Effective date: April 17, 2026 · Last updated: April 17, 2026 · Version 1.0
HAWZ Inc. (“HAWZ,” “we,” “us”) is a Toronto-based company that builds, hosts, and evolves custom software for business customers. We take privacy seriously. This policy explains what personal information we collect, why we collect it, who we share it with, how long we keep it, and the choices you have. It applies to our website at hawz.net, any product account you create with us, and any communications we exchange with you.
TWO ROLES — READ THIS FIRST HAWZ acts in two different roles depending on the data. When you visit our marketing site, fill out a form, or manage a customer account, we act as a “controller” and this Privacy Policy applies. When HAWZ operates a custom application for one of our business customers, the data that their users put into that application belongs to our customer — we are a “processor”, and that data is governed by a separate Data Processing Addendum between HAWZ and that customer. If you are an end-user of an application we built for one of our customers, please review that customer's own privacy notice for your rights. |
1. Scope and who we are
HAWZ Inc. is a corporation incorporated in Ontario, Canada. Our registered office is in Toronto, Ontario, Canada. For privacy matters, HAWZ is the controller of the personal information described in this policy, and we are accountable for how it is handled in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, provincial privacy laws.
This policy does not cover: (a) personal information HAWZ processes on behalf of its business customers inside applications we build or host for them (see the Data Processing Addendum instead), (b) third-party websites or services we link to, or (c) personal information that is already in the public domain.
2. Personal information we collect
We only collect what we need to run our business. Depending on how you interact with us, we collect the following categories of personal information:
2.1 Website and marketing information
Browsing information — IP address, general location derived from IP, browser and device type, pages viewed, referring URL, and time stamps. Collected through cookies and similar technologies (see our Cookie Policy).
Contact and inquiry information — your name, work email, company name, team size, and whatever you write in our contact or workflow-audit form.
Marketing communications preferences — whether you have given consent to receive commercial electronic messages from us, and whether you later withdraw that consent.
2.2 Customer account information
Administrative contacts — names, email addresses, job titles, phone numbers, and company details of the people at customer organizations who sign up for, administer, or are billed for HAWZ services.
Authentication credentials — hashed passwords, single sign-on identifiers, session tokens, and multi-factor authentication metadata.
Usage and telemetry — logs of administrative actions taken in our platform, feature usage, error events, and technical diagnostics, used to operate, secure, and improve the service.
Billing information — company legal name, billing address, tax numbers, and transaction records. Payment card details are collected and stored by our payment processor (Stripe); HAWZ does not store your card number.
Support communications — messages you send us, tickets, Slack channel messages in channels we share with you, and meeting notes.
2.3 Information we do not collect
We do not intentionally collect sensitive categories of personal information (health data, genetic or biometric identifiers, government identifiers beyond business tax numbers, children's data, precise geolocation) for our own purposes. If our business customers choose to store such data inside applications we build or host for them, that data is governed by the Data Processing Addendum and our Acceptable Use Policy, not this policy.
3. Where we get your information
Directly from you — when you fill out a form, create an account, send us a message, or sign an Order Form.
Automatically — through cookies, server logs, and product telemetry when you visit our site or use our platform.
From people at your organization — for example, an administrator adding you to a customer account.
From third parties — payment processors (Stripe) for billing confirmations, authentication providers (e.g., Google Workspace SSO) if you choose to sign in that way, and publicly available business directories used for sales research.
4. Why we collect and use personal information
We use personal information for the purposes below. We identify these purposes to you at or before the time we collect the information, as required by PIPEDA.
