What we collect.
What we don't.

1 · Who we are

4UIT Inc. ("4UIT," "we," "us," "our") is an Ottawa-based managed IT and cybersecurity firm, federally incorporated in Canada. Our registered address is 5 - 2000 Thurston Drive, Ottawa, ON K1G 4K7. This policy explains how we collect, use, store, and protect personal information when you visit our website, use our services, or otherwise interact with us.

Our Privacy Officer, as required under Quebec's Law 25 and recommended under PIPEDA, is Amanjot Singh (Founder), reachable at hello@4uit.ca or 1-833-721-4848.

2 · What we collect

Personal information

• Contact details — name, email, phone, mailing address (when you fill in a form, request a quote, or sign a contract)
• Business details — company name, role, business address
• Communication records — emails, support tickets, call notes, scoping documents
• Service-delivery information — IT inventory, network configuration, access credentials, system logs (for managed-IT and cybersecurity customers, only as needed to deliver the service)
• Billing information — invoicing address, payment-method details, transaction history (handled by our payment processor; we don't store full card numbers)

Technical information

• Server logs — IP address, browser, device, pages visited, time on page (collected automatically by our hosting provider to keep the site running and stop abuse)
• Cookies and similar technologies — see the Cookie Policy for details
• Analytics — Google Analytics with consent (anonymised IP, no cross-site tracking by default)

From third parties

We may receive information from referrals, public business directories, or partners — only when there's a legitimate business purpose and the source has appropriate consent.

3 · Why we use it

We use personal information for these specific purposes:

• Service delivery — providing managed IT, cybersecurity, cloud, web design, and computer-repair services we've contracted to deliver
• Customer support — responding to your inquiries, troubleshooting, sending service updates
• Account management — billing, contracts, quarterly reviews
• Marketing — only with consent: occasional service updates, industry insights, event invitations. You can withdraw consent at any time
• Legal compliance — meeting tax, regulatory, and lawful-disclosure obligations
• Site analytics — only with consent: understanding which pages get used so we can improve them

4 · Cookies and tracking

We use a small number of cookies, broken into four categories: essential, analytics, functional, and marketing. The essentials are always on (the site doesn't work without them). The other three are off by default and only run after you give consent through the banner. Full breakdown — including names, expiry, and purpose — is on the Cookie Policy.

5 · Who we share with

Service providers (data processors)

We share information with carefully selected third parties who help us run the business. Each is bound by a written agreement to protect your data. The categories of processing we rely on:

• Website hosting and content delivery — data may be processed in Canada and the United States.
• Database and form-submission storage — hosted in Canadian-region cloud where supported.
• Transactional email delivery — used to send notification emails when you submit a form.
• Web analytics and search-console diagnostics — only after you consent through the cookie banner.
• DNS and content-delivery edge — network routing only; no personal data stored at this layer.
• Managed-cybersecurity telemetry — for managed-MDR/EDR customers, endpoint telemetry flows to our cybersecurity vendor's analyst team under a separate Data Processing Addendum.
• Tenant administration — for customers whose Microsoft 365 or Google Workspace tenants we manage, we have administrative access under a separate engagement letter.
• Email mailbox hosting — for our @4uit.ca addresses.

A current named list of sub-processors and the jurisdictions in which they operate is available on request — email hello@4uit.ca with subject "Sub-processor list."

Business partners

With your explicit consent, we may share information with named business partners for joint service delivery (for example, a cyber-insurance broker referral).

Legal disclosure

We disclose information when required by law — court orders, valid government requests, fraud or security investigations, or to protect the safety of our staff or clients.

Business transactions

If 4UIT Inc. is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction, subject to the same privacy protections set out in this policy. We'll notify affected individuals before any such transfer takes effect.

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. Period.

6 · Where we store it

Personal information is primarily stored in Canadian-region cloud infrastructure. When a service we use processes data in another country (most often the United States), the transfer is covered by appropriate contractual safeguards (standard contractual clauses, data-processing agreements) and disclosed in the third-party processor list above.

7 · How we secure it

We follow the same security discipline we sell — because it would be embarrassing not to. That includes:

• Technical safeguards — encryption in transit (TLS 1.2+) and at rest, multi-factor authentication on all admin accounts, hardened backup with immutable copies, EDR on every endpoint, network segmentation
• Administrative safeguards — written information-security policy, joiner-mover-leaver process, quarterly access reviews, vendor security assessments
• Physical safeguards — locked premises, screen privacy, no unattended printed material containing personal data
• Incident response — documented runbook, rehearsed annually

Data retention

We retain personal information only as long as necessary to fulfil the purposes for which it was collected, satisfy legal obligations (tax records: 7 years), or where you've explicitly asked us to keep it. When the retention period ends, we delete or fully anonymise the data.

