Privacy Policy

Last updated: May 21, 2026 · Effective: May 21, 2026

Plain-language summary

We collect only what we need to run CorridorBridge Ops for your practice. We never sell your data. Your information stays in Canada. You can export or delete your data anytime. If you have questions, email privacy@corridorbridge.com.

1. Who we are

CorridorBridge Ops (the "Service") is operated by CorridorBridge Advisory Inc. ("CorridorBridge," "we," "us," or "our"), a corporation incorporated in Canada.

Registered office:
CorridorBridge Advisory Inc.
142 Kent Avenue
Timmins, Ontario P4N 3C1
Canada

For any privacy-related questions, contact our Privacy Officer at privacy@corridorbridge.com.

2. What this policy covers

This Privacy Policy describes how we collect, use, store, and share information when you use our Service through app.corridorbridge.com or our marketing website at corridorbridge.com.

This policy applies to two distinct relationships:

  • Customers — consultancy firms and consultants who subscribe to use the Service.
  • End-clients — the clients of our Customers, whose information our Customers store within the Service in the course of providing their advisory services.

We act as the data controller for Customer accounts and as a data processor for end-client information stored by our Customers. Where we act as a processor, our Customers determine the purposes for which end-client data is used.

3. Information we collect

3.1 Information you provide directly

  • Account information: name, email address, password (stored as a salted hash), role, phone number (optional), profile picture (optional).
  • Company information: company name, address, default currency, default hourly rate.
  • End-client information you enter: client company name, primary contact, address, jurisdictional details, risk classifications, and any documents or notes you upload.
  • Engagement information: engagement scope, due dates, time entries, documents, reports, and other work product.
  • Communications: messages you send to our support team.

3.2 Information collected automatically

  • Authentication tokens and session cookies required to keep you signed in.
  • Multi-factor authentication factors (TOTP secret) if you choose to enable 2FA.
  • Technical logs: IP address, browser type, device information, timestamps, and error reports generated when something goes wrong.
  • Audit logs: a record of significant actions taken within your account (e.g., signing in, creating an engagement, deleting a client) for security and compliance purposes.

We do not currently use third-party analytics tools to track your behavior across the Service.

3.3 Information we do not collect

  • We do not collect payment card details. When billing is enabled, payment processing will be handled by a PCI-DSS compliant payment processor (such as Stripe), and we will receive only a customer reference and billing metadata, not your card number.
  • We do not knowingly collect information from individuals under 16 years of age. The Service is intended for use by professional consultancies, not individuals.

4. How we use your information

We use the information we collect for the following purposes:

  • To provide the Service — including running the application, storing your data, and enabling features you use.
  • To authenticate you — verifying your identity at sign-in and securing your account through multi-factor authentication where enabled.
  • To send transactional emails — password reset links, account verification, notifications about activity in your account.
  • To respond to your support requests — when you email us or use in-app help features.
  • To improve and secure the Service — by analyzing error logs, monitoring performance, and detecting unauthorized access.
  • To comply with legal obligations — including tax, accounting, and regulatory requirements.

We do not use your information or your end-clients' information to train artificial intelligence models, to sell advertising, or for any purpose other than operating the Service.

5. Legal basis for processing

Where the General Data Protection Regulation (GDPR) or similar privacy laws apply to you, we rely on the following legal bases:

  • Performance of a contract — to provide the Service you have subscribed to.
  • Legitimate interests — to secure the Service, prevent fraud, and improve our offerings.
  • Consent — for any processing where we explicitly request your consent (e.g., optional features).
  • Legal obligations — to comply with applicable law.

For Canadian users, we collect, use, and disclose personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws, including Quebec's Law 25 (Act respecting the protection of personal information in the private sector).

6. Where your data is stored

We are committed to keeping your data in Canada. Our primary database, document storage, and authentication systems are hosted in Canadian-region cloud infrastructure.

Some of our subprocessors may process limited operational data (such as error logs or performance metrics) in other jurisdictions. Where this occurs, we use providers that have committed to appropriate safeguards, including standard contractual clauses or equivalent measures.

Enterprise customers with strict data residency requirements may request dedicated infrastructure or specific geographic regions for their data. Contact sales@corridorbridge.com to discuss.

7. Service providers and subprocessors

We rely on the following service providers to operate the Service. Each has been chosen for their security practices and commitment to data protection. We require all subprocessors to handle data in accordance with applicable law and our contractual security requirements.

