Privacy Policy
This document describes how Arkion Identity Systems Inc. collects, uses, and protects personal information in connection with the Arkion platform and associated services, in accordance with applicable United States and Canadian privacy laws.
About Us
Arkion Identity Systems Inc. (“Arkion,” “we,” “us,” or “our”) is incorporated in Ontario, Canada and operates across the United States and Canada. We provide a Non-Human Identity Governance (NHIG) platform that helps enterprises discover, classify, and govern machine identities including AI agents, certificates, API keys, and service accounts.
For purposes of applicable privacy laws, Arkion determines the purposes and means of processing personal information. It operates as an “organization” under PIPEDA and applicable provincial privacy legislation, and as a “business” under applicable US state privacy laws.
Scope
This policy applies to:
- Website visitors
- Prospective customers requesting scans or enquiries
- Platform customers
- Authorised users of the Arkion platform
Personal Information We Collect
3.1 Information You Provide
Full name, work email address, job title, organisation, technology stack preferences, and communication records created when you contact us or register for the platform.
3.2 Information Collected Automatically
IP address, browser and device type, pages visited, referral source, session duration, and cookies or similar tracking technologies.
3.3 Platform Usage Data
Login events, session data, feature usage analytics, configuration settings, and support records generated through your use of the Arkion platform.
3.4 Infrastructure Scan Data
Our platform performs read-only scans of customer infrastructure to identify and inventory non-human identities.
Legal Bases for Processing
| Legal Basis | Processing Activity | Applicable Law |
|---|---|---|
| Performance of a contract | Onboarding, platform access, scan delivery | US (all states) · Canada (PIPEDA) |
| Legitimate business interest | Security, fraud prevention, product improvement | US (all states) · Canada (PIPEDA) |
| Legal obligation | Regulatory compliance, tax records, lawful requests | US (all states) · Canada (PIPEDA/Law 25) |
| Consent | Marketing communications, optional cookies | Canada (CASL) · US (where required) |
How We Use Personal Information
- Deliver the Arkion platform and infrastructure discovery scans
- Communicate about your account, findings, and support requests
- Onboard and verify customers and authorised users
- Ensure the security, integrity, and availability of our services
- Send product updates and marketing communications (where you have consented or have not opted out)
- Fulfil legal and regulatory obligations
- Improve the platform through aggregated and de-identified analytics
Disclosure of Personal Information
We may disclose personal information to the following categories of recipients:
- Cloud infrastructure providers (e.g. AWS, Azure)
- Identity and access management tooling providers
- Support and communication platform providers
- Analytics and product improvement services
- Professional advisors under confidentiality obligations
- Regulators, courts, and law enforcement where required by applicable law
A current list of sub-processors is available upon request at privacy@arkion.ai. Notice of material changes to sub-processors is given in accordance with contractual obligations.
Cross-Border Data Transfers
Arkion is incorporated in Ontario, Canada and operates across both the United States and Canada. Personal information collected in one jurisdiction may be transferred to and processed in the other jurisdiction. Because Arkion is a Canadian company doing business in the United States, data may flow from Canada to the US and vice versa. We ensure that appropriate contractual and organizational safeguards are in place for all cross-border transfers.
Where personal information is transferred between Canada and the United States, we rely on contractual protections and our internal privacy practices to ensure an adequate level of protection.
Data Retention
| Data Category | Retention Period |
|---|---|
| Customer account data | Contract duration + 7 years |
| Scan data and findings | Per customer contract and DPA |
| Website and analytics data | Up to 13 months |
| Marketing contact data | Deleted within 30 days of opt-out |
| Support records | Up to 3 years after case closure |
On expiry, personal information is securely deleted or de-identified per our data destruction procedures.
Cookies & Tracking
- Strictly necessary cookies — Cannot be disabled; required for session management and core functionality.
- Analytics cookies — Help us understand visitor behavior and improve the platform. Consent required where applicable.
- Preference cookies — