Home Web Design AI Automation Our Work Blog Book a Free Call →
Home/Privacy Policy
Legal

Privacy Policy

How we collect, use, disclose, and protect personal information when you use craigmillarstudio.ca and our services.

Effective date: March 26, 2026  ·  Last updated: March 26, 2026

This policy summarizes our privacy practices in plain language. It is not legal advice. If you need advice about your specific situation, consult a qualified professional.

Who we are

Craigmillar Studio (“we,” “us,” “our”) provides custom website design, AI automation, and related digital services for businesses, primarily in Ontario, Canada. We operate from Toronto, Ontario.

This policy applies to personal information we handle in the course of operating our website at craigmillarstudio.ca and delivering our services to clients.

Scope

This policy does not apply to third-party websites, applications, or services that we link to or that integrate with projects we build for clients. Those services have their own privacy policies.

Information we collect

Depending on how you interact with us, we may collect the following categories of information:

Information you provide directly

  • Contact and scheduling: When you book a call through our scheduling provider, you may provide your name, email address, phone number, and other details you choose to include in the booking form.
  • Communications: Information you include in emails, messages, or calls with us (for example, business needs, project requirements, or feedback).
  • Client work: If you become a client, we may process account details, billing information, and content you supply for your project (website copy, images, branding credentials, access credentials for third-party tools when needed for delivery, and similar materials).

Information collected automatically

  • Technical data: Such as browser type, device type, general geographic region derived from IP address (for example, country or region), referring pages, and timestamps. This helps us maintain security and understand how the site is used.
  • Essential cookies: Small text files or similar technologies that support core site functionality (for example, remembering preferences or load distribution). See Cookies and similar technologies below.

How we use information

We use personal information for purposes that include:

  • Responding to inquiries and operating our scheduling and booking flows;
  • Delivering, managing, and improving our services and client projects;
  • Sending service-related communications (for example, project updates or invoices);
  • Where permitted by law, sending marketing or educational messages you have consented to receive;
  • Analyzing aggregate or de-identified usage to improve our website and offerings;
  • Protecting the security and integrity of our systems, detecting fraud or abuse, and complying with legal obligations;
  • Enforcing our Terms of Service and resolving disputes.

We do not sell your personal information.

Where applicable Canadian privacy law requires a legal basis, we rely on one or more of the following: consent (where required), performance of a contract with you, our legitimate interests in operating and improving our business (balanced against your rights), and compliance with law.

For clarity, Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial laws apply to many commercial activities. We aim to align our practices with these frameworks.

Cookies and similar technologies

We may use cookies and similar technologies that are strictly necessary for the site to function, and we may add analytics or performance cookies in the future. If we introduce non-essential cookies, we will update this policy and, where required, obtain consent before placing them.

You can control cookies through your browser settings. Blocking some cookies may affect how certain features work.

Sharing and service providers

We may share personal information with:

  • Service providers who assist us in hosting, email, scheduling, payments, project management, or other operational functions, subject to contractual confidentiality and data protection expectations;
  • Scheduling: When you book through our scheduling link, your information is collected and processed by the scheduling provider under their terms and privacy policy;
  • Professional advisers (for example, lawyers or accountants) when required;
  • Authorities when we believe disclosure is required by law, court order, or legal process, or to protect rights, safety, or security.

We do not authorize service providers to use your personal information for their own marketing unrelated to our services.

AI and automation projects

When we configure AI, messaging, chat, or workflow automation for your business, we may process personal information that you instruct us to use (for example, contact lists, CRM records, message content, or integration data). In those cases, you are responsible for determining the lawful basis for collecting and using your customers’ and end users’ information, for obtaining any required consent, and for how you use automated communications under CASL’s consent and identification rules and applicable privacy laws.

We process such information on your instructions as a service provider to deliver the project, in line with our contract with you and this policy. Where we host or process data on behalf of your business, we will implement reasonable safeguards as described in Security and your project agreement.

Cross-border processing

Some of our service providers may process or store information in Canada, the United States, or other countries. Where information is transferred outside Canada, it may be subject to the laws of that jurisdiction, including lawful access requests. We take steps to protect personal information in line with this policy and applicable law.

If you or your customers are in Quebec, certain provincial requirements (including the Act respecting the protection of personal information in the private sector) may apply in addition to federal requirements. We design our practices to align with Canadian privacy expectations, including transparency and accountability.

Retention

We retain personal information only as long as necessary for the purposes described in this policy, including legal, accounting, or reporting requirements. When retention is no longer needed, we delete or anonymize the information, subject to limited exceptions (for example, backup archives for a reasonable period).

Security

We implement reasonable administrative, technical, and physical safeguards appropriate to the sensitivity of the information we handle, including access controls, secure transmission where appropriate, and vendor review for material providers. No method of transmission over the Internet or electronic storage is completely secure; we cannot guarantee absolute security.

Security incidents

We maintain procedures to assess and respond to suspected security incidents. If we determine that a breach of security safeguards creates a real risk of significant harm to individuals, we will notify affected individuals and applicable regulators as required by applicable Canadian law (including, where applicable, breach notification obligations under PIPEDA or substantially similar provincial statutes). Notifications may describe the nature of the incident, the type of information involved, steps we are taking, and what you can do to reduce risk.

Your rights

Subject to applicable law, you may have the right to:

  • Request access to the personal information we hold about you;
  • Request correction of inaccurate or incomplete information;
  • Withdraw consent where processing is based on consent (without affecting the lawfulness of processing before withdrawal);
  • Challenge our compliance with applicable privacy law (for example, through the Office of the Privacy Commissioner of Canada or a provincial privacy regulator, where applicable).

To exercise these rights, contact us using the information in Contact us below. We may need to verify your identity before responding.

Regulatory complaints

If you have concerns about how we handle personal information, we encourage you to contact us first so we can try to resolve the matter. You may also have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC), or with a provincial privacy commissioner or ombudsman, depending on where you live and the nature of your concern (for example, provincial private-sector laws in Alberta, British Columbia, or Quebec).

Children

Our services are directed at businesses and adults. We do not knowingly collect personal information from children under 16 years of age. If you believe we have collected such information, please contact us and we will take steps to delete it.

Commercial electronic messages (CASL)

If we send commercial electronic messages (such as marketing emails) to Canadian recipients, we do so in accordance with Canada’s Anti-Spam Legislation (CASL), including where required consent, identification, and unsubscribe mechanisms.

Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised version on this page and update the “Last updated” date. Material changes may be communicated through additional notice where appropriate. Your continued use of the site after changes take effect constitutes acceptance of the updated policy, except where prohibited by law.

Contact us

For questions about this Privacy Policy or our privacy practices, or to exercise your rights, please contact us through our scheduling page: https://calendly.com/hillraluc/30min (note “Privacy inquiry” in your message), or reach out through the same channels you use to communicate with us for your project.

Related: Terms of Service

Questions about privacy?

Book a short call and we will walk through how we handle data for your project.

Book a Free Call →

No pitch deck  ·  No pressure  ·  No obligation