Legal
Privacy Policy
Last updated: 24 June 2026
This policy explains what personal data Azon Labs collects when you visit our website or interact with us, why we collect it, how we use and protect it, who we share it with, how long we keep it, and what rights you have over it. We have written it in plain English. If anything is unclear, or if you have a question not covered here, please email us at privacy@azonlabs.com and we will be happy to explain.
1. Who we are
Azon Labs Limited ("Azon Labs", "we", "us", "our") is a company incorporated under the laws of Ontario, Canada. We design and build agentic systems for mid-market operators. Our registered address is 1300 Cornwall Road, Oakville, Ontario, L6J 7W5, Canada.
For the purposes of applicable data protection law — including the EU General Data Protection Regulation (GDPR), the UK GDPR, and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) — Azon Labs Limited is the data controller in respect of the personal data described in this policy. As data controller, we are responsible for deciding how and why personal data is processed.
For any privacy-related questions, requests, or concerns, the fastest route is privacy@azonlabs.com. Postal enquiries may be directed to the address above, marked for the attention of the Privacy Officer.
2. What data we collect
We collect two categories of personal data: information you provide to us directly, and limited technical data collected automatically when you use our website. We do not purchase or obtain personal data from third-party data brokers.
Data you provide directly
Depending on how you interact with us, you may provide some or all of the following:
Your full name
Your work or personal email address
Your company or organisation name
A short description of what you are trying to build or the challenge you are facing
Your phone number — only if you voluntarily provide it when requesting the Agentic Ops Playbook
Any additional information you choose to include in a free-text field
Data collected automatically
When you visit our website, our privacy-preserving analytics provider automatically collects certain technical information to help us understand how the site is used in aggregate. This may include:
Pages visited, scroll depth, and time spent on each page
General geographic region at city or country level, derived from a truncated IP address (we do not store your full IP address)
Device type, operating system, and browser version
Referring website, search engine, or campaign source
Anonymous session identifiers used to link events within a single visit
On-page interactions such as button clicks, link clicks, and form field focus events
This data is collected in anonymised or pseudonymised form. We do not use it to identify individual visitors and it is not combined with any data you provide directly unless you take a specific action (such as submitting a form) that allows us to associate a session with a contact record.
Data we do not collect
We do not collect, and have no legitimate need for, the following:
Sensitive personal data such as racial or ethnic origin, religious beliefs, health or medical information, biometric data, or financial account numbers
Precise geolocation data (GPS coordinates)
The contents of any private communications not directed to us
Data about minors under 16 years of age
We do not use third-party advertising trackers, social media pixels, or cross-site fingerprinting technologies. We do not sell, rent, or trade your personal data to any third party for their own purposes.
3. Cookies and tracking technologies
Our website uses cookies — small text files placed on your device — and similar browser storage technologies. We use two categories only:
Strictly necessary cookies
These cookies are essential for the website to function correctly and cannot be switched off. They do not store any information that could be used to identify you across other websites. Examples include:
Session management cookies that maintain the state of your interaction with the site (for example, remembering that you have dismissed a consent notice)
Security tokens that protect form submissions from cross-site request forgery
Load-balancing cookies that route your requests consistently to the same server during a session
Analytics cookies
These cookies allow us to count visits and understand how visitors move around the website so that we can measure and improve its performance. All data collected via these cookies is anonymised before storage. We use it only to:
Aggregate page-view and session counts to understand which content is most useful
Click-map data to understand where visitors focus their attention
Funnel analysis to identify where users drop off during key flows (for example, the partnership application)
Referring-source analysis so we can understand how visitors find us
We do not use advertising cookies, social-media tracking pixels, retargeting cookies, or any technology designed to build a profile of your behaviour across third-party websites.
You can control or delete cookies at any time through your browser settings. Instructions for the most common browsers are available at aboutcookies.org. Disabling strictly necessary cookies may impair site functionality. Disabling analytics cookies will have no effect on your ability to use any feature of the site.
Where required by applicable law (for example, the EU ePrivacy Directive as implemented in relevant member states), we will ask for your consent before placing non-essential cookies.
4. Why we collect your data and our legal basis
We collect and process personal data only for specific, legitimate purposes and only to the extent necessary for those purposes. We do not use personal data for any purpose incompatible with the purpose for which it was originally collected without first obtaining your consent.
Purposes
Partnership applications — to read and evaluate your submission, determine whether your situation is a suitable fit for our services, and to contact you to schedule a follow-up call if it is. We do not sell leads or share application data with third parties for their own marketing purposes.
Agentic Ops Playbook requests — to authenticate and deliver the requested resource to you via email, and to record the fulfilment event so we can confirm delivery and follow up if something goes wrong. Requesting the playbook does not subscribe you to any newsletter or marketing list.
