Privacy Policy
Effective Date: [24/02/2026] | Last Updated: [23/02/2026]
Sonark Protection Solutions Inc. ("Sonark", "we", "us") is committed to protecting the personal information of all individuals who interact with our platform. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information through the Sonark platform (accessible at app.sonark.ca) and our website (sonark.ca), in compliance with Quebec's Act respecting the protection of personal information in the private sector (Law 25) and the Personal Information Protection and Electronic Documents Act (PIPEDA).
1. Who We Are
Sonark Protection Solutions Inc.
375 University Avenue, Suite 1100
Toronto, ON, Canada, M5G 2J5
Privacy inquiries: support@sonark.ca
Sonark is a business-to-business (B2B) cybersecurity awareness platform. We provide our services to organizations ("Clients" or "Tenants"), who in turn enroll their employees ("End Users") on the platform. In this relationship, the Client is the controller of their employees' personal information, and Sonark acts as a processor on the Client's behalf.
2. Person Responsible for the Protection of Personal Information
In accordance with Law 25, we have designated a person responsible for the protection of personal information. Inquiries, access requests, and complaints may be directed to:
Privacy Officer
Sonark Protection Solutions Inc.
Email: support@sonark.ca
3. Personal Information We Collect
3.1 Information Provided by Clients
When a Client organization onboards onto Sonark, they provide us with employee information to set up accounts, including:
- Full names
- Business email addresses
- Department or team assignments
- Role within the organization (manager or employee)
3.2 Information Generated Through Platform Use
As End Users interact with the Sonark platform, we collect and generate the following data:
| Category | Examples |
| --- | --- |
| Phishing Simulation Data | Whether a simulated phishing email was opened, clicked, or reported; timestamps of interactions |
| Training Data | SCORM training module completion status, scores, time spent |
| Risk Assessment Data | Computed risk scores based on simulation and training performance |
| Login & Authentication Data | Login timestamps, multi-factor authentication status, session data |
| Deep Web Monitoring Data | Credential exposure alerts sourced from third-party intelligence feeds |
3.3 Technical Data Collected Automatically
- On the login page (app.sonark.ca): IP address and browser fingerprint data processed by Cloudflare Turnstile for bot protection purposes.
- Within the authenticated platform: Error logs and performance data sent to Sentry.io for application stability and debugging.
- Functional preferences: Language selection, theme preference, and notification timestamps stored locally on your device.
4. Purposes of Collection and Use
We collect and use personal information for the following purposes:
- Platform Operation: Providing authentication, account management, and access to platform features.
- Phishing Simulations: Conducting authorized simulated phishing campaigns on behalf of Clients to assess and improve employee security awareness.
- Security Training: Delivering cybersecurity awareness training modules and tracking completion.
- Risk Scoring: Computing individual and organizational risk scores to help Clients understand their security posture.
- Dark Web Monitoring: Monitoring third-party intelligence feeds for credential exposure associated with the Client's domain.
- Scam & Threat Alerts: Providing informational alerts about emerging threats.
- Platform Security: Bot detection (Cloudflare Turnstile), error tracking (Sentry.io), and abuse prevention.
- Platform Improvement: Diagnosing technical issues and improving platform reliability.
Phishing Simulation Disclosure: Sonark conducts simulated phishing campaigns as authorized by your employer (the Client). These simulations send realistic-looking test emails to employees. Whether you open, click, or report these emails is logged and used to compute your security awareness score. These simulations are conducted solely for cybersecurity awareness training purposes at the direction of your employer.
5. Consent
For B2B services, your employer (the Client) has authorized the processing of your personal information through their agreement with Sonark. The Client is responsible for ensuring they have the appropriate legal basis (including providing you with notice) to enroll you in the Sonark platform.
For technical data collected via Cloudflare Turnstile on the login page, processing is based on legitimate security interests (bot protection). Sentry.io error tracking is used for the legitimate purpose of maintaining platform stability.
6. Third-Party Service Providers (Sub-Processors)
Cross-Border Transfers: Some of our sub-processors are located in the United States. Under Law 25, before transferring personal information outside Quebec, we conduct a privacy impact assessment to ensure the receiving jurisdiction provides adequate protection. We also have contractual safeguards in place with each sub-processor.
7. Data Retention
We retain personal information only for as long as necessary to fulfill the purposes described in this policy or as required by law:
- Active account data: Retained for the duration of the Client's subscription.
- Phishing simulation results and training data: Retained for the duration of the Client's subscription, unless a shorter retention period is specified in the service agreement.
- Risk scores: Recalculated regularly and retained for the subscription period.
- Error logs (Sentry): Retained for up to 90 days.
- Upon contract termination: Client data is deleted within 30 days of contract termination, unless a longer retention period is required by law or requested by the Client. See our Data Processing Agreement for details.
8. Your Rights
Under Law 25 and PIPEDA, you have the following rights regarding your personal information:
- Right of Access: You may request a copy of the personal information we hold about you.
- Right of Rectification: You may request correction of inaccurate or incomplete information.
- Right of Deletion: You may request deletion of your personal information, subject to legal and contractual obligations.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time (note: for B2B services, your employer manages your account).
- Right to Data Portability: You may request your personal information in a commonly used technological format.
- Right to Be Informed of Automated Decisions: If automated decision-making (including risk scoring) is used, you have the right to be informed and to request human review.
How to exercise your rights:
- End Users (employees): Please contact your employer first, as they are the controller of your data. If your employer cannot resolve your request, contact us at support@sonark.ca.
- Clients (organizations): Contact us directly at support@sonark.ca.
We will respond to access requests within 30 days, as required by Law 25.
9. Data Security
We implement appropriate technical and organizational measures to protect personal information, including:
- Encryption in transit (TLS/HTTPS) and at rest
- Multi-factor authentication support
- Role-based access controls and multi-tenant data isolation
- Regular security reviews
- Rate limiting and bot protection
10. Data Breach Notification
In the event of a confidentiality incident involving personal information that presents a risk of serious injury, we will:
- Notify the Commission d'accès à l'information du Québec (CAI) as required by Law 25.
- Notify the Office of the Privacy Commissioner of Canada as required by PIPEDA.
- Notify the affected individuals as soon as practicable.
- Notify the Client organization so they may fulfill their own notification obligations to their employees.
We maintain a breach incident register as required by law.
11. Cookies and Local Storage
The Sonark platform uses local storage on your device for functional purposes only. We do not use advertising cookies or third-party tracking cookies.
12. Children's Privacy
The Sonark platform is designed for use by adult employees in a business context. We do not knowingly collect personal information from individuals under the age of 18.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to Clients via email or platform notification. The "Last Updated" date at the top of this page indicates when the policy was most recently revised.
14. Contact Us & Complaints
If you have questions about this Privacy Policy or wish to file a complaint, contact us at:
Sonark Protection Solutions Inc.
375 University Avenue, Suite 1100
Toronto, ON, Canada, M5G 2J5
Email: support@sonark.ca
If you are not satisfied with our response, you may file a complaint with: