Privacy Policy
Effective date: April 25, 2026 · Last updated: April 25, 2026
1. Who we are
This Privacy Policy applies to CyberCheck, a cybersecurity assessment platform operated by Monarch Compass Inc. (“we”, “us”, or “our”), a company incorporated in Canada.
CyberCheck offers two products:
- CyberCheck Quick Screen (Quick-10): A free, 10-question cybersecurity screen completed by small and medium-sized businesses (SMBs) at the direction of their security advisor (Broker).
- CyberCheck Deep Assessment: A paid (~40-question) NIST CSF 2.0 assessment completed by self-serve users, resulting in a scored PDF report.
For privacy questions or to exercise your rights, contact our Privacy Officer at: info@monarchcompass.ca
2. Information we collect
2.1 Account and identity information
When you create an account or sign in for a Deep Assessment, we collect:
- Your email address
- Your name and profile picture, if you sign in using Google OAuth
- Passkey credentials (If you sign in with a passkey, we store only the public portion of your credential — a public key, credential ID, and related metadata your browser sends us during sign-in. The private key that actually authenticates you stays on your device (protected by your fingerprint, face scan, or PIN) and is never transmitted to us. A passkey is a passwordless sign-in method; you don't have a password for us to store or leak.)
We do not require a password. Authentication is handled via email magic links, Google OAuth, or passkeys.
2.2 Assessment answers and results
When you complete a CyberCheck assessment, we collect your answers to cybersecurity questions, your computed score and grade, and the date and time of completion. For Quick-10 assessments initiated by a Broker, we also collect business information: business name, contact email and phone, industry sector, employee count, province or territory, and revenue band.
2.3 Payment information
If you purchase a Deep Assessment report ($50 CAD), payment is processed by Stripe, Inc., a third-party payment processor based in the United States. We do not collect or store your credit card number, expiry date, or CVV. We receive from Stripe a confirmation of payment and a transaction reference.
2.4 Generated reports
We store the data from your Deep Assessment and make it available for download from your account.
2.5 Technical and session data
We automatically collect a session identifier (stored in an encrypted cookie) and the date and time of your activity. We do not use third-party analytics trackers, advertising pixels, or behavioural tracking cookies.
2.6 Research use of de-identified data
Aggregated, fully anonymized assessment data — with all names, email addresses, company identifiers, and personal identifiers permanently removed — may be used in academic research publications. Because this data cannot reasonably be linked back to any individual or organization, it is no longer “personal information” under PIPEDA at the time of research use. No individual scores, company names, or contact details are ever disclosed in research outputs.
3. Why we collect your information
| Purpose | Information used | Legal basis (PIPEDA) |
|---|---|---|
| Creating and managing your account | Email, passkey credential | Consent (at sign-up) |
| Delivering your assessment results | Assessment answers, scores | Performance of contract / consent |
| Processing payment | Payment confirmation from Stripe | Performance of contract |
| Storing and providing access to your report | PDF report | Performance of contract |
| Sending authentication emails (magic links) | Email address | Performance of contract |
| Aggregated academic research (anonymized only) | Fully de-identified scores | Not personal information at point of use |
| Security and fraud prevention | Session data, authentication events | Implied consent / necessary for security of service |
Automated scoring notice: Assessment scores and grades (GREEN / AMBER / RED) are generated by automated computation. They are informational only and do not constitute a professional cybersecurity audit, binding certification, or legal compliance determination. We do not make legally significant decisions about you based solely on automated scoring.
We do not sell your personal information.
4. How long we keep your information
| Information | Retention period |
|---|---|
| Account data (email, OAuth identifiers) | Until you request deletion, or 3 years after your last sign-in (to allow access to historical assessments), whichever comes first |
| Assessment answers and scores | Until you request deletion, or 3 years after completion |
| Generated PDF reports | Until you request deletion, or 3 years after generation |
| Payment transaction records | 7 years (required under the Income Tax Act (Canada)) |
| Session tokens | Until expiry (30 days) or sign-out |
| Passkey credentials | Until you remove the device or request deletion |
Where a deletion request conflicts with a mandatory legal retention obligation (such as the 7-year financial record requirement), we will delete all personal identifiers from the record while retaining only the financial data required by law.
5. Who we share your information with
We do not sell your personal information.
5.1 Your security advisor (Broker) — Quick-10 only
If you completed a Quick-10 assessment through a security advisor (Broker), your results — including score, grade, answers, and business information — are visible to that Broker. Before starting a Broker-initiated assessment, you will be shown a notice explaining this and asked to confirm your consent. Your assessment is not visible to other Brokers.
Brokers are required under our platform Terms of Service to handle your information in accordance with applicable Canadian privacy law. You may also review your Broker’s own privacy policy.
5.2 Service providers
We use the following third-party providers to operate the platform. Each processes personal information on our behalf under written data processing agreements.
| Provider | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | United States |
| Neon, Inc. | Database hosting | United States |
| Google LLC | OAuth sign-in (if you choose Google) | United States |
| Resend, Inc. | Transactional email (magic links) | United States |
Your personal information is stored and processed in the United States by the providers above. We address the difference in privacy laws by contractually requiring all providers to protect your data to a standard consistent with Canadian privacy law. If you are a Quebec resident, we have conducted a Privacy Impact Assessment as required by Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (Law 25) before transferring your information outside Quebec.
5.3 Legal and safety disclosures
We may disclose your information if required by a court order, statutory obligation, or governmental authority, or if we reasonably believe disclosure is necessary to prevent harm or illegal activity. We will notify you where legally permitted to do so.
6. Your privacy rights
Under PIPEDA, applicable provincial privacy laws, and Quebec’s Law 25, you have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete information — we maintain the accuracy of your data and will correct it promptly on request
- Request deletion of your personal information (subject to legal retention obligations in Section 4)
- Withdraw consent at any time where consent is the basis — this may limit your ability to use the platform
- Data portability (Quebec residents): receive your personal information in a structured, commonly used technological format
- File a complaint with the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca
To exercise any of these rights, contact our Privacy Officer at info@monarchcompass.ca. We will respond within 30 days. We may need to verify your identity before processing your request.
7. Cookies and session storage
We use a single session cookie to keep you signed in. This cookie:
- Is strictly necessary for the platform to function
- Does not track you across other websites
- Expires when your session ends or within 30 days
We do not use advertising cookies, analytics cookies, or any third-party tracking cookies.
8. Security
We protect your personal information using industry-standard safeguards including encrypted connections (TLS) for all data in transit, encrypted session tokens, access controls limiting who can access production data, and a managed cloud database with encryption at rest.
In the event of a breach that poses a real risk of significant harm to you, we will notify the Office of the Privacy Commissioner of Canada and notify affected individuals as required by PIPEDA and the Security Breach Notification Regulations (SOR/2018-64).
9. Children
CyberCheck is designed for use by businesses and adults. We do not knowingly collect personal information from individuals under 18 years of age. If you believe we have inadvertently collected information from a minor, please contact us and we will delete it promptly.
10. Changes to this policy
We may update this policy from time to time. When we make material changes:
- We will update the “Last updated” date at the top of this page.
- If the change affects how we use personal information we have already collected, we will notify affected users by email before the change takes effect and obtain fresh consent where required.
- For personal information collected after a change takes effect, your continued use of the platform constitutes acceptance of the updated policy.
11. Contact us
Privacy Officer
Monarch Compass Inc.
Antigonish, Nova Scotia
info@monarchcompass.ca
If you are not satisfied with our response, you may contact:
Office of the Privacy Commissioner of Canada
30 Victoria Street, Gatineau, Quebec K1A 1H3
Toll-free: 1-800-282-1376
www.priv.gc.ca