1. Overview & Scope

Welcome to the Master Netflow Security Platform — a multi-tenant SaaS platform providing cybersecurity awareness training, security simulations, and risk assessment tools to organizations and their employees.

This Privacy Policy explains how Master Netflow Inc. ("Master Netflow," "we," "us," or "our") collects, uses, discloses, and protects personal information in connection with our platform and services.

This Policy applies to:

  • Client Organizations — businesses and institutions that subscribe to our platform
  • Users / Employees — individuals whose accounts are managed by a Client Organization
  • Website Visitors — anyone visiting masternetflow.com

By accessing or using the Platform, you acknowledge that you have read and understood this Policy. If you are using the Platform on behalf of a Client Organization, your organization's agreement with us also governs the use of personal data.

2. Our Role: Controller & Processor

Master Netflow operates in two distinct legal capacities depending on context. Understanding this distinction is important for knowing your rights and who is responsible for your data.

Data Controller

We act as a Data Controller for personal data we collect directly for our own business purposes, including:

  • Website visitors and marketing contacts
  • Billing and subscription contacts
  • Direct signups and account registration
  • Our own analytics and platform improvement
  • Communications with prospective customers

As Controller, we determine the purposes and means of processing and are fully responsible for that data.

Data Processor

We act as a Data Processor when processing personal data on behalf of Client Organizations, including:

  • Employee accounts created or managed by the Client
  • Training progress, results, and completion records
  • Security awareness simulation data and outcomes
  • Department-level risk scores and campaign analytics
  • Awareness campaign participation data

As Processor, we act only on the Client's documented instructions. The Client Organization is the Data Controller for this data and is responsible for its lawful collection and use.

Note for Employees: If you are using this platform because your employer enrolled you, your employer (the Client Organization) is the Data Controller for your training and simulation data. Please contact your employer's HR or IT department for questions about how your data is used within the platform. You may also contact us at privacy@masternetflow.com.

3. Information We Collect

3.1 Information Provided by Client Organizations

When a Client Organization subscribes to our platform and enrolls their employees, we may receive and process the following categories of data on the Client's behalf:

Category | Examples
Employee Identity | Full name, work email address, employee ID
Organizational Data | Department, job title, reporting structure, office location
Training & Assessment Data | Course completion status, quiz scores, time-on-module, certification records
Simulation Data | Participation in security awareness simulations, click/open events on simulated campaigns, responses and outcomes
Risk & Behavioral Data | Risk scores, vulnerability indicators, historical training performance

3.2 Information You Provide Directly

When you register for an account, subscribe to the platform, or contact us, we collect:

  • Account credentials (name, email address, password)
  • Profile details (job title, company name, professional biography)
  • Billing information (processed securely via Stripe — we do not store full card details)
  • Communication preferences and support requests
  • Authentication data (two-factor authentication setup, session identifiers)

3.3 Information Collected Automatically

When you use the Platform, we automatically collect:

  • Usage Data: Pages visited, features used, session duration, navigation paths, and engagement patterns
  • Device & Browser Information: IP address, browser type and version, operating system, screen resolution, and device identifiers
  • Location Data: General geographic location inferred from IP address. We do not collect precise GPS location.
  • Log Data: Login/logout events, session identifiers, error logs, and security event records
  • Cookie Data: See Section 13 (Cookie Policy) for full details

3.4 Information from Third Parties

We may receive information about you from:

  • Client Organizations: When your employer provides a list of employees to enroll in the platform
  • Identity Verification Services: To verify identity during account registration
  • Threat Intelligence Providers: Domain, URL, and IP reputation data used to support security tooling (see Section 7)

4. Security Awareness Simulations & Campaigns

At the direction of Client Organizations, Master Netflow conducts security awareness simulations and campaigns, which may include simulated phishing exercises, ransomware awareness scenarios, social engineering training, and other cybersecurity educational activities. These simulations are conducted solely for educational and organizational risk assessment purposes.

4.1 How Simulations Work

When a Client Organization activates a simulation campaign, we may:

  • Send simulated security threat emails (e.g., phishing, credential harvesting scenarios) to enrolled employees on the Client's behalf
  • Record employee interactions with simulation content, including whether links were clicked or credentials submitted
  • Generate individual and aggregate risk scores based on simulation outcomes
  • Provide Client administrators with detailed campaign reports and department-level analytics
  • Automatically enroll employees in follow-up training based on simulation results, if configured by the Client

4.2 Data Processed During Simulations

Simulation data is processed on behalf of and under the instructions of the Client Organization. This data includes interaction timestamps, device/browser metadata, click events, and training completion records linked to individual employees.

