Privacy Policy
Last Updated: 2026-04-11
Yellowhead Digital, a business operated by Christopher Enns
1. Who We Are
Yellowhead Digital ("we", "us", "our") is a digital infrastructure analysis business based in British Columbia, Canada, operated by Christopher Enns as a sole proprietorship.
We act as the Data Controller for personal data collected through our website and services.
Contact: privacy@yellowhead.digital
2. What Data We Collect
Account Data
Name, email address, company name, and billing address provided when you create an account or purchase a service.
Diagnostic Inputs
Business URL, domain name, and answers to self-assessment questions you submit when running a Forensic Diagnostic.
Usage Data
Session behaviour, feature usage, report access patterns, and interaction data collected automatically when you use our platform.
Payment Data
All payment processing is handled by Stripe. We do not store credit card numbers or full payment card data. We retain transaction records (amount, date, subscription tier) for billing and tax purposes.
Diagnostic Output Data
Pillar scores, AI-generated findings, and recommendations produced by our diagnostic engine based on your inputs.
Communications
Emails you send us, support enquiries, and transactional emails we send you via our service providers.
Public Business Data
Where you provide a business URL or domain, we may collect publicly available data about that business (social media profiles, website content, publicly listed contact details) as part of delivering the diagnostic service.
Client-Organization Data (Enterprise and Agency Accounts)
Enterprise and Agency account holders may submit business URLs and diagnostic inputs on behalf of their client-organizations. In this context, the account holder acts as the party responsible for the data submission. Yellowhead Digital processes this data on the same basis as any other diagnostic input — we do not have a direct relationship with the agency's client unless that client independently creates a Yellowhead Digital account.
Agency account holders are responsible for:
- Ensuring they have appropriate authority to submit their clients' business information for analysis;
- Informing their clients that diagnostic analysis is performed using third-party AI services (as listed in Section 4 below); and
- Managing access to diagnostic reports and deliverables within their client-organization structure.
3. How We Use Your Data
Service delivery: To create and manage your account, process diagnostic reports, and deliver results.
Billing and payments: To process subscription payments and service invoices via Stripe, and to meet Canadian tax record-keeping requirements.
Communications: To send transactional emails (receipts, report notifications, account alerts) and, where you have consented or where we have a legitimate interest, product updates and service announcements.
Platform improvement: To understand how the platform is used, identify issues, and develop new features.
Organisation and client-organization access: Where you belong to an organisation or agency account, diagnostic reports and account data may be visible to other members of that organisation and, for agency accounts, scoped to the relevant client-organization. The organisation administrator controls member access. If you leave an organisation, your access is removed but organisation-owned data is retained by the organisation.
Aggregate anonymized insights (all tiers):
We use aggregate, de-identified data derived from all service tiers to improve our diagnostic models, develop new product features, produce industry benchmarking reports, and publish anonymized case studies. This data cannot identify you or your business. We do not sell your personal data or business-specific data to third parties.
4. Third-Party Processors
We use the following third-party services to deliver our platform. Each is bound by a Data Processing Agreement (DPA) or equivalent instrument.
| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase | Database hosting | USA (EU region available) | DPA |
| Stripe | Payment processing | USA | PCI-DSS, DPA |
| Vercel | Frontend hosting | Global CDN | DPA |
| Railway | Backend hosting | USA | DPA |
| Resend | Transactional email | USA | DPA |
| OpenAI | AI analysis | USA | DPA / SCCs |
| Google (Gemini) | AI analysis / Places API | USA | DPA / SCCs |
| Perplexity | AI analysis | USA | DPA |
| Apify | Web scraping | EU | DPA |
| Anthropic | AI analysis (Claude) | USA | DPA / SCCs |
| Meta Platforms | Social media data / Meta Pixel / Ad attribution | USA | DPA / SCCs |
| Newsdata.io | News & media data for competitive analysis | EU | DPA |
| Gnews.io | News & media data for competitive analysis | EU | DPA |
| Google Analytics 4 | Usage analytics | USA | DPA / SCCs |
We do not sell your personal data to any third party, for any purpose.
5. Cookies and Tracking
We use the following tracking technologies:
- Google Analytics 4 (GA4): Collects anonymized usage analytics to help us understand how the platform is used.
- Google Tag Manager (GTM): Manages and deploys analytics and marketing tags.
