Legal
Privacy Policy
Introduction
Steelhead is a boutique artificial intelligence consulting firm based in Calgary, Alberta, Canada. We build custom AI systems for small and mid-market businesses.
This privacy policy explains how we collect, use, store, and protect your personal information when you visit our website at steelheadai.com. It applies exclusively to data collected through this website and does not cover information handling practices related to individual client engagements, which are governed by separate agreements.
This policy is designed to comply with Alberta's Personal Information Protection Act (PIPA) and Canada's Anti-Spam Legislation (CASL).
Information We Collect
We collect a limited set of information through two channels: data you provide directly and data collected automatically.
Information You Provide Directly
| Source | Data Collected |
|---|---|
| Contact form | Name, email address, company name, message content |
| Newsletter signup | Email address only |
Information Collected Automatically
| Service | Data Collected |
|---|---|
| Plausible Analytics | Page URLs, referrer URLs, device type, browser, country/region/city (derived from IP address; raw IP is never stored), dwell time |
| Cloudflare | IP address and user-agent string (processed ephemerally for security purposes only) |
We do not collect financial data, biometric data, health information, or data from minors through this website.
How We Use Your Information
Responding to inquiries. When you submit a contact form, we use the information you provide to review your message and respond. The legal basis is implied consent: by voluntarily submitting your contact details, you create a reasonable expectation of a response.
Sending newsletters. If you subscribe to our newsletter, we use your email address to send periodic industry insights and firm updates. The legal basis is express consent, established through your affirmative opt-in action at the point of subscription. This is fully compliant with Canada's Anti-Spam Legislation (CASL). Every newsletter includes an unsubscribe link.
Website security. Cloudflare processes IP addresses and user-agent strings to protect the website from automated attacks, bot traffic, and other threats. The legal basis is legitimate interest in maintaining a safe and available website.
Improving content and user experience. Plausible Analytics collects anonymized, aggregate data about how visitors interact with the website. Because this data is fully anonymized at the point of collection (no raw IP addresses are stored, no cookies are used, and no cross-site tracking occurs), it does not constitute personal information under PIPA. We use these aggregate statistics to understand which content resonates, identify navigation issues, and improve the overall experience.
Third-Party Service Providers
We work with a small number of specialized service providers to operate this website. Each provider functions as a data processor, operating under our documented instructions and bound by a Data Processing Agreement (DPA).
| Provider | Purpose | Data Handled | Processing Location | Certification |
|---|---|---|---|---|
| Formspree | Contact form submissions | Name, email, company, message, IP address | United States (AWS) | SOC 2 Type 2 |
| Beehiiv | Newsletter delivery | Email address, subscription status, engagement metrics | United States (AWS) | SOC 2 Type 1 |
| Cloudflare | DNS, CDN, WAF, bot management | IP address, user-agent, edge routing metadata | Global edge network | N/A |
| Plausible Analytics | Privacy-first website analytics | Anonymized page views, referrers, device type, geography | EU (Germany, Hetzner) | N/A |
All processors operate under Data Processing Agreements that restrict use of your data to the specific services described above.
Cross-Border Data Transfers
Data submitted through our contact form and newsletter signup is processed by Formspree and Beehiiv on infrastructure located in the United States. When your personal information is transferred to the US, it becomes subject to US law, including the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which grants US authorities the ability to compel US-based service providers to disclose data stored on their servers.
Website analytics data is processed by Plausible Analytics exclusively within the European Union, on Hetzner servers in Germany.
Cloudflare processes web traffic at the edge node nearest to the visitor's geographic location.
We maintain contractual safeguards with all vendors, including Data Processing Agreements that limit data use to the contracted service and prohibit secondary exploitation of your information.
Cookies and Tracking
We do not use marketing cookies or analytics cookies. Plausible Analytics operates entirely without cookies, local storage, or persistent identifiers.
Cloudflare may set a single essential security cookie called __cf_bm. This cookie is part of Cloudflare's bot management system. It is session-only, expires within approximately 30 minutes, does not store personally identifiable information, and does not track users across websites.
Because we use no non-essential cookies, no cookie consent banner is required under current privacy regulations. The cookie banner included on this website was built as a precaution for future-proofing; if our technology stack changes to include non-essential cookies, we will implement proper consent management at that time.
