Privacy Protocol.

We collect information in two primary ways: data you provide directly, and data we collect automatically as you interact with our platform.

Information you provide directly:

• Work email address and professional contact information submitted via availability intake forms
• Company name, industry category, and GTM team size provided during onboarding
• Communications you send to us — including emails, support requests, and Slack messages exchanged as part of service delivery
• Content inputs you share for the purpose of narrative intelligence processing (e.g., Gong call transcripts, competitor intelligence, internal messaging briefs)
• Billing and payment information, processed exclusively through our PCI-DSS compliant payment processor

Information collected automatically:

• IP address, browser type, and device identifiers
• Pages visited, time spent, and interaction patterns on ideafridge.com
• Referring URLs and session data
• Timestamps of logins and platform actions where applicable

We use your information for the following purposes, each tied to a legitimate operational need:

• Service delivery: To onboard, configure, and operate your NarrativeOps engagement — including deploying weekly narrative sprints, processing market signals, and generating role-specific content assets.
• Communication: To send operational updates, Weekly Briefs, system deployment notifications, and account-related correspondence. We do not send unsolicited promotional emails.
• Availability verification: To confirm that no conflicting Client in your market category is currently under an active exclusivity agreement.
• Security and fraud prevention: To detect and prevent unauthorized access, spam submissions (including honeypot-filtered form entries), and abuse of platform resources.
• Platform improvement: Aggregated and anonymized usage data may be used to improve service quality and refine deployment cycle performance. No individually identifiable data is used for this purpose without consent.
• Legal compliance: To comply with applicable law, respond to lawful requests from public authorities, and enforce our agreements.

We will not use your information for automated decision-making that produces legal or similarly significant effects without your knowledge and consent, unless required by applicable law.

Under PIPEDA and BC PIPA, Ideafridge collects, uses, and discloses Personal Information only with your knowledge and consent, except where the law permits otherwise. Our processing is grounded in the following PIPEDA accountability principles:

• Consent: We obtain meaningful consent before or at the time of collection. For active clients, consent is obtained through your Subscription Agreement. For site visitors, consent is obtained through form submissions and cookie notices where applicable. You may withdraw consent at any time, subject to legal or contractual restrictions, on reasonable notice.
• Contractual necessity: Processing required to deliver services under your active Subscription Agreement — including onboarding, deployment, invoicing, and weekly sprint delivery — does not require separate consent beyond your agreement to these Terms.
• Legitimate business purposes: We process certain information for security, fraud prevention, and platform improvement where a reasonable person would consider it appropriate in the circumstances, consistent with PIPEDA's "reasonable purposes" standard.
• Legal obligation: Processing required to comply with applicable Canadian law, including tax, financial reporting, and regulatory obligations under federal and British Columbia statutes.

Ideafridge does not sell, rent, or trade your Personal Data. We do not share your data with advertising networks or data brokers. Data is disclosed only in the following limited circumstances:

• Service providers and sub-processors: We engage third-party vendors to support platform operations — including cloud hosting, payment processing, email delivery, and analytics. All vendors are bound by Data Processing Agreements (DPAs) and may not use your data for their own purposes.
• Professional advisors: Legal counsel, accountants, and auditors bound by confidentiality obligations, to the extent necessary to provide professional services to Ideafridge.
• Business transfers: In the event of a merger, acquisition, asset sale, or reorganization, your data may be transferred to a successor entity. We will provide notice prior to any such transfer and inform you of any changes to this Policy.
• Legal requirements: We may disclose your information where required by law, subpoena, court order, or governmental authority. Where legally permitted, we will notify you of such requests.

We retain your Personal Information only for as long as necessary to fulfill the purposes outlined in this Policy, or as required by applicable Canadian law. Under PIPEDA and BC PIPA, we are required to retain information used to make a decision about an individual for a minimum period to allow that individual to exercise their right of access.

• Active Client data: Retained for the duration of the Subscription Agreement and for 36 months following termination, to allow for dispute resolution, re-engagement, and legal compliance.
• Prospect and intake form data: Retained for 12 months from date of submission. If no Subscription Agreement is executed, data is deleted or anonymized thereafter.
• Communication records: Retained for 24 months unless a longer period is required for legal or contractual compliance.
• Billing and financial records: Retained for a minimum of 7 years in accordance with applicable tax and financial reporting requirements.
• Security logs: Retained for 90 days, unless an active security incident requires extended preservation.

Upon expiration of the applicable retention period, data is either securely deleted or irreversibly anonymized, at our discretion.

