Privacy

Privacy Policy

Effective Date: [INSERT DATE] | Last Updated: [INSERT DATE]

1. Introduction

Grateful Marketing™ (“we,” “us,” “our,” or “Grateful Marketing”) is a Canadian AI-powered digital marketing consultancy serving legal, financial, insurance, B2B, D2C, and service-based businesses. We are deeply committed to protecting the privacy and personal information of our clients, website visitors, email subscribers, and prospects.

This Privacy Policy explains how we collect, use, disclose, store, and protect personal information. It also outlines your rights and choices regarding your personal information.

This policy applies to information collected through:

  • Our website and any subdomains we operate
  • Our consulting, strategy, and training engagements with clients
  • Email marketing, newsletters, and business communications
  • AI-powered tools and platforms we use to deliver services (including but not limited to Growth Hub 365 and our internal AI agent team)
  • Business development activities, proposals, and discovery conversations

By using our website or engaging our services, you acknowledge that you have read and understood this Privacy Policy.

2. Who We Are

Grateful Marketing is the data controller (GDPR) and organization accountable (PIPEDA) for the personal information described in this policy.

[INSERT: Legal business name, registered business address, jurisdiction of incorporation]

Contact for privacy matters:

[INSERT: Privacy Officer name, email, phone number, and mailing address]

For residents of the European Union or United Kingdom, we can be reached at the contact details above. If you require a local representative under Article 27 GDPR, please contact us to request current representative details.

3. Information We Collect

We collect personal information that you provide directly to us, information collected automatically through technology, and information received from third parties.

3.1 Information You Provide Directly

  • Contact information: name, business name, job title, email address, phone number, mailing address.
  • Client engagement information: business goals, marketing challenges, brand assets, strategic priorities, team structure, and any other information shared during consulting engagements.
  • Account and billing information: billing contact, payment details (processed via secure third-party processors — we do not store full payment card numbers), purchase orders, and tax identifiers where required.
  • Communications: emails, meeting notes, proposal responses, feedback, survey responses, and any correspondence with our team.
  • Marketing preferences: newsletter subscriptions, event registrations, and content download information.

3.2 Information Collected Automatically

  • Website usage data: pages visited, time spent, referring URLs, browser type, device type, operating system, and approximate geographic location (derived from IP address).
  • Cookies and similar technologies: see Section 8 for full details on cookies and tracking technologies.
  • Log data: IP address, access times, error logs, and technical diagnostic information.

3.3 Information from Third Parties

  • Professional networks: publicly available information from LinkedIn and other professional sources used for legitimate business development.
  • Service providers: information from our analytics, email, CRM, and AI platform providers.
  • Referrals: contact information provided by mutual connections or existing clients who refer you to us.

3.4 Sensitive Personal Information

We do not knowingly collect sensitive categories of personal information (such as health data, biometric data, racial or ethnic origin, religious beliefs, or sexual orientation) as part of our services. Clients should not share sensitive personal information with us unless specifically required for an engagement and governed by a separate written agreement.

4. How We Use Your Information

We use personal information for the following purposes, each supported by a lawful basis under applicable privacy laws:

4.1 To Deliver Our Services

  • Provide AI business consulting, AI and marketing strategy and deployment, and AI team training and empowerment services
  • Develop proposals, statements of work, and service agreements
  • Conduct discovery calls, workshops, and ongoing engagement activities
  • Configure, deploy, and support AI tools and platforms on your behalf

Lawful basis: Contract performance (GDPR Art. 6(1)(b)); consent and reasonable purposes (PIPEDA).

4.2 To Communicate With You

  • Respond to inquiries and provide customer support
  • Send service updates, appointment confirmations, and administrative notices
  • Share educational content, newsletters, and event invitations (where you have opted in)

Lawful basis: Legitimate interests (GDPR Art. 6(1)(f)); consent for marketing communications (GDPR Art. 6(1)(a); CASL for Canadian recipients).

4.3 To Operate and Improve Our Business

  • Analyze website performance and user behavior
  • Improve our services, content, and methodology (including the Gratitude™ methodology)
  • Conduct market research and competitive analysis
  • Train and refine our internal AI agents using properly anonymized or authorized data

Lawful basis: Legitimate interests (GDPR Art. 6(1)(f)); reasonable purposes (PIPEDA).

  • Comply with applicable laws, regulations, tax requirements, and legal process
  • Protect our rights, property, and safety, and those of our clients and third parties
  • Detect and prevent fraud, security incidents, and unauthorized activity

Lawful basis: Legal obligation (GDPR Art. 6(1)(c)); legitimate interests (GDPR Art. 6(1)(f)).

