Full engagement
Full consultation
Discuss your complete cloud and security strategy with the principal consultant. For comprehensive transformations and multi-quarter engagements.
Privacy Policy
Effective Date: January 1, 2025
Last Updated: June 8, 2026
Pilotcore ("we," "our," or "us") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, share, and safeguard your information when you interact with our website and services.
1. Data Collection
We collect the following personal information when you use our services:
Information You Provide Directly
- Email address: Required for guide downloads, consultation requests, and email communications
- Name: First and last name for personalised communications
- Company information: Company name and role for business context
- Survey responses: Readiness assessment answers to understand your needs
- Consultation details: Service interests and context you provide in consultation forms
Information We Collect Automatically
- Email engagement data: Whether you open our emails, click links, or unsubscribe
- Timestamps: When you submit forms, download guides, or engage with our emails
- IP address: Automatically collected by our infrastructure provider (AWS)
- Website measurement data: Page paths, consent choices, browser-level privacy signals, and aggregated usage metrics collected through the tracking tools listed below
Information We Do Not Collect
We do not collect your browsing history outside Pilotcore, demographic profiles, or precise location data. We avoid collecting sensitive information in guide and consultation forms.
2. Purpose and Use of Your Information
We use your personal information for the following legitimate business purposes:
Marketing Communications
- Sending educational email sequences about cloud architecture, DevSecOps, and security compliance
- Delivering compliance guides (CMMC, CPCSC) you've requested
- Sharing relevant blog posts and expertise demonstrations
Lead Qualification
- Assessing your readiness for consulting services through survey responses
- Personalizing follow-up communications based on your interests
- Scheduling consultation calls when you express interest
Service Delivery
- Processing consultation requests and booking calendar appointments
- Responding to inquiries submitted through contact forms
- Providing customer support
Business Operations
- Improving our email content and website based on engagement metrics
- Measuring ads, page performance, and website paths so we can understand which public pages and campaigns work
- Using session replay signals to find broken interactions and usability issues without asking you for sensitive data
- Maintaining records for tax and accounting purposes (consultation records only)
- Complying with legal obligations
3. Legal Basis for Processing
Canadian Law (PIPEDA)
We process your personal information based on your express consent:
- Downloading a guide constitutes consent to receive related email communications
- Submitting a consultation request constitutes consent to contact you about services
- You may withdraw consent at any time by unsubscribing or contacting us
United States Law (CAN-SPAM)
We comply with CAN-SPAM requirements:
- You have an established business relationship when you request our guides or consultations
- All emails include a clear unsubscribe mechanism
- All emails identify Pilotcore as the sender
- Our physical business address is included in email footers
Anti-Spam Legislation (CASL)
We comply with Canada's Anti-Spam Legislation:
- Express consent is obtained before sending commercial electronic messages
- All emails clearly identify Pilotcore as the sender
- Unsubscribe mechanisms are provided in every email
- Unsubscribe requests are processed within 10 business days
4. Controller Identity, Data Sharing, and Disclosure
For personal information covered by this policy, the controller is Pilotcore Systems Inc. You can contact the controller at privacy@pilotcore.io.
We share your personal information only in the following limited circumstances:
Service Providers and Sub-Processors
Material additions or replacements to this list are posted here with 30 days' notice. Where required, we also email active leads with nurture consent.
| Processor | Role | Transfer mechanism |
|---|---|---|
| AWS | SES, DynamoDB, Lambda, S3, CloudFront, and SNS infrastructure. | AWS GDPR Data Processing Addendum and Standard Contractual Clauses. Primary processing region is us-east-1; some governance services use ca-central-1. |
| Fathom Analytics | Cookieless website analytics for page views, referrals, and aggregated usage trends. | Service-provider processing under Fathom terms. Loaded only when configured for production and not when a browser sends an explicit DNT or GPC opt-out signal. |
| Google Tag Manager | Consent-mode tag loading for Google Analytics and Google Ads measurement on production Pilotcore pages. | Google Cloud DPA and SCCs. Tracking tags are gated by the cookie preferences stored in pilotcore.consent.tracking.v3. |
| Google Ads | Ad conversion measurement, campaign attribution, and retargeting exclusions when advertising consent is granted. | Google Ads Data Protection Terms and SCCs. Advertising storage, ad user data, and ad personalization stay denied unless the Advertising category is enabled. |
| Microsoft Clarity | Session replay and interaction analytics used to diagnose page friction, consent-banner behavior, and broken website flows. | Microsoft Products and Services Data Protection Addendum. Clarity Consent API V2 is set to denied before the Clarity script loads, then updated from your cookie preferences. |
| Google reCAPTCHA | Necessary anti-fraud checks for guide download forms, consultation forms, and pilot-project assessment forms. | Google Cloud DPA and SCCs. reCAPTCHA runs when you interact with or submit protected forms; it is treated as a necessary anti-abuse control, not as an analytics or advertising preference. |
| Cal.diy (self-hosted) | Scheduling application at cal.pilotcore.io for slot selection, booking records, attendee invites, and booking emails. | Operated by Pilotcore. No commercial Cal.com SaaS is used for new bookings; hosting is provided by Hetzner and calendar/meeting artifacts use Google Workspace and Zoom integrations. |
| Hetzner Online GmbH | VPS hosting, networking, and storage for the self-hosted Cal.diy instance at cal.pilotcore.io. | EU processing under Hetzner's data processing terms; SCCs apply where required. |
| Google Calendar | Attendee invites and booking calendar events. | Google Workspace DPA and SCCs. |
| Zoom | Meeting links and video call delivery when a consultation is booked through the scheduling flow. | Zoom Data Processing Addendum and SCCs. |
Selling, Renting, and Service Providers
We do not sell or rent your personal information. We do use service providers for analytics, anti-fraud, ad measurement, scheduling, hosting, and communications as listed above. Those providers process data for the purposes described in this policy.
