Privacy Policy
Last Updated: 2026-05-16
1. Who We Are
Yellowhead Digital ("we", "us", "our") is a digital infrastructure analysis business based in British Columbia, Canada, operated by Christopher Enns as a sole proprietorship.
We act as the Data Controller for personal data collected through our website and services.
Contact: privacy@yellowhead.digital
2. What Data We Collect
Account Data
Name, email address, company name, and billing address provided when you create an account or purchase a service.
Diagnostic Inputs
Business URL, domain name, and answers to self-assessment questions you submit when running a Forensic Diagnostic.
Usage Data
Session behaviour, feature usage, report access patterns, and interaction data collected automatically when you use our platform.
Payment Data
All payment processing is handled by Stripe. We do not store credit card numbers or full payment card data. We retain transaction records (amount, date, subscription tier) for billing and tax purposes.
Diagnostic Output Data
Pillar scores, AI-generated findings, and recommendations produced by our diagnostic engine based on your inputs.
Communications
Emails you send us, support enquiries, and transactional emails we send you via our service providers.
Public Business Data
Where you provide a business URL or domain, we may collect publicly available data about that business (social media profiles, website content, publicly listed contact details) as part of delivering the diagnostic service. The subject of such analysis may be any business, including a business that is itself a Yellowhead Digital customer; see Section 3 (What our service analyses) for further detail on how subject-of-analysis services interact with customer protections.
Customer redistribution to third parties (all tiers)
Customers at any subscription tier may submit business URLs and diagnostic inputs in respect of third parties, and may redistribute the resulting deliverables to those third parties (or to others acting in advisory or service-provider capacities for them), per Terms of Service §8 Customer redistribution of deliverables. In this context, the Customer (account holder) acts as the party responsible for the data submission. Yellowhead Digital processes this data on the same basis as any other diagnostic input — we do not have a direct relationship with the third party unless that third party independently creates a Yellowhead Digital account.
Where a Customer submits third-party data and/or redistributes a deliverable, the Customer is responsible for:
- Ensuring they have appropriate authority to submit the third party's business information for analysis;
- Informing the third party that the diagnostic analysis is performed using third-party AI services (as listed in Section 4 below);
- Imposing use restrictions on the third party no less protective than those in our Terms of Service and the applicable Schedule (per Terms §8); and
- Coordinating any data-subject-rights requests from individuals within the third party's organisation (for example, requests under GDPR, PIPEDA, UK DPA, Quebec Law 25, or equivalent regimes), routing those requests to Yellowhead Digital as needed for fulfilment via the contacts in Section 5 of this policy.
Client-organisation infrastructure (Enterprise and Agency Accounts)
Enterprise and Agency account holders have access to multi-tenant client-organisation infrastructure that scopes reports, deliverables, members, and billing within distinct client-organisations under a single account. The responsibilities above apply equally to Customers using this infrastructure and to Customers redistributing on an ad-hoc basis at lower tiers; the tier difference is operational support, not a different responsibility regime.
Customer system data accessed during consulting engagements
For Customers who engage Yellowhead Digital for Infrastructure Audit, Architect (Blueprint, Build, or Monitoring/Orchestration retainer), or Assist (Advisory or Hands-On) services, Yellowhead Digital is granted access to Customer systems for the purpose of delivering the engaged service. The categories of data Yellowhead Digital may observe or process during such engagements include:
- System configuration data — tag manager containers, analytics property settings, ad account structures, consent platform configurations, server-side tagging schemas, integration architecture documentation.
- Personal data of Customer staff — names, email addresses, and access credentials of personnel granting access or participating in the engagement. Yellowhead Digital acts as Data Controller for this category.
- Personal data of Customer end-users embedded in audited or operated systems — for example, hashed identifiers in advertising audiences, GA4 user properties, conversion records, consent-log entries. Yellowhead Digital acts as Data Processor for this category, with Customer as Data Controller. The standard Data Processing Agreement (Section 10) governs this relationship and is incorporated by reference into the applicable Order Form or Statement of Work.