Agentic Transformation Brief subscriptions — to send you each new edition of the Brief and any directly related operator content. Every email we send includes a one-click unsubscribe link.
Website analytics — to understand in aggregate how visitors discover, navigate, and interact with our website so that we can improve its content, structure, and performance. Analytics data is collected in a privacy-preserving manner: IP addresses are anonymised before storage, and no cross-site tracking or advertising profiling takes place.
Business communications — if you contact us directly by email or through any contact mechanism on the site, we process the information you provide to respond to your enquiry and to keep a record of the conversation.
Legal basis (EU and UK residents)
Where the GDPR or UK GDPR applies, we rely on one of the following legal bases for each processing activity:
Consent (GDPR Article 6(1)(a)) — where you have given us a clear, specific, informed, and freely given consent prior to processing. This applies to Brief subscriptions, where you actively opt in to receive marketing communications from us. You may withdraw consent at any time without affecting the lawfulness of processing that took place before withdrawal.
Legitimate interests (GDPR Article 6(1)(f)) — where processing is necessary for the purposes of our legitimate interests as a B2B services business, provided those interests are not overridden by your fundamental rights and freedoms. This covers: processing partnership application and playbook-request data to operate our service, and collecting anonymised analytics data to improve our website. We have conducted a balancing test and concluded that the impact on individuals is low given the B2B context and the privacy-preserving nature of our analytics.
Contract (GDPR Article 6(1)(b)) — where processing is necessary to take steps at your request prior to entering into a contract, or to perform a contract to which you are a party. This applies where a partnership engagement is agreed.
Legal obligation (GDPR Article 6(1)(c)) — where we are required to process or retain personal data to comply with a legal requirement, such as applicable tax or corporate record-keeping laws.
If you are a resident of Canada, our processing is governed by PIPEDA, which requires us to obtain your consent for the collection, use, and disclosure of personal information except where otherwise permitted by law. We rely on express consent for newsletter subscriptions and on implied consent or legitimate business purposes for partnership applications, playbook delivery, and website analytics.
5. How we share your data
We do not sell, rent, or trade your personal data. We share it only in the limited circumstances described below.
Service providers (data processors)
We use a small number of carefully selected third-party service providers to operate our business. Each provider processes personal data only on our behalf, under a written data processing agreement, and is contractually prohibited from using your data for any purpose other than providing their service to us. Our current categories of processor include:
A customer relationship management (CRM) provider — stores contact records created from partnership applications, playbook-delivery requests, and Brief subscriptions. This provider operates under a data processing agreement and may not use your data for its own purposes.
A transactional email delivery provider — used to reliably deliver playbook fulfilment emails and Brief newsletter editions. Email delivery metadata (such as delivery and open status) is retained to enable us to confirm receipt and troubleshoot delivery failures.
A cloud infrastructure and hosting provider — hosts the website and any server-side application logic. Your data transits through this provider's infrastructure when you use the site.
A privacy-preserving website analytics provider — collects anonymised, aggregated data about how visitors interact with our website. This provider is configured to anonymise IP addresses before storage, to avoid storing personally identifiable information in event payloads, and to refrain from cross-site tracking.
Data we do not share
We never share personal data with:
Third-party advertisers or advertising networks
Data brokers or list-rental companies
Social media platforms for retargeting or profiling purposes
Any entity that would use your data for purposes other than providing a service to us
Legal and regulatory disclosure
We may disclose personal data if required to do so by applicable law, court order, binding regulatory request, or lawful demand from a public authority. Where we are legally permitted to do so, we will notify you of such a request before disclosing your data and will limit our disclosure to what is strictly required.
Business transfers
If Azon Labs is involved in a merger, acquisition, corporate restructuring, financing, or sale of all or a material portion of its business or assets, personal data may be transferred as part of that transaction. We will notify affected individuals via the email address on file, or by a prominent notice on our website, no later than 30 days before your data becomes subject to a materially different privacy policy as a result of such a transaction.
6. International data transfers
Azon Labs is based in Canada. The European Commission has issued an adequacy decision recognising Canada as providing an adequate level of personal data protection for commercial organisations subject to PIPEDA. Accordingly, transfers of personal data from the EU and UK to Azon Labs as data controller do not require additional transfer mechanisms under the GDPR or UK GDPR.
However, some of our third-party service providers operate infrastructure in countries outside Canada, the EU, or the UK — most commonly in the United States. Where we transfer personal data to such providers, we ensure the transfer is lawful and subject to appropriate safeguards. Safeguards we use may include:
Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our data processing agreements with relevant providers
Adequacy decisions issued by the European Commission (for example, transfers to Canada are covered by the existing adequacy decision for commercial organisations subject to PIPEDA)
The EU–US Data Privacy Framework (DPF) or its successor, where our providers have self-certified under that framework
Binding Corporate Rules, where applicable to a provider's corporate group
Supplementary technical measures such as end-to-end encryption, where appropriate to the risk level
We maintain an internal record of all cross-border transfers and the safeguards applied to each. You may request a copy of the relevant transfer safeguard documentation (such as the applicable Standard Contractual Clauses) by contacting us at privacy@azonlabs.com.
7. How long we keep your data
We retain personal data only for as long as necessary to fulfil the purposes described in this policy, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. The following retention schedules apply:
Partnership application data — retained for as long as it is reasonable to follow up on the conversation (typically up to 12 months from the date of the last meaningful contact), and for up to three years in total for business record-keeping. You can request earlier deletion at any time.
Agentic Ops Playbook request data — retained for as long as it is reasonable to confirm fulfilment or follow up (typically up to six months from delivery), and for up to three years for record-keeping. You can request earlier deletion at any time.
Brief subscriber data — retained while you remain an active subscriber. On unsubscription we remove your email address from active sending lists within seven business days. We may retain a suppression record (a one-way hash of your email address) indefinitely to ensure we do not inadvertently email you again.
Website analytics data — event-level (session) data is retained for a maximum of 24 months. After that period it is aggregated or deleted. Aggregate statistical reports derived from analytics data may be retained indefinitely, as they contain no personal data.
General correspondence data — emails and other direct communications are retained for up to three years from the date of the last exchange, unless a longer period is required by law or the correspondence forms part of a contractual relationship.
At the end of the applicable retention period, personal data is securely deleted or irreversibly anonymised. Where immediate deletion is not technically practicable — for example, because data is held in encrypted backup archives — we isolate the data from active processing and delete it as part of the next scheduled backup purge cycle.
If you request deletion of your personal data before the end of the applicable retention period, we will action that request within 30 days unless we are required or permitted by law to retain it for longer, in which case we will explain the specific legal basis for continued retention.
8. How we protect your data
We implement a combination of technical and organisational measures designed to protect personal data against unauthorised access, accidental loss, alteration, or disclosure. Our measures include:
Encryption in transit — all data exchanged between your browser and our website is encrypted using TLS 1.2 or higher (HTTPS). We enforce HTTPS site-wide and use HSTS headers to prevent protocol downgrade attacks.
Encryption at rest — personal data stored by our service providers is encrypted at rest using industry-standard algorithms (AES-256 or equivalent).
Access controls — access to systems and data is restricted on a need-to-know basis. Administrative accounts require strong, unique credentials and multi-factor authentication.
Data processing agreements — we execute written data processing agreements with all third-party providers that process personal data on our behalf, contractually obligating them to protect that data and to process it only as instructed.
Principle of least privilege — service accounts and integrations are granted only the minimum permissions required to perform their function. Permissions are reviewed periodically.
Vendor due diligence — we evaluate the security posture of prospective service providers before engaging them and monitor for significant changes during the relationship.
Incident response — we maintain a documented process for identifying, containing, and notifying affected parties in the event of a personal data breach, consistent with our obligations under GDPR Article 33, UK GDPR, and PIPEDA.
No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security. We encourage you to use a strong, unique password for any accounts you hold and to keep your own devices and browsers up to date.
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and, where required, will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with our obligations under GDPR Article 33 and Article 34.
9. Your rights
Depending on where you live and the applicable data protection law, you have specific rights regarding your personal data. We are committed to honouring these rights regardless of your jurisdiction. To exercise any right, please email privacy@azonlabs.com. We will acknowledge your request within five business days and provide a substantive response within 30 days. We will not charge a fee unless a request is manifestly unfounded or excessive, in which case we will explain the basis for any fee before proceeding.
To protect your privacy and security, we may need to verify your identity before actioning a request. We will only ask for information that is reasonably necessary to confirm you are the person to whom the data relates.
EU and UK residents — GDPR and UK GDPR rights
Right of access (Article 15) — obtain a copy of the personal data we hold about you, together with supplementary information about how we use it.
Right to rectification (Article 16) — ask us to correct inaccurate or incomplete personal data without undue delay.
Right to erasure / "right to be forgotten" (Article 17) — ask us to delete your personal data where it is no longer necessary for the purpose for which it was collected, you withdraw consent, you object and we have no overriding legitimate grounds, or we have processed it unlawfully.
Right to restriction of processing (Article 18) — ask us to restrict processing while a dispute about accuracy or legitimacy is resolved.
Right to data portability (Article 20) — receive personal data you have provided to us in a structured, commonly used, machine-readable format, and transmit it to another controller where technically feasible.
Right to object (Article 21) — object at any time to processing based on legitimate interests or to processing for direct marketing, including profiling related to direct marketing.
Rights related to automated decision-making (Article 22) — we do not make solely automated decisions that produce legal or similarly significant effects about you. If this changes, we will update this policy and provide appropriate safeguards.