Provider | Purpose | Location
Supabase, Inc. | Database, authentication, document storage, transactional email delivery | Canada / United States
Vercel Inc. | Web hosting and application delivery | Global edge network
Functional Software, Inc. (Sentry) | Error monitoring and application performance | United States
Upstash, Inc. | Rate limiting and abuse prevention | United States

We update this list when subprocessors change. Customers can request advance notification of subprocessor changes by contacting privacy@corridorbridge.com.

8. How long we keep your data

We retain your information for as long as your account is active or as needed to provide you with the Service.

  • Active accounts: data is retained for the duration of your subscription.
  • Inactive accounts: after 12 months of inactivity, we may notify you and delete your account if no response is received within 30 days.
  • Cancelled accounts: data is retained for 30 days after cancellation to allow you to export. After 30 days, your data is permanently deleted, except where retention is required by law (e.g., tax records, accounting documentation typically retained for 6-7 years per Canadian regulations).
  • Audit logs: retained for 24 months to support security investigations and compliance reviews.
  • Backups: encrypted backups are retained for 30 days for disaster recovery purposes.

9. How we protect your data

We take security seriously. Our protections include:

  • Encryption in transit using TLS 1.2 or higher for all connections.
  • Encryption at rest for our primary database and document storage.
  • Multi-factor authentication available to all users and required for administrative accounts.
  • Strict access controls limiting employee access to customer data to those who require it for support or operational purposes.
  • Audit logging of significant actions, retained for security investigations.
  • Rate limiting and abuse prevention on authentication and API endpoints.
  • Content Security Policy and HSTS to mitigate cross-site scripting and protocol downgrade attacks.
  • Regular security updates to underlying infrastructure and dependencies.

No system is perfectly secure. If you suspect your account has been compromised, contact us immediately at security@corridorbridge.com.

10. Your rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access — request a copy of the personal information we hold about you.
  • Correction — request correction of inaccurate or incomplete information.
  • Deletion — request deletion of your account and associated data, subject to retention obligations described above.
  • Portability — receive your data in a structured, commonly used format (we provide CSV and JSON export).
  • Objection — object to certain types of processing.
  • Withdrawal of consent — withdraw consent for processing based on consent.
  • Lodge a complaint — file a complaint with your local data protection authority. In Canada, this is the Office of the Privacy Commissioner (priv.gc.ca); in Quebec, the Commission d'accès à l'information (cai.gouv.qc.ca).

To exercise any of these rights, contact privacy@corridorbridge.com. We will respond within 30 days. There is no fee for these requests in most cases, though we may charge a reasonable administrative fee for repetitive or excessive requests.

If you are an end-client whose information has been entered into our Service by one of our Customers, please contact that Customer directly to exercise your rights. Where required by law, we will assist them in responding to your request.

11. Cookies and similar technologies

We use a minimal number of cookies and similar technologies to operate the Service:

  • Authentication cookies (set by Supabase) — required to keep you signed in. These are strictly necessary.
  • Session preferences — small amounts of local browser storage to remember your theme (light/dark) and sidebar state.

We do not currently use advertising cookies, third-party analytics cookies, or cross-site tracking technologies. If we add such tools in the future, we will update this policy and request your consent where required.

12. Disclosure to third parties

We do not sell your information. We do not share your information with third parties except in these specific circumstances:

  • To our subprocessors as described in Section 7, solely to operate the Service.
  • If we are legally required by court order, subpoena, or other valid legal process. Where permitted, we will notify you before disclosure to allow you to object.
  • To protect the Service from fraud, abuse, or security threats.
  • With your consent for any other purpose.
  • In a business transfer — if CorridorBridge is acquired or merges with another entity, your information may transfer as part of the transaction. We will notify you in advance if this affects your data.

13. International transfers

Some of our subprocessors operate outside Canada. When personal information is transferred outside Canada, it may be subject to the laws of the destination country, including lawful access requests by government authorities.

For users in the European Economic Area, United Kingdom, or Switzerland, transfers of your personal information outside those regions are made under appropriate safeguards, such as standard contractual clauses approved by the European Commission.

14. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Notify active customers by email at least 30 days before changes take effect.
  • Provide a summary of changes when significant updates are made.

Continued use of the Service after changes take effect constitutes acceptance of the updated policy. If you do not agree with the updated policy, you may cancel your account.

15. Contact us

For privacy-related questions, requests, or concerns:

CorridorBridge Advisory Inc.

Attn: Privacy Officer
142 Kent Avenue
Timmins, Ontario P4N 3C1
Canada

Email: privacy@corridorbridge.com

Security incidents: security@corridorbridge.com