- Commercially confidential data — campaign performance, audience definitions, ad spend, conversion rates, customer segmentation logic. Treated as Confidential Information under the Terms of Service.
- Build artifacts (Architect engagements only) — code, configurations, integration credentials, and technical documentation produced or modified during build work.
Access to Customer systems is granted under the applicable Order Form or SOW and revoked (or transitioned to read-only) on engagement completion per those documents. Yellowhead Digital does not use access granted under one Order Form or SOW to perform work outside the scope of that document.
3. How We Use Your Data
Service delivery: To create and manage your account, process diagnostic reports, and deliver results.
Engagement delivery: To perform Infrastructure Audit, Architect (Blueprint, Build, or Monitoring/Orchestration retainer), and Assist (Advisory or Hands-On) services for Customers, including configuration analysis, system observation, build implementation, knowledge transfer, and ongoing monitoring or orchestration delivery.
Billing and payments: To process subscription payments and service invoices via Stripe, and to meet Canadian tax record-keeping requirements.
Communications: To send transactional emails (receipts, report notifications, account alerts) and, where you have consented or where we have a legitimate interest, product updates and service announcements.
Identified marketing use: We may use your business name and logo to identify you as a Yellowhead Digital customer in our marketing materials, case studies, customer reference lists, and on our website. The licence to do so applies across all subscription tiers on an opt-out basis — see Section 7 of our Terms of Service for the per-tier mechanics (Free / Starter / Pro Tier: opt-out licence with fourteen-day revocation; Enterprise / Agency / Custom Tier: opt-out licence with thirty-day revocation). Mutual prior written consent is required for joint press releases, joint or co-authored case studies, and direct quotes or specific statements attributed to you, regardless of tier. Where you are a sole proprietor or individual contractor and your business name is substantially identifiable with you personally, we will not use your name or logo without your prior affirmative consent regardless of subscription tier. Materials already published before you revoke the licence (or exercise your opt-out right under Terms §7) or close your account may be retained and continue to be displayed per the Surviving rights subsection of Terms §7.
Platform improvement: To understand how the platform is used, identify issues, and develop new features.
Organisation and client-organisation access: Where you belong to an organisation or agency account, diagnostic reports and account data may be visible to other members of that organisation and, for agency accounts, scoped to the relevant client-organisation. The organisation administrator controls member access. If you leave an organisation, your access is removed but organisation-owned data is retained by the organisation.
Domain visibility for organisation administrators: Where you hold a Yellowhead Digital account using an email address at a domain verified to an organisation account, the organisation administrator may see the existence of your account (name and email address only) for the limited purposes set out in Terms of Service §3 — invitation, abuse prevention across uncoordinated accounts on the same domain, and billing consolidation. The administrator does not see your diagnostic results or account contents through domain visibility alone; access to those requires you to accept an organisation invitation. You may decline invitation and continue using your personal account independently. We rely on legitimate interest (abuse prevention and organisation administration) as the lawful basis for this processing under PIPEDA, GDPR, UK DPA, and equivalent regimes.
Use of your data (all tiers):
Aggregate, anonymised insights. We use aggregate, de-identified data derived from all service tiers to produce industry benchmarking reports and publish anonymised case studies. Insights published in this form cannot identify you or your business.
Service improvement (identified data). We use identified data from client engagements — including diagnostic inputs and outputs, engagement notes, and internal analysis — to improve our diagnostic models, develop new product features, and inform delivery of subsequent engagements. This use is internal to Yellowhead Digital and is not transferred to third parties beyond the sub-processors listed in Section 4.
What we do not sell. We do not sell, license, or otherwise transfer to third parties the data you submit through your account, the diagnostic and analytical outputs we generate at your direction, or any other subscriber-side data we hold about you as a Yellowhead Digital customer.
What our service analyses. Yellowhead Digital's diagnostic, competitive-reporting, and intelligence services analyse publicly available data about businesses — including websites, social media, news media, public registries, and similar sources — on the instruction of the requesting customer. The subject of that analysis may be any business, including a business that is itself a Yellowhead Digital customer. Being a Yellowhead Digital customer protects the subscriber-side data described above; it does not exempt your business's public footprint from being a subject of analysis performed for another customer using publicly-sourced information. This is a foundational feature of the service.
