Privacy Policy
- Document ID: WBL-POL-PP-v1.0
- Effective Date: [DATE]
- Last Revised: 2026-02-19
- Data Controller / Business: Webility ([Legal Business Name]), [Registered Address, City, Province/State, Country]
- Email: privacy@webility.local
- Website: webility.local
Our Commitment to Your Privacy
Webility is committed to protecting your personal information. We collect only what we need, use it only for the purposes we describe, and never sell your data to third parties.
This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and what rights you have — whether you are a website visitor, a prospective client, or an active client.
We operate across multiple jurisdictions and are committed to compliance with applicable data protection laws including the GDPR (EU/UK), PIPEDA and Law 25 (Canada/Quebec), CCPA/CPRA (California, USA), and other applicable frameworks.
Table of Contents
- Who This Policy Applies To
- Data Controller Information
- What Personal Data We Collect
- How We Collect Personal Data
- Why We Use Your Data — Legal Bases
- How We Use Your Personal Data
- Who We Share Your Data With
- International Data Transfers
- How Long We Keep Your Data
- How We Protect Your Data
- Your Rights — All Jurisdictions
- GDPR-Specific Rights (EU/UK)
- Quebec Law 25 / PIPEDA Rights (Canada)
- CCPA / CPRA Rights (California, USA)
- Cookies & Tracking
- Children's Privacy
- AI Tools & Automated Processing
- Marketing Communications
- Changes to This Policy
- How to Contact Us
1. Who This Policy Applies To
This Privacy Policy applies to:
- Website visitors: Anyone who accesses webility.local
- Prospective clients: Individuals or businesses who submit inquiries, contact forms, or discovery questionnaires
- Active clients: Organizations and their representatives who have entered into a service agreement with Webility
- Newsletter subscribers: Anyone who opts into our marketing communications
- Job applicants: Individuals who apply for positions at Webility
- Business contacts: Individuals whose business contact information we hold for professional purposes
If you are an employee or end user of a Webility client whose personal data is processed as part of a service we deliver to that client, the client organization is the data controller for that data, and you should refer to that organization's privacy policy.
2. Data Controller Information
For the purposes of applicable data protection laws, the data controller is:
| Field | Details |
|---|---|
| Entity Name | [Legal Business Name] (trading as Webility) |
| Registration Number | [Business / Corporation Number] |
| Registered Address | [Full Address] |
| Privacy Contact | privacy@webility.local |
| Data Protection Officer | [Name, if appointed — or "Not required under current applicable law"] |
| EU/UK Representative | [Name and address, if required under GDPR Article 27] |
| Quebec Privacy Officer | [Name or title, as required under Law 25] |
3. What Personal Data We Collect
We collect the following categories of personal data, depending on how you interact with us:
3.1 Website Visitors (Automatic Collection)
| Data Type | Examples | Purpose |
|---|---|---|
| Technical data | IP address, browser type, operating system, device type | Security, analytics, fraud prevention |
| Usage data | Pages visited, time on site, referring URL, clicks | Understanding how users navigate our site |
| Cookie data | Session cookies, preference cookies, analytics identifiers | Functionality, analytics (see Cookie Policy) |
3.2 Prospective Clients (When You Contact Us)
| Data Type | Examples | Purpose |
|---|---|---|
| Identity data | Full name, company name, job title | Responding to your inquiry |
| Contact data | Email address, phone number, country/region | Communication |
| Business data | Industry, company size, budget range, project description | Scoping your project, preparing a proposal |
| Communication records | Content of emails, form submissions, call notes | Reference for the engagement |
3.3 Active Clients (During Service Delivery)
| Data Type | Examples | Purpose |
|---|---|---|
| Contract data | Signed agreements, statements of work | Fulfilling contractual obligations |
| Financial data | Billing address, invoice records | Invoicing and payment processing |
| Project data | Briefs, feedback, content, assets provided by the client | Delivering agreed services |
| Technical credentials | Hosting access, API keys (held temporarily) | Accessing systems to deliver services |
| Communication records | Emails, meeting notes, call recordings (with consent) | Project documentation |
