0) Overview

About this Policy. This Privacy Policy explains how DashScene collects, uses, discloses, and safeguards Personal Information in Canada. It applies to individuals who visit our websites, use the DashScene platform (DashScene Manager, DashServer, Dash Instances, and related QR-code redirection and analytics services), interact with our support team, scan a DashScene-generated QR code, or otherwise engage with our Services. This Policy works together with our Terms of Service (ToS), Acceptable Use Policy (AUP), and, for Business Customers (as defined in the ToS), our Data Processing Addendum (DPA). If there is any conflict, the DPA controls for processing we perform on Customer Personal Information in accordance with a Business Customer’s Documented Instructions within the Services; otherwise, the ToS controls. This preface is for clarity only and does not create additional obligations beyond the ToS and this Policy.

Nothing in this Privacy Policy or the Terms is intended to limit your rights or our obligations under PIPEDA, CASL, or other applicable privacy and data-protection laws. If there is a conflict between this Policy (or the Terms) and those laws, the laws govern for purposes of privacy and data protection.

1) Introduction

1.1 What this Policy Covers.

This Policy describes our practices for handling Personal Information across our websites (including the marketing site), the DashScene platform (DashScene Manager, DashServer, and Dash Instances), and related services and support (collectively, the “Services”).

1.2 Who We Are; Roles Under Canadian Law.

For most activities described here (e.g., websites, platform telemetry, billing, security, and support), DashScene acts as a PIPEDA “organization.” For Business Customers, when we process Customer Personal Information in accordance with their Documented Instructions within the Services, we act as a service provider/processor, and our DPA governs that processing.

DashScene is responsible for Personal Information under its control and has designated a Privacy Officer to oversee our compliance with this Policy and applicable privacy laws (see §18 Contact Us).

1.3 When This Policy Applies (Scope).

This Policy applies when you visit our websites, create or manage an account, configure and use the Services, interact with support, or scan a DashScene-generated QR code. It does not apply to third-party websites or QR Destinations controlled by our Customers or their providers; those parties’ privacy policies govern their handling of Personal Information.

As of the Effective Date, DashScene does not offer the Services to Customers whose usual place of residence or establishment is in the Province of Québec, or for deployments that are primarily directed at consumers in Québec, as described in the Terms of Service. However, individuals located in Québec may still visit our websites or scan DashScene-generated QR codes, and this Policy applies to our handling of their Personal Information as described below.

1.4 Consent.

By using the Services, you consent to our collection, use, and disclosure of Personal Information as described in this Policy, subject to your rights under PIPEDA and applicable provincial laws. Where required, we will seek express consent (e.g., certain marketing). For operational uses that are reasonable in the circumstances, we may rely on implied consent or other lawful grounds permitted under Canadian privacy laws. You may withdraw consent at any time, though this may limit our ability to provide parts of the Services.

1.5 Relationship to Our Contracts.

If you are a Business Customer, the Terms and the DPA (Schedule 2 to the Terms) set out additional contractual terms regarding our handling of Customer Personal Information (including security measures, retention, and deletion). If this Policy conflicts with the DPA regarding processing we perform on Customer Personal Information in accordance with that Business Customer’s Documented Instructions within the Services, the DPA controls; otherwise, this Policy applies alongside the Terms and AUP.

1.6 Children.

Our Services are intended for adults and are not directed to children. We do not knowingly collect Personal Information from children. If you believe a child has provided Personal Information to us, please contact privacy@dashscene.com so we can take appropriate steps.

2) Definitions

Capitalized terms used in this Privacy Policy but not defined here have the meanings given in the Terms of Service (the “Terms”).

“Personal Information”

Has the meaning given in the Terms. In general, this means information about an identifiable individual, as defined under PIPEDA and applicable provincial privacy laws (for example, name, email address, IP address, device identifiers, and similar data).

“Customer”

Has the meaning given in the Terms. In general, this means a business or individual who subscribes to or uses the Services under an account with DashScene (including any Authorized Users acting on that Customer’s behalf, as described in the Terms).

“User”

Any person who accesses or uses the Services, including Customer’s authorized users (e.g., admins) and display viewers who scan a QR code generated by a DashScene Instance.

“QR Scan”

An interaction where a viewer scans a QR code displayed by a DashScene Instance and is routed to the configured destination.

“QR Scan Metadata”

Technical and event data associated with a QR Scan (for example, timestamp, IP address, user-agent, internal asset or campaign identifier, and outcome codes).

“Customer Personal Information”

Has the meaning given in the Terms. In general, this means Personal Information relating to individuals (including Customer End Users) that a Business Customer uploads to, stores in, submits to, or otherwise processes through the Services, or configures the Services to collect, generate, or process, which DashScene then processes in accordance with that Business Customer’s Documented Instructions (i.e., in our role as a service provider/processor under the DPA).

“Service Data”

Has the meaning given in the Terms. In general, this means operational and technical data that DashScene collects and uses as a PIPEDA “organization” to operate, provide, secure, and improve the Services (for example, account registration details, subscription and billing information, telemetry and performance metrics, security and access logs, and support- or ticket-related records).

