GDPR Compliance

Last Updated: February 19, 2026

Our Commitment to Data Protection

Crystal-fade is committed to protecting the privacy and security of personal data in accordance with the General Data Protection Regulation and applicable Canadian privacy laws. This page outlines how we comply with data protection principles and your rights as a data subject.

We recognize the importance of transparent data handling practices and have implemented policies and procedures to ensure compliance with regulatory requirements.

Legal Basis for Processing

We process personal data only when we have a lawful basis to do so. Our processing activities rely on one or more of the following legal grounds:

  • Contractual Necessity: Processing is essential to fulfill our service agreements with you
  • Consent: You have given explicit permission for specific processing activities
  • Legitimate Interests: Processing serves our legitimate business interests while respecting your rights and freedoms
  • Legal Obligations: Processing is required to comply with applicable laws and regulations

Where we rely on consent, you maintain the right to withdraw it at any time without affecting the lawfulness of prior processing.

Your Rights Under GDPR

As a data subject, you possess specific rights regarding your personal information:

Right of Access

You may request confirmation of whether we process your personal data and obtain a copy of such data along with supplementary information about our processing activities.

Right to Rectification

If you believe your personal data is inaccurate or incomplete, you can request corrections or updates. We will verify the accuracy of new information before making changes.

Right to Erasure

Under certain circumstances, you may request deletion of your personal data, including when it is no longer necessary for the purposes collected, when you withdraw consent, or when you object to processing.

Right to Restriction of Processing

You can request that we limit how we use your data while we verify its accuracy, assess the lawfulness of processing, or when you need the data for legal claims despite our no longer requiring it.

Right to Data Portability

Where technically feasible, you may receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller without hindrance.

Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease such processing unless we demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal effects or similarly significant impacts. Should this change, we will update our practices and notify you accordingly.

Exercising Your Rights

To exercise any of the rights described above, please submit a request via email to [email protected]. Include sufficient information to verify your identity and specify which right you wish to exercise.

We will respond to your request within one month of receipt. In complex cases or when we receive multiple requests, this period may be extended by two additional months, and we will inform you of such extension along with the reasons.

We do not charge a fee for most requests. However, we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded, excessive, or repetitive.

Data Protection Principles

Our data handling practices adhere to core principles established by data protection regulations:

  • Lawfulness, Fairness, and Transparency: We process data legally, fairly, and with clear communication about our practices
  • Purpose Limitation: We collect data for specified, explicit, and legitimate purposes and do not process it in ways incompatible with those purposes
  • Data Minimization: We collect only data that is adequate, relevant, and necessary for our stated purposes
  • Accuracy: We take reasonable steps to ensure personal data is accurate and kept up to date
  • Storage Limitation: We retain data only as long as necessary for the purposes collected or as required by law
  • Integrity and Confidentiality: We implement appropriate security measures to protect against unauthorized or unlawful processing and accidental loss or damage

International Data Transfers

Our primary operations are based in Canada. If we transfer personal data outside Canada or the European Economic Area, we ensure appropriate safeguards are in place, such as:

  • Standard contractual clauses approved by relevant authorities
  • Adequacy decisions confirming the recipient country provides adequate protection
  • Binding corporate rules for transfers within our organization

We will provide information about specific safeguards upon request.

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify relevant supervisory authorities within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in such risk.

If the breach is likely to result in high risk to your rights and freedoms, we will also communicate the breach to you directly without undue delay, providing information about the nature of the breach and measures taken to address it.

Contact and Complaints

For questions, concerns, or requests related to data protection and GDPR compliance, please contact us:

Crystal-fade
Email: [email protected]

You also have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates applicable regulations. In Canada, you may contact the Office of the Privacy Commissioner of Canada.

Updates to This Statement

We may update this GDPR compliance statement periodically to reflect changes in our practices, legal requirements, or regulatory guidance. Material changes will be communicated through our website or direct notification.