Privacy Policy

Last Updated: June 8, 2026

Tergum ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our high-availability failover service for WordPress websites (the "Service").

We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Canadian provincial privacy legislation, including British Columbia's Personal Information Protection Act (BC PIPA).

1. Definitions

For the purposes of this Privacy Policy:

• "Personal Information" means information about an identifiable individual, as defined under applicable Canadian privacy legislation.
• "Processing" means any operation performed on personal information, including collection, use, disclosure, storage, and deletion.
• "You" or "your" refers to the individual whose personal information we process.

2. Information We Collect

2.1 Information You Provide Directly

When you register for and use our Service, you provide:

• Account Information: Full name, email address, and password when you create an account
• Billing Information: Payment card details (processed securely by Stripe, our payment processor; we store only the last 4 digits, card brand, and expiry date)
• Server Configuration Data: Server hostnames, IP addresses, DNS credentials, and Cloudflare API tokens that you provide during setup
• Communications: Messages, attachments, and information you provide when contacting our support team

2.2 Information Collected Automatically

When you use the Service, we automatically collect:

• Server Metrics: CPU usage, memory usage, disk space, database replication lag, and health status from servers running our Agent software
• Uptime Data: Website response times, HTTP status codes, uptime status, and failover events
• Dashboard Usage: IP addresses, browser type, operating system, device type, access times, and pages visited when using the dashboard
• Feature Usage: Actions taken within the Service, configuration changes, and feature utilization patterns
• Log Data: System logs, error logs, and security event logs

2.3 Information We Do NOT Collect

To protect your privacy, we specifically do NOT:

• Access, read, inspect, or store the content of your websites or web pages
• Access the actual data stored in your databases (we only monitor replication status metadata such as lag time and position)
• Collect personal information about your website visitors or end users
• Track your browsing activity outside of our dashboard
• Engage in behavioral advertising, sell, or otherwise disclose your personal information to third parties for marketing purposes.

3. Legal Basis and Consent for Processing

3.1 Consent

By creating an account and using our Service, you consent to our collection, use, and disclosure of your personal information as described in this Privacy Policy. For specific sensitive operations, we obtain additional explicit consent:

• When you provide server credentials and API tokens, you explicitly consent to our storage and use of these credentials to operate the Service
• When you enable optional features such as email notifications or integrations, you consent to associated data collection and processing

3.2 Withdrawal of Consent

You may withdraw your consent at any time by contacting [email protected] or by canceling your account. However, withdrawal of consent may affect our ability to provide the Service to you. We will explain the implications before processing your withdrawal request.

3.3 Other Legal Bases

We may process your personal information without consent where:

• Required to fulfill our contractual obligations under the Terms of Service
• Necessary to comply with legal obligations (such as tax reporting or responding to valid legal requests)
• Necessary to protect vital interests (such as preventing harm or fraud)
• Required for legitimate business interests that do not override your privacy rights

4. How We Use Your Information

We use the personal information we collect for the following purposes:

• Service Delivery: To provide, operate, maintain, and improve the Service, including monitoring server health, triggering failover events, and synchronizing data
• Alerts and Notifications: To send you alerts about server status, failover events, replication issues, and service updates
• Account Management: To manage your account, process payments, and handle subscription renewals
• Customer Support: To respond to your inquiries, troubleshoot issues, and provide technical assistance
• Service Improvement: To analyze usage patterns, identify bugs, and develop new features
• Security: To detect, prevent, and address technical issues, security threats, fraud, and abuse
• Legal Compliance: To comply with applicable laws, regulations, legal processes, and enforceable governmental requests
• Communications: To send you service-related announcements, updates to our terms or policies, and responses to your communications (we do not send marketing emails without separate opt-in consent)

5. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

We may share your personal information only in the following limited circumstances:

5.1 Service Providers

We engage trusted third-party service providers to assist in operating the Service. These providers are contractually obligated to:

• Process personal information only as instructed by us
• Maintain confidentiality and security of your information
• Comply with PIPEDA or equivalent privacy protections

Our current service providers include:

• Stripe: Payment processing (stripe.com/privacy)
• Cloudflare: DNS management and tunnel services (cloudflare.com/privacypolicy)
• Supabase: Authentication and database services (supabase.com/privacy)
• Infrastructure providers: Cloud hosting services for our platform

Each service provider is bound by Data Processing Agreements (DPAs) requiring PIPEDA-compliant or equivalent handling of personal information. We update this list as our service providers change.

5.2 Legal Requirements

We may disclose your personal information when required by law or in response to:

• Valid legal processes such as search warrants, subpoenas, or court orders
• Legally-binding requests from government authorities or law enforcement
• Requirements under Canadian tax law or financial regulations

Where legally permitted, we will notify you of such requests unless prohibited by law or court order.

