Privacy Policy
A complete account of how Thread Processor Corp collects, processes, stores, secures, transfers, and ultimately deletes the personal data you entrust to us. Written in plain English where possible — and with full legal precision where required by GDPR, UK-GDPR, PIPEDA, CCPA, and other applicable privacy law.
Effective · January 2026
Who We Are
Thread Processor Corp ("we", "us", "our", or "the Company") is the data controller for personal data collected via threadprocessor.corp, its subdomains, mobile applications, customer-support channels, and any other digital or offline touchpoint operated by the Company. We are incorporated under the laws of the Province of Ontario, Canada.
Our Data Protection Officer (DPO) can be contacted at dpo@threadprocessor.corp for any privacy-related enquiry, including data-subject access requests (DSARs), right-to-be-forgotten requests, consent withdrawal, and complaints regarding our processing activities.
Data We Collect
Account data: full legal name, preferred display name, email address, hashed password (Argon2id, never stored in plaintext), telephone number (optional), date of birth (for age-verification only, never displayed or shared), shipping and billing addresses, and order history.
Transaction data: payment method type (Visa, Mastercard, Apple Pay, etc.), card brand, last four digits of card number, billing postal code, transaction timestamp, transaction amount, currency, and a tokenized payment-method reference. Full card numbers, expiry dates, and CVV codes are tokenized by our PCI-DSS Level 1 certified processor and never reach our servers, logs, or backups.
Behavioural data: pages visited, products viewed, cart additions, search queries, filter selections, time on page, click paths, and aggregated funnel telemetry used for catalogue optimization, fraud prevention, and product recommendations.
Technical data: IP address, approximate geographic location (city-level), browser type and version, operating system, device type, screen resolution, time zone, language preference, referring URL, user-agent string, and device fingerprint for fraud-detection and security purposes.
Communications data: contents of contact-form submissions, support tickets, RMA correspondence, chat transcripts, email replies, and any voluntary feedback or survey responses.
Marketing data: opt-in status for promotional email, push notification, and SMS channels; engagement metrics on marketing emails (opens, clicks); and preference signals from your interaction with promotional content.
How We Collect Data
Directly from you: when you register, place an order, contact support, complete a form, post a review, or subscribe to communications.
Automatically: via cookies, server logs, analytics tags, and the embedded telemetry pipelines documented in our Cookie Policy.
From third parties: from your chosen payment provider (transaction status), shipping carriers (delivery confirmation), credit-card-fraud-prevention networks (risk score), and from publicly available sources where strictly necessary for fraud prevention.
Lawful Basis for Processing
Contract performance: processing necessary to fulfil your order, deliver products, provide customer support, and operate your account.
Legitimate interests: fraud prevention, network security, catalogue improvement, and aggregated analytics — assessed and documented in legitimate-interest assessments (LIAs) available on request.
Legal obligation: tax-record retention, accounting law compliance, anti-money-laundering checks, and lawful disclosures to authorities.
Consent: marketing communications, non-essential cookies, and any optional data collection — always granular, always withdrawable.
How We Use Your Data
To process orders, dispatch shipments, issue refunds, and provide customer support.
To send transactional communications: order confirmations, shipping updates, RMA correspondence, password resets, and security alerts. These are essential to the service and cannot be opted out of while an account is active.
To prevent and detect fraud, abuse, and unauthorized access. This includes pattern analysis, device fingerprinting, IP-reputation checks, and review of suspicious account activity.
To improve the service: A/B testing, funnel analysis, search-result tuning, and product-recommendation modelling, all conducted on aggregated or pseudonymized data wherever feasible.
To send marketing communications — but only with your explicit opt-in, and only via the channels you have authorized. You may withdraw consent at any time via the unsubscribe link in every marketing email or via your account settings.
To comply with legal obligations including tax filings, consumer-protection regulations, response to lawful court orders, and regulatory enquiries.
Sharing & Sub-Processors
We share data only with sub-processors strictly necessary to operate the service, and only the minimum data each requires. Key categories include payment processors (Stripe, PayPal, Coinbase Commerce), shipping carriers (FedEx, UPS, Canada Post, DHL), email delivery (Postmark, Resend), cloud infrastructure (Vercel, AWS, Cloudflare), error monitoring (Sentry), and aggregated analytics (self-hosted).
A complete and current sub-processor list, including processing location, data categories, and DPA references, is available at threadprocessor.corp/sub-processors and is updated whenever sub-processors change.
We never sell personal data to third parties for monetary or other valuable consideration. We do not engage in cross-context behavioural advertising of the kind regulated by CCPA, CPRA, or similar statutes.
We may disclose personal data when required by lawful court order, subpoena, or regulatory request, after evaluating the legitimacy of the request and, where lawful, notifying the affected data subject before disclosure.
International Transfers
Personal data may be transferred to, processed in, and stored in countries outside your country of residence — most commonly Canada, the United States, and the European Union — for sub-processor operations.