Data breach response

If a breach of security safeguards occurs that creates a real risk of significant harm to an individual (PIPEDA's threshold — bodily harm, humiliation, reputation damage, identity theft, financial loss, etc.), we will:

• Notify the Office of the Privacy Commissioner of Canada as soon as feasible after determining the threshold is met
• Notify affected individuals directly (by email or letter) as soon as feasible, with a clear description of what happened, what data was involved, what we're doing about it, and what they should do
• Notify any organization or government institution that may be able to reduce the risk of harm (per s. 10.2 PIPEDA)
• Internally, we aim for a 72-hour discovery-to-notification window as an operating discipline, even though PIPEDA does not set a hard deadline
• Maintain breach records for 24 months — including breaches that don't meet the reporting threshold — sufficient for the OPC to verify our compliance, per the PIPEDA breach-of-security-safeguards regulations

Quebec residents under Law 25 are also notified through our Privacy Officer when a breach involves their personal information; the Commission d'accès à l'information du Québec is notified per Law 25's separate timelines.

8 · Your rights

Under PIPEDA, Quebec's Law 25, and aligned with GDPR best practice, you have the right to:

• Access — request a copy of personal information we hold about you
• Correct — request that we fix inaccurate or incomplete information
• Withdraw consent — for marketing communications or any optional data processing, at any time
• Delete (right to erasure) — request that we delete your personal information, subject to legal-retention obligations
• Restrict processing — limit how we use your information in specific circumstances
• Object to processing — particularly for direct marketing or processing based on legitimate interest
• Data portability — receive your data in a structured, machine-readable format
• Cease automated decisioning — under Law 25, request that no significant decision about you be made solely by automated processing

To exercise any of these rights, email hello@4uit.ca with the subject line "Privacy Request." We respond within 30 days and may require ID verification before we hand over personal information.

Complaints

If you're not satisfied with how we've handled a privacy concern, you can file a complaint with:

• Office of the Privacy Commissioner of Canada — priv.gc.ca
• Information and Privacy Commissioner of Ontario (for Ontario customers, particularly under PHIPA) — ipc.on.ca
• Commission d'accès à l'information du Québec (for Quebec residents under Law 25) — cai.gouv.qc.ca

9 · Children's information

Our services are designed for businesses, not children. We don't knowingly collect personal information from anyone under 13. If we discover that we've collected information from a child under 13, we delete it. If you are a parent or guardian and believe your child has submitted information to us, contact us immediately and we'll remove it.

10 · International transfers

Some of the categories of service providers listed in section 5 — notably web hosting, content delivery, and analytics — may process data in the United States or other jurisdictions. When personal information leaves Canada, we ensure the transfer is covered by appropriate contractual safeguards (standard contractual clauses or equivalent) and that the receiving service maintains a level of protection equivalent to the standard we'd apply in Canada. Where a category processes data outside Canada, the relevant entry in section 5 says so.

11 · Quebec residents (Law 25)

Bill 64, now Quebec's Act to modernize legislative provisions as regards the protection of personal information (commonly "Law 25"), applies to Quebec residents. In addition to the rights above, Quebec residents have:

• The right to know whether automated decisions are made about them, with explanation
• The right to data portability (in force since September 2024)
• Specific consent for use of biometric data, geolocation, and profiling

Our designated Privacy Officer for Law 25 inquiries is reachable at hello@4uit.ca.

12 · Changes to this policy

We update this policy when our practices change, when third-party processors change, or when the law changes. The current version's effective date is at the top of the page. For material changes (new third-party processor, new data category, new use), we'll notify customers by email and post a notice on the homepage for at least 30 days before the change takes effect.

13 · How to reach us

For privacy questions, access requests, complaints, or anything else covered by this policy:

4UIT Inc. — Privacy Officer
5 - 2000 Thurston Drive
Ottawa, ON K1G 4K7
Canada

Email: hello@4uit.ca (subject: "Privacy Request")
Phone: 1-833-721-4848 (toll-free)
Hours: Sales Mon–Sat 08:00–19:00 ET · Technical Support 24/7

Effective date: 2026-05-02
Compliance: PIPEDA (S.C. 2000, c. 5) · Quebec Act Respecting the Protection of Personal Information in the Private Sector (CQLR P-39.1, as modernized by Law 25) · aligned with EU GDPR best practice for non-Canadian visitors.
This policy supersedes any prior privacy policy issued by 4UIT Inc.