We do not disclose your personal information to:
- Data brokers
- Social media platforms for their own independent marketing
- Unaffiliated commercial entities for their own direct outreach
Legal Disclosures
We may disclose your information if required by law, court order, or government regulation, or to protect our legal rights.
5. Right of Access, Erasure, and Portability
You may request access to your personal information, a portable export, correction of inaccurate information, or erasure where the law allows it.
Self-Service Requests
The self-service request page at /privacy/data-request verifies your email and then calls the GDPR-001/002 endpoints: GET /api/gdpr/data-export for access and portability, and DELETE /api/gdpr/delete-account for erasure.
We respond within 30 days from token verification. Exports are normally returned within 5 minutes, erasure can take up to 30 days when archived records must be processed, and rectification normally completes within 24 hours.
Identity Verification
Email-token verification is the primary identity check. High-risk requests, including erasure of older records or suppression-list entries, may require a secondary challenge based on your lead history.
Partial Retention
Erasure is subject to lawful partial-retention exceptions. Business records, deletion audit logs, and suppression evidence may be retained where tax, accounting, CAN-SPAM, CASL, GDPR Article 17(3)(b), or legal-hold obligations require it.
6. Other Privacy Rights
You also have the following rights regarding your personal information:
Right to Correction
Request correction of inaccurate or incomplete personal information.
Right to Withdraw Consent
Withdraw your consent to marketing communications at any time by:
- Clicking the "Unsubscribe" link in any email
- Emailing privacy@pilotcore.io with "UNSUBSCRIBE" in the subject line
- Contacting us through the website contact form
Right to Opt-Out
Opt out of specific email sequences while remaining subscribed to others (contact us to customise preferences).
You can also reopen website cookie preferences from the footer on public pages. The banner lets you control analytics, Microsoft Clarity session replay, and Google Ads measurement categories. Necessary anti-fraud controls, including reCAPTCHA on protected forms, remain active because they help keep forms usable and secure.
7. Data Retention
We retain personal information according to the accepted DEC-004 retention policy:
| Record | Retention fields |
|---|---|
| leads_table |
hot_storage: 180 days from last engagement cold_storage: 5 years from lead creation permanent_deletion: 5 years + 30 days (grace period) |
| nurture_sequences_table |
active_sequences: Retain while status != 'completed' completed_sequences: 365 days after completion unsubscribed_sequences: 90 days after unsubscribe (audit trail) |
| global_unsubscribes_table |
retention: PERMANENT (compliance requirement) note: Suppression list must persist to honor opt-outs |
| email_events_table |
retention: 90 days (CloudWatch Logs for audit) aggregated_metrics: 2 years |
| consultation_bookings_table | retention: 7 years (business records requirement) |
Exceptions
Records flagged for legal hold (e.g., ongoing dispute, regulatory inquiry) are exempt from automatic deletion.
This retention policy ensures we balance our legitimate business needs with your privacy rights and data minimization principles.
8. Complaint Pathways
If we do not resolve your privacy concern, you may contact the Office of the Privacy Commissioner of Canada (OPC) for Canadian privacy complaints or the Information Commissioner's Office (ICO) for UK data-protection complaints.
- OPC: Office of the Privacy Commissioner of Canada complaint process.
- ICO: Information Commissioner's Office complaint process.
9. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:
- Email: privacy@pilotcore.io
- Response Time: Within 30 days
- Subject Line: For faster processing, use "Privacy Request" in your subject line
For general inquiries, you may also use our website contact form.
Additional Information
Data Security
We implement industry-standard security measures to protect your personal information:
- Encrypted data transmission (HTTPS/TLS)
- Access controls limiting who can view your data
- Regular security assessments of our infrastructure
- Automated backups and disaster recovery procedures
However, no internet transmission is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
International Data Transfers
Your personal information may be processed in us-east-1 and ca-central-1 for AWS-hosted services, by EU-hosted scheduling infrastructure, and by Google, Microsoft, Fathom, and Zoom services where their listed features are used. The processor table above lists the applicable DPA and Standard Contractual Clauses for each transfer.
Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will post the updated policy on this page with a new "Last Updated" date. If we make material changes, we will notify active subscribers by email.
Children's Privacy
Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected information from a minor, please contact us immediately.
Your Consent
By providing your email address to download guides or request consultations, you consent to this Privacy Policy and our use of your information as described herein.
This Privacy Policy is written in plain language to ensure accessibility and understanding. If any provision is unclear, please contact us for clarification.