Privacy Policy

1. Who We Are

Hexafusion IT Solutions ("Hexafusion," "we," "us," or "our") is the organization responsible for the collection, use, and disclosure of personal information described in this Privacy Policy. Our principal place of business is at 250 - 997 Seymour St, Vancouver, BC V6B 3M1, Canada.

We do not sell your personal information. We do not share it with third parties for their own marketing, advertising lists, or data brokerage. We collect and use information solely to operate our websites securely, to measure and improve our own business marketing, to respond when you contact us, and to protect our infrastructure and visitors from security threats. Service providers that process data on our behalf do so under appropriate contractual safeguards, as described in Section 6.

2. Scope

This policy applies to personal information collected through our public websites (including hexafusion.com and any preview or staging URLs we operate under the same brand), contact and quote request forms, interactive tools that collect identifiable input (such as a security checklist or quiz where you choose to submit results), and communications you initiate with us.

It does not replace or supplement a signed client agreement or data processing addendum that governs information handled in the course of delivering managed IT services. Those arrangements are governed by their respective contracts.

3. What We Collect

We may collect the following categories of personal information:

• Contact details: name, business name, email address, and phone number submitted through our contact or quote request forms.
• Quote and engagement context: when you request a quote, we may collect operational details you choose to provide, such as approximate user or device counts, office locations, industry, compliance or insurance selections, current IT arrangement, and free-text descriptions of goals or challenges. This information helps us scope a proposal and is treated as business contact information.
• Communications: the content of messages, notes, and form fields you send us.
• Technical and device data: IP address, web browser type and version, operating system, device type, screen resolution, preferred language, referring page, pages visited, time spent on pages, and approximate geographic location derived from your IP address. This data is collected automatically when you visit our websites.
• Geolocation data: we use your IP address to determine your approximate country, province or state, and city. We use this information to customize your experience on our website (for example, pre-selecting your region on forms), to enforce geographic service restrictions (Hexafusion serves organizations headquartered in Canada), and for security monitoring purposes as described in Section 4.
• Cookies and similar technologies: identifiers used for essential site operation, security, and measurement. See Section 8 for details.
• Security and threat assessment data: our automated security systems review each visitor’s technical profile, including IP address, geographic location, browser fingerprint, request patterns, and behavioural signals, to assess potential security risks and detect malicious intent. This assessment may include classifying traffic by risk level and logging activities that trigger security rules. See Section 4 for how this information is used.
• Bot and abuse signals: when you use forms protected by Cloudflare Turnstile, Cloudflare may process technical data and tokens to distinguish human visitors from automated abuse. We do not receive government identification or similar documents from Turnstile.
• Business domain enrichment: when you enter a business email address on our contact or quote forms, your browser may request publicly available company metadata from third-party services (such as Clearbit) so we can display a company name or logo. That request is made from your device. We may also store the business details you submit as part of your inquiry.

We do not intentionally collect sensitive personal information (such as health data, financial account numbers, or government identifiers) through our websites. Please do not submit such information in web forms unless we explicitly request it under a separate secure process.

4. How We Use Your Information

We use personal information for the following purposes:

4.1 Security and Threat Prevention

Protecting our infrastructure, our visitors, and our clients is a core priority. Our automated security systems continuously monitor website traffic to detect and prevent unauthorized access, fraud, abuse, spam, bot activity, and other security threats. As part of this process, we may:

• Analyse your IP address, geographic location, browser configuration, and browsing behaviour to assess the security risk associated with your visit.
• Log website activity, including pages visited, form interactions, request frequency, and technical identifiers, where our security systems determine that such logging is warranted based on risk indicators.
• Temporarily or permanently block access from IP addresses, geographic regions, or browser profiles that exhibit patterns consistent with malicious activity, automated scraping, or abuse.
• Use challenge mechanisms (such as Cloudflare Turnstile) on forms to verify that submissions originate from human visitors.
• Retain security logs for a reasonable period to support incident investigation and to comply with legal obligations.

These security measures are applied automatically and are necessary to protect the integrity of our websites and the safety of all visitors. Security logs collected for this purpose are used exclusively for threat detection, incident response, and compliance, and are not used for marketing or shared with third parties except as described in Section 6.

4.2 Customizing Your Experience

We use technical and geolocation data to personalize your experience on our website. For example, we may pre-select your country or province on forms based on your IP address, display content relevant to your region, or adjust form fields based on the nature of your inquiry. This customization is intended to make the website more relevant and efficient for business visitors.

4.3 Marketing and Analytics

• Measure whether our advertising drives useful visits to our site (for example, through Google Ads tags and conversion-related events). Where required, we rely on consent or legitimate interest as described in Section 5.
• Understand aggregate visitor patterns to improve website layout, content, and performance.

4.4 Communications and Service Delivery

• Respond to your inquiries and communicate with you about our services, including preparing quotes and following up as you would reasonably expect after a request.
• Comply with legal obligations applicable to our business in British Columbia and Canada.

We do not sell personal information. We do not share visitor data with third parties so they can market their own products to you. We do not use website form data to build consumer profiles for sale.

5. Legal Bases (PIPEDA and BC PIPA)

Our primary privacy framework is Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA) and British Columbia’s Personal Information Protection Act (PIPA). We collect, use, and disclose personal information with your consent (express or implied, including consent obtained through form submission and through cookie banners or browser controls where applicable) or as otherwise permitted by applicable law.