3.4 Marketing & Newsletter Subscribers
| Data Type | Examples | Purpose |
|---|---|---|
| Identity data | First name, last name | Personalizing communications |
| Contact data | Email address | Sending newsletters and marketing |
| Preference data | Topics of interest, opt-in/opt-out history | Tailoring content to your interests |
3.5 Job Applicants
| Data Type | Examples | Purpose |
|---|---|---|
| Identity data | Full name, contact details | Processing your application |
| Professional data | CV, portfolio, work history, qualifications | Evaluating your application |
| Communication records | Interview notes, assessment results | Recruitment process documentation |
3.6 What We Do Not Collect
We do not intentionally collect:
- Special category data (racial or ethnic origin, health data, political opinions, religious beliefs, biometric data) unless specifically required for a service and with explicit consent
- Payment card numbers (processed directly by our payment processors — we never see full card details)
- Personal data of children under [16] years old without verified parental consent
4. How We Collect Personal Data
We collect personal data through the following methods:
Directly from you:
- Contact and inquiry forms on our website
- Discovery questionnaires you complete
- Email, phone, and video communication
- Contracts and service agreements you sign
- Content and assets you provide for service delivery
- Newsletter sign-up forms
- Job application submissions
Automatically from your device:
- Cookies and similar tracking technologies (see our Cookie Policy)
- Web analytics tools (e.g., Google Analytics 4)
- Server logs
From third parties:
- Referrals from existing clients or partners (name and contact info only)
- Publicly available professional information (e.g., LinkedIn — for business contacts only)
- Business verification services (for fraud prevention, where applicable)
5. Why We Use Your Data — Legal Bases
Under data protection laws that require a legal basis for processing (including the GDPR and Quebec Law 25), we process your personal data on the following bases:
| Processing Activity | Legal Basis |
|---|---|
| Responding to your inquiry | Legitimate interests (to evaluate and respond to potential business relationships) |
| Delivering contracted services | Contract performance (necessary to fulfill our service agreement with you) |
| Sending invoices and processing payments | Contract performance and Legal obligation |
| Maintaining financial and business records | Legal obligation (tax, accounting, and regulatory requirements) |
| Sending marketing emails to existing clients | Legitimate interests (subject to opt-out right) |
| Sending marketing emails to newsletter subscribers | Consent (you opted in) |
| Website analytics and performance monitoring | Legitimate interests (improving our website) or Consent (for non-essential cookies) |
| Fraud prevention and security | Legitimate interests (protecting our business and users) |
| Processing job applications | Pre-contractual steps / Legitimate interests |
| Complying with legal obligations | Legal obligation |
6. How We Use Your Personal Data
We use personal data for the following purposes:
6.1 Providing Our Services
- Responding to inquiries and preparing proposals
- Delivering web design, development, branding, automation, and maintenance services
- Communicating about your project
- Billing and invoice management
- Processing payments (via our payment processors)
6.2 Running Our Business
- Managing client relationships
- Internal project management and documentation
- Improving our service quality based on client feedback
- Staff training and quality assurance (with appropriate data minimization)
6.3 Legal & Compliance
- Complying with tax, accounting, and regulatory requirements
- Maintaining records as required by law
- Defending legal claims or enforcing our contracts
- Responding to lawful requests from government authorities
6.4 Marketing & Communications
- Sending our newsletter to subscribers who have opted in
- Sharing relevant content, case studies, and service updates with prospective and existing clients
- Following up on proposals or inquiries where there is a legitimate interest
6.5 Website Improvement
- Analyzing how users interact with our website
- Identifying and fixing technical issues
- Improving user experience and conversion
7. Who We Share Your Data With
We do not sell, rent, or trade your personal data to third parties.