Under PIPEDA and BC PIPA, you have the following rights with respect to your Personal Information. We respond to all verifiable requests within 30 calendar days of receipt, or notify you if additional time is required.

• Right of Access: You may request access to the Personal Information we hold about you, including information about how it has been used and to whom it has been disclosed. We will provide this in an understandable form, subject to limited exceptions permitted by law (e.g., solicitor-client privilege, third-party personal information).
• Right to Correction: If you believe Personal Information we hold about you is inaccurate, incomplete, or outdated, you may request that we correct it. Where we disagree with the correction, we will note your request in the file.
• Right to Withdraw Consent: You may withdraw consent to the collection, use, or disclosure of your Personal Information at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawal may affect our ability to continue delivering services.
• Right to Challenge Compliance: You have the right to challenge our compliance with PIPEDA or BC PIPA by contacting us directly. If we cannot resolve your concern, you may escalate to the relevant Commissioner (see below).

To exercise any of these rights, contact us at privacy@ideafridge.com. We may require verification of your identity before processing your request.

We implement technical and organizational measures designed to protect your Personal Information against unauthorized access, disclosure, alteration, and destruction, consistent with our obligations under PIPEDA and BC PIPA. These measures include, but are not limited to:

• Encryption of data in transit using TLS 1.2 or higher
• Encryption of sensitive data at rest using AES-256
• Role-based access controls limiting data access to personnel with a documented operational need
• Regular vulnerability assessments and penetration testing of platform infrastructure
• Incident response procedures with defined SLAs for breach detection and notification

In the event of a breach of security safeguards involving Personal Information that poses a real risk of significant harm to an individual (as defined under PIPEDA), we will notify affected individuals and the Office of the Privacy Commissioner of Canada as soon as feasible. We also maintain a record of all security breaches for a minimum of 24 months, as required by law.

Our website uses a minimal set of cookies and tracking technologies. We do not use advertising cookies or cross-site tracking pixels. The technologies we deploy are limited to:

• Strictly necessary cookies: Required for core site functionality such as session management and security. These cannot be disabled.
• Analytics cookies: Aggregated, anonymized data used to understand how visitors interact with our site (e.g., pages visited, session duration). These are deployed only with your consent in jurisdictions that require it.

You may manage cookie preferences through your browser settings or through any consent banner displayed upon your first visit. Note that disabling certain cookies may impact site functionality.

We do not use cookies to build advertising profiles, retarget users across third-party sites, or sell behavioral data to data brokers.

Ideafridge is a B2B platform designed exclusively for business professionals and organizations. Our services are not directed to, and we do not knowingly collect Personal Data from, individuals under the age of 16 (or the applicable age of digital consent in their jurisdiction).

If we become aware that we have inadvertently collected Personal Data from a minor, we will take immediate steps to delete that data. If you believe we may have collected information from a minor, please contact us at [email protected].

Ideafridge is based in British Columbia, Canada. Personal Information is collected and primarily processed in Canada. However, some of our third-party service providers — including cloud hosting, payment processing, and analytics tools — may process data in the United States or other countries.

When Personal Information is transferred outside Canada, it becomes subject to the laws of the receiving country, which may differ from Canadian privacy law. We take contractual steps to require that all third-party processors apply protections substantially equivalent to those required under PIPEDA and BC PIPA.

For clients located in the United Kingdom: Canada is recognized by the UK as providing adequate data protection, meaning transfers from the UK to Canada do not require additional safeguards. Where we further transfer UK client data to sub-processors in countries without an adequacy finding, we rely on the UK's International Data Transfer Agreement (IDTA) or equivalent mechanisms.

For clients located in the United States: Your Personal Information is processed in Canada under Canadian law. You may request information about the specific countries in which your data is processed by contacting privacy@ideafridge.com.

We reserve the right to update this Privacy Protocol at any time. When we make material changes, we will provide notice through one or more of the following methods: email to your registered address, a prominent notice on our website, or an in-platform notification.

The effective date at the top of this Policy reflects the most recent revision. Your continued use of Ideafridge services following notice of material changes constitutes your acceptance of the updated Policy. If you do not agree to the changes, you must discontinue use of our services and notify us of your intent to terminate your subscription in accordance with your Subscription Agreement.

We encourage you to review this Policy periodically. For non-material changes — such as corrections of typographical errors, formatting updates, or clarifications that do not alter your rights — we will update the Policy without separate notice.

Ideafridge, Inc. is the data controller for Personal Data processed in connection with our website and platform. If you have questions, concerns, or wish to exercise your data rights, you may reach us through the following channels: