Request a Consultation

Legal

Privacy Policy.

How we collect, use, and protect personal information — written for humans, governed by PIPEDA.

Effective 17 May 2026

Last updated: 17 May 2026 — added §1.4 Google Analytics disclosure; honour DNT + GPC

ThinSky Inc. ("ThinSky", "we", "us", "our") is a Canadian cybersecurity firm headquartered in Toronto with operations in Vancouver and Montreal. We respect your privacy and handle personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws.

This policy explains what personal information we collect through thinsky.com, the ThinRecon audit flow at /audit, and direct correspondence with our team — why we collect it, how we use and store it, and the rights you have over it.

1. Information we collect

We collect only what we need to respond to you and to deliver the services you have requested.

1.1 Contact form (/contact)

When you submit the contact form on our site, we collect:

  • Your name and work email address
  • Your company name (optional)
  • The subject and body of your message
  • How you heard about us (optional)
  • The IP address of the request, used solely for rate limiting and abuse prevention

1.2 ThinRecon free audit (/audit)

When you request a free external audit through ThinRecon, we collect:

  • The domain or hostname you ask us to assess
  • The email address you provide to receive the report
  • Technical findings produced by the audit (DNS records, TLS configuration, exposed services, public security headers, and similar information that is observable from outside your network)

ThinRecon does not authenticate to your systems and does not perform intrusive scanning. We do not collect credentials, internal data, or any information that would require authorisation beyond what is publicly resolvable on the internet.

1.3 Server logs

Like most web services, our hosting infrastructure records standard request logs (IP address, timestamp, requested URL, user-agent string, and HTTP status). These logs are retained for up to 30 days and are used only for security monitoring, troubleshooting, and abuse prevention.

1.4 Cookies and analytics

thinsky.com uses Google Analytics 4 (measurement ID G-1G619E1DE4) to understand how visitors find and move through the site. Google Analytics is the only third-party analytics service running on thinsky.com. We do not run advertising pixels, retargeting trackers, or any other behavioural-advertising technology.

What Google Analytics collects on our behalf:

  • Page views, page paths, and time on page
  • Click and scroll events from Google's default enhanced-measurement set
  • Approximate geographic location derived from your IP address — we have IP anonymisation enabled, so your IP is truncated by Google before it is stored or processed (anonymize_ip: true). We also disable Google Signals and ad-personalisation at the gtag level (allow_google_signals: false, allow_ad_personalization_signals: false), so GA4 does not link your visits to a signed-in Google account or feed any ad-personalisation network
  • Device type, browser, operating system, and screen size
  • The referring URL that brought you to thinsky.com

Google Analytics sets two first-party cookies in your browser: _ga and _ga_1G619E1DE4, both with Google's default two-year lifetime and the security flags SameSite=None; Secure. We do not set any other tracking cookies. The only cookies that may originate from our infrastructure are those strictly necessary for the site to function (for example, a transient identifier on form submission for abuse prevention).

Where the data goes. Google Analytics processes events on Google's infrastructure, which is located in the United States and Google's global data-centre network. Google may retain GA4 event data for up to 14 months (Google's default for new GA4 properties). We do not link analytics data back to any personal information you submit through the contact form or ThinRecon.

How to opt out. You can stop Google Analytics from recording your visits in any of the following ways:

  • Enable Do Not Track or Global Privacy Control in your browser — we detect both signals client-side and, when either is set, we do not load Google Analytics, set its cookies, or send any requests to Google on your visit
  • Install Google's Google Analytics opt-out browser add-on, which blocks GA on every site you visit
  • Use a privacy-focused browser extension such as uBlock Origin or Privacy Badger, or a browser with built-in tracker blocking (Firefox, Brave, Safari)
  • Clear the _ga and _ga_1G619E1DE4 cookies in your browser settings at any time
  • Email privacy@thinsky.com and ask us to record a request to remove identifiers associated with your visits

We do not sell, share, or license your information to advertisers or data brokers. Aside from Google Analytics as described above, no other third-party analytics or advertising service runs on this site.