We share personal data only with:
7.1 Service Providers (Data Processors)
We engage trusted third-party service providers who process data on our behalf, under binding data processing agreements:
| Provider Category | Examples | Purpose |
|---|---|---|
| Email & communication | Google Workspace, Microsoft 365 | Business communication |
| Project management | Notion, Linear, ClickUp | Internal project tracking |
| CRM | HubSpot, Pipedrive | Client relationship management |
| Payment processing | Stripe, PayPal | Invoicing and payment |
| Cloud storage | Google Drive, Dropbox | Document storage |
| Contract signing | DocuSign, PandaDoc | Electronic signatures |
| Analytics | Google Analytics 4 | Website analytics |
| Marketing | Mailchimp, Brevo | Newsletter delivery |
| AI tools | Anthropic (Claude API), OpenAI | Service delivery assistance (see Section 17) |
| Hosting | Vercel, AWS, DigitalOcean | Website and infrastructure hosting |
| Video conferencing | Zoom, Google Meet | Client calls |
All third-party service providers are contractually required to protect your data and may only use it for the purposes specified by Webility.
7.2 Subcontractors
We may engage qualified freelancers or subcontractors to assist with specific projects. Subcontractors are bound by confidentiality agreements and may only access the minimum personal data necessary to perform their work.
7.3 Legal Obligations
We may disclose personal data if required to do so by law, regulation, court order, or government authority. Where possible, we will notify you of such a requirement unless prohibited by law.
7.4 Business Transfers
In the event of a merger, acquisition, sale of assets, or similar corporate transaction, personal data may be transferred as part of that transaction. We will notify affected individuals in advance where legally required.
8. International Data Transfers
Webility operates internationally and uses service providers located in various countries. Your personal data may be transferred to and processed in countries outside your country of residence.
8.1 For EU/UK Users (GDPR)
When transferring personal data outside the European Economic Area (EEA) or the United Kingdom, we ensure appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs) (EU Commission Decision 2021/914)
- UK International Data Transfer Agreements (IDTAs)
- Transfers to countries with an adequacy decision from the European Commission
- Other approved transfer mechanisms under applicable law
A list of countries to which we transfer data and the applicable safeguards is available upon request at privacy@webility.local.
8.2 For Canadian Users (PIPEDA / Law 25)
We take reasonable steps to ensure that personal data transferred outside Canada receives comparable protection. We enter into data processing agreements with foreign service providers that impose equivalent privacy standards.
Under Quebec Law 25, we conduct privacy impact assessments (PIAs) before transferring personal information outside Quebec to jurisdictions with significantly different privacy laws.
8.3 For California Users (CCPA/CPRA)
Our data sharing practices are described in Section 7. We do not sell personal information or share it for cross-context behavioral advertising purposes. California residents' rights are described in Section 14.
9. How Long We Keep Your Data
We retain personal data only for as long as necessary for the purposes for which it was collected, subject to legal and regulatory requirements.
| Data Category | Retention Period | Basis |
|---|---|---|
| Inquiry / contact form data (no engagement) | 2 years from last contact | Legitimate interests |
| Proposal data (engagement did not proceed) | 3 years | Limitation periods |
| Active client data (contracts, project files) | 7 years after project close | Legal / tax obligations |
| Financial records (invoices, payments) | 7–10 years | Tax and accounting law |
| Marketing communications | Until you unsubscribe + 1 year | Consent-based |
| Website analytics data | 26 months (Google Analytics 4 default) | Legitimate interests |
| Cookie data | Per cookie lifespan — see Cookie Policy | Consent / Legitimate interests |
| Job application data (unsuccessful) | 1 year, or deleted immediately upon request | Potential future opportunities (with consent) |
| Job application data (successful → hired) | Duration of employment + applicable statutory period | Contract / Legal obligation |
When retention periods expire, we securely delete or anonymize personal data.