- Necessary cookies: Required for login sessions and security. These do not require consent.
Consent by jurisdiction
We apply a tiered consent model based on your location:
- Tier 1 — Opt-in required (EU/EEA, UK, Switzerland, Brazil, Quebec): Analytics and marketing cookies are blocked until you provide explicit consent via our cookie banner. You can withdraw consent at any time via the "Cookie Preferences" link in the footer.
- Tier 2 — Opt-out (US states with privacy laws, rest of Canada, Australia): Analytics and advertising cookies are enabled by default. You can opt out at any time via the "Do Not Sell or Share My Personal Information" link in the footer.
- Tier 3 — Unregulated regions: Analytics and advertising cookies are enabled by default.
Global Privacy Control (GPC)
We honour the Global Privacy Control (GPC) browser signal. If your browser sends a GPC signal, we treat it as an opt-out of advertising and data-sharing cookies. You may override this by explicitly accepting advertising cookies via the cookie preferences overlay.
Additional opt-out options
All visitors may opt out of GA4 tracking by enabling "Do Not Track" in their browser or by using the Google Analytics Opt-out Browser Add-on.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 2 years after closure |
| Diagnostic reports | 24 months, then anonymized and retained in aggregate |
| Payment records | 7 years (Canadian tax requirement) |
| Support communications | 2 years |
| Analytics data | As per GA4 data retention settings (max 14 months) |
7. Your Rights
EU/UK only — GDPR and UK Data Protection Act 2018
If you are located in the EU or UK, you have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Erasure ("right to be forgotten"): Request deletion of your personal data where there is no compelling reason for us to continue processing it.
- Portability: Receive your data in a structured, machine-readable format.
- Restriction: Ask us to limit how we use your data in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Complaint: Lodge a complaint with your national supervisory authority (e.g. the ICO in the UK, or your EU Member State's DPA).
Brazil — LGPD (Lei Geral de Proteção de Dados)
If you are located in Brazil, you have the right to:
- Confirmation and access: Confirm whether we process your data and request access to it.
- Correction: Request correction of incomplete or inaccurate data.
- Anonymisation, blocking, or deletion: Request anonymisation or deletion of unnecessary or excessive data.
- Data portability: Receive your data in a structured format for transfer to another service.
- Revocation of consent: Withdraw consent at any time for processing based on consent.
- Complaint: File a complaint with the ANPD (Autoridade Nacional de Proteção de Dados).
Quebec — Law 25 (Act Respecting the Protection of Personal Information in the Private Sector)
If you are located in Quebec, you have the right to:
- Access the personal information we hold about you.
- Rectification of inaccurate information.
- Withdrawal of consent for non-essential processing.
- De-indexation: Request that your personal information be de-indexed from search results where dissemination contravenes the law.
- Complaint: File a complaint with the Commission d'accès à l'information du Québec (CAI).
California only — CCPA/CPRA
California residents have the right to:
- Know what personal information we collect and how we use it.
- Delete personal information we hold about you (subject to exceptions).
- Correct inaccurate personal information.
- Opt out of sale: We do not sell personal information. This right is not applicable.
- Non-discrimination: We will not discriminate against you for exercising your privacy rights.
Canada — PIPEDA and BC PIPA
You have the right to:
- Access the personal information we hold about you.
- Correction of inaccurate information.
- Withdraw consent for non-essential processing.
Australia — Australian Privacy Act 1988
You have the right to:
- Access and correction of your personal information.
- Complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the Australian Privacy Principles.
How to Exercise Your Rights
Email privacy@yellowhead.digital with your request. We will respond within 30 days. We may ask you to verify your identity before processing your request.
8. International Data Transfers
Our business is based in Canada, which the EU Commission has recognised as providing an adequate level of data protection. Data transferred to US-based processors is covered by Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms under applicable law.
9. Children
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at privacy@yellowhead.digital and we will delete it promptly.
10. Updates to This Policy
We may update this policy at any time by posting the revised version at yellowhead.digital/privacy. The "Last Updated" date at the top of this page will reflect all changes.
For material changes, we will notify registered users by email before the change takes effect.
Your continued use of our services after an update constitutes acceptance of the revised policy.
Yellowhead Digital
https://yellowhead.digital
privacy@yellowhead.digital