2. How we use your information

We use the information you provide to:

  • Respond to your enquiry from a real engineer's mailbox
  • Deliver the ThinRecon audit report you requested
  • Schedule and deliver paid engagements where one is in progress
  • Detect and block abuse of our infrastructure (rate limiting, honeypot enforcement)
  • Comply with legal obligations and respond to lawful requests from authorities

We do not use your information to train machine-learning models, profile you for marketing, or serve behavioural advertising.

Submitting the contact form or requesting a ThinRecon audit constitutes your express consent to the collection and use of the information described above for the stated purposes. You may withdraw consent at any time by emailing privacy@thinsky.com; withdrawal does not affect processing already performed.

Continued use of thinsky.com constitutes your implied consent to the Google Analytics processing described in §1.4. You can withdraw this consent at any time using any of the opt-out methods listed there, with no effect on your ability to use the site.

4. Where your information is stored

ThinSky is Canadian-owned and operated. To deliver this site reliably we use the following infrastructure providers:

  • AWS Lightsail (us-east-1) — static site hosting
  • AWS Route 53 — DNS for thinsky.com
  • AWS Simple Email Service (us-east-1) — outbound email from our domain
  • AWS API Gateway and Lambda (us-east-1) — contact form and ThinRecon audit endpoints
  • Google LLC (United States) — Google Analytics 4 event processing; see §1.4 for what is collected, the opt-out methods we provide, and the controls we apply (IP anonymisation, Google Signals disabled, ad-personalisation disabled)

Personal information processed by these services is stored on servers in the United States and is therefore subject to United States law, including lawful access requests by US authorities. By using the site or submitting a form, you acknowledge this cross-border transfer. Where a Canadian engagement requires data residency in Canada, we will sign a separate data-handling addendum and process the engagement on Canadian infrastructure.

5. How long we keep your information

  • Contact-form submissions: retained for up to 24 months from your last interaction with us, after which they are deleted.
  • ThinRecon audit requests and reports: retained for up to 12 months, after which the report and the associated email address are deleted unless you have become an active client.
  • Server logs: 30 days.
  • Engagement records: retained for the longer of 7 years or the period required by Canadian tax and corporate-records law, in accordance with the engagement contract.

6. How we protect your information

Security is the work — we hold our own posture to the same bar we hold our clients' to. Operationally that means TLS 1.2+ on every endpoint with HSTS and a 2-year preload commitment; DMARC at p=quarantine with SPF and DKIM aligned; rate limiting and honeypot enforcement on every public form; least-privilege IAM with credential rotation tracked in our release manifest; and authenticated, logged access to production by a small named team. No system is unbreakable, but the controls listed are concrete, current, and verifiable.

7. Your rights

Under PIPEDA and applicable provincial privacy laws, you have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of information we no longer have a legitimate basis to hold
  • Withdraw consent and have your active interactions ceased
  • File a complaint with the Office of the Privacy Commissioner of Canada if you are not satisfied with our response

To exercise any of these rights, email privacy@thinsky.com. We respond within 30 days, as required by PIPEDA.

8. Children

ThinSky's services are sold to organisations, not consumers. We do not knowingly collect personal information from anyone under the age of 18. If you believe a minor has submitted information through our site, contact us and we will delete it.

9. Changes to this policy

We update this policy when our practices, infrastructure, or applicable law changes. The effective date at the top of this page is authoritative; material changes will also be announced on the homepage for at least 30 days.

10. How to contact us

Privacy enquiries: privacy@thinsky.com
General enquiries: sales@thinsky.com
Mail: ThinSky Inc., Toronto, Ontario, Canada

Our Privacy Officer is responsible for compliance with this policy and PIPEDA, and is the named point of contact for any complaint or access request.