10. How We Protect Your Data
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction:
Technical measures:
- HTTPS encryption on all website communications (TLS 1.3)
- Encryption of data at rest for sensitive databases
- Access controls and role-based permissions — minimum access principle
- Regular security audits and vulnerability assessments
- Secure credential management (no plain-text credential storage)
- Two-factor authentication on all critical accounts
Organizational measures:
- Staff confidentiality obligations (all team members and subcontractors)
- Privacy and security training for relevant personnel
- Documented data processing procedures
- Incident response plan for data breaches
Breach notification: If we become aware of a data breach that is likely to result in risk to individuals' rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours (where required under GDPR)
- Notify affected individuals without undue delay (where the breach creates high risk)
- In Canada: notify affected individuals and the Office of the Privacy Commissioner as required under PIPEDA
11. Your Rights — All Jurisdictions
Regardless of where you are located, you have the following general rights with respect to your personal data:
| Right | What It Means |
|---|---|
| Right to know | You can ask what personal data we hold about you |
| Right of access | You can request a copy of your personal data |
| Right to correction | You can ask us to correct inaccurate or incomplete data |
| Right to deletion | You can ask us to delete your data (subject to legal retention obligations) |
| Right to object to marketing | You can opt out of marketing communications at any time |
| Right to complain | You can lodge a complaint with the relevant supervisory authority |
12. GDPR-Specific Rights (EU/UK)
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following additional rights under the GDPR / UK GDPR:
| Right | Description |
|---|---|
| Right to Erasure ("Right to be Forgotten") | Request deletion of your personal data where there is no compelling reason for continued processing |
| Right to Restriction of Processing | Request that we limit how we use your data while a dispute is resolved |
| Right to Data Portability | Receive your personal data in a structured, machine-readable format, and transmit it to another controller |
| Right to Object | Object to processing based on legitimate interests, including profiling |
| Rights related to Automated Decision-Making | Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects |
| Right to Withdraw Consent | Where processing is based on consent, withdraw that consent at any time without affecting prior lawfulness |
How to exercise these rights: Submit a request to privacy@webility.local. We will respond within 30 days of receiving a verifiable request (may be extended by 2 months for complex requests, with notice).
Right to complain: You have the right to lodge a complaint with your national data protection authority:
- EU: Your national DPA (list at edpb.europa.eu)
- UK: Information Commissioner's Office (ico.org.uk)
- Ireland: Data Protection Commission (dataprotection.ie)
- France: CNIL (cnil.fr)
- Germany: Your state DPA (BfDI for federal matters)
13. Quebec Law 25 / PIPEDA Rights (Canada)
If you are located in Canada, you have the following rights:
| Right | Description |
|---|---|
| Right of access | Request access to your personal information we hold |
| Right to rectification | Request correction of inaccurate information |
| Right to withdrawal of consent | Withdraw consent to the collection, use, or disclosure of your information (subject to legal or contractual constraints) |
| Right to data portability (Law 25) | Request that personal information be communicated to you or to another organization in a structured, technological format |
| Right to de-indexing (Law 25) | Request that certain personal information published online be de-indexed or rendered non-identifiable, where applicable |
How to exercise your rights: Contact privacy@webility.local.
Right to complain:
- Federal (PIPEDA): Office of the Privacy Commissioner of Canada — priv.gc.ca
- Quebec (Law 25): Commission d'accès à l'information (CAI) — cai.gouv.qc.ca
Privacy Officer for Quebec Law 25 purposes: [Name or Title] — privacy@webility.local
14. CCPA / CPRA Rights (California, USA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA:
| Right | Description |
|---|---|
| Right to Know | Know what categories of personal information we collect, use, disclose, and sell |
| Right to Access | Request a copy of the specific personal information we collected about you in the past 12 months |
| Right to Delete | Request deletion of your personal information (subject to exceptions) |
| Right to Correct | Request correction of inaccurate personal information |
| Right to Opt-Out of Sale/Sharing | Opt out of the "sale" or "sharing" of your personal information for cross-context behavioral advertising |
| Right to Limit Use of Sensitive Personal Information | Limit use of sensitive personal information to what is necessary to provide our services |
| Right to Non-Discrimination | We will not discriminate against you for exercising your CCPA rights |
Do Not Sell or Share My Personal Information: We do not sell or share personal information for monetary consideration or for cross-context behavioral advertising. A "Do Not Sell or Share" opt-out link is available at [webility.local/privacy-choices].
