Policy Summary
Effective date: May 26, 2026
Last updated: May 26, 2026
Nexsite is a web design, web development, and search engine optimization business based in Pickering, Ontario, Canada. This policy applies when you visit nexsite.ca, submit a form, email us, or otherwise interact with our services.
1. About this Policy
This Privacy Policy explains how Nexsite ("Nexsite," "we," "us," or "our") collects, uses, discloses, retains, and protects personal information when you visit nexsite.ca (the "Site"), submit a form, email us, or otherwise interact with our services (collectively, the "Services").
Nexsite provides services to clients in Canada, the United States, and internationally. We are committed to handling personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, Quebec's Act respecting the protection of personal information in the private sector (Law 25), the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and Canada's Anti-Spam Legislation (CASL).
By using the Site or submitting information to us, you confirm that you have read this Policy and consent to the practices it describes, to the extent permitted by applicable law.
2. Scope
This Policy applies to:
- Visitors to the Site.
- Prospective clients who submit forms, email, call, or inquire about our Services.
- Current and former clients with whom we have a service relationship.
- Anyone else whose personal information we may receive while operating Nexsite.
This Policy does not apply to third-party websites or services that we link to. Their data practices are governed by their own privacy policies, which we encourage you to review.
3. Information We Collect
We collect personal information in three ways: information you voluntarily provide, information collected automatically when you use the Site, and information from third parties.
3.1 Information You Provide
When you contact us through a form, email, phone, or another method, you may provide:
- Identification details, such as name, business name, and job title.
- Contact details, such as email address, phone number, and mailing address.
- Project details, such as information about your business, current website, goals, budget range, timelines, and project scope.
- Files and materials, such as logos, brand assets, written content, photos, screenshots, design references, or other materials you voluntarily upload or send.
- Correspondence, including emails, messages, and other communications.
We do not intentionally collect sensitive categories of personal information, such as health data, government identifiers like SIN/SSN, financial account numbers, racial or ethnic origin, religious beliefs, sexual orientation, or biometric data. Please do not submit this type of information through our forms or by email.
3.2 Information Collected Automatically
When you visit the Site, certain information is collected automatically through server logs, analytics, and similar technologies:
- Device and browser information, including device type, operating system, browser type and version, screen size, and language preference.
- Network information, including IP address, approximate general location, and internet service provider.
- Usage information, including pages viewed, time spent on pages, referring URL, click and scroll behaviour, and date/time of access.
- Performance data, including page load times, errors, and similar technical metrics used to monitor Site performance and reliability.
3.3 Information from Third Parties
We may receive information from:
- Search engines and webmaster tools, such as Google Search Console, which provide aggregated, non-personally-identifying search query and performance data.
- Public sources, including publicly available business information about you or your company that we may review when scoping a project.
- Referrals, where an existing client, partner, or contact refers you to us and provides your name and contact details.
4. How We Use Personal Information
| Purpose | Description |
|---|---|
| Responding to inquiries | Answering form submissions, emails, calls, and other requests. |
| Scoping and delivering Services | Preparing proposals, building previews, performing web design, development, SEO, and maintenance work. |
| Client communications | Sending project updates, deliverables, invoices, and operational messages. |
| Marketing with consent | Sending occasional updates about Nexsite where you have opted in or where permitted under CASL. |
| Business records | Maintaining accurate records of client engagements, invoices, and correspondence. |
| Site operation and improvement | Monitoring performance, debugging errors, and analyzing usage to improve content, structure, and conversion. |
| Security and abuse prevention | Detecting fraud, spam, automated abuse, and unauthorized access attempts. |
| Legal compliance | Complying with applicable laws, responding to lawful requests, and enforcing our agreements. |
We do not sell personal information, and we do not "share" personal information for cross-context behavioural advertising as those terms are defined under CCPA/CPRA.
5. Legal Bases for Processing
If you are located in the EU, UK, or another jurisdiction with a legal-basis requirement, we rely on the following:
- Consent when you submit a form, opt into marketing, or provide information voluntarily.
- Contract to take steps at your request before entering into a contract, and to perform services under an existing agreement.
- Legitimate interests to operate, secure, and improve the Site and our business, where those interests are not overridden by your rights.
- Legal obligation to comply with tax, accounting, and other legal requirements.
Under PIPEDA, the comparable foundation is knowledge and consent, whether express, implied, or opt-out, appropriate to the sensitivity of the information.
