Privacy Policy – predictively.ca

Section 01

Who We Are

Predictively Inc. ("Predictively", "we", "our", or "us") is a corporation incorporated under the laws of British Columbia, Canada. We operate the Predictively platform, accessible at predictively.ca, which delivers structured market intelligence derived from publicly released iGaming Ontario market data combined with our proprietary analytical frameworks.

Predictively is the "organization" responsible for personal information under the Personal Information Protection and Electronic Documents Act, SC 2000, c. 5 ("PIPEDA") and the Personal Information Protection Act, SBC 2003, c. 63 ("BC PIPA").

Our Designated Privacy Officer Our Privacy Officer is the primary point of contact for all privacy inquiries. Contact details are set out in Section 15 of this Policy.

Section 02

Scope of This Policy

This Policy applies to all personal information collected by Predictively in connection with the provision of our platform, including information collected through:

Our website at predictively.ca and all sub-pages;
User account registration and subscription management;
Our application programming interface (the "API");
Customer support and correspondence; and
Any other channel through which you communicate with us.

This Policy does not apply to the publicly released market data published by iGaming Ontario, which is subject to iGaming Ontario's own data transparency program. Predictively processes iGaming Ontario market data solely as aggregate, non-personal statistical information for the purpose of producing intelligence reports.

Our platform is designed for use by businesses and their authorized personnel ("Business Subscribers"). This Policy governs our treatment of the personal information of natural persons associated with those Business Subscribers.

Section 03

Information We Collect

We collect only the personal information that is necessary for the identified purposes set out in this Policy, in accordance with the principle of data minimization.

3.1 — Information You Provide Directly

Account Data Name, business email address, job title, and organization name collected at registration and account management.

Billing Data Payment method details, billing address, and transaction records. Payment processing is handled by our PCI-DSS-compliant payment processor. We do not store full card numbers on our systems.

Communications Correspondence, support requests, feedback, and enquiry content submitted through our platform or by email.

API Credentials API keys issued to authorized account holders. Keys are cryptographically hashed after initial display. We store only the hash.

3.2 — Information Collected Automatically

Log Data IP address, browser type and version, operating system, referring URL, pages visited, timestamps, and HTTP status codes collected by our server infrastructure.

Usage Data Feature interactions, report access events, API call frequency and endpoint usage, and session duration data, collected for service improvement and security purposes.

Device Data Device identifiers, screen resolution, and browser configuration, collected to deliver a properly rendered user experience.

Cookie Data Information stored in or accessed from cookies and similar technologies, as described further in Section 10 of this Policy.

3.3 — Information We Do Not Collect

We do not collect sensitive personal information as defined by PIPEDA Schedule 1 Clause 4.3.4, including health information, financial account credentials, government-issued identification numbers, or any special category personal data, unless such information is expressly provided by you in written correspondence to us.

Section 04

Legal Basis for Processing

Under PIPEDA and BC PIPA, personal information may be collected, used, or disclosed only with the knowledge and consent of the individual, except where the law permits otherwise. Our legal bases for processing are as follows:

Express Consent Account registration, subscription enrolment, and opt-in electronic communications. Consent may be withdrawn at any time subject to legal or contractual restrictions.

Implied Consent Routine service delivery, technical support, and security logging, where consent is reasonably inferred from the context of the business relationship.

Contractual Necessity Processing required to perform obligations under our Terms of Use or a subscription agreement to which you are a party.

Legal Obligation Processing required by applicable law, court order, regulatory requirement, or lawful government authority.

Legitimate Interest Fraud prevention, platform security, product improvement, and aggregate analytics, where our interests do not override your fundamental privacy rights.

Section 05

How We Use Your Information

We use personal information only for the purposes for which it was collected, or for consistent purposes that you would reasonably expect. Specifically, we use personal information to:

Provision of Services: Create and manage your account, authenticate your identity, deliver reports and API access, and process subscription payments;
Service Communications: Send transactional notices, account alerts, security notifications, and service updates that are necessary to the operation of your account;
Customer Support: Respond to inquiries, troubleshoot technical issues, and resolve billing disputes;
Security & Fraud Prevention: Detect, investigate, and prevent unauthorized access, fraudulent activity, abuse of our API, or other security incidents;
Service Improvement: Analyze usage patterns in aggregate to improve platform functionality, report quality, and user experience;
Legal Compliance: Meet our obligations under applicable law, respond to lawful government requests, and enforce our agreements; and
Marketing (with consent): Where you have provided express consent, send information about new reports, product features, or related services. You may withdraw consent at any time.