4.3 Client Responsibility

Important: Client Organizations are responsible for determining the appropriateness of security simulations for their workforce and for informing their employees of applicable workplace monitoring and security testing policies in accordance with applicable employment and privacy laws. Master Netflow conducts simulations only as directed by the Client and does not independently determine which employees to target or which scenarios to deploy.

5. How We Use Your Information

Platform Operation

To provide, maintain, and improve the Platform, including processing transactions, managing accounts, and delivering requested features and training content.

Security & Fraud Prevention

To detect, investigate, and prevent unauthorized access, security incidents, abuse, and fraudulent activity on the Platform.

Analytics & Improvement

To analyze usage patterns, measure feature adoption, identify performance issues, and improve the Platform experience over time.

Communications

To send administrative notices, security alerts, support messages, billing notifications, and updates about our services.

Billing & Payments

To process subscription payments, manage invoicing, apply taxes, and handle billing disputes through our payment processor, Stripe.

Legal Compliance

To comply with applicable laws and regulations, respond to lawful government requests, enforce our agreements, and protect our legal rights.

Legal Basis (PIPEDA & Privacy Act): We process personal data on the basis of consent, contractual necessity, legitimate interests, and legal obligations as applicable under the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act of Canada. Where we act as a Data Processor on behalf of a Client Organization, we process data based on the Client's lawful instructions.

6. Information Sharing & Disclosure

We do not sell your personal information. We may share personal information in the following circumstances:

Client Organizations (Administrators)

If you use the Platform as an employee enrolled by your organization, authorized administrators of that organization may have access to your training records, simulation results, risk scores, and campaign participation data. This is at the direction of your employer as Data Controller.

Subprocessors & Service Providers

We share data with carefully vetted third-party service providers who process data on our behalf to deliver the Platform. See Section 7 for the full subprocessor list. All subprocessors are bound by data processing agreements and may not use your data for their own purposes.

Legal & Regulatory Requirements

We may disclose personal information if required by law, court order, regulatory authority, or to protect the rights, safety, or property of Master Netflow, our clients, or the public.

Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, personal information may be transferred as part of that transaction. We will provide notice before personal information is transferred and becomes subject to a different privacy policy.

With Your Consent

We may share your information for other purposes with your explicit consent, or at your direction.

Aggregated & Anonymized Data

We may share aggregated or de-identified data that cannot reasonably be used to identify you, for industry research, benchmarking, or platform analytics purposes.

Our Commitment: We require all subprocessors and service providers to maintain appropriate technical and organizational security measures and to process personal information only as instructed. We do not permit them to use your data for their own marketing or commercial purposes.

7. Third-Party Subprocessors

We use third-party service providers ("Subprocessors") to help operate and deliver the Platform. The following categories and current providers may process personal data on our behalf:

Category | Provider(s) | Purpose | Location | Data Transferred
Primary Hosting | Hostinger | Application hosting, primary web servers and databases | Phoenix, United States | All platform application data and primary database content
Cloud Infrastructure | Mailgun (Sinch) | Phishing simulation email delivery | United States | Recipient email addresses, email metadata and content
Email Delivery | Mailgun, MailerSend | Transactional emails, platform notifications, and phishing simulation campaign messages | United States (Mailgun); varies by delivery network (MailerSend) | Recipient email addresses, email content
Payment Processing | Stripe | Subscription billing, invoicing, payment handling | United States | Billing contact details, payment method metadata
AI & Analysis | OpenAI | AI-powered content generation, risk analysis, training personalization | United States | Anonymized or pseudonymized content inputs; no raw personal data sent unless necessary and disclosed
Threat Intelligence | VirusTotal, Google Safe Browsing | URL/domain reputation checks, malware scanning, simulation validation | United States | URLs, domains, IP addresses (no names or emails)
Error Monitoring | Sentry | Application error tracking, performance diagnostics | United States | IP address, user ID, browser info, error stack traces

Subprocessor Updates: We may update or replace subprocessors from time to time as our infrastructure evolves. We will provide advance notice of material changes that affect the processing of personal data on behalf of Client Organizations. The most current subprocessor list is always available upon request at privacy@masternetflow.com.