“Aggregated Data”

Has the meaning given in the Terms. In general, this means data derived from Customer Data and/or Service Data (for example, total QR scan counts, advertisement impressions, or total advertisement display time) that has been combined and/or de-identified so that it does not identify any individual or specific Customer. DashScene may use such data for analytics, service improvement, and to demonstrate or market the effectiveness of the Services, as described in this Policy.

“Subprocessor”

Has the meaning given in the Terms. In general, this means a third-party service provider engaged by DashScene to process Customer Personal Information on DashScene’s behalf in connection with the Services (for example, hosting, payment processing, or email delivery), subject to contractual safeguards as described in the Terms, the DPA, and this Policy.

“Services”

Has the meaning given in the Terms. In general, this means DashScene’s hosted services, websites, and platform components (including DashScene Manager, DashServer, and Dash Instances), together with related hosting and hardware integrations, interfaces/APIs, and support that DashScene provides to Customers.

“Dash Instance”

Has the meaning given in the Terms. In general, this means a single display endpoint or device session running DashScene software that renders real-time information and/or advertisements on a connected display.

“Customer End User”

Has the meaning given in the Terms. In general, this means an individual (other than a Customer’s own personnel) whose Personal Information is collected, observed, or otherwise processed by a Customer through its use of the Services — for example, viewers, riders, shoppers, or other members of the Customer’s audience who see or interact with the Customer’s content, advertisements, or QR Destinations.

“CASL”

Has the meaning given in the Terms. In general, this refers to Canada’s Anti-Spam Legislation, S.C. 2010, c. 23 and its associated regulations, which governs the sending of Commercial Electronic Messages (“CEMs”) in Canada.

“Commercial Electronic Message” or “CEM”

Has the meaning given in the Terms. In general, this means an electronic message that, having regard to its content or hyperlinks, has as one of its purposes encouraging participation in a commercial activity (for example, marketing emails about DashScene’s Services). “CEMs” refers to more than one Commercial Electronic Message.

“PIPEDA”

Has the meaning given in the Terms. In general, this refers to the Personal Information Protection and Electronic Documents Act (Canada), S.C. 2000, c. 5 and its associated regulations.

“QR Destination”

Has the meaning given in the Terms. In general, this means the URL, resource, or action configured by a Customer to be reached via a DashScene-generated QR Code (for example, a Customer-controlled landing page, timetable, booking page, or survey).

“OPC”

Means the Office of the Privacy Commissioner of Canada, which oversees compliance with PIPEDA and related federal privacy matters.

“Security Incident”

Has the meaning given in the Terms and, where applicable, the DPA. In general, this means a confirmed breach of security safeguards leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Information in DashScene’s possession or control. Unsuccessful attempts or incidents solely attributable to Customer’s failure to secure its accounts, credentials, networks, or Devices are excluded.

“Real Risk of Significant Harm” or “RROSH”

Has the meaning given under PIPEDA. In general, this refers to a risk of significant harm to an individual (such as reputational damage, identity theft, financial loss, or loss of employment opportunities) that is more than speculative, taking into account the sensitivity of the information and the probability of misuse.

3) What We Collect

We collect the minimum information needed to operate, secure, and improve the Services. Some data is handled by DashScene as a PIPEDA “organization” (e.g., account, billing, security logs), and some may be processed in accordance with the Customer’s Documented Instructions in our role as a service provider/processor (see the DPA).

3.1 Information You Provide

• Account & Profile. Name, email address, password (stored in hashed form), contact details, organization, and role. You may also provide preferences (e.g., communication or notification settings).
• Billing & Shipping. Company name, billing/shipping address, and tax details (e.g., HST/GST, where applicable). Card payments are entered into Helcim’s PCI-compliant system and stored there as needed for recurring billing and card-on-file payments. DashScene receives only limited billing information (for example, card type or last four digits) and does not store full card numbers or CVV codes.
• Content & Configuration. Advertisement assets (e.g., images/video/text), schedules/playlists, QR destinations, campaigns, tags, and related metadata that you upload or configure in the Services.
• Support & Communications. Messages you send to us (e.g., tickets, emails), attachments you provide, and notes related to phone interactions or surveys.

3.2 Information We Collect Automatically

• Usage & Device Telemetry (Platform/Admin Tools). Log timestamps, event types, IP address, device/OS/browser details, instance identifiers, app version, crash diagnostics, and performance metrics from DashScene Manager, DashServer, and Dash Instances. We also record authentication and security-relevant events (e.g., login attempts) to protect accounts.
• Cookies & Similar Technologies (Websites). Session and preference cookies, analytics cookies, and local storage on our public websites; see §7 (Cookies, Website Analytics & Remarketing) for details and choices.
• QR Scan Logs (Special Case). When a viewer scans a QR code generated by DashScene, we log the IP address, timestamp, user-agent, and the identifier of the QR asset solely for flood protection, abuse prevention, and analytics accuracy. Retention: IP addresses in QR scan logs are kept for seven (7) days and then deleted; aggregate counts derived from scans may be retained (see §6 Aggregated & De-Identified Analytics). We do not show individual QR scan records or IP addresses to Customers. Customers see only aggregated metrics (for example, total scan counts per advertisement or per Dash Instance over time). DashScene may further aggregate these non-identifying metrics across Customers to produce platform-level analytics that do not identify individuals or specific Customers.

3.3 Information From Third Parties

• Payments (Helcim). We receive limited payment confirmations and billing artifacts from Helcim to reconcile transactions; Helcim processes card data directly.
• Hosting/Operations (FullHost). Our production platform is hosted with FullHost in Canada.
• Marketing Website Analytics (Google Analytics). We use Google Analytics on the public marketing website (not within the authenticated platform) to understand site traffic and improve content; see §7 (Cookies, Website Analytics & Remarketing) for choices.

3.4 Accuracy

We take reasonable steps to keep Personal Information accurate, complete, and up to date for the purposes for which it is used, and we rely on Customers to help by providing current information and notifying us of any changes. Customers may request corrections as described in §13.3.

4) How We Use Personal Information (Purposes)

We use Personal Information for the purposes below, in ways that are reasonable in the circumstances and permitted by Canadian privacy laws, and consistent with this Policy, the Terms, and the DPA:

• Provide and maintain the Services.
  Create and manage accounts, authenticate users, deliver content and features to Dash Instances, process payments and manage billing, and provide customer support.
• Operate and secure the platform.
  Monitor and log usage; prevent, detect, investigate, and respond to fraud, abuse, or security threats (including the QR scan IP logs described in §3.2); and ensure the stability and integrity of the Services.
• Measure and improve the Services.
  Analyze usage and performance, troubleshoot issues, develop new features, and improve usability and reliability.
• Analytics and reporting for Customers.
  Provide Business Customers with metrics and reports about their deployments (for example, advertisement impression counts, advertisement display time, and QR scan totals), generally in aggregated or de-identified form as described in §6 and §8.4.
• Marketing our Services.
  Use Aggregated Data (as defined in §2 (Definitions) and described in §6) to demonstrate platform effectiveness and, where permitted, to inform outreach to prospective Customers, without identifying individuals or specific Customers.
• Communications.
  Send transactional notices, service and security updates, policy changes, and, where permitted, CASL-compliant marketing communications that you can opt out of as described in §5.6 and §13.6.
• Legal and compliance.
  Enforce our Terms and AUP, comply with legal and regulatory obligations, respond to lawful requests, and protect the rights, safety, and property of DashScene, our Customers, users, and the public.

We do not sell Personal Information or use it for third-party targeted advertising (see §6.5 and §8).

5) Legal Grounds & Consent (PIPEDA)

5.1 Purpose Identification.

We identify and document the purposes for which Personal Information is collected and limit use to those purposes, as described in §4 (How We Use Personal Information) and throughout this Policy.

5.2 Appropriate Consent.

We collect, use, and disclose Personal Information with appropriate consent (express or implied), or as otherwise permitted or required by law.

• Express consent is sought for activities that are not obvious or that may be more sensitive (e.g., certain marketing).
• Implied consent may apply for operational uses that are reasonable in the circumstances (e.g., account administration, security logging, service delivery, or when you voluntarily interact with our Services, such as scanning a DashScene-generated QR code).
• Consent may be obtained through account creation flows, in-product prompts, checkboxes, or through your voluntary use of features like QR codes, as well as other suitable methods.

5.3 When Consent May Not Be Required.

We may collect, use, or disclose Personal Information without consent where allowed by law (e.g., to investigate a breach of an agreement or law; to detect/prevent fraud; to comply with subpoenas, court orders, or lawful requests; for emergencies that threaten life, health, or security; or for debt collection). We may use aggregated/de-identified data for analytics and service improvement.

5.4 Customer-Directed Processing (DPA).

For Business Customers, when we process Customer Personal Information in accordance with the Customer’s Documented Instructions within the Services, the Customer is responsible for ensuring it has all notices and consents required by law (including for QR destinations the Customer controls). DashScene acts as a service provider/processor under the DPA and relies on the Customer’s instructions.

5.5 Withdrawing Consent.

You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. To withdraw consent or change preferences, use the unsubscribe mechanism in messages, adjust settings where available, or contact privacy@dashscene.com. Withdrawing consent generally affects non-essential uses (for example, marketing communications). We may still send you transactional or service-related communications that are reasonably necessary to operate the Services or meet legal obligations (for example, notices about failed payments, outstanding invoices, security alerts, or material changes to this Policy or the Terms). We may retain minimal records as required to meet legal, tax, audit, or security obligations.

5.6 Marketing & CASL.

Where consent is required under CASL, we obtain it before sending CEMs. You can withdraw consent at any time via the unsubscribe link in the message or by contacting privacy@dashscene.com. We may continue to send transactional or service-related communications necessary for the Services.

5.7 Cookies & Preferences.

For choices related to cookies and website analytics (e.g., Google Analytics on the marketing site only), see §7 (Cookies, Website Analytics & Remarketing) for information on managing preferences.

5.8 New or Additional Purposes.

If we intend to use Personal Information for a materially different purpose than those identified at collection, we will update our notices to describe the new purpose and will determine whether additional consent is required under applicable privacy laws. Where new consent is required, we will seek it before using Personal Information for that new purpose.

