Privacy Policy

Last Updated: April 2026

WebCoreLab (“Company,” “we,” “us,” or “our”) is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, store, and protect your personal information when you visit our website at https://webcorelab.com, use our services, or otherwise interact with us.

This policy has been designed to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), the General Data Protection Regulation (GDPR) for our European clients and visitors, the Canadian Anti-Spam Legislation (CASL), and the Accessibility for Ontarians with Disabilities Act (AODA).

By using our website or engaging our services, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy.

1. Information We Collect

1.1 Personal Information You Provide

We collect personal information that you voluntarily provide to us, including but not limited to:

  • Contact Information: Name, email address, phone number, mailing address, and company name, provided through our contact forms, email correspondence, or phone consultations.
  • Account and Billing Information: Payment details, billing address, tax identification numbers, and banking information necessary for processing payments via bank wire, Stripe, or PayPal.
  • Project-Related Information: Business information, content, assets, credentials, and other materials you provide in connection with our services.
  • Communications: Records of your correspondence with us, including emails, contact form submissions, and chat transcripts.
  • Newsletter Subscriptions: Email address and communication preferences when you subscribe to our newsletter via the Mailster plugin.

1.2 Information Collected Automatically

When you visit our website, we automatically collect certain information through cookies and similar technologies, including:

  • Usage Data: Pages visited, time spent on pages, click patterns, referring URLs, and navigation paths.
  • Device Information: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
  • Location Data: Approximate geographic location based on your IP address.
  • Cookie Data: Information collected through cookies, web beacons, and similar tracking technologies as described in our Cookie Policy.

1.3 Information from Third Parties

We may receive information about you from third-party sources, including:

  • Analytics providers (Google Analytics)
  • Payment processors (Stripe, PayPal)
  • Security and performance services (Cloudflare)
  • Publicly available sources relevant to our business relationship

2. How We Use Your Information

We use the personal information we collect for the following purposes:

  • Service Delivery: To provide, maintain, and improve our services, including AI development, web development, SEO, digital marketing, and consulting.
  • Communication: To respond to your inquiries, provide project updates, send invoices, and communicate regarding our business relationship.
  • Payment Processing: To process transactions, send billing notices, and manage accounts receivable.
  • Marketing: To send newsletters, promotional content, and information about our services, only where you have provided consent or where permitted by applicable law.
  • Website Improvement: To analyze usage patterns, diagnose technical issues, and improve the functionality and user experience of our website.
  • Security: To detect, prevent, and respond to fraud, abuse, security incidents, and other harmful activities.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests.
  • Business Operations: To manage our business, including record-keeping, internal reporting, and administrative purposes.

3. Legal Basis for Processing

We process your personal information based on the following legal grounds:

  • Consent: Where you have given us explicit consent to process your personal information for specific purposes, such as receiving our newsletter or marketing communications. You may withdraw your consent at any time.
  • Contractual Necessity: Where processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract.
  • Legitimate Interests: Where processing is necessary for our legitimate business interests, such as improving our services, website analytics, fraud prevention, and direct marketing to existing clients, provided such interests are not overridden by your rights and freedoms.
  • Legal Obligation: Where processing is necessary to comply with a legal obligation to which we are subject, such as tax reporting or responding to lawful requests from public authorities.

4. PIPEDA Compliance

As a Canadian organization, WebCoreLab complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and adheres to its ten fair information principles:

  • Accountability: We are responsible for the personal information under our control and have designated a Privacy Officer to oversee compliance.
  • Identifying Purposes: We identify the purposes for which personal information is collected at or before the time of collection.
  • Consent: We obtain meaningful consent for the collection, use, and disclosure of personal information, except where permitted or required by law.
  • Limiting Collection: We limit the collection of personal information to that which is necessary for the identified purposes.
  • Limiting Use, Disclosure, and Retention: We do not use or disclose personal information for purposes other than those for which it was collected, except with consent or as required by law. We retain personal information only as long as necessary to fulfill those purposes.
  • Accuracy: We keep personal information as accurate, complete, and up-to-date as necessary for the purposes for which it is used.
  • Safeguards: We protect personal information with security safeguards appropriate to the sensitivity of the information.
  • Openness: We make information about our privacy policies and practices readily available.
  • Individual Access: Upon request, we inform individuals of the existence, use, and disclosure of their personal information and provide access to that information.
  • Challenging Compliance: Individuals may challenge our compliance with these principles by contacting our Privacy Officer.