Right to withdraw consent — withdraw consent for any processing based on consent (such as the Brief subscription) at any time via the unsubscribe link in any email or by contacting us directly.
Right to lodge a complaint — you may lodge a complaint with the supervisory authority in the EU member state where you habitually reside or work, or where the alleged infringement occurred.
If you are in the EU, you may lodge a complaint with the supervisory authority in your member state of habitual residence or the authority where the alleged infringement occurred. If you are in the UK, you may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
California residents — CCPA and CPRA rights
Right to know — the right to know what categories of personal information we have collected about you, the purposes for which we use it, the categories of third parties with whom we share it, and whether we have sold or disclosed it for a business purpose. We do not sell personal information.
Right to delete — request deletion of personal information we have collected, subject to certain exceptions (for example, information we are legally required to retain).
Right to correct — request correction of inaccurate personal information we maintain.
Right to opt-out of sale or sharing — we do not sell or share personal information for cross-context behavioural advertising, so there is nothing to opt out of. If this changes, we will add a "Do Not Sell or Share My Personal Information" link to our website.
Right to limit use of sensitive personal information — we do not collect sensitive personal information as defined under CPRA.
Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA/CPRA rights, including by denying services, charging different prices, or providing a different level of service.
To submit a verifiable consumer request under the CCPA/CPRA, email privacy@azonlabs.com with the subject line "CCPA Request". You may also designate an authorised agent to submit a request on your behalf; we may require written proof of the agent's authorisation.
Canadian residents — PIPEDA rights
Right of access — request access to the personal information we hold about you and receive an account of how it has been used and to whom it has been disclosed.
Right to correction — challenge the accuracy and completeness of your personal information and request that it be corrected, annotated, or deleted as appropriate.
Right to withdraw consent — withdraw consent for collection, use, or disclosure of your personal information, subject to legal or contractual restrictions and reasonable notice.
Right to complain — lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca if you are not satisfied with our response to your request.
Complaints to the OPC may be submitted at priv.gc.ca. We ask that you contact us first so that we have the opportunity to resolve your concern directly.
Residents of other jurisdictions may have additional or different rights under their applicable local law. We will endeavour to accommodate reasonable requests regardless of jurisdiction, in line with our commitment to responsible data stewardship.
10. Children
Our website and services are directed exclusively at businesses and business professionals. They are not intended for use by, and we do not knowingly solicit or collect personal data from, anyone under the age of 16.
If you have reason to believe that a child under 16 has submitted personal data to us without appropriate parental or guardian consent, please contact us immediately at privacy@azonlabs.com. We will investigate and, where confirmed, delete the data promptly and take steps to prevent recurrence.
11. Links to other websites
Our website may contain links to third-party websites, applications, or services that are not operated by us. These links are provided for your convenience and reference only. When you click on a third-party link, you will be directed to that third party's site and will be subject to their privacy policy and terms.
We have no control over, and assume no responsibility for, the content, privacy practices, or data-handling of any third-party site or service. The inclusion of a link on our website does not imply our endorsement of, or any association with, the linked site or service.
We encourage you to review the privacy policy of every website you visit before submitting any personal information.
12. Changes to this policy
We may update this policy from time to time to reflect changes in our data practices, the services we offer, the technology we use, applicable legal or regulatory requirements, or other factors. The "Last updated" date at the top of this page will always reflect the date of the most recent revision.
For non-material changes — such as minor clarifications of existing language or administrative updates — we will update this page without additional notice beyond the revised date.
For material changes — those that significantly affect your rights, the categories of data we collect, the purposes for which we use it, or the parties with whom we share it — we will provide at least 14 days' advance notice via a prominent notice on this page and, where you are a Brief subscriber, by email to the address you have provided. The effective date of material changes will be stated clearly.
Your continued use of our website or services after the effective date of any change constitutes your acceptance of the updated policy. If you do not agree to the updated policy, you should stop using our services and, where applicable, contact us to request deletion of your personal data.
13. Contact us
If you have any questions, concerns, or requests relating to this policy or to how we handle your personal data, please contact us:
Email: privacy@azonlabs.com
Postal address: Privacy Officer, Azon Labs Limited, 1300 Cornwall Road, Oakville, Ontario, L6J 7W5, Canada
We aim to respond to all privacy enquiries within five business days. Complex requests — such as subject access requests — will receive a substantive response within 30 calendar days. If we need more time, we will notify you of the extension and the reason for it within the initial 30-day period.
If you are in the EU or UK and are not satisfied with our response, you have the right to escalate your complaint to your local data protection supervisory authority. In the UK this is the ICO at ico.org.uk. In Canada, you may contact the Office of the Privacy Commissioner at priv.gc.ca.