6. Service Providers and Sub-processors
We use a small set of trusted third-party service providers to operate the Site and our business. These providers process personal information on our behalf under contractual obligations to maintain confidentiality and use the data only for the purposes we direct.
| Provider | Purpose | Data involved | Location of processing |
|---|---|---|---|
| Vercel Inc. | Site hosting, deployment, SSL, edge delivery, and server logs. | Server logs, including IP, request metadata, and timestamps. | United States and other regions. |
| Vercel Analytics | Privacy-friendly Site traffic and performance analytics. | Aggregated page-view and performance data; limited device metadata. | United States. |
| Tally | Embedded contact and intake forms. | Form submissions, including name, email, phone, message, and files. | European Union. |
| Formspree | Form submission processing used on some forms. | Form submissions, including name, email, phone, message, and files. | United States. |
| Google LLC - Maps Embed | Embedded map showing our service area. | Standard Google Maps cookies and IP address when the map loads. | United States and other regions. |
| Google LLC - Search Console | Aggregated search performance data for the Site. | Aggregated, non-personally-identifying search and click data. | United States and other regions. |
| GitHub Inc. | Source-code version control for the Site. | No visitor personal information; code only. | United States. |
| Email service provider | Sending and receiving email at our business address. | Email content, headers, and attachments. | United States and other regions. |
We also use industry SEO research tools such as Ahrefs and Semrush to analyze publicly available information about our own and clients' sites. These tools crawl public web data and do not receive personal information about visitors to the Site from us.
Outside of these service providers, we share personal information only:
- With your direction or consent.
- With professional advisors, such as lawyers or accountants, under duties of confidentiality.
- If required to comply with law, lawful requests, court orders, or to enforce our agreements.
- In the event of a corporate transaction, such as a merger, acquisition, or asset sale, where we will require the recipient to honour the commitments in this Policy.
We do not sell personal information.
7. Cookies and Similar Technologies
The Site uses a limited number of cookies and similar technologies:
- Strictly necessary technologies needed for the Site to function, such as load balancing and security.
- Analytics, including Vercel Analytics, which collects aggregated traffic data and is designed to operate without third-party tracking cookies.
- Embedded third-party content, including Google Maps, which may set its own cookies when the map loads on contact or service-area pages.
You can control cookies through your browser settings. Blocking some cookies may affect Site functionality. If you are in a jurisdiction that requires cookie consent, such as the EU/UK, we will request consent through an on-Site banner where applicable.
8. International Data Transfers
Nexsite is based in Canada, and some of our service providers, notably Vercel, Formspree, and Google, are located in the United States or other jurisdictions outside Canada and the EEA. As a result, personal information you provide may be stored, processed, or accessed outside your country of residence, including in the United States, where data-protection laws may differ from those in your jurisdiction.
Where required by law, we rely on appropriate safeguards for such transfers, including:
- Service-provider agreements that include confidentiality and data-protection commitments.
- Standard Contractual Clauses or equivalent transfer mechanisms for transfers from the EU/UK.
- Selection of providers with recognized security and privacy programs.
By submitting personal information to us, you understand that it may be transferred to and processed in these jurisdictions.
9. Data Retention
We retain personal information only for as long as reasonably necessary for the purposes described in this Policy, including:
| Category | Typical retention |
|---|---|
| Inquiries that do not become projects | Up to 24 months from last contact, then deleted or anonymized. |
| Active client records | For the duration of the engagement plus the period required by tax, accounting, and limitation-period laws, typically 7 years in Canada. |
| Server logs and analytics | Typically 90 days to 13 months, depending on the provider. |
| Marketing contacts | Until you withdraw consent, then promptly removed from active marketing lists. |
| Backups | Standard rolling backups, overwritten on a defined schedule. |
When personal information is no longer needed, we delete, destroy, or de-identify it using reasonable measures.
10. Security
We take reasonable technical and organizational measures to protect personal information against unauthorized access, use, disclosure, alteration, or destruction. Measures include:
- Encryption in transit: the Site is served entirely over HTTPS with HSTS.
- Hardened security headers, including Content Security Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy.
- Access controls restricting administrative access to systems and tools, with strong authentication.
- Reputable service providers with their own security programs.
- Minimization so we collect only the personal information reasonably needed.
No method of transmission or storage is completely secure. While we work to protect personal information, we cannot guarantee absolute security. You are responsible for keeping any credentials, links, or files we share with you confidential and secure.
If we become aware of a breach of security safeguards that creates a real risk of significant harm, we will notify the relevant privacy regulator(s) and affected individuals as required by law.
11. Your Privacy Rights
Subject to applicable law and reasonable verification of your identity, you have the rights described below. To exercise any right, contact us using the details in Section 16.