Lawful bases for processing (EU/UK data subjects)
For data subjects in the EU, UK, and other GDPR-aligned jurisdictions, the lawful bases under Article 6(1) of the GDPR (and the equivalent provisions of the UK GDPR and UK Data Protection Act 2018) on which we rely are as follows:
| Processing purpose | Lawful basis | Article 6(1) reference |
|---|---|---|
| Service delivery (account creation, diagnostic generation, report delivery) | Contract | (b) |
| Consulting engagement delivery (Infrastructure Audit, Architect, Assist) | Contract | (b) |
| Billing, payment processing, and tax-record retention | Contract; legal obligation (Canadian tax law) | (b), (c) |
| Transactional communications (receipts, report notifications, account alerts) | Contract | (b) |
| Product updates and service announcements | Legitimate interest, or consent where required by jurisdiction | (f) or (a) |
| Identified marketing use of Customer name and logo (Free / Starter / Pro Tier opt-out licence, 14-day revocation) | Legitimate interest, subject to opt-out under Terms §7 | (f) |
| Identified marketing use of Customer name and logo (Enterprise / Agency / Custom Tier opt-out licence, 30-day revocation) | Legitimate interest, subject to opt-out under Terms §7 | (f) |
| Joint press releases, joint or co-authored case studies, and direct quotes or specific statements attributed to Customer (all tiers) | Consent | (a) |
| Platform improvement and feature development (anonymised analytics) | Legitimate interest | (f) |
| Service improvement using identified engagement data | Legitimate interest, subject to the safeguards in Section 5 of our Terms | (f) |
| Organisation and client-organisation member access management | Contract (with the organisation account holder) | (b) |
| Domain-based account visibility for organisation administrators | Legitimate interest (abuse prevention and organisation administration) | (f) |
| Aggregate, anonymised industry benchmarking (post-anonymisation data falls outside GDPR scope) | Legitimate interest until anonymisation completes | (f) |
Where we rely on legitimate interest, we have conducted a balancing assessment and concluded that our interest does not override the data subject's rights and freedoms. You may object to processing on legitimate-interest grounds at any time — see Section 7 (Your Rights) of this policy.
4. Third-Party Processors
We use the following categories of third-party services. We distinguish between (a) processors that handle your personal data on our behalf under Article 28 of the GDPR (and equivalent obligations in PIPEDA, UK DPA, Quebec Law 25, and similar regimes), and (b) public-data retrieval services that receive query inputs about target businesses (names, URLs, public profile lookups) and return publicly-sourced information. The latter do not receive your personal data and are not engaged as processors on our behalf; they are listed here for full transparency.
4a. Processors of your personal data (Article 28)
Each processor below is bound by a Data Processing Agreement (DPA) and, where applicable, Standard Contractual Clauses (SCCs) or EU-US Data Privacy Framework (DPF) certification for transfers of EU/UK personal data.
| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase | Database hosting (account data, diagnostic data, all customer-identifiable records) | USA (EU region available) | DPA / SCCs |
| Stripe | Payment processing | USA | PCI-DSS / DPA / DPF / SCCs |
| Vercel | Frontend hosting | Global CDN | DPA / DPF / SCCs |
| Railway | Backend hosting | USA | DPA / DPF / SCCs |
| Resend | Transactional email delivery | USA | DPA / DPF / SCCs |
| OpenAI | AI analysis prompts containing customer-submitted context | USA | DPA / DPF / SCCs |
| Google (Gemini) | AI analysis prompts containing customer-submitted context | USA | DPA / DPF / SCCs |
| Anthropic (Claude) | AI analysis prompts containing customer-submitted context | USA | DPA / DPF / SCCs |
| Meta Pixel / Ad attribution | Site visitor tracking and advertising attribution | USA | DPA / DPF / SCCs |
| Google Analytics 4 | Usage analytics on the Service | USA | DPA / DPF / SCCs |
4b. Public-data retrieval services (not engaged as Article 28 processors)
The following services receive only target-business identifiers (business names, URLs, public profile lookups, geographic queries) and return publicly-sourced information. They do not receive your account data, your behavioural data, your billing information, your self-assessment answers, or any other personal data that identifies you as a Yellowhead Digital customer. They are vendors of public-information retrieval, not processors of your personal data on our behalf.