6) Aggregated & De-Identified Analytics

6.1 Purpose and Nature of Aggregation.

We may transform operational and usage data (including display metrics, telemetry, and QR scan counts) into aggregated or de-identified statistics that cannot reasonably be used to identify an individual or a specific Customer (for example, overall counts and trends across DashScene Instances rather than per-person records).

6.2 How We Use Aggregated Data.

DashScene may use these aggregated or de-identified metrics to:

1. operate, maintain, and improve the Services;
2. create usage reports or non-identifying insights for Customers and prospective Customers; and
3. market the platform by demonstrating overall performance and effectiveness.

6.3 Safeguards and Exclusions.

We apply reasonable technical and organizational measures to prevent re-identification. QR scan IP addresses are never included in aggregated analytics; they are retained only for seven (7) days for security/accuracy (flood/abuse protection) and then deleted as described in §3.2 (Information We Collect Automatically).

6.4 Ownership of Source Data vs. Derived Analytics.

Customers retain ownership of their underlying business and advertising data. DashScene owns the resulting aggregated or de-identified analytics derived from Service operation, provided such analytics contain no Personal Information and do not identify any Customer.

6.5 No Sale or Third-Party Targeted Advertising.

DashScene does not sell Personal Information or aggregated analytics and does not use Personal Information for third-party targeted advertising.

7) Cookies, Website Analytics & Remarketing

7.1 Where Cookies Are Used.

• Marketing website. We use cookies and similar technologies for essential operations, analytics (e.g., Google Analytics), and optional remarketing (showing DashScene ads after you visit our site).
• Authenticated platform (DashScene Manager). We use essential and security cookies only (e.g., session authentication, fraud prevention). We do not use third-party advertising cookies in the platform.

7.2 Types of Cookies/Technologies.

• Essential / Functional. Required for core site functionality and security (e.g., sign-in, session continuity, CSRF protection).
• Analytics (Marketing website only). Help us understand visits and improve content (e.g., page views, referrers, device/OS/browser patterns).
• Advertising/Remarketing (Marketing website only). May enable us to show you DashScene ads on third-party sites based on your visit to our site.

7.3 Your Choices & Controls.

• Browser Controls. Use your browser settings to block, clear, or limit cookies. If you disable certain cookies, some features may not work.
• Consent/Preferences. Where required, we obtain consent for non-essential cookies. If a cookie banner or preferences tool is available, use it to manage or withdraw consent at any time.
• Analytics Opt-Outs. You can use browser add-ons and built-in controls to limit analytics collection (e.g., tools offered by your browser or by analytics providers).
• Ads/Remarketing Choices. You can adjust ad personalization in your browser and device settings and through industry opt-out mechanisms (e.g., “AdChoices” programs).
• Marketing Emails. You can unsubscribe from Commercial Electronic Messages at any time using the link in the message; we may still send transactional or service-related messages necessary to provide the Services.

7.4 Third-Party Websites & QR Destinations.

Our cookies and this Policy apply to DashScene-controlled sites. Third-party websites and QR destinations configured by Customers have their own cookies and privacy practices; please review those sites’ policies.

7.5 Retention.

• Session cookies expire when you close your browser.
• Persistent cookies remain until they expire under their set lifespan or you delete them via your browser.

We may update cookie lifespans as services evolve.

7.6 Signals & Regional Requirements.

We honor consent requirements applicable in Canada and any legally recognized browser signals where required by law. Otherwise, please use the cookie preferences tool (if provided) or your browser settings to manage choices.

7.7 Updates.

We may update our cookie usage and providers from time to time. Material changes to non-essential cookie practices will follow the notice process described in §17 of the ToS and §17 of this Policy (Changes).

8) Sharing & Disclosure

DashScene does not sell Personal Information and does not share it with third parties so they can use it for their own targeted advertising or to deliver targeted ads for other companies. We may use service providers to help us measure or deliver our own marketing for DashScene, as described in this Policy, but we do not grant them the right to use your Personal Information for their own independent advertising purposes.

8.1 Service Providers (Processors).

We share Personal Information with trusted service providers who help us operate the Services, subject to contractual confidentiality and security obligations:

• FullHost (Canada) — hosting and infrastructure for the platform.
• Helcim — payment processing; Helcim processes card data directly (DashScene does not store full card numbers or CVV).
• Google Analytics — marketing website only (not within the authenticated platform).

As between DashScene and our Customers, we remain responsible for managing these processors, and we require them to protect Personal Information in a manner that is no less protective than this Policy and our DPA, subject to the exclusions and limitations of liability set out in the Terms. Material changes to subprocessors are notified as described in the ToS/DPA.

8.2 Customer-Directed Disclosures.

When a Customer configures QR destinations or connects third-party services, Personal Information may flow directly to those parties. Those destinations are controlled by the Customer (or its provider) and governed by their privacy policies, not this Policy.

8.3 Affiliates & Professional Advisors.

We may share Personal Information with DashScene affiliates (if any) and professional advisors (e.g., lawyers, auditors, accountants) who are bound by confidentiality and use the information only to provide contracted services to us.

