GDPR Compliance
Last updated: June 2026
magenta-geyser is committed to protecting the personal data of all individuals, including those residing in the European Economic Area (EEA), United Kingdom, and Switzerland. This page outlines how we comply with the General Data Protection Regulation (GDPR) and related data protection laws.
Our Role as Data Controller
For the personal data we collect and process, magenta-geyser acts as the data controller. This means we determine the purposes and means of processing your personal data and are responsible for ensuring that processing is carried out in compliance with applicable data protection laws.
Legal Basis for Processing
We process personal data only when we have a valid legal basis to do so. The legal bases we rely on include:
Consent
For marketing communications and certain analytics cookies, we rely on your explicit consent. You may withdraw consent at any time by contacting us or using the unsubscribe links in our communications.
Contractual Necessity
When you enroll in our programs, we process your data as necessary to fulfill our contractual obligations to you, including providing access to program materials and communications related to your enrollment.
Legitimate Interests
We may process data based on our legitimate interests, such as improving our services, ensuring website security, and communicating with you about your inquiries. We balance these interests against your rights and freedoms.
Legal Obligation
We may process data when required by law, such as for tax and accounting purposes or in response to valid legal requests.
Your Rights Under GDPR
If you are located in the EEA, UK, or Switzerland, you have the following rights regarding your personal data:
Right of Access
You have the right to request a copy of the personal data we hold about you. We will provide this information in a commonly used electronic format.
Right to Rectification
You have the right to request correction of inaccurate personal data or completion of incomplete data.
Right to Erasure
You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.
Right to Restriction
You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.
Right to Object
You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we demonstrate compelling legitimate grounds.
Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe your rights have been violated.
Exercising Your Rights
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one month. In complex cases, we may extend this period by up to two additional months, but we will inform you of any extension and the reasons for it.
We may need to verify your identity before processing your request. We will not charge a fee for processing your request unless it is manifestly unfounded or excessive.
International Data Transfers
As we are based in Canada, your data may be transferred to and processed in Canada. Canada has been recognized by the European Commission as providing adequate protection for personal data. For any transfers to countries without an adequacy decision, we implement appropriate safeguards such as standard contractual clauses.
Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected. Retention periods vary depending on the type of data and our legal obligations:
- Inquiry data: 2 years after last contact
- Program enrollment data: Duration of program plus 7 years
- Financial records: As required by tax laws (typically 7 years)
- Marketing consent records: Until consent is withdrawn plus 2 years
Data Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit and at rest
- Access controls limiting who can access personal data
- Regular security assessments
- Staff training on data protection
- Incident response procedures
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours. If the breach is likely to result in a high risk to you, we will also notify you directly.
Children's Data
Our services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without appropriate consent, we will take steps to delete it.
Automated Decision-Making
We do not currently engage in automated decision-making that produces legal effects or similarly significantly affects you.
Contact Our Data Protection Team
For any questions about this GDPR notice or our data protection practices, please contact:
Data Protection Contact
magenta-geyser
147 Spadina Avenue, Suite 302
Toronto, Ontario M5V 2L7
Canada
[email protected]
Updates to This Notice
We may update this GDPR compliance notice from time to time. We will notify you of significant changes through our website or by email, if you have provided an email address.