5.3 Protection of Rights and Safety

We may disclose personal information if we believe in good faith that it is necessary to:

• Protect the rights, property, or safety of Tergum, our users, or the public
• Detect, prevent, or respond to fraud, security issues, or technical problems
• Enforce our Terms of Service or other agreements
• Respond to claims that content violates the rights of third parties

5.4 Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, bankruptcy, or similar business transaction, your personal information may be transferred to the successor entity. We will:

• Provide notice to affected users via email at least 30 days before the transfer
• Require the successor entity to honor this Privacy Policy or obtain your fresh consent
• Provide you with the opportunity to delete your account before the transfer, if desired

6. International Data Transfers

6.1 Data Storage Locations

Your personal information may be stored and processed in the following locations:

• Canada: Primary storage location for account data and billing information (subject to PIPEDA and BC PIPA).
• United States: Server metrics and log data stored with our infrastructure providers (AWS, Google Cloud, or Azure) under Standard Contractual Clauses that provide PIPEDA‑equivalent protection.
• European Union: Backup and redundancy systems (where applicable) protected by EU Standard Contractual Clauses; we do not process personal information in the EU unless required for redundancy and with appropriate safeguards.

6.2 Safeguards for International Transfers

When we transfer personal information outside of Canada, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses: We use standard contractual clauses approved by the Office of the Privacy Commissioner of Canada
• Data Processing Agreements: All service providers are bound by DPAs requiring PIPEDA-equivalent protections
• Encryption: All data transfers use TLS 1.2 or higher encryption
• Access Controls: Strict access controls limit who can view personal information
• Legal Assessment: We regularly assess the legal frameworks in destination countries to ensure adequate protection

6.3 Your Rights Regarding International Transfers

You have the right to:

• Withdraw consent for international transfer (which may affect our ability to provide the Service)
• Request information about the specific safeguards in place for your data
• File a complaint with the Office of the Privacy Commissioner of Canada if you believe your information is not adequately protected

7. Data Retention

We retain personal information only as long as necessary to fulfill the purposes for which it was collected or as required by law:

• Account Data: Retained while your account is active and for 90 days after account deletion (to allow for account recovery), then permanently deleted
• Server Metrics and Logs: Retained for 90 days for operational analysis and troubleshooting, then deleted or anonymized
• Billing Records: Retained for 7 years as required by Canadian tax law (Canada Revenue Agency requirements)
• Support Communications: Retained for 2 years after the last interaction to maintain service quality and training records
• Security Logs: Retained for 1 year to support security investigations and comply with cybersecurity best practices

You may request deletion of your personal information at any time by contacting [email protected], subject to legal retention requirements. We will confirm deletion within 30 days of completing the deletion process.

8. Data Security

We implement appropriate technical, organizational, and physical security measures to protect your personal information against unauthorized access, disclosure, alteration, and destruction:

8.1 Technical Safeguards

• Encryption in Transit: All data transmitted to and from our Service uses TLS 1.2 or higher encryption
• Encryption at Rest: Sensitive credentials (API tokens, server passwords, Cloudflare credentials) are encrypted at rest using AES-256 encryption
• Secure Communications: All communications between your servers and our platform use encrypted channels (Tailscale VPN, HTTPS, SSH)
• Database Security: Production databases are encrypted and access is restricted to authorized systems only
• Network Segmentation: Our infrastructure uses network segmentation to limit the impact of potential breaches

8.2 Organizational Safeguards

• Access Controls: Access to personal information is restricted to authorized personnel on a need-to-know basis
• Authentication: Multi-factor authentication (MFA) is required for all administrative access
• Audit Logging: All access to personal information is logged and regularly audited
• Employee Training: All employees and contractors receive regular training on privacy and security best practices
• Confidentiality Agreements: All personnel with access to personal information sign confidentiality agreements

8.3 Ongoing Security Practices

• Regular security assessments and penetration testing
• Prompt application of security patches and updates
• Continuous monitoring for security threats and anomalies
• Incident response procedures for security breaches
• Annual review and update of security practices

8.4 Limitations

While we implement industry-standard security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your personal information. You use the Service at your own risk and are responsible for maintaining the security of your account credentials.