We do not use personal information to make automated decisions that produce legal or similarly significant effects, and we do not sell, rent, or trade personal information to third parties for their own marketing purposes.

Section 06

Disclosure to Third Parties

We do not disclose personal information to third parties except in the following limited circumstances:

6.1 — Service Providers

We engage third-party service providers who process personal information on our behalf as our agents. These providers are contractually bound to: (a) use personal information only as directed by us; (b) implement appropriate security safeguards; and (c) return or destroy personal information upon termination of the engagement. Categories of service providers include cloud infrastructure providers, payment processors, email delivery services, and security and monitoring vendors.

6.2 — Legal Disclosure

We may disclose personal information without consent where we are required or authorized to do so by: (a) applicable law or regulation; (b) a court order, subpoena, or other judicial or administrative process; (c) a governmental authority exercising a lawful power; or (d) where necessary to prevent, detect, or suppress fraud or other illegal activity, as permitted by PIPEDA section 7(3).

6.3 — Business Transfers

In the event of a merger, acquisition, asset sale, amalgamation, or reorganization involving Predictively, personal information held by us may be transferred to the successor entity, provided that the receiving party agrees to treat that information consistently with this Policy. We will notify affected individuals where required by law.

6.4 — Aggregate Data

We may share de-identified, aggregated, or anonymized information that cannot reasonably be used to identify any individual. Such information is not personal information and is not subject to this Policy.

Section 07

Data Retention

We retain personal information only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our general retention schedules are as follows:

Account Data Retained for the duration of the account relationship and for seven (7) years following account closure, as required for tax, audit, and commercial record-keeping purposes under applicable law.

Billing Records Retained for seven (7) years from the date of the transaction, consistent with obligations under the Income Tax Act, RSC 1985, c. 1 (5th Supp.) and applicable provincial tax legislation.

Server & Access Logs Retained for a maximum of ninety (90) days for security investigation purposes, after which they are deleted or irreversibly anonymized.

Support Communications Retained for three (3) years from the date of the last communication, to facilitate ongoing service and dispute resolution.

Marketing Consent Records Retained for three (3) years following consent withdrawal, as required by the Canada's Anti-Spam Legislation, SC 2010, c. 23 ("CASL").

When personal information is no longer required, we securely destroy or anonymize it using methods appropriate to the sensitivity of the information.

Section 08

Cross-Border Transfers

Some of our service providers are located outside of Canada, including in the United States. When personal information is transferred to a service provider in a foreign jurisdiction, that information may be subject to the laws of that jurisdiction, including disclosure requirements applicable to foreign governments.

Before transferring personal information outside Canada, we require the receiving party to provide a comparable level of protection by means of: (a) contractual data processing agreements that include obligations equivalent to those imposed by PIPEDA and BC PIPA; or (b) other legally recognized transfer mechanisms.

By using our platform, you acknowledge that your personal information may be transferred to and processed in jurisdictions outside Canada. Where required by BC PIPA section 33.1, we will advise you of the country or countries to which personal information may be disclosed upon request.

Section 09

Security Safeguards

We protect personal information using physical, organizational, and technical safeguards appropriate to the sensitivity of the information and the risk of unauthorized access, collection, use, disclosure, copying, modification, disposal, or destruction. Our safeguards include:

Encryption of data in transit using Transport Layer Security (TLS 1.2 or higher);
Encryption of sensitive data at rest using industry-standard encryption algorithms;
HMAC-signed, time-limited access tokens for report delivery;
Cryptographic hashing of API keys; keys are displayed only once at creation and cannot be recovered thereafter;
Role-based access controls limiting staff access to personal information to those with a legitimate need;
Regular security assessments and vulnerability monitoring; and
Incident response procedures for detecting and responding to personal information breaches.

Security Breach Notification In the event of a security breach involving personal information that creates a real risk of significant harm, we will notify affected individuals and the Office of the Privacy Commissioner of Canada as required by PIPEDA and Breach of Security Safeguards Regulations, SOR/2018-64.

No method of electronic transmission or storage is completely secure. While we implement industry-standard safeguards, we cannot guarantee absolute security.

Section 10

Cookies & Tracking Technologies

Our platform uses cookies and similar technologies to enable core functionality and improve your experience. A "cookie" is a small text file placed on your device by a web server.

