Legal
Privacy Policy
Effective Date: May 17, 2026 · Last Updated: May 17, 2026
1. Introduction
TheMarkups Canada Inc. ("we", "our", or "us") operates the CATAAM platform at cataam.com and app.cataam.com. This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our Service.
By using CATAAM, you consent to the data practices described in this policy.
2. Information We Collect
Account Information: Name, email address, organization name, phone number, job title, and password when you register.
Compliance & Audit Data: Documents, policies, evidence files, audit results, control assessments, and other compliance materials you upload or generate using the Service.
Payment Information: Billing address and payment method details. Payment card data is processed by Stripe and never stored on our servers.
Usage Data: IP address, browser type, pages visited, feature usage, and session duration collected automatically via server logs and analytics tools.
Integration Data: Credentials and data from third-party tools you connect (AWS, GitHub, Jira, etc.) for evidence harvesting purposes.
3. How We Use Your Information
- To provide, operate, and improve the CATAAM platform
- To process payments and manage billing for subscriptions and partner invoices
- To send transactional emails (account verification, invoices, security alerts)
- To generate compliance reports and audit trail records on your behalf
- To provide customer support and respond to inquiries
- To detect and prevent fraud, abuse, and security incidents
- To comply with legal obligations
- To send product updates and compliance news (you can opt out at any time)
4. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We share data only in the following circumstances:
Service Providers: We share data with trusted third-party providers (AWS for hosting, Stripe for payments, SendGrid for email) bound by data processing agreements.
Partner Accounts: If your organization is managed by a CISO Reseller or CPA Partner, that partner has access to your organization's compliance data within the platform.
Legal Requirements: We may disclose data if required by law, court order, or government authority.
Business Transfer: In the event of a merger, acquisition, or sale of assets, data may be transferred to the acquiring entity subject to the same privacy protections.
5. Data Retention
We retain your account and compliance data for as long as your account is active. After account termination, we retain data for 90 days to allow data export, then delete it unless legally required to retain it longer.
Anonymized analytics data may be retained indefinitely.
6. Security
We implement industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest, role-based access control, and regular security assessments. However, no system is completely secure, and we cannot guarantee absolute security.
In the event of a data breach, we will notify affected users and regulators as required by applicable law.
7. Cookies and Tracking
We use session cookies for authentication and localStorage for user preferences. We use analytics tools to understand platform usage. You can disable cookies in your browser settings, but this may affect platform functionality.
We do not use advertising tracking pixels or third-party ad networks.
8. International Data Transfers
CATAAM is hosted on AWS infrastructure, which may process data in multiple regions. By using the Service, you consent to cross-border data transfers. We ensure such transfers are protected by appropriate safeguards.
9. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Objection — object to certain types of processing
- Withdraw consent — for processing based on consent
To exercise these rights, contact us at privacy@themarkups.com. We will respond within 30 days.
10. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware of such collection, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you by email or in-platform notice for material changes. The updated policy will be effective upon posting with the revised date.
12. Contact Us
For privacy-related questions or to exercise your rights:
TheMarkups Canada Inc. — Data Privacy Mississauga, Ontario, Canada Email: privacy@themarkups.com