| Run the website and platform | Host hawz.net, display content, authenticate you, remember preferences, keep the service secure. |
| Respond to inquiries and audits | Contact you back, schedule workflow audits, prepare proposals and Order Forms. |
| Deliver contracted services | Design, build, deploy, host, and evolve your custom application; provide support; generate reports; operate integrations. |
| Bill and collect payment | Issue invoices, collect payment, manage refunds, handle disputes and chargebacks. |
| Protect ourselves and others | Detect fraud and abuse, enforce our Terms of Service and Acceptable Use Policy, protect legal rights, comply with law. |
| Improve our services | Measure feature adoption, diagnose bugs, train internal team members, conduct aggregated analytics (we do not use personal information to train third-party AI models). |
| Send commercial communications | With your consent, send product updates, release notes, and marketing emails. Every marketing message includes an unsubscribe link. |
5. Consent
Under PIPEDA we rely on your consent (express or implied) to collect, use, and disclose your personal information, unless an exception in the statute permits us to do otherwise (for example, for investigation of fraud, to comply with a subpoena, or to respond to an emergency threatening life, health, or security).
Express consent is what we rely on for marketing emails, for storing information that is sensitive, and for publishing customer testimonials that identify you.
Implied consent is what we rely on when you voluntarily provide information for a clearly necessary purpose — for example, sending us your email to request a demo implies consent to contact you about that demo.
You can withdraw your consent at any time by contacting our Privacy Officer (see Section 13). Withdrawing consent may mean we can no longer provide you with a service that depends on that information; we will let you know if that is the case.
Separately, Canada's Anti-Spam Legislation (CASL) requires us to have express or implied consent before sending a commercial electronic message to an email, SMS, or similar address. Implied consent under CASL lasts 24 months after you purchase from us, or 6 months after you make an inquiry. After that, we rely on express consent. Every commercial message we send identifies us, includes our mailing address, and has a one-click unsubscribe mechanism.
6. Who we share personal information with
We do not sell personal information. We share it only in the circumstances below:
6.1 Service providers (processors)
We rely on trusted third parties to run our business. We enter into contracts that require them to handle personal information only on our instructions, keep it confidential, and protect it with comparable safeguards. Our current subprocessors include:
| Vercel Inc. | Hosting and deployment of hawz.net and customer applications. United States. |
| Amazon Web Services, Inc. | Underlying compute, storage, and databases for applications we host (via Vercel and, where applicable, directly). United States (primary region) or Canada (by request). |
| Stripe, Inc. | Payment processing, tax calculation, and billing. United States. |
| Google LLC (Workspace) | Business email, document storage, and calendaring. United States. |
| Slack Technologies, LLC | Shared support channels with customers. United States. |
| Anthropic PBC / OpenAI, L.L.C. | Where used inside internal tooling, large language model inference. United States. We do not transmit customer personal information to these providers for the purpose of model training. |
A current, version-controlled list of subprocessors is available on request. We maintain at least thirty (30) days' notice to affected customers before adding or replacing a subprocessor that processes their data.
6.2 Business transfers
If HAWZ is involved in a merger, acquisition, reorganization, or sale of assets, personal information may be transferred as part of the transaction. We will notify you (by email or a prominent notice on our site) before your personal information becomes subject to a different privacy policy.
6.3 Legal and safety
We may disclose personal information when we believe in good faith that it is required by law, by a valid court order or subpoena, to enforce our agreements, to protect the rights, property, or safety of HAWZ, our customers, or others, or to prevent or investigate fraud or abuse.
6.4 With your direction
We share personal information with any additional party you specifically direct us to — for example, a third-party integration you enable inside our platform, or a consultant you ask us to loop into a project.
7. International transfers — important notice
HAWZ STORES AND PROCESSES DATA OUTSIDE OF CANADA HAWZ is based in Canada but our primary hosting provider (Vercel) processes data principally in the United States. Several other service providers we use (Stripe, Google Workspace, Slack, and LLM vendors) are also based in the United States. That means your personal information may be transferred to, stored in, and accessed from the United States and, in limited cases, other jurisdictions where our service providers operate. When your personal information is outside Canada, it is subject to the laws of that jurisdiction, including lawful access requests by foreign courts, law enforcement, and government agencies. We use contractual safeguards (including data processing agreements and, where applicable, standard contractual clauses) to require comparable protection. |
If you are located in the European Economic Area, the United Kingdom, Switzerland, or the United Arab Emirates, you may have additional rights regarding international transfers. In those cases we rely on a lawful transfer mechanism (for example, the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or your explicit consent) and will provide a copy of the relevant mechanism on request.
