Privacy policy
Obsidian Security (“Obsidian”, “we”, “us”) is a security-services company based in British Columbia, Canada. This policy explains what personal information we collect, how we use it, and the rights you have over it under BC's Personal Information Protection Act (PIPA) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
Information we collect
We collect personal information in three categories:
- Contact-form submissions: name, company, email, phone, and the free-text description you provide when requesting a quote.
- Portal accounts (clients and staff): name, email, role, hashed password, and any additional fields needed to operate your portal access.
- Operational records: shift, patrol, incident, and check-in data generated while delivering security services — visible only to the client whose sites it concerns and to our authorized staff.
How we use it
We use personal information to operate the services you request: respond to inquiries, deliver guard services, run the client and staff portals, send daily activity reports to clients, invoice for our services, and meet legal / regulatory obligations.
We do not sell personal information. We do not use it for advertising. We do not share it with third parties except as listed below.
Service providers
We rely on a small set of vetted processors to run the business. Each is bound by a written data-processing agreement and by their own published privacy commitments:
- Stripe (United States, Ireland) — invoice payment processing.
- Resend (United States) — transactional email delivery (portal access, invoices, dispatch).
- Cloudflare R2 / AWS S3 (Canada region) — file storage for incident photos, daily activity reports, and exports.
- Sentry (United States) — application error monitoring. PII is filtered before transmission.
Data residency
Portal-account, operational, and file-storage data is stored in Canadian regions of our cloud providers wherever the provider offers them. Transactional email and payment processing necessarily transit US infrastructure; transfers occur under contractual safeguards consistent with PIPEDA cross-border guidance.
Retention
Contact-form messages: 24 months from submission, then purged. Portal-account data: kept while the related services engagement is active and for 12 months after it ends for invoicing and audit continuity, then purged or anonymized. Operational records: retained per the services agreement signed with each client; we honour client retention preferences within regulatory limits.
Your rights
Under PIPA / PIPEDA you have the right to:
- Know what personal information we hold about you.
- Access a copy of that information.
- Request correction of inaccurate information.
- Request deletion or anonymization (subject to regulatory retention obligations).
- Withdraw consent for any optional processing.
- File a complaint with the Office of the Information and Privacy Commissioner for BC (OIPC) or the federal Office of the Privacy Commissioner of Canada (OPC).
How to reach us
Privacy questions, access requests, or complaints — email hello@obsidiansecurity.ca with subject line “Privacy”. We respond within 30 days as required by PIPEDA.
Or write to us at: 701 West Georgia Street, Suite 1500, Vancouver, British Columbia, V7Y 1C6, Canada.
Changes to this policy
We may update this policy. Material changes will be announced via email to active customers and via a banner on this page for 30 days. The current version is always available at this URL.