We don't sell your data.
Full stop.

1. Overview

This Privacy Policy ("Policy") describes how Cephlon Inc. ("Cephlon", "we", "us", "our") collects, uses, stores, and protects personal information in connection with all Cephlon products and services, including Cephlon Cloud, Cephlon Phone System (CPS), Cephlon Voice, Cephlon Secure Connect, Cephlon Secure Vision, Cephlon AI, and any other services we offer or may offer in the future (collectively, the "Services").

By accessing or using any Cephlon Service, you acknowledge that you have read, understood, and agree to the collection and use of your information in accordance with this Policy. If you do not agree, please discontinue use of our Services immediately.

This Policy is incorporated by reference into our Terms of Service.

🏢

2. Who We Are

Cephlon Inc. is the data controller for all personal information collected in connection with our Services. Our India entity, Cephlon IT Solutions Pvt. Ltd., acts as a data processor under contractual obligations consistent with this Policy and applicable law.

For the purposes of the India Digital Personal Data Protection Act, 2023 (DPDP Act), Cephlon Inc. acts as the Data Fiduciary for all personal data of individuals located in India.

📋

3. What We Collect

3.1 Information You Provide Directly

• Account registration: Name, email address, and password (stored in hashed/encrypted form only). Payment information is handled exclusively by our payment processor and is never stored on Cephlon systems.
• Business accounts: Company name, billing address, VAT/GST number where applicable.
• Support communications: Content of messages you send to our support team.
• Waitlist and enquiry forms: Name, email, and any information you voluntarily provide.

3.2 Information Collected Automatically

• Service metadata: Login timestamps, account activity (e.g., storage usage, plan tier). This is necessary to provide and bill for Services.
• Technical data: IP address (used for security and fraud prevention only; not stored beyond 30 days), device type, operating system, and browser type at point of authentication.
• Aggregated, anonymised analytics: We use Cloudflare Web Analytics for website statistics. This system does not use cookies, does not track individuals, and does not transmit personal data to third parties. No individual user profiles are created.

3.3 What We Do NOT Collect

• Contents of files, documents, or photos stored in Cephlon Cloud (zero-knowledge encrypted)
• Tunnel traffic, connection metadata, browsing history, DNS queries or traffic data for Cephlon Secure Connect
• Contents of messages or call content transmitted via Cephlon Voice or Cephlon Phone System
• Decrypted backup data (all user backups are client-side encrypted before transmission)
• Real-time or historical location data
• Biometric identifiers
• Sensitive personal information (race, religion, health, political views) — we have no basis to collect this and do not do so

⚙️

4. How We Use Your Information

We use personal information only for the following purposes, all of which are necessary to provide, operate, and improve the Services you have subscribed to:

• To create, authenticate, and manage your account
• To process payments, generate invoices, and maintain billing records as required by law
• To provide customer support and respond to your enquiries
• To send service-critical notifications (security alerts, downtime notices, policy updates)
• To detect and prevent fraud, abuse, and security threats
• To comply with our legal obligations under applicable law
• To improve service reliability and performance using anonymised, aggregated data only

🔒

5. Data Storage & Security

5.1 Where Your Data Is Stored

All personal data is stored on infrastructure operated by or on behalf of Cephlon in Canada and India. We do not use general-purpose public cloud platforms (such as AWS, Google Cloud, or Microsoft Azure) as primary storage for personal data. Infrastructure is operated under NDA-protected agreements with our service partners.

5.2 Encryption Standards

• Data at rest: AES-256 encryption
• Data in transit: TLS 1.3 minimum for all connections
• User content (Cloud, backups): Client-side zero-knowledge encryption — encrypted before leaving your device. Cephlon holds no decryption keys.
• Encrypted communications (Voice, CPS): End-to-end encrypted. Content is not accessible to Cephlon.
• VPN tunnels (Secure Connect): Encrypted using a next-generation protocol. Zero connection logs maintained.
• Passwords: Stored as salted cryptographic hashes. Never stored in plaintext.

5.3 Access Controls

Access to personal data within Cephlon is strictly limited to personnel who require it to perform their job function. All staff are bound by confidentiality obligations. We conduct periodic access reviews and maintain audit logs of data access events.