9. Data Breach Notification

In the event of a data breach that poses a real risk of significant harm to affected individuals:

• We will notify the Office of the Privacy Commissioner of Canada as soon as feasible, and in any event within 72 hours of becoming aware of the breach (as required under PIPEDA)
• We will notify affected individuals directly via email within 72 hours of discovering the breach
• Notifications will include: the nature of the breach, the personal information affected, steps we are taking to mitigate harm, steps you can take to protect yourself, and contact information for questions
• We will maintain a record of all breaches and our response actions
• We will cooperate fully with privacy authorities in investigating and remediating breaches

10. Your Privacy Rights Under Canadian Law (PIPEDA & BC PIPA)

Under PIPEDA and BC PIPA, you have the following rights:

10.1 Right of Access

You have the right to request a copy of the personal information we hold about you. We will provide this information within 30 days of your request, in a commonly used electronic format where possible. We may charge a reasonable fee for access requests that require significant effort or resources. You may also request a portable copy (CSV/JSON) under the right to data portability (see §10.5).

10.2 Right to Correction

You may request correction of inaccurate or incomplete personal information. We will correct or complete the information within 30 days and notify any third parties to whom the information was disclosed, where appropriate.

10.3 Right to Deletion (and Right to be Forgotten where applicable)

You may request deletion of your personal information, subject to legal exceptions such as:

• Information required for legal or tax purposes (e.g., 7‑year retention of billing records as required by the Canada Revenue Agency).
• Information necessary to complete an ongoing transaction or fulfill a contract.
• Information required for legal claims or defense.

Where BC PIPA provides a “right to be forgotten” (e.g., for information that is no longer necessary for the purpose for which it was collected), we will honor such requests unless a legal retention period applies.

10.4 Right to Withdraw Consent

You may withdraw consent for processing at any time. We will explain any consequences of withdrawal (such as inability to provide the Service) and will cease processing unless we have another legal basis to continue.

10.5 Right to Data Portability

You may request a copy of your personal information in a structured, commonly used, and machine-readable format (such as CSV or JSON) to facilitate transfer to another service provider.

10.6 Right to Lodge a Complaint

If you believe we have not complied with Canadian privacy law, you have the right to lodge a complaint with:

Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec K1A 1H3
Toll-free: 1-800-282-1376
Website: www.priv.gc.ca

For British Columbia residents, you may also contact:

Office of the Information and Privacy Commissioner for British Columbia
Website: www.oipc.bc.ca

10.7 How to Exercise Your Rights

To exercise any of these rights, please contact our Privacy Officer at [email protected] with:

• Your full name and account email address
• A clear description of your request
• Proof of identity (to protect your information from unauthorized access)

We will respond to your request within 30 days. If we need additional time, we will notify you and explain the reason for the delay.

11. Cookies and Tracking Technologies

11.1 Essential Cookies

We use only essential cookies that are strictly necessary for the operation of the Service:

• Session Management: To maintain your login session and keep you signed in
• Security: To implement CSRF (Cross-Site Request Forgery) protection and prevent security attacks
• Preferences: To remember your dashboard settings and preferences

11.2 What We Do NOT Use

We do NOT use:

• Advertising cookies or tracking pixels
• Third-party analytics services (such as Google Analytics) that track you across websites
• Social media tracking or sharing cookies
• Behavioral advertising or retargeting technologies

11.3 Managing Cookies

You can configure your browser to refuse cookies, but this may affect your ability to use the Service. Most browsers allow you to view and delete cookies through their settings.

12. Third-Party Services

The Service integrates with third-party services that have their own privacy policies. We encourage you to review their policies:

• Stripe (payment processing): stripe.com/privacy
• Cloudflare (DNS and tunnel services): cloudflare.com/privacypolicy
• Supabase (authentication services): supabase.com/privacy

When you use these services through our platform, you are also subject to their privacy policies. We select service providers that maintain high privacy and security standards, but we are not responsible for their privacy practices.

13. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at [email protected]. We will promptly delete such information from our systems.

14. Privacy by Design and Default

We incorporate privacy considerations into the design and operation of our Service:

• Data Minimization: We collect only the minimum personal information necessary to provide the Service
• Purpose Limitation: We use personal information only for the purposes for which it was collected
• Security by Default: Privacy-protective settings are enabled by default
• Transparency: We provide clear information about our data practices
• End-to-End Protection: Privacy is maintained throughout the data lifecycle, from collection to deletion

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. We will:

• Post the updated Privacy Policy on our website at tergum.ca/privacy
• Update the "Last Updated" date at the top of this policy
• Notify you of material changes by email at least 30 days before they take effect
• Display a prominent notice in the dashboard for significant changes

Material changes include: changes to the purposes for which we use personal information, sharing with new categories of third parties, transfers to new countries, or reduction of your rights. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.

16. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact our Privacy Officer:

Privacy Officer
Tergum
Email: [email protected]
Website: https://tergum.ca

For general support inquiries: [email protected]
For legal inquiries: [email protected]

We will respond to all privacy-related inquiries within 30 days.