Privacy Policy - Cephlon

Last Updated: 08/02/2026

Cephlon Inc. (“Cephlon,” “we,” “us,” or “our”), a federally registered Canadian corporation committed to the principle that privacy is a fundamental right, maintains this Privacy Policy to explain transparently how we collect, process, use, disclose, transfer, store, retain, secure, and ultimately dispose of personal information.

This Policy applies to all personal information collected through:

Our website at cephlon.com and any other websites, subdomains, or web applications owned and operated by Cephlon Inc. (collectively, the “Site”)
Account registration, subscription, or service usage
Support interactions, sales inquiries, or contact forms
Our Services, including but not limited to private cloud storage, virtual machines and servers (VMs/VDS), VPN connectivity, secure data storage, remote management tools, encrypted backups, phone systems, and other customizable privacy-centric infrastructure solutions
Any other product, platform, or service offered by Cephlon Inc. or any of its subsidiaries and affiliates, whether currently existing or developed in the future (collectively, the “Services”)

We are fully subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and relevant provincial privacy legislation. For individuals in the European Union, European Economic Area, United Kingdom, or other jurisdictions with extraterritorial effect, we align our practices with applicable requirements (e.g., GDPR principles) to the extent they govern our processing activities.

1. Definitions

Personal Information — Any information about an identifiable individual, as defined under PIPEDA.
Processing — Any operation performed on personal information, including collection, use, disclosure, storage, and deletion.
Services — All privacy-focused hosting, storage, VPN, virtual server, phone system, remote access, and related solutions provided by Cephlon Inc. or any of its subsidiaries and affiliates, whether currently existing or introduced in the future.
Affiliate — Any entity that directly or indirectly controls, is controlled by, or is under common control with Cephlon Inc.

2. Personal Information We Collect

2.1 Information You Provide Voluntarily

Identification and contact: Full name, business name (if applicable), email address, phone number, mailing address (if provided).
Account credentials: Username, password (stored exclusively as salted cryptographic hashes; we never store plaintext passwords).
Billing and payment: Billing contact details, processed via PCI-DSS-compliant third-party payment gateways. Cephlon does not store full payment card numbers, CVVs, or other sensitive cardholder data.
Communications and support: Messages, attachments, ticket history, and preferences expressed during support interactions.
Service configuration data: Technical specifications or preferences you submit for custom VMs, storage quotas, VPN endpoints, phone system configurations, or server locations.

2.2 Automatically Collected Technical Data

Network and device: IP address (anonymized or truncated where technically feasible), browser and user-agent string, operating system, device type, and screen resolution.
Interaction metadata: Pages viewed, time spent on pages, referral URLs, and exit pages — collected in aggregate form only.
Security events: Failed login attempts, rate-limit triggers, and suspicious pattern indicators used exclusively for fraud detection and abuse prevention.

2.3 Cookies and Analytics

We may use cookies and similar technologies to support the functionality of the Site and to understand how visitors interact with it.

Essential cookies: Required for core Site functionality such as session management and authentication. These cannot be disabled.
Analytics cookies: We may use third-party analytics services (such as Google Analytics) to collect aggregated, anonymized usage data. These tools help us understand traffic patterns, popular pages, and general user behavior to improve our Services.
Your choices: You may control or disable non-essential cookies through your browser settings. Disabling cookies may affect certain features of the Site.

We do not use cookies for advertising, retargeting, or behavioral profiling of any kind.

2.4 No Third-Party Sourcing

We do not acquire personal information from data brokers, advertisers, social media platforms, or public databases. We only process personal information arising from your direct interaction with us.

3. Purposes, Legal Bases, and Data Minimization

We collect only the minimum personal information necessary and process it solely for the following purposes:

Purpose	Primary Legal Basis (PIPEDA / GDPR-Aligned)	Data Minimization Notes
Account creation, authentication, and service delivery	Performance of contract	Only fields required for functionality
Billing, subscription management, and renewals	Performance of contract	Limited to transaction metadata
Customer support and technical assistance	Performance of contract / legitimate interest	Retained only as long as needed for resolution
Fraud detection, abuse prevention, and security	Legitimate interest / legal obligation	Anonymized where possible; short retention
Service improvement and internal analytics	Legitimate interest	Strictly aggregated and anonymized data
Legal and regulatory compliance	Legal obligation	Retained per statutory minimums

We do not use your personal information for marketing, advertising, profiling, or any purpose unrelated to providing and securing the Services. We conduct legitimate interests assessments where applicable and prioritize data minimization at every stage.

4. Data We Do Not Collect or Sell

Cephlon is built on the principle that your data belongs to you. Accordingly:

We do not sell, rent, lease, or trade personal information under any circumstances.
We do not collect personal information beyond what is strictly necessary to provide and secure the Services.
We do not monetize user data in any form, including through advertising or data brokerage.
We do not access the contents of your hosted data (such as files stored on your VMs, cloud storage, or backups) unless expressly required to provide a service you have requested, to comply with a lawful order, or to address an imminent security threat.

5. Sharing, Disclosure, and Subprocessors

Disclosure of personal information occurs only under the following limited circumstances:

Subprocessors: To trusted subprocessors (e.g., payment processors, secure hosting infrastructure partners, email delivery services) bound by data processing agreements with protections equivalent to or stronger than those described in this Policy.
Legal obligations: Pursuant to lawful requests from courts, regulators, or law enforcement authorities, with notice to you where legally permitted.
Protection of rights: To protect Cephlon, our users, or the public from serious harm, fraud, or illegal activity.
Business transfers: In connection with a merger, acquisition, or reorganization, with reasonable advance notice to affected users.