8.4 Analytics; Aggregated/De-Identified Data.

We may disclose aggregated or de-identified metrics (e.g., total QR scans, ad impressions, total ad display time) to demonstrate platform effectiveness or improve the Services. These disclosures do not identify any individual or Customer.

8.5 Compliance, Safety & Legal Requests.

We may disclose Personal Information where necessary to:

1. comply with laws or lawful requests (e.g., subpoenas, court orders);
2. protect the rights, property, or safety of DashScene, our Customers, users, or the public; or
3. detect, prevent, or investigate fraud, security, or technical issues.

For copyright matters, DashScene follows Canada’s Notice-and-Notice regime and may forward conforming notices to the responsible Customer.

8.6 Business Transfers.

If DashScene is involved in a merger, acquisition, financing, reorganization, or sale of assets, Personal Information may be transferred to a successor or acquirer, subject to protections consistent with this Policy. We will provide notice where practicable.

8.7 With Your Direction or Consent.

We may share Personal Information with third parties when you request or consent to such sharing (e.g., optional integrations or referrals).

8.8 QR Scan Logs (Limited Disclosure).

We do not share raw QR-scan IP logs with third-party advertisers. QR-scan IP addresses are retained for seven (7) days for abuse/flood protection and analytics integrity (see §3.2) and may be shared only with our security service providers acting on our behalf or as required by law. Any external reporting uses aggregated/de-identified data.

9) Data Location & International Transfers

9.1 Primary Hosting (Canada).

Production systems for the DashScene platform (DashScene Manager, DashServer, and Dash Instances) are hosted in Canada.

9.2 Limited Cross-Border Processing (Ancillary Services).

Certain ancillary processing for the marketing website or communications/support tools may occur outside Canada by trusted service providers (e.g., email delivery tools, website analytics such as Google Analytics on the marketing site only, and payment processing via Helcim). See §8 (Sharing & Disclosure) for how we engage service providers.

9.3 Safeguards for Transfers.

When Personal Information is accessed or processed outside Canada, we use appropriate safeguards (contractual, technical, and organizational) designed to protect it, including confidentiality obligations, access controls, data minimization, and vendor due-diligence. Personal Information processed in another country may be subject to lawful access requests by authorities in that jurisdiction.

9.4 Subprocessors & Notice.

We use trusted service providers to help operate the Services (for example, hosting, payments, and email). We require them to protect Personal Information in a manner that is no less protective than this Policy and our DPA, and we manage our relationships with them as described in the Terms and DPA. As between DashScene and our Customers, we remain responsible for managing our service providers, subject to the exclusions and limitations of liability set out in the Terms. Material changes to subprocessors are notified as described in the ToS/DPA, and the current list is available on request.

9.5 Customer-Controlled QR Destinations.

QR destinations configured by Customers (and any subsequent redirects) may be hosted outside Canada and are governed by those parties’ privacy policies, not this Policy (see §3.3 and §8.2).

9.6 Requests About Location.

If you have questions about where your data is processed or wish to request more information about transfer safeguards, contact privacy@dashscene.com.

10) Security

10.1 Safeguards Appropriate to Sensitivity.

We implement administrative, technical, and physical safeguards appropriate to the sensitivity of the Personal Information we handle, consistent with PIPEDA. These safeguards are designed to protect against loss, theft, misuse, unauthorized access, disclosure, alteration, and destruction.

10.2 Technical Measures.

Controls include, as applicable to the Service component: encryption in transit (TLS), access controls and least-privilege permissions, network segmentation, key/secret management, secure software development practices, vulnerability scanning, and patch management.

10.3 Administrative & Physical Measures.

We apply employee confidentiality obligations, role-based access, need-to-know restrictions, workforce security training, and vendor due-diligence. Hosting facilities (e.g., data centers) employ physical security controls administered by our service providers.

10.4 Logging & Monitoring.

Platform and security-relevant events (e.g., authentication attempts, configuration changes, service errors) are logged and monitored to help detect abuse, fraud, and performance issues. See §3.2 for telemetry details and QR scan log handling.

10.5 Incident Response & Breach Notification.

We maintain an incident-response process to investigate, mitigate, and remediate security events. If we experience a Security Incident affecting Customer Personal Information in our possession or control, we will notify affected Customer(s) without undue delay and as soon as feasible after a Security Incident, consistent with applicable law. Where required by law, we will notify individuals and/or regulators. (Business Customers: additional commitments appear in the Data Processing Addendum.)

10.6 Your Responsibilities.

You are responsible for maintaining the security of your accounts and credentials, implementing appropriate access controls for your users, and securing QR destinations or third-party integrations you control. Promptly notify us of any suspected unauthorized access or credential compromise.

10.7 No Absolute Security.

No method of transmission over the Internet or method of electronic storage is 100% secure. We continuously improve our controls to address evolving risks, but we cannot guarantee absolute security.

11) Breach Notification

11.1 Definition & Threshold.

A “breach of security safeguards” has the meaning under PIPEDA (unauthorized access to, or loss, use, disclosure, or disposal of, Personal Information). Where a breach presents a Real Risk of Significant Harm to an individual, as defined in §2 (Definitions), notification obligations apply.

