisions based solely on automated processing of your Personal Information, you have the right to be informed and to submit observations (Section 12.1)
Privacy by default: for Quebec residents, our privacy settings are configured to the highest level of confidentiality by default (Section 9.1). You may choose to lower your privacy settings in your account preferences.
Consent: we request consent separately for each specific purpose, in clear and simple language, and not as a condition of using the Service beyond what is necessary (Section 14).
Anonymization and de-identification: when we anonymize Personal Information, we do so using generally accepted best practices and in accordance with the criteria determined by the Commission d’accès à l’information (Section 23).
Incidents: any confidentiality incident involving your Personal Information will be handled in accordance with Section 18 (see Section 18 below).
Language: cette politique est disponible en français sur demande. (This policy is available in French upon request.) Contact privacy@net-atelier.com.
Section 15: Do Not Sell or Share
Net Atelier does not sell Personal Information.
Net Atelier does not share Personal Information for cross-context behavioural advertising.
We have not sold or shared Personal Information in the preceding 12 months.
If you wish to exercise your opt-out right regardless, you may:
- Click the “Do Not Sell or Share My Personal Information” link in our website footer
- Contact privacy@net-atelier.com
- Send a GPC signal through your browser (we honour GPC)
This section is provided in compliance with the CCPA/CPRA (Cal. Civ. Code §1798.120, §1798.135).
Section 16: Automated Decision-Making & Profiling
Net Atelier does not make decisions based solely on automated processing that produce legal or similarly significant effects on you.
Our AI-powered features (such as the AI Product Picker) are assistive tools that provide suggestions for your consideration. They do not make decisions on your behalf.
For product analytics, we analyze aggregate usage patterns to improve the Service. This analysis does not result in decisions about individual users’ access to or pricing of the Service.
Quebec residents (Law 25, Section 12.1): if we introduce any automated decision-making in the future, we will inform you at the time the decision is made, allow you to submit observations, and allow you to request that we review the decision.
California residents (CCPA regulations on ADMT): we do not use automated decision-making technology to make decisions concerning your access to or the price of financial or lending services, housing, insurance, education, criminal justice, employment, healthcare, or essential government services.
Section 17: Children’s Privacy
Net Atelier is not intended for use by individuals under 18 (or the age of majority in their jurisdiction). We do not knowingly collect Personal Information from children under 13 (COPPA) or minors under 18.
If we learn that we have collected information from a child under 13, we will delete it promptly and notify the parent or guardian if required by law.
If you believe we have inadvertently collected information from a minor, please contact privacy@net-atelier.com.
Section 18: Breach Notification
In the event of a security breach involving your Personal Information:
Canadian residents (PIPEDA, SOR/2018-64): if a breach creates a real risk of significant harm, we will:
- Notify you as soon as feasible, including a description of what happened, the type of Personal Information involved, and steps you can take to mitigate potential harm
- Report the breach to the Office of the Privacy Commissioner of Canada
- Maintain a record of the breach for 24 months
Quebec residents (Law 25, Section 3.5): we will notify the Commission d’accès à l’information du Québec and affected individuals of any confidentiality incident that presents a risk of serious injury.
US residents: we will notify you in accordance with applicable state breach notification laws (all 50 states and DC have breach notification statutes). Notification timelines vary by state (e.g., California requires notification “in the most expedient time possible and without unreasonable delay”).
In all cases, we aim to notify affected individuals within 72 hours of confirming a breach, via email and in-app notification, including: what happened, what data was affected, what we are doing about it, and what steps you can take.
Section 19: Changes to This Policy
We may update this policy from time to time. We will notify you of material changes at least 30 days before they take effect, via email and in-app notification. Material changes include: new categories of Personal Information collected, new purposes for use, new third-party disclosures, or changes to your rights.
Minor clarifications or formatting changes may be made without advance notice but will always be reflected in the “Last updated” date.
Quebec (Law 25): we will publish notice of amendments to this policy as required by Section 8.2.
We maintain a version history of this policy at net-atelier.com/legal/privacy/archive. Previous versions are available upon request.
Section 20: Contact & Privacy Officer
Privacy Officer
Net Atelier Inc.
Toronto, Ontario, Canada
Email: privacy@net-atelier.com
For general support: hello@net-atelier.com
For security concerns: security@net-atelier.com
Expected response time:
- General privacy inquiries: within 5 business days
- Formal rights requests (access, deletion, correction): within 30 days (or 45 days for CCPA requests)
- Breach notifications: within 72 hours of confirmation
Filing a complaint:
If you are not satisfied with our response, you may file a complaint with:
- Office of the Privacy Commissioner of Canada — priv.gc.ca — 1-800-282-1376
- Commission d’accès à l’information du Québec (Quebec residents) — cai.gouv.qc.ca
- Your applicable US state attorney general
- The California Attorney General (California residents) — oag.ca.gov