5.4 Retention Periods

• Active account data: Retained for the duration of your subscription
• Post-deletion: Personal data is permanently deleted within 30 days of account deletion, except where retention is required by law
• Payment records: Retained for 7 years as required by Canadian tax law
• Security logs (IP addresses): Retained for a maximum of 30 days, then permanently deleted
• Support communications: Retained for 24 months or until account deletion, whichever is sooner

🔗

6. Data Sharing

We may share personal information only in the following strictly limited circumstances:

6.1 Service Providers

We engage a small number of third-party service providers who process data on our behalf, including payment processors and transactional email providers. All service providers are:

• Contractually bound to process data only as instructed by Cephlon
• Prohibited from using your data for any purpose other than providing services to us
• Subject to equivalent or greater data protection obligations than those in this Policy

6.2 Legal Compulsion

We may disclose personal information if required to do so by a valid court order, subpoena, or lawful direction from a competent governmental authority in Canada or India. In such cases, we will:

• Notify you of the request to the extent permitted by law
• Provide only the minimum data required by the order
• Challenge overbroad or legally deficient requests

6.3 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the acquiring entity. We will notify affected users in advance and ensure that the acquiring entity is bound by obligations no less protective than this Policy.

6.4 With Your Consent

We may share information in other circumstances with your prior, explicit, and informed consent.

🔐

7. Zero-Knowledge Services

Certain Cephlon Services are designed with zero-knowledge architecture. This means:

• Cephlon cannot read your content. Files, documents, photos, and communications stored or transmitted through zero-knowledge Services are encrypted on your device before reaching Cephlon infrastructure. We store ciphertext only.
• Cephlon holds no decryption keys. Your encryption keys are derived from your credentials and remain under your control at all times.
• Loss of credentials = loss of access. If you lose your master password or encryption key for a zero-knowledge Service, Cephlon cannot recover your data. This is by design. We recommend maintaining secure backups of your credentials.
• Legal compulsion is technically limited. Even if compelled by a court order, Cephlon cannot produce decrypted content from zero-knowledge Services because we do not possess the means to decrypt it.

⚖️

8. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data. We will respond to all verified requests within 30 days.

8.1 Rights Available to All Users (PIPEDA)

• Access: Request a copy of all personal data we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Withdrawal of consent: Withdraw consent for non-essential processing (note: withdrawal may affect your ability to use certain Services)
• Challenge compliance: Challenge our compliance with this Policy or applicable law

8.2 Additional Rights for EU/EEA Residents (GDPR)

• Erasure ("Right to be Forgotten"): Request permanent deletion of your personal data, subject to legal retention obligations
• Portability: Receive your data in a structured, machine-readable format
• Objection: Object to processing based on legitimate interests
• Restriction: Request that we limit processing in certain circumstances
• Supervisory authority complaint: Lodge a complaint with your local data protection authority

8.3 Rights for Indian Residents (DPDP Act)

• Access: Obtain a summary of personal data being processed and the processing activities undertaken
• Correction and erasure: Request correction of inaccurate data and erasure of data no longer necessary for the stated purpose
• Grievance redressal: Have your grievance redressed by our designated grievance officer within the timelines prescribed by law
• Nominate: Nominate another individual to exercise your rights on your behalf in the event of your death or incapacity
• Complaints to the Board: Lodge a complaint with the Data Protection Board of India if your grievance is not resolved to your satisfaction

To exercise any of these rights, contact us at [email protected]. We will verify your identity before processing any request. We do not charge fees for rights requests unless they are manifestly unfounded or excessive.

🍪

9. Cookies & Tracking

9.1 Our Cookie Philosophy

We use cookies with restraint. Our website and Services use only cookies that are technically necessary for authentication and security. We do not use advertising cookies, tracking pixels, or third-party analytics that identify individual users.

9.2 Cookies We Use

• Session cookies (essential): Temporary cookies that maintain your login session. Deleted when you close your browser. Required for the Services to function.
• Security cookies (essential): Used to detect and prevent cross-site request forgery (CSRF) and other security threats. Required for account security.
• Preference cookies (functional): Store your display preferences (e.g., language, notification settings). Can be disabled without affecting core functionality.

9.3 Analytics

Our website uses Cloudflare Web Analytics. This system is cookieless, does not track individual users, does not use fingerprinting, and does not transmit personal data to third parties. It provides us with aggregate statistics (page views, traffic sources) only. No personal data is involved.

9.4 Your Choices

You may control cookie preferences through your browser settings. Disabling essential (session and security) cookies will prevent you from logging in to your account. Preference and non-essential cookies can be disabled without affecting your ability to access the Services.

Under PIPEDA, we use implied consent for essential cookies. For any non-essential cookies we may introduce in the future, we will seek your explicit prior consent.