| Service | Purpose | Location | Notes |
|---|---|---|---|
| Apify | Web scraping of target-business URLs supplied to the diagnostic | EU | EU-based; the API call carries the target URL and scraping configuration |
| Newsdata.io | News and media search by target-business name | India | No EU adequacy decision; receives only target-business search queries, no customer personal data |
| Gnews.io | News and media search by target-business name | Switzerland | EU adequacy decision applies |
| Perplexity | Grounded-information retrieval about target businesses (business name, URL, and regional focus only) | USA | DPF certified, SCCs available |
| Google Places API | Business location and address lookup by name | USA | DPF certified, SCCs available |
| Meta Graph API | Public social-profile lookup for target businesses | USA | DPF certified, SCCs available |
If you have questions about which category any specific service falls into, or whether your personal data is involved in a particular processing flow, contact us at privacy@yellowhead.digital.
We do not sell your personal data to any third party, for any purpose.
5. Cookies and Tracking
We use the following tracking technologies:
- Google Analytics 4 (GA4): Collects anonymised usage analytics to help us understand how the platform is used. (Tier 1 opt-in; Tier 2 opt-out — see Consent by jurisdiction below.)
- Google Tag Manager (GTM): Manages and deploys analytics and marketing tags. (Consent tier follows the underlying tag — GTM itself does not collect tracking data; the tags it loads do.)
- Meta Pixel (Meta Platforms): Loads on marketing and conversion pages to support advertising attribution and audience measurement on Meta-owned platforms (Facebook, Instagram). The Pixel is a client-side tracking technology that captures page-view, event, and identifier data and shares it with Meta. (Tier 1 opt-in required before the Pixel fires; Tier 2 opt-out — see below.)
- Necessary cookies: Required for login sessions and security. These do not require consent.
Consent by jurisdiction
We apply a tiered consent model based on your location:
- Tier 1 — Opt-in required (EU/EEA, UK, Switzerland, Brazil, Quebec): Analytics and marketing cookies are blocked until you provide explicit consent via our cookie banner. You can withdraw consent at any time via the "Cookie Preferences" link in the footer.
- Tier 2 — Opt-out (US states with privacy laws, rest of Canada, Australia): Analytics and advertising cookies are enabled by default. You can opt out at any time via the "Do Not Sell or Share My Personal Information" link in the footer.
- Tier 3 — Unregulated regions: Analytics and advertising cookies are enabled by default.
Global Privacy Control (GPC)
We honour the Global Privacy Control (GPC) browser signal. If your browser sends a GPC signal, we treat it as an opt-out of advertising and data-sharing cookies. You may override this by explicitly accepting advertising cookies via the cookie preferences overlay.
Additional opt-out options
All visitors may opt out of GA4 tracking by enabling "Do Not Track" in their browser or by using the Google Analytics Opt-out Browser Add-on.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 2 years after closure |
| Diagnostic inputs (submitted URLs, domain names, self-assessment answers) | Duration of account + 24 months after closure, then deleted or anonymised |
| Diagnostic reports (outputs) | 24 months, then anonymised and retained in aggregate |
| Customer-staff personal data (consulting engagement participants — names, emails, access credentials of personnel granting access or participating in an Audit, Architect, or Assist engagement) | Duration of engagement + 2 years after engagement closure |
| Engagement working papers and deliverables (audit reports, build artifacts, internal analysis, configuration snapshots, knowledge-transfer documentation) | 7 years from final delivery (aligns with Canadian tax and professional-services record-keeping floor) |
| Customer system access credentials and tokens granted for engagement work | Revoked or transitioned to read-only at engagement completion per the applicable Order Form or SOW; not retained beyond that point |
| Payment records | 7 years (Canadian tax requirement) |
| Support communications | 2 years |
| Analytics data | As per GA4 data retention settings (max 14 months) |
Anonymisation. Where this table refers to data being "anonymised," we mean removing all direct and indirect identifiers — name, email, account ID, business name, business URL, domain, and any other field that could reasonably be used to re-identify a Customer or business — and retaining only aggregate data in a form that cannot reasonably be re-linked to any individual or business. Anonymised data is irreversible and falls outside the scope of personal-data protections under PIPEDA, GDPR, and equivalent regimes.