11.2 Notice to Individuals & Regulators (PIPEDA).

If we confirm a breach of security safeguards involving Personal Information in our possession or control that presents a Real Risk of Significant Harm, we will notify affected individuals and report to the Office of the Privacy Commissioner of Canada (OPC) and/or applicable provincial regulators as soon as feasible, in accordance with PIPEDA.

11.3 Business Customers (Controller/Organization Role).

For incidents affecting Customer Personal Information that we process in accordance with the Customer’s Documented Instructions (i.e., in our service-provider/processor role under the DPA), DashScene will notify the Customer’s designated contact without undue delay and as soon as feasible after a Security Incident. Unless otherwise required by law or agreed in the DPA, the Customer (organization) is responsible for notifying individuals and/or regulators, and DashScene will cooperate reasonably with the Customer’s investigation and required notices.

11.4 Content & Method of Notices.

Notices will include details available at the time (e.g., a summary of what happened, date(s), categories of information affected, steps taken or planned to address the breach, and recommended measures individuals can take), and contact information for follow-up. We may deliver notices via email, in-product messages, website posting, or other reasonable means, consistent with applicable law.

11.5 Law-Enforcement Delay.

If a law-enforcement or regulatory authority determines that notice would impede an investigation, DashScene may delay notification for the period requested or permitted by law.

11.6 Records of Breaches.

DashScene will maintain a record of all breaches of security safeguards as required by PIPEDA (for at least 24 months) and provide the record to the OPC upon request.

11.7 Exclusions & Customer-Controlled Incidents.

For clarity, “breach” does not include unsuccessful attempts or activities that do not compromise data (e.g., pings, port scans, credential-stuffing without account takeover). Incidents solely attributable to Customer’s failure to secure accounts, credentials, QR destinations, networks, or Devices are the Customer’s responsibility; DashScene will reasonably cooperate where feasible. See also ToS §8 (Data & Privacy) and Schedule 2 (Data Processing Addendum).

12) Retention

12.1 Principle of Limiting Retention.

We retain Personal Information only for as long as necessary to fulfill the purposes described in this Policy or as required by law (e.g., tax, audit, regulatory, or security obligations). Retention periods are determined by the type of data, the sensitivity, and the operational/legal purpose.

12.2 Specific Practices.

• QR Scan IP Addresses. Retained for seven (7) days solely for flood/abuse prevention and analytics accuracy, then deleted. Aggregate counts derived from scans may be retained (see §6 Aggregated & De-Identified Analytics).
• Account, Subscription & Billing Records. Retained for the subscription term and for a reasonable period thereafter to meet legal and operational requirements (e.g., tax/audit, dispute resolution, fraud prevention).
• Operational Logs & Telemetry. Retained for limited periods to support security, troubleshooting, and service quality, consistent with the principle of limiting retention.
• Support Tickets & Communications. Retained for a period necessary to resolve issues and maintain service records, then archived or deleted per our schedules.

12.3 Backups.

System backups are retained and purged on rolling schedules. Deleted items may persist in encrypted backups until those backups cycle out in the ordinary course.

12.4 Deletion & De-Identification.

When Personal Information is no longer required, we delete it or de-identify it using reasonable technical measures. De-identified or aggregated data that does not identify an individual or specific Customer may be retained for analytics and service improvement (see §6).

12.5 Contractual & Legal Holds.

If a legal obligation, dispute, or investigation requires us to preserve data, we may retain relevant information beyond normal schedules and will delete it when the hold ends.

12.6 Business Customers (DPA).

For Customer Personal Information we process in accordance with the Customer’s Documented Instructions, retention and deletion follow the DPA and the ToS (including post-termination export and deletion commitments). Upon request, we will support Customer’s deletion or export in accordance with those terms.

13) Your Rights & Choices

13.1 Scope.

Subject to exceptions under PIPEDA and applicable provincial laws, you have the rights described below.

13.2 Access.

Request confirmation that we hold Personal Information about you and obtain access to it, along with information about how it has been used or disclosed.

13.3 Correction (Rectification).

Request that we correct or update inaccurate or incomplete Personal Information.

13.4 Withdraw Consent.

Withdraw consent to non-essential uses or disclosures (e.g., marketing), subject to legal/contractual restrictions and reasonable notice. Withdrawing consent may limit our ability to provide some Services or features.

13.5 Deletion / Account Closure.

Request deletion of Personal Information in our custody/control where appropriate (for example, where it is no longer needed for the identified purposes or to meet legal obligations). We will explain any legal or operational limits (e.g., required retention, backups, or dispute holds).

13.6 Marketing Preferences (CASL).

Opt out of Commercial Electronic Messages at any time via the unsubscribe link in the message or by contacting privacy@dashscene.com. We may continue to send transactional or service-related communications necessary to operate the Services.

13.7 Cookies & Analytics Choices.

Manage non-essential cookies and analytics choices as described in §7 (Cookies, Website Analytics & Remarketing) and via your browser/device settings.

