Privacy Policy

We collect only the information necessary to provide our services. This includes:

• Account information: Name, email address, company name (optional), and a password stored as a salted hash.
• Billing information: Billing address and payment method details processed via Stripe or PayPal — we do not store full card numbers.
• Service usage data: IP addresses, resource consumption (CPU, RAM, bandwidth), server logs, and support ticket content.
• Communications: Emails and support tickets you submit to us.
• Technical data: Browser type, operating system, and referring URL collected automatically when you visit our website.

We use collected information for the following purposes:

• Provision, configuration, and management of your hosting services
• Processing payments and issuing invoices
• Communicating service updates, maintenance windows, and security alerts
• Responding to support requests and resolving technical issues
• Detecting and preventing abuse, fraud, or unauthorized access
• Complying with legal obligations and responding to lawful requests
• Improving our infrastructure, website, and service offerings

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

We process your personal information on the following legal grounds under PIPEDA and Quebec Law 25:

• Consent: You provided explicit consent at account creation.
• Contract performance: Processing is necessary to deliver the services you purchased.
• Legitimate interest: Security monitoring, fraud prevention, and service improvement.
• Legal obligation: Compliance with applicable Canadian and Quebec laws.

We retain personal information only as long as necessary:

• Active accounts: Retained for the duration of your service agreement.
• Closed accounts: Data retained for 12 months after closure, then securely deleted.
• Financial records: Invoices and payment records retained for 7 years as required by Canadian tax law.
• Server/access logs: Retained for 90 days for security purposes.
• Support tickets: Retained for 24 months, then anonymized or deleted.

We do not sell your data. We may share limited information with these trusted providers, all bound by confidentiality agreements:

• Payment processors: Stripe and/or PayPal — for payment processing only.
• Email delivery: Transactional email provider for service notifications and invoices.
• Infrastructure providers: Data centre colocation partners in Montreal, Quebec.
• Security services: DDoS mitigation and network security providers.

We may also disclose information when required by law or to protect the rights, property, or safety of NordServ, its clients, or the public.

In the event any service provider processes data outside Canada, we will ensure adequate protections are in place and notify you as required by Law 25.

We implement industry-standard technical and organizational measures, including:

• TLS 1.3 encryption for all data in transit
• AES-256 encryption for sensitive data at rest
• Bcrypt password hashing with per-user salts
• Two-factor authentication available on all accounts
• Firewall and intrusion detection systems
• Regular security audits and vulnerability assessments
• Role-based access control — staff access only what is necessary
• Encrypted offsite backups stored in Canada

While we take every reasonable precaution, no security system is impenetrable. We encourage you to use a strong, unique password and enable two-factor authentication.

Our website uses a minimal set of cookies strictly necessary for functionality:

• Session cookies: Required to maintain your logged-in state in the billing portal.
• Preference cookies: Store your language preference (EN/FR) and UI settings.
• Security cookies: CSRF tokens to protect form submissions.

We do not use advertising cookies, third-party tracking pixels, Google Analytics, or any behavioural analytics tools.

Under PIPEDA and Quebec Law 25, you have the following rights:

• Right of access: Request a copy of the personal information we hold about you.
• Right of rectification: Request correction of inaccurate or incomplete information.
• Right of erasure: Request deletion of your personal information, subject to legal retention requirements.
• Right to withdraw consent: Withdraw consent at any time, which may affect your ability to use our services.
• Right to data portability: Receive your data in a structured, machine-readable format.
• Right to object: Object to processing based on legitimate interest.
• Right to lodge a complaint: File a complaint with the OPC or the Commission d’accès à l’information du Québec.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days as required by law.

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected information from a minor, please contact us immediately at [email protected] and we will promptly delete such information.

Notifications will include a description of the breach, the type of information involved, steps taken, and recommended protective measures.

Our website may contain links to third-party websites such as payment processors or status pages. These sites have their own privacy policies, and we are not responsible for their practices. We encourage you to review the privacy policy of any external site you visit.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email at least 14 days before they take effect and update the Effective Date at the top of this page. Your continued use of our services after that date constitutes acceptance of the revised policy.

A full revision history is available upon request.

For privacy-related questions, access requests, or complaints, contact our Privacy Officer:

If you are not satisfied with our response, you may also contact:

• Office of the Privacy Commissioner of Canada — priv.gc.ca
• Commission d’accès à l’information du Québec — cai.gouv.qc.ca