Certain data collection, particularly for security monitoring and threat prevention as described in Section 4.1, is carried out without individual consent where it is reasonable to do so for the purpose of detecting, investigating, or preventing fraud or other illegal activity, as permitted under PIPEDA section 7(1)(b) and BC PIPA section 12(1)(g). This exception is applied narrowly and only to the extent necessary to protect our websites, our visitors, and our infrastructure.

Where we use third-party measurement or advertising technologies, we configure them to align with Canadian expectations for business-to-business marketing and we honour applicable opt-out and browser controls to the extent technically feasible.

If you are located in the European Economic Area, United Kingdom, or certain U.S. states with comprehensive privacy laws, additional rights or disclosures may apply. Please contact us if you have questions about our legal basis for processing in your jurisdiction.

6. Sharing and Disclosure

We do not sell personal information. We do not share it with data brokers or unrelated companies for their own commercial marketing. Disclosures are limited to the following categories:

• Service providers acting on our behalf under contractual or operational safeguards, including website and application hosting, email and productivity tools, CRM or ticketing systems, backup providers, and IT security vendors.
• Google Ireland Limited / Google LLC (and affiliates) when you load pages that include Google Ads or Google Tag Manager scripts, for measurement, conversion reporting, and fraud prevention as described in Google’s policies.
• Cloudflare, Inc. when you interact with Turnstile or other Cloudflare security or content delivery features on our websites.
• Clearbit (or successor services) when your browser calls third-party APIs for company autocomplete or logo display tied to a domain you have entered.
• Professional advisors (lawyers, accountants) under confidentiality obligations.
• Law enforcement, regulatory authorities, or government agencies where disclosure is required or authorized by law, including in response to a subpoena, court order, search warrant, or other lawful request issued by a Canadian court or authority, or where we reasonably believe disclosure is necessary to protect the rights, property, or safety of Hexafusion, our clients, or the public.
• Successors in the event of a merger, acquisition, or asset sale, subject to the incoming party honouring this policy or providing notice of changes.

Cross-border processing: some of the organizations listed above may process or store data in the United States or other countries. Where personal information is transferred outside Canada, we use contractual, technical, and organizational measures appropriate to the risk, consistent with PIPEDA and BC PIPA expectations.

Except as described in this section, we do not disclose personal information for third parties’ independent marketing or monetization purposes.

7. Retention

We retain personal information only as long as necessary for the purposes for which it was collected, to fulfill our legal obligations, or as permitted by applicable law.

• Marketing and quote inquiries: typically retained for up to two years from last meaningful contact unless a client or vendor relationship continues, in which case retention follows the applicable agreement.
• Security logs and threat data: retained for the period necessary to support ongoing security monitoring, incident investigation, and compliance with applicable law, typically not exceeding one year unless an active investigation or legal proceeding requires longer retention.
• Server and access logs: retained for up to 90 days for operational and security purposes.

8. Cookies and Similar Technologies

Our websites use cookies, local storage, pixels, and similar technologies. These fall into three categories:

• Essential and functional: support navigation, form security, load balancing, session management, and remembering preferences needed to use the site. These are necessary for the website to function and cannot be disabled without affecting core functionality.
• Security (including Cloudflare): challenge and session cookies may be set when Turnstile or other Cloudflare features operate. These cookies help block automated abuse and are essential to our security measures described in Section 4.1.
• Measurement and advertising (Google): tags associated with Google Ads (for example, conversion measurement and remarketing where enabled) may set or read identifiers. Google’s use of data is described in Google’s partner policy and Google’s Privacy Policy. You can manage ad personalization through Google’s Ads Settings and industry tools such as the Digital Advertising Alliance of Canada.

You can control many cookies through your browser settings (blocking third-party cookies, clearing storage, or using private browsing). Blocking certain cookies may limit form submission or measurement features, but core reading of most pages should still function.

9. Your Rights

Subject to applicable law, you may have the right to:

• Request access to the personal information we hold about you.
• Request correction of inaccurate information.
• Withdraw consent for non-essential uses where consent is the legal basis, understanding that some services (such as ads measurement) rely on cookies you can disable in your browser.
• Request deletion of your information, subject to legal and contractual retention requirements and our obligation to retain security logs as described in Section 7.
• Lodge a complaint with the Office of the Privacy Commissioner of Canada or the Office of the Information and Privacy Commissioner for British Columbia.

To exercise these rights, contact us using the details in Section 11. We will respond within the timelines required by applicable law.

10. Security

We implement administrative, technical, and physical safeguards appropriate to the sensitivity of the information and the risks involved, including encryption in transit, access controls, intrusion detection, automated threat monitoring, and regular security assessments. No method of transmission over the internet is completely secure. We cannot guarantee absolute security but commit to using reasonable measures consistent with industry standards and to notifying affected individuals as required by law in the event of a breach involving a real risk of significant harm, as defined under PIPEDA’s breach notification requirements.

11. Contact Us

Privacy inquiries, access requests, and complaints:

12. Changes to This Policy

We may update this policy from time to time. We will post the revised version with an updated effective date. Material changes will be communicated through a notice on our website or by email where required by law.