🌐

10. Data Sovereignty Statement

10.1 Our Commitment

Cephlon's infrastructure is operated in Canada and India. All personal data and user content is stored and processed on Cephlon-controlled or Cephlon-contracted infrastructure in these jurisdictions. We have deliberately structured our services to avoid routing user data through jurisdictions with expansive government surveillance powers.

10.2 Canadian Jurisdiction

As a Canadian federal corporation, Cephlon is subject to Canadian privacy law (PIPEDA) and Canadian court orders. Canada has been granted EU adequacy status under GDPR, meaning Canadian privacy standards are recognised as equivalent to European standards. We are not subject to the United States CLOUD Act, UK Investigatory Powers Act, or equivalent laws of other jurisdictions — absent specific treaty obligations that apply directly to us.

10.3 India Operations

Our India entity (Cephlon IT Solutions Pvt. Ltd.) operates as a data processor under contractual obligations with Cephlon Inc. Personal data of users is not stored on India-based infrastructure except as necessary for the provision of services to Indian users, and only under the same security and confidentiality obligations as all other Cephlon infrastructure. We are preparing for full compliance with India's DPDP Act by the May 2027 enforcement deadline.

10.4 Limits of Our Commitment

We cannot guarantee immunity from all government requests globally. If a court of competent jurisdiction in Canada or India issues a lawful and technically executable order, we will comply with that order in the minimum scope required. We will notify affected users to the extent the law permits. For zero-knowledge Services, our technical architecture limits what we can produce even in response to such orders — see Section 7.

✈️

11. International Data Transfers

Cephlon serves users in Canada, India, the United States, and internationally. Personal data may be transferred between our Canada and India entities in order to provide the Services.

• Canada → India transfers: Governed by a Data Processing Agreement between Cephlon Inc. and Cephlon IT Solutions Pvt. Ltd., imposing PIPEDA-equivalent protections.
• EU/EEA users: Canada holds EU adequacy status under GDPR Article 45. Transfers to Canada are therefore lawful without additional safeguards. For any transfers to India, we rely on standard contractual obligations and the DPDP Act framework.
• India → other countries: As of March 2026, India's DPDP Act operates on a negative-list basis for cross-border transfers. No countries have been designated as restricted by the Indian government. We will update this section if restrictions are imposed.
• US users: Cephlon is not incorporated in the United States and is not subject to the CLOUD Act or FISA Section 702 as a direct target. US personal data is processed under the same standards as all other users.

👶

12. Children's Privacy

Our Services are not directed to, and we do not knowingly collect personal information from, individuals under the age of 16 (or such higher age as required by applicable law in your jurisdiction).

Under India's DPDP Act, we will obtain verifiable parental or guardian consent before processing any personal data of a child (defined as a person under 18 in India). We implement age verification mechanisms reasonably designed to prevent collection of personal data from children without appropriate consent.

If you believe we have inadvertently collected personal information from a child without proper consent, please contact us immediately at [email protected]. We will promptly delete such information.

🚨

13. Data Breach Notification

In the event of a personal data breach that creates a real risk of significant harm to affected individuals, Cephlon will:

• Notify the Office of the Privacy Commissioner of Canada as required by PIPEDA as expeditiously as possible
• Notify affected individuals directly, with sufficient information to allow them to take protective action
• Report to the Data Protection Board of India within 72 hours where Indian users are affected, as required by the DPDP Act
• Notify EU supervisory authorities within 72 hours where EU/EEA residents are affected, as required by GDPR Article 33
• Maintain a breach record for a minimum of 24 months

Notifications will describe the nature of the breach, the categories of personal data involved, likely consequences, and measures taken or proposed to address the breach.

📝

14. Policy Changes

We may update this Privacy Policy periodically to reflect changes in our Services, legal obligations, or privacy practices. We will notify you of material changes by:

• Sending an email to your registered address at least 14 days before the change takes effect
• Displaying a prominent notice on our website and in the product interface
• Updating the "Last Updated" date at the top of this Policy

For non-material changes (e.g., corrections of typographical errors, clarifications that do not affect your rights), we will update the Policy without individual notice. Continued use of the Services after the effective date of any updated Policy constitutes your acceptance of the updated terms.

📬

15. Contact Us

For any privacy-related questions, requests, or complaints:

If you are located in the European Economic Area and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.

If you are located in India and are not satisfied with our response, you may lodge a complaint with the Data Protection Board of India once the Board's complaint portal is operational (expected 2026–2027).