You can manage or delete cookies at any time through your browser's privacy settings.
Data Retention
| Data Type | Retention Period |
|---|---|
| Contact form submissions | Retained for the duration of any resulting engagement. If no engagement materializes, purged within 12 months of the last communication. |
| Newsletter subscribers | Retained while actively subscribed. On unsubscribe, moved to a suppression list (to prevent accidental re-subscription). Suppressed data purged within 24 months. |
| Plausible Analytics data | Fully anonymized at collection. Retained indefinitely as aggregate statistics with no personal identifiers. |
| Cloudflare security logs | Ephemeral. Automatically purged within 24 hours to 7 days depending on log type. |
Your Privacy Rights
Under Alberta's Personal Information Protection Act (PIPA), you have the following rights regarding your personal information:
- Right to access. You may request a copy of the personal information we hold about you, along with details of how it has been used and to whom it has been disclosed.
- Right to correction. If your personal information is inaccurate, incomplete, or out of date, you may request that we correct it.
- Right to deletion. You may request the permanent erasure of your personal data from our systems and those of our processors.
- Right to data portability. You may request a copy of your personal information in a structured, machine-readable format (CSV or JSON).
- Right to withdraw consent. For newsletter subscriptions, you can withdraw consent at any time by clicking the unsubscribe link in any email. No penalty or detriment will result.
- Right to contest automated decisions. You have the right to challenge any decision made solely by automated means that materially affects you. This right is not currently applicable to this website, as we do not use automated decision-making.
To exercise any of these rights, email the Privacy Officer using the contact information at the bottom of this page. We will verify your identity before processing your request. We will respond within 45 calendar days. There is no charge for exercising your privacy rights.
Data Security
We implement a range of technical and administrative measures to protect your personal information:
- Encryption in transit: All data transmitted between your browser and our website is secured with TLS 1.2 or higher.
- Encryption at rest: Contact form data stored by Formspree is encrypted using AES-256 block-level storage encryption.
- Anonymized analytics: Plausible Analytics uses rotating 24-hour salted hashes to generate anonymous visitor identifiers. Raw IP addresses are never stored.
- Web Application Firewall: Cloudflare WAF continuously monitors incoming traffic for SQL injection, cross-site scripting, and other attack vectors.
- Access controls: All administrative accounts use multi-factor authentication (MFA). Access is governed by the principle of least privilege.
AI and Automated Decision-Making
We do not use personal information submitted through this website to train AI models. Contact form submissions, newsletter signups, and all other user-provided data are strictly ring-fenced from any machine learning or generative AI training processes.
We do not use automated decision-making or algorithmic profiling on website visitors. Every inquiry submitted through our contact form is reviewed and responded to by a human.
If we introduce AI-powered tools on this website in the future (such as chatbots or automated triage systems), we will update this policy before deployment, clearly describe the tool's capabilities and the data it processes, and provide a mechanism for you to request direct human interaction instead.
Children's Privacy
Our services are directed at businesses (B2B). We do not knowingly collect personal information from individuals under the age of majority in Alberta. If we become aware that we have collected data from a minor, we will delete it promptly.
Changes to This Policy
We may update this privacy policy from time to time. For routine changes (corrections, formatting), we will update the effective date at the top of this page.
For material changes (new data categories, new processors, new processing purposes), we will notify newsletter subscribers by email and display a notification banner on the homepage for 30 days.
Contact Us
For any privacy-related questions or to exercise your rights, contact our Privacy Officer:
Steelhead
Attn: Privacy Officer
[TODO: Corporate Address]
Calgary, Alberta, Canada
[TODO: Postal Code]
Email: [TODO: privacy@steelheadai.com]
If you are not satisfied with our response, you have the right to file a complaint with the provincial regulator:
Office of the Information and Privacy Commissioner of Alberta
410-9925 109 Street NW
Edmonton, AB T5K 2J8
Toll Free: 1-888-878-4044
Website: www.oipc.ab.ca
This privacy policy is a working draft prepared for operational transparency. It will be reviewed by a qualified Alberta privacy lawyer before publication.