8. Data Security

We implement appropriate technical, organizational, and physical safeguards to protect the security, confidentiality, and integrity of personal information processed on our Platform. Our security measures include:

  • Encryption of data in transit (TLS 1.2+) and at rest using industry-standard protocols
  • Multi-tenant data isolation to prevent cross-client data access
  • Role-based access controls and principle of least privilege
  • Multi-factor authentication support for all user accounts
  • Regular security assessments, vulnerability scanning, and penetration testing
  • Secure software development lifecycle (SDLC) practices
  • Audit logging for administrative and security-sensitive actions
  • Incident response and breach notification procedures
  • Regular security training for all Master Netflow personnel

No method of transmission over the Internet or electronic storage is 100% secure. While we employ commercially reasonable safeguards, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your credentials and notifying us immediately of any unauthorized access to your account.

9. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements.

Data Category | Retention Period | Rationale
Account & Profile Information | Duration of subscription + 12 months | Service continuity; allows reactivation
Employee Training Records | Up to 7 years after completion | Certification verification; compliance recordkeeping
Simulation & Campaign Data | Duration of Client subscription + 24 months | Client reporting; trend analysis; dispute resolution
Billing & Payment Records | Up to 10 years | Tax obligations; accounting requirements under Canadian law
Communication Records | Up to 3 years | Service quality; dispute resolution
Security & Audit Logs | Up to 2 years | Security incident investigation; compliance audits
Cookie & Analytics Data | Up to 26 months | Platform analytics and improvement

When retention periods expire, we securely delete or anonymize personal information. If immediate deletion is not technically possible (e.g., data in backup archives), we isolate the data from active processing until deletion is feasible.

Client-Controlled Deletion: Client Organizations may request deletion of employee data at any time by contacting privacy@masternetflow.com. We will action such requests in accordance with our Data Processing Agreement and applicable law.

10. Your Rights

Depending on your location and role, you may have the following rights regarding your personal information. To exercise any of these rights, contact us at privacy@masternetflow.com.

Right to Access

Request a copy of the personal information we hold about you.

Right to Rectification

Request correction of inaccurate or incomplete personal information.

Right to Erasure

Request deletion of your personal information, subject to legal retention obligations.

Right to Data Portability

Receive your personal information in a structured, machine-readable format.

Right to Object / Withdraw Consent

Object to or withdraw consent for certain types of processing, including direct marketing.

Right to Lodge a Complaint

File a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.

Employee Note: If you are an employee enrolled by your organization, your rights over simulation and training data may be subject to your employer's policies. We recommend first contacting your employer. We will always direct requests appropriately and respond within 30 days.

11. Infrastructure, Hosting & Data Transfers

11.1 Infrastructure & Data Hosting

The Master Netflow Platform is hosted using secure infrastructure operated by third-party providers. Our current hosting environment is as follows:

Provider | Role | Location
Hostinger | Primary web hosting — application servers and primary databases | Phoenix, United States
Mailgun (Sinch) | Phishing simulation email delivery | United States

Personal information may therefore be processed or stored in Canada or the United States depending on the service being accessed. We ensure that appropriate contractual and technical safeguards are implemented whenever personal information is processed by our infrastructure providers.

Infrastructure Flexibility: We may update or migrate hosting providers from time to time in line with evolving infrastructure needs and security requirements. Any change that materially affects the location or nature of personal data processing will be reflected in an updated version of this Policy. The most current hosting details are available upon request at privacy@masternetflow.com.

11.2 Email Delivery Infrastructure

Email communications — including transactional emails, platform notifications, and awareness campaign messages — may be delivered through one or more of the following providers:

  • Mailgun — operated by Sinch, infrastructure located in the United States; used exclusively for phishing simulation emails sent from sim.masternetflow.com
  • MailerSend — infrastructure location may vary depending on the delivery network used; used for transactional emails and platform notifications

11.3 International Data Transfers

Master Netflow is headquartered in Burnaby, British Columbia, Canada. Because our infrastructure providers and subprocessors operate in multiple countries — including Canada and the United States — personal information may cross international borders during processing.