10.1 — Types of Cookies We Use

Strictly Necessary Required for authenticated session management, CSRF protection, and access token validation. Cannot be disabled without impairing platform function. No consent required under applicable law.

Functional Remember your display preferences (e.g., light or dark mode) and regional settings across sessions.

Analytics Collect pseudonymized usage data to help us understand platform performance. Where used, analytics are configured to anonymize IP addresses and not to share data with third-party advertisers.

10.2 — Managing Cookies

You may configure your browser to reject cookies or to alert you before a cookie is stored. Disabling strictly necessary cookies will impair your ability to use authenticated features of our platform. Instructions for managing cookies are available through your browser's settings.

We do not use cookies for cross-site advertising, behavioural profiling for third-party advertising networks, or any purpose that would constitute a sale of personal information.

Section 11

Your Privacy Rights

Subject to applicable law, you have the following rights with respect to your personal information held by Predictively:

11.1 — Right of Access

You may request access to the personal information we hold about you and receive information about how we use and disclose it, as provided in PIPEDA Principle 9 and BC PIPA section 23. We will respond to access requests within thirty (30) days of receipt, unless an extension is necessary and permitted by law.

11.2 — Right of Correction

If you believe that personal information we hold about you is inaccurate or incomplete, you may request that we correct or annotate it. We will correct or annotate the record as promptly as practicable.

11.3 — Right to Withdraw Consent

You may withdraw consent to non-essential processing (including marketing communications) at any time by contacting our Privacy Officer or using the unsubscribe mechanism in any marketing email we send. Withdrawal of consent will not affect the lawfulness of processing prior to withdrawal.

11.4 — Complaints

If you believe we have not complied with this Policy or your rights under applicable privacy legislation, you may file a complaint with our Privacy Officer. If you are not satisfied with our response, you may escalate your complaint to:

Office of the Privacy Commissioner of Canada: www.priv.gc.ca — Tel: 1-800-282-1376
Office of the Information and Privacy Commissioner for BC: www.oipc.bc.ca — Tel: 1-800-663-7867

Identity Verification To protect your privacy, we will verify your identity before processing any access, correction, or withdrawal request. We will not charge a fee for access requests unless the request is manifestly excessive, in which case we will notify you of the estimated fee in advance.

Section 12

Children's Information

Our platform is designed exclusively for use by businesses and their adult authorized personnel. We do not knowingly collect personal information from individuals under the age of majority in their province or territory of residence. Our services are not directed at, marketed to, or intended for minors.

If we become aware that we have collected personal information from a minor without appropriate consent, we will take reasonable steps to delete that information promptly. If you believe that a minor has provided personal information to us, please contact our Privacy Officer immediately.

Section 13

Electronic Communications (CASL)

Where we send commercial electronic messages ("CEMs"), we do so in compliance with the Canada's Anti-Spam Legislation, SC 2010, c. 23 ("CASL"). Specifically:

We obtain express or implied consent before sending CEMs, as required by CASL section 6;
Every CEM includes a valid physical mailing address and an unsubscribe mechanism that is functional for a minimum of sixty (60) days following dispatch;
We process unsubscribe requests within ten (10) business days, as required by CASL section 11(3); and
We maintain records of consent, as required by CASL and its Electronic Commerce Protection Regulations.

Transactional messages relating to your account (such as security alerts, billing confirmations, and password resets) are not commercial electronic messages and are not subject to CASL opt-in requirements.

Section 14

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

Post the updated Policy on this page with a revised effective date;
Provide notice through your account dashboard or by email where the changes are material; and
Where required by applicable law, seek your consent to the revised terms.

Your continued use of the platform following notice of a material change constitutes your acknowledgment of the updated Policy. If you do not agree with the changes, you must discontinue use of our platform and may request deletion of your account.

Section 15

Contact Our Privacy Officer

All privacy inquiries, access requests, correction requests, and complaints should be directed to our designated Privacy Officer. We will acknowledge receipt of your inquiry within five (5) business days and provide a substantive response within thirty (30) days, unless an extension is required.

Organization Predictively Inc.

Attention Privacy Officer

Email privacy@predictively.ca

Website predictively.ca

We are committed to resolving privacy concerns in a timely, transparent, and fair manner. All complaints are investigated and responded to in accordance with PIPEDA's accountability principle.