13.8 How to Exercise Your Rights.

Submit requests to privacy@dashscene.com. We may ask you to verify your identity and to specify the information at issue. We respond within timelines required by law (typically 30 days), and may extend once where permitted due to complexity or volume; if extended, we will notify you with reasons.

13.9 Fees.

We generally provide access free of charge. Where permitted by law, we may charge a reasonable fee (e.g., for copies or extensive retrieval) and will provide an estimate in advance.

13.10 Limits & Exceptions.

We may decline a request where an exception applies (e.g., solicitor-client privilege, confidential commercial information, information about other individuals that cannot reasonably be severed, safety/security concerns, or information collected in the course of an investigation). If we deny your request, we will provide the reasons, subject to legal constraints.

13.11 Requests Involving Customer Personal Information (Business Customers).

When Personal Information is processed in accordance with a Customer’s Documented Instructions within the Services (our service-provider/processor role), we may refer your request to that Customer (the “organization” under PIPEDA), because they control how your information is used in their deployment. In those cases, we may provide the Customer with reasonable assistance in handling your request to the extent described in, and subject to the limits of, our DPA (see DPA §7) (for example, by making relevant logs or configuration information available). We are not responsible for the Customer’s own decisions about how to respond to your request.

13.12 Complaints.

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada (OPC) or your provincial privacy regulator. You can also raise concerns with us directly at privacy@dashscene.com.

14) Children

14.1 Not Directed to Children.

The Services are intended for adults and are not directed to individuals under 18 (or the age of majority in their province/territory, if higher). We do not knowingly collect Personal Information from children.

14.2 Accounts & Submissions.

We do not knowingly permit children to create accounts or submit Personal Information to DashScene. If you are a parent or guardian and believe a child has provided Personal Information to us, please contact privacy@dashscene.com and we will take appropriate steps to delete it.

14.3 QR Scans by Minors.

DashScene’s displays are non-interactive. When any viewer scans a DashScene-generated QR code, we log limited QR scan metadata (e.g., IP address, timestamp, user-agent, asset ID) for abuse prevention and analytics integrity, and we delete IP addresses after seven (7) days (see §3.2). We do not attempt to identify viewers or determine their age.

14.4 Customer-Controlled Destinations.

QR destinations configured by Customers are governed by those parties’ own privacy policies and compliance obligations (including any notices/consents required when children may be present). Customers are responsible for ensuring their destinations comply with applicable laws.

15) Third-Party Links & QR Destinations

15.1 Customer-Controlled Destinations.

DashScene-generated QR codes and certain links in the Services may lead to third-party destinations that are controlled by Customers or their service providers. Those destinations have their own privacy practices and terms. This Policy does not apply to those sites; their privacy policies govern.

15.2 What We Collect at Scan/Click Time.

When a viewer scans a DashScene QR code or follows a link we generate, DashScene may record limited event metadata (e.g., timestamp, IP address, user-agent, and an internal asset/campaign identifier) for flood/abuse protection and analytics integrity (see §3.2). We do not control what the destination site collects once the viewer leaves our Services.

15.3 Third-Party Cookies, Analytics & Ads.

Third-party destinations may use their own cookies, pixels, scripts, analytics, or advertising technologies. DashScene does not control these technologies and is not responsible for their operation or compliance.

15.4 No Endorsement; Safety Measures.

Links or QR codes routed through the Services do not imply endorsement by DashScene. We may block, disable, or warn about destinations we reasonably believe are unsafe, unlawful, or misleading, but we are not obligated to do so and cannot guarantee third-party content or availability.

15.5 Customer Responsibilities (Business Customers).

Where a Customer configures a QR destination or third-party integration, the Customer is responsible for ensuring it has all required notices/consents, that the destination complies with applicable laws (including PIPEDA and CASL), and that it aligns with our ToS/AUP. See also §8.2 (Customer-Directed Disclosures).

16) Business Customers & Data Processing (DPA)

16.1 Applicability & Contract Structure.

For Business Customers, our Data Processing Addendum (DPA) (if applicable to your subscription) form part of your contract and govern how DashScene processes Customer Personal Information on your behalf within the Services. Read the DPA together with the Terms of Service (ToS) and this Privacy Policy.

16.2 Roles & Instructions.

Where the DPA applies (i.e., for Business Customers in respect of Customer Personal Information processed through the Services), the Business Customer is the “organization” under PIPEDA and applicable provincial laws and determines the purposes of that processing. In those cases, DashScene acts as a service provider/processor and processes Customer Personal Information only in accordance with the Customer’s Documented Instructions and as permitted by law and the DPA. This does not affect DashScene’s role as a PIPEDA “organization” for Service Data or for individuals who use the Services for their own purposes (see §1.2 and §2 (Definitions)).

16.3 Subprocessors.

DashScene may engage Subprocessors to support the Services under written contracts that impose protections no less protective than the DPA. We maintain an up-to-date list of our current platform Subprocessors on a DashScene-designated Subprocessor List, which is incorporated by reference into the Terms and DPA and is available on request. DashScene will provide advance notice of material additions or replacements of platform Subprocessors by updating the Subprocessor List and/or notifying Customer administrators as described in the ToS/DPA.

