Legal
Privacy policy
Effective date: 10 July 2026. This policy describes how CyberForge AI Inc. collects, uses, discloses, and protects personal information.
1. Introduction and scope
CyberForge AI Inc. ("CyberForge AI," "we," "us," or "our") is an offensive security consultancy incorporated in Ontario, Canada, with its principal place of business at 134 Peter Street, Suite 105, Toronto, ON M5V 2H2. Our business number is BN 517 803 462 RC0001. We are committed to protecting the privacy of individuals whose personal information we collect in the course of operating our website at https://cyberforgeai.pro and delivering professional security services to our clients.
This Privacy Policy applies to personal information collected through our public website, contact forms, email correspondence, telephone communications, and in-person meetings conducted for business development purposes. It does not govern personal information processed on behalf of clients during authorised security engagements; that processing is governed by separate engagement agreements and applicable client instructions.
We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, substantially similar provincial privacy legislation. This policy is designed to meet the transparency requirements of PIPEDA Principle 1 — Accountability and Principle 2 — Identifying Purposes.
2. Accountability
CyberForge AI Inc. is responsible for personal information under its control. We have designated privacy accountability to our operations leadership team. Privacy inquiries, access requests, and complaints may be directed to:
Privacy Officer
CyberForge AI Inc.
134 Peter Street, Suite 105
Toronto, ON M5V 2H2, Canada
Email: [email protected]
Phone: +1 (416) 486-2073
We respond to privacy inquiries during business hours, Monday through Friday, 09:00 to 18:00 Eastern Time. We aim to acknowledge requests within five business days and resolve them within thirty days, subject to complexity and legal requirements.
3. Information we collect
3.1 Information you provide directly
When you submit our contact form, email us, or communicate by phone, we may collect:
- Full name
- Email address
- Telephone number
- Organisation name and job title
- Service interest and message content
- PIPEDA consent confirmation and timestamp
We do not collect more information than is reasonably necessary to respond to your inquiry or establish a professional services relationship.
3.2 Information collected automatically
When you visit cyberforgeai.pro, our servers and, where you have consented, analytics tools may collect:
- IP address (which may be considered personal information in some contexts)
- Browser type and version
- Operating system
- Referring URL
- Pages visited and time spent
- Date and time of access
- Cookie identifiers as described in our Cookie Policy
Non-essential cookies and analytics are activated only after you provide consent through our cookie banner. You may withdraw consent at any time by clearing cookies and revisiting the site to set new preferences.
3.3 Information from third parties
We do not purchase marketing lists or obtain personal information from data brokers for website operations. In limited cases, a mutual business contact may introduce you to us by sharing your professional contact details. In such cases, we use the information only for the stated introduction purpose and provide notice of our privacy practices upon first contact.
4. Purposes for collection, use, and disclosure
We collect and use personal information only for purposes that a reasonable person would consider appropriate in the circumstances. Primary purposes include:
- Responding to inquiries submitted through our website or email
- Scheduling consultations and scoping security engagements
- Preparing proposals, statements of work, and contractual documentation
- Delivering contracted professional services
- Communicating about engagement status, findings, and deliverables
- Invoicing, accounts receivable, and tax compliance
- Improving website functionality and, with consent, understanding visitor behaviour
- Complying with legal obligations, court orders, and regulatory requests
- Protecting our rights, property, and safety, and that of our clients and the public
We will identify any materially new purpose for using personal information and obtain appropriate consent before use, unless otherwise permitted by law.
5. Consent
Consent is the cornerstone of our privacy practice. For contact form submissions, we require explicit opt-in consent via an unchecked checkbox confirming agreement to our privacy practices under PIPEDA. Consent is recorded with a timestamp in America/Toronto timezone at the point of submission.
For cookies, we obtain consent through our banner offering Accept all, Reject all, or Customise options. Essential cookies necessary for site operation do not require consent. Analytics and functional cookies are disabled until you opt in.
You may withdraw consent for non-essential processing at any time, subject to legal or contractual restrictions. Withdrawal does not affect the lawfulness of processing prior to withdrawal. To withdraw consent, contact our Privacy Officer or adjust cookie preferences on your next visit.
6. Disclosure to third parties
We do not sell personal information. We disclose personal information only in the following circumstances:
- Service providers: Trusted vendors who assist with email delivery, hosting, analytics (where consented), and payment processing. These providers are contractually bound to use information only for specified purposes and to maintain appropriate safeguards.
- Professional advisors: Lawyers, accountants, and insurers where disclosure is necessary for advice or coverage.
- Legal requirements: Where required by applicable law, regulation, legal process, or governmental request.
- Business transactions: In connection with a merger, acquisition, or asset sale, subject to confidentiality obligations and notice where practicable.
Contact form submissions are transmitted to our designated email address for processing. Email routing may involve infrastructure providers located in Canada or jurisdictions with comparable privacy protections.
7. Cross-border transfers
Some service providers may process personal information in the United States or other jurisdictions. Where personal information is transferred outside Canada, we assess the recipient's privacy practices and implement contractual protections consistent with PIPEDA accountability requirements. By submitting information through our website, you acknowledge that certain processing may occur outside Canada subject to these safeguards.
8. Retention
We retain personal information only as long as necessary to fulfil the purposes for which it was collected, unless a longer retention period is required or permitted by law.
- Contact inquiries not resulting in engagement: up to twenty-four months, then secure deletion
- Client engagement records: duration of engagement plus seven years for contractual and tax purposes
- Cookie consent preferences: six months, after which the banner reappears
- Analytics data (where consented): aggregated retention per vendor policy, typically thirteen months
When personal information is no longer required, we securely delete or anonymise it using industry-standard methods.
9. Security safeguards
As an offensive security firm, we apply rigorous safeguards to personal information under our control. Measures include:
- Encryption in transit (TLS) for website communications
- Access controls limiting personal information to personnel with legitimate business need
- Multi-factor authentication on administrative systems
- Regular review of access permissions and security configurations
- Employee confidentiality obligations and security awareness training
- Incident response procedures for suspected privacy breaches
No method of transmission or storage is completely secure. We cannot guarantee absolute security but commit to notifying affected individuals and the Office of the Privacy Commissioner of Canada of breaches involving real risk of significant harm, as required by PIPEDA.
10. Your rights
Under PIPEDA, you have the right to:
- Access personal information we hold about you, subject to limited exceptions
- Request correction of inaccurate or incomplete information
- Withdraw consent for non-essential processing
- Challenge our compliance with PIPEDA through our Privacy Officer
- File a complaint with the Office of the Privacy Commissioner of Canada if unsatisfied with our response
Access requests must be submitted in writing to our Privacy Officer. We may request information to verify your identity before disclosing records. We respond within thirty days unless an extension is permitted and communicated.
11. Children's privacy
Our website and services are directed at business professionals and organisations. We do not knowingly collect personal information from individuals under eighteen years of age. If we become aware that we have collected such information without parental consent, we will delete it promptly.
12. Links to other websites
Our website may contain links to third-party sites. We are not responsible for the privacy practices of those sites. We encourage you to review their privacy policies before providing personal information.
13. Changes to this policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. Material changes will be posted on this page with an updated effective date. Where changes materially affect how we use personal information already collected, we will seek renewed consent where required.
14. Contact us
For questions about this Privacy Policy or to exercise your privacy rights:
CyberForge AI Inc.
134 Peter Street, Suite 105
Toronto, ON M5V 2H2, Canada
Email: [email protected]
Phone: +1 (416) 486-2073
Business hours: Mon–Fri, 09:00–18:00 ET