Submitting a CCPA Request: Email privacy@webility.local with "California Privacy Request" in the subject line. We will respond within 45 days (may be extended by 45 additional days with notice).
Authorized Agent: California residents may designate an authorized agent to submit requests on their behalf. We may require verification of the agent's authority.
Financial Incentives: We do not offer financial incentives in exchange for personal information.
15. Cookies & Tracking
We use cookies and similar tracking technologies on our website. Detailed information about the cookies we use, their purpose, and how to manage your preferences is available in our Cookie Policy: [webility.local/cookies].
In summary:
- Essential cookies are always active (required for the website to function)
- Analytics cookies require your consent in the EU/UK and Quebec
- Marketing cookies require your consent in all jurisdictions where we serve users
You can manage your cookie preferences at any time via the cookie settings panel on our website.
16. Children's Privacy
Our website and services are not directed at children under the age of 16 (or the applicable minimum age in your jurisdiction — 13 in the USA under COPPA).
We do not knowingly collect personal data from children. If you believe we have inadvertently collected information from a child, please contact us immediately at privacy@webility.local and we will delete the information promptly.
17. AI Tools & Automated Processing
17.1 AI-Assisted Service Delivery
We use AI tools to assist in delivering our services (see our AI Use & Data Policy for full details). In the context of service delivery, we apply the following principles:
- We do not input identifiable personal data into consumer AI tools
- API-level access is used (not consumer interfaces) — API providers have enterprise data protection commitments
- We do not use your personal data to train AI models for use with other clients
17.2 Automated Decision-Making
We do not make any decisions about you using solely automated processing that produces legal or similarly significant effects. Human review is involved in all consequential decisions made about clients.
18. Marketing Communications
18.1 How We Send Marketing
We may send you marketing emails if:
- You have subscribed to our newsletter (consent-based), or
- You are an existing client and we are communicating about related services (legitimate interests, subject to opt-out)
We use [Mailchimp / Brevo / other] to manage our marketing communications. Your email address and name are transferred to this platform for this purpose.
18.2 Opting Out
You can opt out of marketing communications at any time by:
- Clicking the unsubscribe link in any marketing email
- Emailing us at privacy@webility.local with "Unsubscribe" in the subject line
Opting out of marketing does not affect transactional communications related to your active service agreements.
19. Changes to This Policy
We review and update this Privacy Policy periodically to reflect changes in our practices, services, technology, or applicable law.
When we make material changes, we will:
- Update the "Last Revised" date at the top of this policy
- Post a notice on our website
- For EU/UK users: provide notice via email if the change materially affects how we process your data
- For Quebec users: provide advance notice as required under Law 25
We encourage you to review this policy periodically. Your continued use of our website after changes are posted constitutes acceptance of the revised policy.
20. How to Contact Us
For general privacy inquiries:
- Email: privacy@webility.local

For GDPR requests (EU/UK):
- Email: privacy@webility.local
- Subject line: "GDPR Request — [Type of Request]"

For CCPA requests (California):
- Email: privacy@webility.local
- Subject line: "California Privacy Request — [Type of Request]"

For Quebec Law 25 / PIPEDA requests:
- Email: privacy@webility.local
- Subject line: "Canadian Privacy Request — [Type of Request]"

By mail:
- Webility — Privacy, [Full Mailing Address]
We aim to respond to all privacy requests within 30 days. For complex requests, we may extend this by a further 30–60 days (depending on jurisdiction) with notice.
This policy is available in [French / other language] upon request — Cette politique est disponible en français sur demande.