5. Use of AI Systems and Automated Processing

As an AI-powered consultancy, we use artificial intelligence tools to deliver services. We believe in transparency about how AI interacts with your information.

5.1 How We Use AI

  • AI agents assist our team with research, drafting, analysis, and client workflow automation
  • AI platforms may process client-provided content to generate strategies, marketing assets, or training materials
  • Client-facing AI solutions (such as answering and booking systems) may process inquiries from your customers on your behalf

5.2 Safeguards

  • We select AI vendors that offer enterprise-grade data protection, including data processing agreements and, where possible, no-training guarantees on client data
  • We do not use client-confidential information to train public or third-party AI models without explicit written consent
  • We maintain human oversight of AI-generated outputs before they are delivered to clients or published

5.3 Automated Decision-Making

We do not make decisions producing legal or similarly significant effects about you based solely on automated processing. Where AI is used to support decisions (for example, lead scoring or content recommendations), a human reviews and approves material outcomes.

6. How We Share Your Information

We do not sell personal information. We share personal information only in the circumstances described below, and only with parties bound by appropriate confidentiality and data protection obligations.

6.1 Service Providers and Processors

We use carefully selected service providers to help us operate our business, including:

  • Cloud hosting and infrastructure providers
  • Customer relationship management (CRM) platforms
  • Email marketing and automation platforms
  • Analytics providers
  • AI and machine-learning platform providers
  • Payment processors
  • Professional advisors (accountants, lawyers, insurers)

6.2 Collaborators

We work with trusted collaborators (including our collaborator Lotus and other contracted specialists) who support the delivery of services. All collaborators are bound by written confidentiality and data handling obligations.

We may disclose personal information when required to comply with a lawful request from a government authority, court order, subpoena, or applicable law, or to enforce our terms of service or protect our rights.

6.4 Business Transfers

If Grateful Marketing is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction, subject to the continued protections of this Privacy Policy or an equivalent successor policy.

We will share personal information for any other purpose disclosed to you at the time of collection, or with your explicit consent.

7. International Data Transfers

Grateful Marketing is based in Canada. Personal information we collect may be processed, stored, or accessed in Canada, the United States, and other jurisdictions where our service providers operate.

For transfers out of the European Union, United Kingdom, or Switzerland, we rely on appropriate safeguards such as:

  • The European Commission’s adequacy decision for Canada (commercial organizations)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Addendum where applicable
  • Other lawful transfer mechanisms as required

For Canadian clients, certain service providers may store or process personal information outside of Canada. In accordance with PIPEDA, we remain accountable for personal information transferred to service providers and require them to maintain equivalent levels of protection.

[Server hosting note: Once Growth Hub 365’s Canadian server hosting is confirmed, this section will be updated to reflect Canadian data residency for regulated and data-sovereignty-sensitive clients.]

8. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to enhance your experience, analyze traffic, and support our marketing efforts.

8.1 Types of Cookies We Use

  • Strictly necessary cookies: required for the website to function properly (these cannot be disabled).
  • Performance and analytics cookies: help us understand how visitors use our website (for example, Google Analytics).
  • Functional cookies: remember your preferences and improve usability.
  • Marketing and advertising cookies: deliver relevant content and measure campaign effectiveness.

You can control cookies through your browser settings and, where applicable, through a cookie preference center displayed on our website. For users in the EU, UK, and other consent-required jurisdictions, non-essential cookies are only set after you provide consent.

For U.S. residents where applicable, we honor recognized opt-out preference signals such as the Global Privacy Control (GPC).

9. Data Retention

We retain personal information only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

General retention guidelines:

  • Client engagement records: for the duration of the engagement plus seven (7) years for tax, legal, and contractual purposes.
  • Prospect and lead information: up to three (3) years from the last meaningful interaction, unless you opt out sooner.
  • Newsletter and marketing subscribers: until you unsubscribe, plus suppression list retention as required by law.
  • Website analytics: typically up to twenty-six (26) months, in accordance with analytics provider defaults.
  • Financial and billing records: as required by Canadian tax law, generally seven (7) years.

When personal information is no longer required, we securely delete, anonymize, or destroy it.

10. Your Privacy Rights

You have rights regarding your personal information. These rights vary depending on where you live.

10.1 Rights Available to All Individuals

  • Access: request a copy of the personal information we hold about you.
  • Correction: request that inaccurate or incomplete information be corrected.
  • Deletion: request that we delete your personal information, subject to legal retention requirements.
  • Withdraw consent: withdraw consent for processing based on consent (this does not affect prior lawful processing).
  • Opt out of marketing: unsubscribe from marketing emails at any time using the link in our communications.

10.2 Canadian Residents (PIPEDA and Provincial Laws)

Under PIPEDA and applicable provincial privacy laws (including Quebec’s Law 25, Alberta’s PIPA, and British Columbia’s PIPA), you have the right to:

  • Know the purposes for which your personal information is collected, used, and disclosed
  • Access your personal information and request corrections
  • Challenge our compliance with privacy laws
  • For Quebec residents: data portability and the right to request de-indexing

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada or your provincial privacy commissioner.

10.3 United States Residents

Depending on your state of residence (including California, Virginia, Colorado, Connecticut, Utah, Texas, and others with comprehensive privacy laws), you may have the right to:

  • Know what personal information we collect, use, disclose, and “sell” or “share” (as defined by your state’s law)
  • Access, correct, or delete your personal information
  • Opt out of the sale or sharing of personal information and targeted advertising
  • Limit the use of sensitive personal information
  • Non-discrimination for exercising your privacy rights
  • Appeal a denial of your request

California residents: we do not sell personal information for monetary consideration. Under the California Consumer Privacy Act (CCPA/CPRA), certain sharing for cross-context behavioral advertising may qualify as “sharing” — you may opt out via our website preference center or by contacting us.

To exercise your rights, contact us using the information in Section 14. We will verify your identity before fulfilling requests.

10.4 European Union, United Kingdom, and Switzerland Residents

Under the GDPR, UK GDPR, and the Swiss Federal Act on Data Protection, you have the right to:

  • Access your personal data (Art. 15)
  • Rectification of inaccurate data (Art. 16)
  • Erasure / “right to be forgotten” (Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing based on legitimate interests or direct marketing (Art. 21)
  • Not be subject to decisions based solely on automated processing (Art. 22)
  • Lodge a complaint with your local supervisory authority

10.5 How to Exercise Your Rights

To exercise any of these rights, contact us using the information in Section 14. We will respond within the timeframes required by applicable law — typically 30 days (PIPEDA and most U.S. state laws) or one month (GDPR), with possible extensions for complex requests.

We may need to verify your identity before processing your request. We will not discriminate against you for exercising any of your privacy rights.

11. How We Protect Your Information

We implement technical, administrative, and physical safeguards appropriate to the sensitivity of the personal information we handle. These include:

  • Encryption of data in transit (TLS/SSL) and at rest where feasible
  • Access controls, role-based permissions, and multi-factor authentication for internal systems
  • Regular review of third-party vendors and data processing agreements
  • Secure storage of client assets and confidential information
  • Employee and collaborator training on privacy and data protection
  • Incident response procedures and breach notification protocols

No method of transmission or storage is 100% secure. If we become aware of a personal information breach that creates a real risk of significant harm, we will notify affected individuals and the appropriate regulators in accordance with applicable law (including the PIPEDA Breach of Security Safeguards Regulations and GDPR Articles 33–34).

12. Children’s Privacy

Our services are directed to businesses, non-profits, and professionals. We do not knowingly collect personal information from individuals under the age of 16 (or under the applicable age of consent in your jurisdiction). If you believe we have collected information from a minor, please contact us and we will promptly delete it.

13. Third-Party Websites and Services

Our website and communications may contain links to third-party websites, platforms, or services that we do not control. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party sites or services before providing personal information.

14. How to Contact Us

We welcome your questions, comments, and concerns about this Privacy Policy or our privacy practices.

Grateful Marketing — Privacy Officer

[INSERT: Privacy Officer name]

[INSERT: Email address — e.g., privacy@gratefulmarketing.com]

[INSERT: Mailing address]

[INSERT: Phone number]

Regulatory Authorities

If you are not satisfied with our response, you may contact the appropriate privacy regulator:

  • Canada: Office of the Privacy Commissioner of Canada — www.priv.gc.ca
  • Quebec: Commission d’accès à l’information du Québec
  • Alberta / British Columbia: respective Office of the Information and Privacy Commissioner
  • United States: your state attorney general or state privacy agency (California Privacy Protection Agency for CA residents)
  • European Union: your national supervisory authority (list available at edpb.europa.eu)
  • United Kingdom: Information Commissioner’s Office (ICO) — ico.org.uk

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, our services, or applicable laws. When we make material changes, we will update the “Last Updated” date at the top of this policy and, where appropriate, notify you directly (for example, by email or through a notice on our website).

We encourage you to review this policy periodically to stay informed about how we protect your personal information.

Thank you for trusting Grateful Marketing™.
Your privacy is part of our gratitude. GM