Legal
Privacy Policy.
How we collect, use, and protect personal information — written for humans, governed by PIPEDA.
ThinSky Inc. ("ThinSky", "we", "us", "our") is a Canadian cybersecurity firm headquartered in Toronto with operations in Vancouver and Montreal. We respect your privacy and handle personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws.
This policy explains what personal information we collect through thinsky.com, the ThinRecon audit flow at /audit, and direct correspondence with our team — why we collect it, how we use and store it, and the rights you have over it.
1. Information we collect
We collect only what we need to respond to you and to deliver the services you have requested.
1.1 Contact form (/contact)
When you submit the contact form on our site, we collect:
- Your name and work email address
- Your company name (optional)
- The subject and body of your message
- How you heard about us (optional)
- The IP address of the request, used solely for rate limiting and abuse prevention
1.2 ThinRecon free audit (/audit)
When you request a free external audit through ThinRecon, we collect:
- The domain or hostname you ask us to assess
- The email address you provide to receive the report
- Technical findings produced by the audit (DNS records, TLS configuration, exposed services, public security headers, and similar information that is observable from outside your network)
ThinRecon does not authenticate to your systems and does not perform intrusive scanning. We do not collect credentials, internal data, or any information that would require authorisation beyond what is publicly resolvable on the internet.
1.3 Server logs
Like most web services, our hosting infrastructure records standard request logs (IP address, timestamp, requested URL, user-agent string, and HTTP status). These logs are retained for up to 30 days and are used only for security monitoring, troubleshooting, and abuse prevention.
1.4 Cookies and analytics
thinsky.com uses Google Analytics 4 (measurement ID G-YG33DDT524) to understand how visitors find and move through the site. Google Analytics is the only third-party analytics service running on thinsky.com. We do not run advertising pixels, retargeting trackers, or any other behavioural-advertising technology, and we do not sell, share, or license your information to advertisers or data brokers.
What Google Analytics collects on our behalf:
- Truncated/anonymised IP address (anonymize_ip: true)
- Pages viewed, navigation path, time on page, and scroll depth
- Browser, device category, operating system, and approximate region
- Referrer (the page that linked you here) and UTM campaign parameters
The implementation enforces Google Consent Mode v2 with ad_storage, ad_user_data, and ad_personalization set to denied before any Google script loads. allow_google_signals and allow_ad_personalization_signals are disabled. As a result, no advertising identifiers are collected and no data is shared with the Google Ads ecosystem.
The tracker honours Do Not Track (DNT) and Global Privacy Control (GPC) signals: if your browser sends either header, no Google Analytics script is loaded and no request is sent. The only cookies set by Google Analytics are _ga and _ga_<property-id>, used to distinguish unique visits and sessions. They expire after 24 months. Site-functional cookies (for example, a session identifier on form submission) may also be set; these are strictly necessary and not used for tracking.
2. How we use your information
We use the information you provide to:
- Respond to your enquiry from a real engineer's mailbox
- Deliver the ThinRecon audit report you requested
- Schedule and deliver paid engagements where one is in progress
- Detect and block abuse of our infrastructure (rate limiting, honeypot enforcement)
- Comply with legal obligations and respond to lawful requests from authorities
We do not use your information to train machine-learning models, profile you for marketing, or serve behavioural advertising.
3. Legal basis (consent)
Submitting the contact form or requesting a ThinRecon audit constitutes your express consent to the collection and use of the information described above for the stated purposes. You may withdraw consent at any time by emailing privacy@thinsky.com; withdrawal does not affect processing already performed.
4. Where your information is stored
ThinSky is Canadian-owned and operated. To deliver this site reliably we use the following infrastructure providers:
- AWS Lightsail (us-east-1) — static site hosting
- AWS Route 53 — DNS for thinsky.com
- AWS Simple Email Service (us-east-1) — outbound email from our domain
- AWS API Gateway and Lambda (us-east-1) — contact form and ThinRecon audit endpoints
Personal information processed by these services is stored on servers in the United States and is therefore subject to United States law, including lawful access requests by US authorities. By using the site or submitting a form, you acknowledge this cross-border transfer. Where a Canadian engagement requires data residency in Canada, we will sign a separate data-handling addendum and process the engagement on Canadian infrastructure.
5. How long we keep your information
- Contact-form submissions: retained for up to 24 months from your last interaction with us, after which they are deleted.
- ThinRecon audit requests and reports: retained for up to 12 months, after which the report and the associated email address are deleted unless you have become an active client.
- Server logs: 30 days.
- Engagement records: retained for the longer of 7 years or the period required by Canadian tax and corporate-records law, in accordance with the engagement contract.
6. How we protect your information
Security is the work — we hold our own posture to the same bar we hold our clients' to. Operationally that means TLS 1.2+ on every endpoint with HSTS and a 2-year preload commitment; DMARC at p=quarantine with SPF and DKIM aligned; rate limiting and honeypot enforcement on every public form; least-privilege IAM with credential rotation tracked in our release manifest; and authenticated, logged access to production by a small named team. No system is unbreakable, but the controls listed are concrete, current, and verifiable.
7. Your rights
Under PIPEDA and applicable provincial privacy laws, you have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of information we no longer have a legitimate basis to hold
- Withdraw consent and have your active interactions ceased
- File a complaint with the Office of the Privacy Commissioner of Canada if you are not satisfied with our response
To exercise any of these rights, email privacy@thinsky.com. We respond within 30 days, as required by PIPEDA.
8. Children
ThinSky's services are sold to organisations, not consumers. We do not knowingly collect personal information from anyone under the age of 18. If you believe a minor has submitted information through our site, contact us and we will delete it.
9. Changes to this policy
We update this policy when our practices, infrastructure, or applicable law changes. The effective date at the top of this page is authoritative; material changes will also be announced on the homepage for at least 30 days.
10. How to contact us
Privacy enquiries: privacy@thinsky.com
General enquiries: sales@thinsky.com
Mail: ThinSky Inc., Toronto, Ontario, Canada
Our Privacy Officer is responsible for compliance with this policy and PIPEDA, and is the named point of contact for any complaint or access request.