7. Your Rights
EU/UK only — GDPR and UK Data Protection Act 2018
If you are located in the EU or UK, you have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Erasure ("right to be forgotten"): Request deletion of your personal data where there is no compelling reason for us to continue processing it.
- Portability: Receive your data in a structured, machine-readable format.
- Restriction: Ask us to limit how we use your data in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Complaint: Lodge a complaint with your national supervisory authority (e.g. the ICO in the UK, or your EU Member State's DPA).
Brazil — LGPD (Lei Geral de Proteção de Dados)
If you are located in Brazil, you have the right to:
- Confirmation and access: Confirm whether we process your data and request access to it.
- Correction: Request correction of incomplete or inaccurate data.
- Anonymisation, blocking, or deletion: Request anonymisation or deletion of unnecessary or excessive data.
- Data portability: Receive your data in a structured format for transfer to another service.
- Revocation of consent: Withdraw consent at any time for processing based on consent.
- Complaint: File a complaint with the ANPD (Autoridade Nacional de Proteção de Dados).
Quebec — Law 25 (Act Respecting the Protection of Personal Information in the Private Sector)
If you are located in Quebec, you have the right to:
- Access the personal information we hold about you.
- Rectification of inaccurate information.
- Withdrawal of consent for non-essential processing.
- De-indexation: Request that your personal information be de-indexed from search results where dissemination contravenes the law.
- Complaint: File a complaint with the Commission d'accès à l'information du Québec (CAI).
California only — CCPA/CPRA
California residents have the right to:
- Know what personal information we collect and how we use it.
- Delete personal information we hold about you (subject to exceptions).
- Correct inaccurate personal information.
- Opt out of sale: We do not sell personal information. This right is not applicable.
- Non-discrimination: We will not discriminate against you for exercising your privacy rights.
Canada — PIPEDA and BC PIPA
You have the right to:
- Access the personal information we hold about you.
- Correction of inaccurate information.
- Withdraw consent for non-essential processing.
- Description of recipients (BC PIPA §23): Request information about the organisations or persons to whom we have disclosed your personal information.
Australia — Australian Privacy Act 1988
You have the right to:
- Access and correction of your personal information.
- Complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the Australian Privacy Principles.
- Notification of eligible data breaches: Where a data breach is likely to result in serious harm to any individual whose personal information we hold, we will notify affected individuals and, where applicable, the Office of the Australian Information Commissioner (OAIC), as soon as practicable, in a manner consistent with Part IIIC of the Privacy Act 1988 (Cth) (Notifiable Data Breaches scheme). We apply this practice voluntarily to Australian customers regardless of whether the small-business exemption currently applies to us.
How to Exercise Your Rights
Email privacy@yellowhead.digital with your request. We will respond within thirty (30) days. We may ask you to verify your identity before processing your request.
8. International Data Transfers
Yellowhead Digital is based in British Columbia, Canada. Personal data transferred internationally is protected under the following mechanisms:
- Transfers from the EU and EEA to Canada. Yellowhead Digital relies on the European Commission's adequacy decision for Canada under Article 45 of the GDPR, which covers personal data transferred to recipients subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) in the course of commercial activities. We process all personal data described in this policy in the course of commercial activities subject to PIPEDA.
- Transfers from the UK to Canada. We rely on the UK's adequacy regulations for Canada (made under section 17A of the UK Data Protection Act 2018) on equivalent terms.