Where data is transferred from the European Economic Area, the United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission, the UK International Data Transfer Agreement (IDTA), or adequacy decisions where applicable. Supplementary measures including encryption in transit and at rest, pseudonymization, and contractual restrictions on third-party access are applied as recommended by EDPB guidance.
Cookies & Tracking Technologies
We use cookies, local storage, and similar technologies as described in detail in our Cookie Policy. You can manage your preferences via the cookie consent banner on first visit, the privacy panel in your account settings, or via your browser's native cookie controls.
Your Privacy Rights
Subject to applicable law, you have the right to: access your personal data; correct inaccurate or incomplete data; receive a portable copy of data you provided to us in a machine-readable format; restrict or object to certain processing; withdraw consent at any time; and request deletion of your personal data (subject to legal retention obligations).
Residents of the European Economic Area and the United Kingdom have additional rights under GDPR and UK-GDPR, including the right to object to automated decision-making, the right to be informed about profiling, and the right to lodge a complaint with your local supervisory authority.
Canadian residents have rights under PIPEDA and applicable provincial privacy law (notably Québec Law 25), including the right to know what data is held and the right to challenge accuracy.
California residents have rights under the CCPA and CPRA, including the right to know, the right to delete, the right to correct, the right to opt out of sale or sharing, and the right to limit use of sensitive personal information. We do not sell or share personal data within the CCPA/CPRA definition of those terms.
To exercise any right, contact dpo@threadprocessor.corp. We will respond within thirty (30) days, with one possible thirty-day extension for complex requests. Identity verification may be required before fulfilling requests involving sensitive data.
Data Retention
Account data: retained while your account is active and for ninety (90) days after closure to permit account recovery and dispute resolution.
Order records: retained for seven (7) years following the order date to comply with Canadian tax-record and consumer-protection legislation.
Communications: support tickets and chat transcripts retained for two (2) years for quality-assurance and dispute resolution.
Marketing-list entries: retained until you unsubscribe, plus thirty (30) days for suppression-list maintenance to prevent accidental re-enrolment.
Server logs and security logs: retained for ninety (90) days, then automatically purged.
Backups: encrypted backups retained for thirty-five (35) days on a rolling basis, then overwritten.
Where data is retained for longer than the active-account window, it is access-restricted, encrypted, and used only for the specific compliance, legal, or security purpose justifying retention.
Security Measures
Encryption: AES-256 at rest for all databases and backups, TLS 1.3 in transit for all client-server communication, and end-to-end encryption for credential transmission.
Access control: principle of least privilege, role-based access control (RBAC), enforced single sign-on (SSO) with phishing-resistant FIDO2 multi-factor authentication for all staff with access to personal data, and quarterly access reviews.
Key management: hardware-backed key management via AWS KMS / Cloudflare Keyless SSL, with key rotation every ninety (90) days and split-knowledge ceremony for master-key changes.
Application security: secure-by-default frameworks, automated dependency scanning, static and dynamic application security testing in CI, and OWASP Top 10 coverage in our security review checklist.
Operational security: SOC 2 Type II controls, ISO 27001-aligned ISMS, quarterly external penetration testing, annual red-team engagement, and a public bug-bounty program.
Incident response: documented incident-response plan with defined roles, escalation paths, and notification timelines. In the event of a personal-data breach we will notify affected data subjects and the relevant supervisory authority within seventy-two (72) hours where required by law.
Despite these controls, no system is impenetrable. We continue to invest in our security posture and welcome responsible disclosure of vulnerabilities at security@threadprocessor.corp.
Children's Privacy
The service is not directed to children under the age of sixteen (16). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact dpo@threadprocessor.corp and we will delete the data promptly.
Automated Decision-Making
We employ automated systems for fraud detection that may delay or block transactions flagged as high-risk. These decisions are reviewable by a human; you have the right to obtain human review, express your point of view, and contest the outcome by contacting dpo@threadprocessor.corp. We do not use solely-automated decision-making with legal or similarly significant effect on you within the meaning of GDPR Article 22.
Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to registered users at least thirty (30) days before they take effect, and by prominent notice on the service.
Minor changes (clarifications, typo corrections, updated sub-processor list) are noted by updating the Effective Date at the top of this page. Historical versions are archived and available on request.
Contact & Complaints
For any privacy enquiry, data-subject request, or to withdraw consent, contact our Data Protection Officer at dpo@threadprocessor.corp. We aim to respond within seven (7) business days and to fully resolve requests within thirty (30) days.
If you believe we have not handled your personal data in accordance with applicable law you have the right to lodge a complaint with your local supervisory authority — for example, the Office of the Privacy Commissioner of Canada (OPC), the Commission d'accès à l'information du Québec (CAI), the UK Information Commissioner's Office (ICO), your EEA national data-protection authority, or the California Privacy Protection Agency (CPPA).