11.1 All individuals - PIPEDA (Canada)
- Access: request confirmation of whether we hold personal information about you and a copy of that information.
- Correction: request that we correct information that is inaccurate or incomplete.
- Withdrawal of consent: withdraw consent to our use of your personal information, subject to legal and contractual restrictions.
- Complaint: file a complaint with us, and if unresolved, with the Office of the Privacy Commissioner of Canada.
11.2 Quebec residents - Law 25
In addition to the rights above, Quebec residents have the right to:
- Data portability for certain personal information.
- De-indexing or cessation of dissemination in specified circumstances.
- Be informed about automated decision-making, if used. Nexsite does not currently use automated decision-making that produces legal or similarly significant effects.
You may also complain to the Commission d'acces a l'information du Quebec.
11.3 EU / UK / EEA residents
- Access, rectification, and erasure.
- Restriction of processing.
- Objection to processing based on legitimate interests.
- Data portability.
- Withdrawal of consent at any time, without affecting prior lawful processing.
- Lodging a complaint with your local supervisory authority.
11.4 California residents - CCPA / CPRA
- Right to know what categories and specific pieces of personal information we collect, use, and disclose.
- Right to delete personal information, subject to exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing. Nexsite does not sell or share personal information for cross-context behavioural advertising.
- Right to limit use of sensitive personal information. We do not knowingly collect sensitive personal information as defined under CPRA.
- Right to non-discrimination for exercising your privacy rights.
You may designate an authorized agent to make a request on your behalf, subject to identity verification.
11.5 Other US states
Residents of other US states with privacy laws may have similar rights of access, correction, deletion, portability, and opt-out. We honour these rights to the extent required by applicable law.
11.6 Response times
We will respond to verified requests within the timelines required by the applicable law, generally 30 days under PIPEDA and GDPR and 45 days under CCPA, with extensions where permitted.
12. Marketing Communications (CASL)
If we send you commercial electronic messages, such as email about Nexsite's services or content, we will do so only where we have your express or implied consent under Canada's Anti-Spam Legislation. Every message will:
- Identify Nexsite as the sender.
- Provide our contact information.
- Include a clear and functional unsubscribe mechanism.
You can unsubscribe at any time by using the link in any marketing email or by emailing us. We will action unsubscribe requests within 10 business days. Transactional and relationship messages, such as responses to inquiries, project communications, and invoices, may continue after you unsubscribe from marketing.
13. Children's Privacy
The Site and Services are intended for business users aged 18 or older. We do not knowingly collect personal information from children under 16, or the applicable age of digital consent in your jurisdiction. If you believe a child has provided personal information to us, please contact us and we will take reasonable steps to delete it.
14. Do Not Track and Global Privacy Control
Some browsers transmit Do Not Track (DNT) signals or Global Privacy Control (GPC) signals. Because there is no industry-standard interpretation of DNT, we currently do not respond to DNT signals. Where we are required by law to treat GPC signals as a valid opt-out, for example for California residents, we will do so.
15. Third-Party Links and Embeds
The Site may link to third-party websites, such as social media profiles or partner sites, or embed third-party content, such as Google Maps. We are not responsible for the privacy practices or content of those third parties. Please review their privacy policies before providing personal information.
16. Contact Us / Privacy Officer
The person responsible for personal information at Nexsite is:
Privacy Officer - NexsiteLiam Pruden, Owner
Pickering, Ontario, Canada
Email: liam@nexsite.ca
You can contact us to:
- Ask questions about this Policy.
- Exercise any of your privacy rights.
- File a privacy concern or complaint.
- Request that we update or delete your information.
We will acknowledge your request promptly and respond within the timeline required by applicable law.
If you are not satisfied with our response, you may contact:
- Office of the Privacy Commissioner of Canada: priv.gc.ca, 1-800-282-1376.
- Information and Privacy Commissioner of Ontario: ipc.on.ca.
- Commission d'acces a l'information du Quebec: cai.gouv.qc.ca.
- Your local EU/UK Data Protection Authority.
- Your state Attorney General's office if you are a US resident.
17. Changes to this Policy
We may update this Policy from time to time to reflect changes in our practices, our Services, or applicable law. When we make material changes, we will:
- Update the Last updated date at the top of this Policy.
- Post a notice on the Site or contact you directly where appropriate.
- Where required by law, obtain renewed consent.
We encourage you to review this Policy periodically.
18. Governing Law
This Policy and any dispute arising out of or in connection with it are governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein, without regard to conflict-of-laws principles. The courts of Ontario will have exclusive jurisdiction, subject to any non-waivable rights you may have under the privacy laws of your jurisdiction of residence.