5. GDPR Compliance

For individuals located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we provide the following additional protections in accordance with the General Data Protection Regulation (GDPR):

5.1 Data Controller

WebCoreLab acts as the data controller for personal information collected through our website and in connection with our services. Our contact details are provided at the end of this policy.

5.2 Your Rights Under GDPR

In addition to the rights described in Section 10 of this policy, individuals in the EEA, UK, and Switzerland have the following rights:

  • Right to Restriction of Processing: You have the right to request that we restrict the processing of your personal data under certain circumstances.
  • Right to Object: You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
  • Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects concerning you.

5.3 International Data Transfers

When we transfer personal data from the EEA to Canada, we rely on the European Commission’s adequacy decision regarding Canada’s PIPEDA. For transfers to other countries, we implement appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission.

6. CASL Compliance

WebCoreLab complies with the Canadian Anti-Spam Legislation (CASL) in all electronic communications. In accordance with CASL:

  • We obtain express or implied consent before sending commercial electronic messages (CEMs), including newsletters and marketing emails.
  • All CEMs include our accurate contact information, a clear identification of the sender, and a functional unsubscribe mechanism.
  • We process unsubscribe requests within ten (10) business days, as required by CASL.
  • We maintain records of consent, including when and how consent was obtained.
  • We do not use misleading subject lines, false sender information, or deceptive practices in any electronic communications.
  • Our newsletter, managed through the Mailster plugin, includes a double opt-in process and an easy-to-use unsubscribe link in every message.

7. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your experience, analyze usage, and support our security infrastructure. For detailed information about the cookies we use and how to manage your preferences, please refer to our Cookie Policy.

In summary, we use the following categories of cookies:

  • Essential Cookies: Required for the basic functioning of our website, including WordPress session management and Cloudflare security features.
  • Analytics Cookies: Used to understand how visitors interact with our website, primarily through Google Analytics.
  • Functional Cookies: Used to remember your preferences, such as language settings and cookie consent choices.

8. Third-Party Services

We use the following third-party services that may collect or process your personal information:

8.1 Google Analytics

We use Google Analytics to analyze website traffic and usage patterns. Google Analytics collects information such as your IP address (anonymized), browser type, pages visited, and session duration. Google’s privacy policy is available at https://policies.google.com/privacy.

8.2 Cloudflare

We use Cloudflare for content delivery network (CDN) services, web application firewall (WAF) protection, DDoS mitigation, and performance optimization. Cloudflare may process your IP address and other technical data for security purposes. Cloudflare’s privacy policy is available at https://www.cloudflare.com/privacypolicy/.

8.3 Stripe

We use Stripe to process credit card and electronic payments. Stripe collects and processes payment information in accordance with PCI DSS standards. Stripe’s privacy policy is available at https://stripe.com/privacy.

8.4 PayPal

We use PayPal as an alternative payment processing method. PayPal collects and processes payment information in accordance with its own privacy policy, available at https://www.paypal.com/webapps/mpp/ua/privacy-full.

8.5 WordPress

Our website is built on the WordPress platform. WordPress and certain plugins may set cookies and collect data as necessary for website functionality, content management, and newsletter operations (Mailster plugin).

9. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Our general retention periods are as follows:

  • Client Project Data: Retained for the duration of the client relationship plus seven (7) years to comply with tax and business record-keeping requirements.
  • Contact Form Submissions: Retained for two (2) years unless a business relationship is established, in which case the client retention period applies.
  • Newsletter Subscriber Data: Retained until you unsubscribe, plus thirty (30) days for processing the unsubscribe request.
  • Website Analytics Data: Retained for twenty-six (26) months in accordance with our Google Analytics configuration.
  • Financial and Billing Records: Retained for seven (7) years as required by Canadian tax law.
  • Cookie Data: Retained for the periods specified in our Cookie Policy, which vary by cookie type.