If you are located in Iraq or another jurisdiction subject to economic sanctions administered by Canada or our service providers, we may not be able to provide services to you and will notify you if that is the case.
8. How long we keep personal information
We keep personal information only as long as we reasonably need it for the purposes it was collected, or as required by law. Specifically:
Active customer data — for the duration of your account plus the periods set out in the Refund & Cancellation Policy (typically a 14-day export window and a 30-day hosting grace, then deletion within 60 days).
Inquiry and prospect data — up to 24 months after your last interaction, unless you ask us to delete it sooner.
Billing and tax records — a minimum of seven (7) years, as required by Canadian tax law.
Security and audit logs — up to 24 months, then aggregated or deleted.
Backups — rolling backups overwrite themselves, typically within 30 days.
When the retention period ends, we delete or irreversibly de-identify the information.
9. Cookies and similar technologies
We use cookies and similar technologies to operate our website and platform, remember your preferences, measure usage, and — only with your consent — to support marketing. Our Cookie Policy describes the specific cookies we use, their purposes, and how you can manage them.
10. Your rights
Under PIPEDA and related laws, you have the following rights. We respond to verified requests within 30 days, or explain why we need additional time (up to an additional 30 days) and the reason for the delay.
Access — request confirmation that we hold personal information about you, and a copy of it.
Correction — ask us to correct information that is inaccurate or out of date.
Withdrawal of consent — withdraw your consent to our collection, use, or disclosure of personal information, subject to legal and contractual restrictions.
Complaint — challenge our handling of your personal information.
Unsubscribe — stop receiving commercial electronic messages from us at any time (use the link in any message).
To exercise these rights, contact our Privacy Officer at the email in Section 13. We verify identity before releasing information. Access requests are free; if a request is excessive or repetitive, we may charge a reasonable fee and will give you an estimate before proceeding.
If you are located in a jurisdiction with additional data subject rights (for example, the right of erasure or data portability under the GDPR, or the UAE PDPL rights), we will honour those rights where they apply.
11. How we protect personal information
We use physical, technical, and administrative safeguards appropriate to the sensitivity of the information, including:
Encryption in transit using TLS 1.2 or better, and encryption at rest for databases and backups.
Role-based access controls with least-privilege defaults, multi-factor authentication for production systems, and quarterly access reviews.
Logging and monitoring of administrative access, with alerting on anomalous patterns.
Subprocessors that are independently audited under frameworks such as SOC 2 Type II (Vercel, Stripe, AWS). HAWZ does not itself hold a SOC 2 attestation today; we are working toward one.
An incident response plan. If we confirm a breach of security safeguards that creates a real risk of significant harm, we will notify the Office of the Privacy Commissioner of Canada and affected individuals without unreasonable delay, as PIPEDA requires.
No security is perfect. You share information with us at your own risk, and you are responsible for keeping your account credentials confidential.
12. Children
HAWZ is a business-to-business service. We do not knowingly collect personal information from anyone under 18 for our own purposes. If you believe a child has provided personal information to us, contact our Privacy Officer and we will delete it.
13. How to contact us
Our Privacy Officer is responsible for HAWZ's compliance with this policy. You can reach us at:
| Privacy Officer | Hassan Wattar |
| privacy@hawz.net | |
| Mailing address | HAWZ Inc., [Registered Office Address — placeholder: fill in], Toronto, Ontario, Canada |
If you are not satisfied with our response to a privacy concern, you may file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or, where applicable, the privacy regulator in your province (for example, the Information and Privacy Commissioner of Ontario for certain matters) or your country of residence.
14. Changes to this policy
We may update this policy from time to time. If we make material changes, we will post the updated policy on our website and, for customers with active accounts, notify the administrative contact by email at least 30 days before the change takes effect. The “Effective date” at the top of this policy shows the current version.
This policy is provided in English. A translated version may be made available; in the event of a conflict between versions, the English version controls.