Legal
Data Processing Agreement
The DPA governs Growthify Ltd's role as a processor (or service provider) for personal information that Kolekt operators are accountable for under PIPEDA and provincial privacy law.
Last updated: 2026-04-25
Working draft
Kolekt is in private beta. This document is a working draft and will be reviewed by Growthify Ltd's legal counsel before any customer data is collected. Operators considering Kolekt for regulated workloads should request the executed version when it issues.
Parties and roles
The Operator (the business subscribed to Kolekt) is the accountable organisation under PIPEDA and the equivalent provincial statutes for personal information collected via the operator's Kolekt line. Growthify Ltd, operating Kolekt, acts as a processor on the operator's behalf.
Scope of processing
Growthify processes personal information solely to deliver the Kolekt service to the operator: answering inbound calls, capturing lead information, scheduling bookings, sending notifications, generating reports, and operating the dashboard. Processing for any other purpose requires the operator's prior written instruction.
Subprocessors
The list of subprocessors used to deliver Kolekt — cloud hosting, telephony, AI inference, observability — will be maintained on this page in the executed version of the DPA. Operators will be notified by email when subprocessors change, with at least thirty days' notice for material additions.
Security measures
Growthify maintains technical and organisational security measures appropriate to the risk, including encryption in transit and at rest, access controls, audit logging, multi-factor authentication on administrative access, and regular review of subprocessor posture. The detailed measures schedule will accompany the executed DPA.
Data subject requests
When Growthify receives a request from an end-caller relating to personal information processed on the operator's behalf, Growthify will refer the request to the operator without responding substantively, and will assist the operator in responding within the timeframe required by applicable law.
Breach notification
Growthify will notify the operator without undue delay (and in any event within seventy-two hours) of becoming aware of a personal information breach affecting the operator's data, providing the information the operator needs to meet its own breach-notification obligations under PIPEDA, Quebec Law 25, and applicable provincial law.
Cross-border transfers
Customer personal information is hosted in Canadian regions by default. Where any onward transfer is necessary for the operation of the service (for example, to a subprocessor with regional presence), the transfer is subject to appropriate safeguards, and subprocessors are listed in the subprocessor schedule.
Audit and assurance
Growthify will respond to operator audit requests within reasonable scope and frequency, and will share third-party assurance reports (when available) on request.
Termination and return
On termination, Growthify will, at the operator's election, return or delete personal information processed on the operator's behalf, subject to retention required by applicable law.