- Transfers from Quebec to Yellowhead Digital. Yellowhead Digital is located in British Columbia and is subject to BC PIPA, which has been recognised by the Office of the Privacy Commissioner of Canada as substantially similar to PIPEDA. Cross-provincial transfers within Canada are not restricted, and we apply BC PIPA and PIPEDA standards uniformly.
- Onward transfers to US-based processors. Personal data transferred from Yellowhead Digital to US-based sub-processors listed in Section 4a is protected by one or more of: certification under the EU-US Data Privacy Framework (DPF) and its UK and Swiss extensions; Standard Contractual Clauses (SCCs) approved by the European Commission; or equivalent transfer mechanisms under the law of the data subject's jurisdiction. The specific mechanism for each processor is set out in the Safeguard column of the Section 4a table.
- Onward transfers to other jurisdictions. Where Section 4a or 4b lists processors located outside Canada and the EU/EEA/UK (for example, India), we have evaluated the legal protections in that jurisdiction and applied additional contractual safeguards where appropriate. Section 4b processors do not receive your personal data; they receive only target-business identifiers and return publicly-sourced information.
- Brazil (LGPD), Australia (Privacy Act 1988), Quebec (Law 25), California (CCPA/CPRA), and other regimes. Where we transfer personal data subject to a regime not addressed above, we rely on the lawful transfer mechanisms available under that regime, including contractual safeguards, the data subject's consent where required, and any applicable adequacy or whitelist determinations.
9. Children
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at privacy@yellowhead.digital and we will delete it promptly.
10. Data Processing Agreements (B2B Customers)
For Enterprise, Agency, Custom, and other B2B Customers where Yellowhead Digital processes personal data on Customer's behalf (Customer being the "Data Controller" and Yellowhead Digital being the "Data Processor"), Yellowhead Digital offers a standalone Data Processing Agreement (DPA). This includes (without limitation) consulting engagements under the Infrastructure Audit Order Form, the Blueprint SOW, the Architect Build SOW, the Architect Order Form — Retainer (Monitoring / Orchestration), and the Assist Order Form — Hourly where Yellowhead Digital processes personal data of Customer's end-users embedded in Customer's systems.
Our DPA addresses:
- Scope, nature, and purpose of processing
- Categories of data subjects and personal data processed
- Sub-processor obligations and notification mechanism (including the third-party processors listed in Section 4)
- Technical and organisational security measures
- Data subject rights assistance
- International transfer safeguards (Standard Contractual Clauses where applicable)
- Audit and inspection rights
- Personal data breach notification timing
- Data return and deletion at termination of services
To request our standard DPA, email privacy@yellowhead.digital. We will provide our template for review within ten (10) business days. Bespoke amendments may be negotiated for Customers with specific regulatory or contractual requirements.
For B2B engagements where a DPA is required by law (for example, under GDPR Article 28 where Customer is processing data of EU data subjects), the DPA forms part of, and is incorporated by reference into, the applicable Order Form or Statement of Work.
11. Updates to This Policy
We may update this policy from time to time.
Material changes — including without limitation changes to the purposes of processing, the categories of data we collect, the categories of recipients, the legal bases on which we rely, your rights as a data subject, our retention periods, or the international transfer mechanisms we use — we will give you at least thirty (30) days advance notice by email before the change takes effect.
Changes in Data Controller identity — including in the event of a corporate restructure (such as Yellowhead Digital → Yellowhead Digital Ltd.) — we will notify registered users by email at the time the change takes effect, accompanied by an updated policy reflecting the new Controller details. Advance notice is not required for this category, consistent with the assignment mechanism in Terms of Service §14.
Non-material updates — including without limitation typographical corrections, sub-processor list updates under Section 4 of this policy, clarifying-language changes that do not alter rights or obligations, and updates to public-facing URLs or document references — we may make without advance notice but will post the updated policy at yellowhead.digital/privacy with an updated "Last Updated" date.
Your continued use of our services after an update constitutes acceptance of the revised policy.