Certain third-party tools used solely for the public marketing website (for example, web analytics services) are described elsewhere in this Privacy Policy. Because they process Service Data about visitors to our marketing site and do not process Customer Personal Information on behalf of Business Customers, they are not treated as platform Subprocessors for purposes of the DPA.

16.4 Security & Breach Notice.

DashScene implements administrative, technical, and physical safeguards appropriate to the sensitivity of the data (see §10 Security). If we confirm a breach of security safeguards affecting Customer Personal Information, DashScene will notify the Customer without undue delay and, where feasible, within seventy-two (72) hours after confirmation, and will cooperate with the Customer’s investigation and required notices (see §11 Breach Notification and the DPA).

16.5 Data Subject Requests.

Where DashScene receives privacy requests about Customer Personal Information processed on the Customer’s instructions, DashScene may refer the request to the Customer (the “organization” under PIPEDA) and will provide reasonable assistance in accordance with the DPA (see §13 Your Rights & Choices).

16.6 Return/Deletion at Termination.

At service termination or upon Customer request, DashScene will enable self-service export (e.g., CSV) of Customer Personal Information and then delete it from active systems within a reasonable period, subject to legal retention requirements and routine backup cycles (see §12 Retention and the DPA).

16.7 Priority in Case of Conflict.

If this Privacy Policy conflicts with the DPA regarding DashScene’s processing of Customer Personal Information on the Customer’s behalf, the DPA controls for that processing. Otherwise, this Privacy Policy applies alongside the ToS and AUP.

16.8 Consumer/Non-Business Accounts.

If you use the Services in your own personal, family, or household capacity (and not on behalf of a Business Customer), the DPA does not apply to that use. In this context, DashScene acts as an “organization” under PIPEDA for your Personal Information, and this Privacy Policy (together with the Terms) describes how we handle it.

For Business Customers, DashScene may act both

1. as an “organization” for its own Service Data (see §1.2 and §2 (Definitions)) and
2. as a service provider/processor for Customer Personal Information under the DPA, as described in §16.2–§16.7.

17) Changes to this Policy

DashScene may update this Privacy Policy from time to time to reflect changes to the Services, our data-handling practices, or applicable legal requirements. The updated Policy will include a revised “Last Updated” date at the top of the document.

• Minor changes (e.g., clarifications, formatting, or non-substantive updates) take effect upon posting.
• Material changes (those that materially affect how we handle Personal Information or your privacy rights) will be accompanied by reasonable advance notice, such as by email or in-product notification, unless a shorter notice period is required to comply with law or respond to security or operational exigencies.

If a material update materially and adversely affects your legitimate interests, you may notify DashScene and we will work in good faith to address the concern. For Business Customers, any additional rights or remedies (e.g., termination or refund options) are governed by ToS §17 (Modifications to Terms).

Your continued use of the Services after the effective date of the updated Policy constitutes your acceptance of the changes. Updates do not apply retroactively to events or disputes that pre-date the effective date unless required by law.

18) Contact Us

Privacy Officer — DashScene Systems Incorporated

• Email: privacy@dashscene.com
• Mailing Address:
  DashScene Systems Incorporated
  10-1338 Wellington Street West
  c/o Wellington Cowork
  Ottawa, ON K1Y 3B7
  Canada

If you have unresolved concerns, you may contact the Office of the Privacy Commissioner of Canada (OPC) or your applicable provincial privacy regulator.

Office of the Privacy Commissioner of Canada (OPC)

• Website: https://www.priv.gc.ca/
• Phone: 1-800-282-1376
• Mail: 30 Victoria Street, Gatineau, Quebec K1A 1H3

This summary is for convenience only. It does not replace the full Privacy Policy. If there is any conflict or ambiguity, the Privacy Policy controls. This appendix does not create contractual rights, does not modify the DPA, and is not a notice of collection for third-party QR destinations.

• QR scans (what we log).
  IP address, timestamp, user-agent, and an internal asset/campaign ID are logged solely for flood/abuse protection and analytics integrity. Retention: IP addresses are kept 7 days and then deleted; aggregate counts may be retained. See §3.2 and §6.
• Aggregated / de-identified analytics.
  We may use non-identifying metrics (e.g., total QR scans, total ad impressions, total ad display time) to operate, improve, and market the platform. These analytics do not identify individuals or Customers. See §6.
• No sale of Personal Information.
  We do not sell Personal Information or share it for third-party targeted advertising. See §4 and §8.
• Data location.
  Production platform hosted in Canada; limited ancillary processing for the marketing website/communications may occur outside Canada with safeguards. See §9.
• Security & incidents.
  We use administrative, technical, and physical safeguards appropriate to data sensitivity. If we confirm a breach presenting a real risk of significant harm, we notify individuals/regulators as soon as feasible (PIPEDA). For Business Customers, we notify the designated contact without undue delay and, where feasible, within 72 hours of confirmation. See §10–§11.
• Your choices & rights.
  Access, correction, withdrawal of consent (subject to limits), cookie/analytics controls (marketing website), and CASL unsubscribe for marketing messages. See §7 and §13.
• Contact.
  Privacy Officer: privacy@dashscene.com. See §18.