When personal information is transferred internationally, we ensure appropriate safeguards are in place, including:

  • Standard contractual clauses with subprocessors and hosting providers
  • Data processing agreements requiring equivalent privacy protections
  • Transfers only to jurisdictions recognized as providing adequate protection, or with explicit safeguards where required

By using the Platform, you acknowledge that your personal information may be transferred to and processed in Canada, the United States, or other countries where our subprocessors and infrastructure providers operate.

12. Children's Privacy

Age Restriction: The Master Netflow Platform is intended for use by individuals who are 16 years of age or older. We do not knowingly collect personal information from individuals under the age of 16. If you believe a minor under 16 has provided us with personal information, please contact privacy@masternetflow.com and we will promptly delete it.

13. Cookie Policy

We use cookies and similar tracking technologies to operate and improve the Platform. A cookie is a small text file stored on your device when you visit a website.

You can control cookies through your browser settings. Disabling essential cookies may impair Platform functionality. For more information, visit allaboutcookies.org.

14. Data Processing Agreement (DPA)

For Client Organizations that act as Data Controllers under applicable privacy laws, Master Netflow will enter into a Data Processing Agreement (DPA) that governs the processing of personal data on behalf of the Client.

Our DPA addresses:

  • Scope and nature of data processing
  • Data subject rights and how they are supported
  • Security obligations and incident notification timelines
  • Subprocessor management and change notification
  • Data return and deletion upon contract termination
  • Audit rights and compliance evidence

To request a Data Processing Agreement, contact our team at privacy@masternetflow.com or your account manager.

15. Regulatory Compliance

Master Netflow is committed to complying with applicable Canadian and international privacy and data protection laws. Our primary compliance framework is based on Canadian law, with operational consideration of relevant international standards where our clients require it.

PIPEDA

Personal Information Protection and Electronic Documents Act — Canada's federal private-sector privacy law. Our primary compliance framework governing the collection, use, and disclosure of personal information in Canada.

BC PIPA

Personal Information Protection Act (British Columbia) — Provincial privacy law applicable to our operations as a BC-headquartered organization.

GDPR (Reference)

General Data Protection Regulation (EU) — We apply GDPR-aligned practices for international clients and data subjects in the EU/EEA where applicable.

CCPA / CPRA (Reference)

California Consumer Privacy Act — We apply CCPA-aligned rights for California residents where applicable.

We regularly review our privacy and security practices to ensure ongoing regulatory compliance. Enterprise clients with specific compliance requirements (SOC 2, ISO 27001, HIPAA) should contact us to discuss applicable controls and documentation.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last Updated" date at the top of this page.

For material changes, we will provide at least 30 days' advance notice by email (to the address associated with your account) or through a prominent notice on the Platform. Your continued use of the Platform after the effective date constitutes acceptance of the revised Policy.

Date | Change
March 16, 2026 | Updated email delivery infrastructure — replaced Amazon SES (AWS Canada Central) with Mailgun (Sinch, United States) for phishing simulation emails; updated subprocessor table and Section 11.2 accordingly
July 3, 2025 | Updated infrastructure and hosting details — added Hostinger (Phoenix, US) as primary hosting provider, clarified AWS Canada Central (ca-central-1) for cloud services, expanded subprocessor table to include hosting locations, expanded Section 11 to cover Infrastructure & Data Hosting, Email Delivery, and International Transfers as distinct subsections
May 6, 2025 | Comprehensive rewrite — added multi-tenant SaaS structure, Controller/Processor distinction, simulation disclosures, subprocessor list, and Canadian law alignment
January 15, 2025 | Updated to reflect changes in data processing practices
June 10, 2024 | Initial policy published

17. Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have a concern about our data practices, please contact us:

Privacy Contact

For privacy-related inquiries and rights requests:

privacy@masternetflow.com

Mailing Address

Master Netflow Inc.
Attn: Privacy Contact
7090 Edmonds Street, Suite 1807
Burnaby, BC V3N 0C6
Canada

Phone

+1 (604) 417-6062

Monday–Friday, 9am–5pm PT

Regulator

You may also file a complaint with Canada's federal privacy regulator:

Office of the Privacy Commissioner of Canada

We will respond to all privacy inquiries within 30 days. If additional time is required, we will notify you of the extension and estimated response date.