When personal information is no longer required, we securely delete or anonymize it.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • SSL/TLS encryption for all data transmitted between your browser and our website.
  • Cloudflare Web Application Firewall (WAF) for protection against common web threats.
  • Secure storage of data on protected servers with restricted access controls.
  • Regular security assessments and updates to our systems and software.
  • Access controls that limit access to personal information to authorized personnel on a need-to-know basis.
  • Secure payment processing through PCI DSS-compliant providers (Stripe, PayPal).
  • Employee and contractor confidentiality obligations.

While we take reasonable precautions to protect your personal information, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security.

11. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Right of Access: You have the right to request a copy of the personal information we hold about you.
  • Right of Correction: You have the right to request correction of inaccurate or incomplete personal information.
  • Right of Deletion: You have the right to request deletion of your personal information, subject to certain legal exceptions (e.g., record-keeping obligations).
  • Right to Data Portability: You have the right to request your personal information in a structured, commonly used, machine-readable format and to transmit that information to another controller.
  • Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right to Opt Out of Marketing: You have the right to opt out of receiving marketing communications at any time by using the unsubscribe link in our emails or by contacting us directly.

To exercise any of these rights, please contact our Privacy Officer using the contact information provided below. We will respond to your request within thirty (30) days, as required by PIPEDA, or without undue delay and within one (1) month for GDPR-related requests.

We may require you to verify your identity before processing your request. In certain circumstances, we may be unable to fulfil your request in whole or in part, in which case we will provide you with an explanation.

12. Children’s Privacy

Our website and services are not directed to individuals under the age of sixteen (16). We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child under 16, we will take immediate steps to delete such information. If you believe that a child has provided us with personal information, please contact us immediately at [email protected].

13. International Data Transfers

Your personal information may be transferred to, stored, and processed in countries other than your country of residence, including Canada and the United States (where certain third-party service providers are located). These countries may have data protection laws that differ from those in your jurisdiction.

When we transfer personal information internationally, we ensure appropriate safeguards are in place, including:

  • Adequacy decisions by relevant authorities (e.g., the European Commission’s adequacy decision regarding Canada).
  • Standard Contractual Clauses approved by the European Commission.
  • Binding corporate rules or other legally recognized transfer mechanisms.
  • Contractual obligations requiring third-party recipients to protect personal information to standards consistent with this policy.

14. Data Breach Notification

In accordance with PIPEDA’s mandatory breach notification requirements and the GDPR, WebCoreLab maintains procedures for detecting, investigating, and responding to personal information breaches.

In the event of a breach of security safeguards involving personal information that poses a real risk of significant harm to affected individuals, we will:

  • Report the breach to the Office of the Privacy Commissioner of Canada (OPC) as soon as feasible.
  • Notify affected individuals as soon as feasible, providing a description of the breach, the types of personal information involved, steps we are taking to mitigate harm, and steps individuals can take to reduce their risk.
  • For individuals subject to the GDPR, notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach, where feasible, and notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
  • Maintain a record of all breaches, regardless of whether they meet the reporting threshold, for a period of twenty-four (24) months.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational purposes. When we make material changes, we will:

  • Post the updated policy on our website with a revised “Last Updated” date.
  • Notify active clients via email of material changes at least thirty (30) days before they take effect.
  • Where required by law, obtain your consent to material changes.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal information.

16. Contact Information / Privacy Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Privacy Officer:

WebCoreLab — Privacy Officer
120 Eglinton East, Suite 500
Toronto, ON M4P1E2, Canada

Email: [email protected]
Phone: +1-647-546-5599
Website: https://webcorelab.com

If you are not satisfied with our response to your privacy concern, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca. If you are located in the EEA, you may also lodge a complaint with your local data protection authority.