A current list of subprocessors, including payment processing partners, is available upon verified request to [email protected] (subject to confidentiality obligations).

6. International Data Transfers and Adequacy

Primary Processing Jurisdiction: Canada, which is recognized as adequate under EU adequacy decisions with respect to PIPEDA.
Safeguards for Transfers: Where personal information is transferred outside of Canada, we employ standard contractual clauses (SCCs), binding corporate rules (where applicable), or other approved transfer mechanisms to ensure equivalent protections.
Avoidance of High-Risk Jurisdictions: We do not route or store personal data in jurisdictions known for systemic surveillance without explicit user-configured options and informed consent.

7. Data Retention

We retain personal information only for as long as reasonably necessary to fulfill the purposes for which it was collected:

Data Category	Retention Period
Account information	Duration of account plus 30 days after deletion request
Billing and transaction records	As required by applicable tax and financial regulation (typically up to 7 years)
Support ticket history	Up to 2 years after ticket closure, unless longer retention is required for legal purposes
Security event logs	Up to 12 months, anonymized where possible
Analytics data	Retained only in aggregated, anonymized form with no individual identifiers

When personal information is no longer required, it is securely deleted or irreversibly anonymized in accordance with industry-standard practices.

8. Data Security and Breach Response

We maintain a layered security program including:

Encryption in transit (TLS 1.3) and at rest (AES-256 where applicable)
Strict logical and physical access controls with role-based permissions
Regular penetration testing, vulnerability scanning, and third-party security audits
Incident detection, response, and notification procedures

In the event of a data breach likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authorities without undue delay, in accordance with PIPEDA and applicable law.

9. Your Privacy Rights and How to Exercise Them

Depending on your jurisdiction and applicable law, you may have the following rights:

Right to be informed — To know how your personal information is collected and used.
Right of access — To request a copy of the personal information we hold about you.
Right to rectification — To request correction of inaccurate or incomplete information.
Right to erasure (“right to be forgotten”) — To request deletion of your personal information where it is no longer necessary.
Right to restrict processing — To request that we limit how we use your information in certain circumstances.
Right to data portability — To receive your personal information in a structured, commonly used, and machine-readable format.
Right to object — To object to processing based on legitimate interests.
Right not to be subject to automated decision-making — To not be subject to decisions made solely by automated means that produce legal or similarly significant effects.

To exercise your rights:

Submit a written request to [email protected].
Provide sufficient information to verify your identity (e.g., account email and recent activity confirmation).
Clearly specify the right(s) you wish to exercise.

We will respond within 30 days. For complex requests, this period may be extended by an additional 30 days with notice to you. There is no charge for standard requests unless they are manifestly unfounded or excessive.

10. Withdrawal of Consent

Where processing is based on your consent (limited cases), you may withdraw consent at any time by contacting [email protected] or through your account settings where available. Withdrawal of consent does not affect the lawfulness of any processing carried out before withdrawal.

11. No Automated Decision-Making or Profiling

We do not carry out automated individual decision-making, including profiling, that produces legal effects or similarly significant consequences concerning you.

12. Third-Party Websites and Services

The Site or Services may contain links to external websites or services. Cephlon is not responsible for the privacy practices, content, or security of any third-party site. We encourage you to review the privacy policies of any external site you visit independently.

13. Children’s Privacy

The Site and Services are not intended for individuals under the age of 18. We do not knowingly collect or process personal information from children. If we become aware that we have collected personal information from a child, such data will be promptly and securely deleted.

14. Scope — Products and Affiliates

This Privacy Policy applies to all products, platforms, and services offered by Cephlon Inc. and its subsidiaries and affiliates, whether currently existing or introduced in the future. This includes, without limitation:

Private cloud storage and secure data hosting
Virtual machines and virtual dedicated servers (VMs/VDS)
VPN connectivity services
Encrypted backup solutions
Remote management and access tools
The Cephlon Phone System (CPS) and related telecommunications services
Any additional products, features, or services released under the Cephlon name or brand

Where a specific product or service has its own supplemental terms, conditions, or privacy disclosures, those supplemental terms will be read together with this Policy. In the event of a conflict between this Policy and any product-specific terms, the product-specific terms will govern to the extent of the inconsistency.

15. Accountability and Governance

Cephlon designates a Privacy Officer responsible for overseeing compliance with this Policy and applicable privacy legislation. We maintain records of processing activities, conduct privacy impact assessments for high-risk activities, and provide regular training to staff on their privacy obligations.

16. Complaints and Supervisory Authorities

If you believe your privacy rights have been violated, please contact our Privacy Officer first. We are committed to resolving complaints promptly and fairly. If you are not satisfied with our response, you may lodge a complaint with:

The Office of the Privacy Commissioner of Canada (for PIPEDA matters)
The relevant supervisory authority in your jurisdiction (e.g., the ICO in the United Kingdom, the CNIL in France)

17. Changes to This Privacy Policy

We may amend this Policy to reflect legal, technical, or operational changes. The “Last Updated” date at the top of this page reflects the most current version. Material changes will be communicated via email (if available), a Site banner, or an in-Service announcement. Your continued use of the Site or Services after such notification constitutes acceptance of the updated Policy.

18. Contact Our Privacy Officer

If you have any privacy-related questions or concerns, you may reach our Privacy Officer at:

Cephlon Inc. Email: [email protected] Phone: +1 (877) 236-4566 | +1 (877) CEPHLON Mailing Address: Available upon verified request

We are committed to resolving privacy concerns promptly, respectfully, and in full compliance with the law.

Thank you for choosing Cephlon — where privacy is engineered by design.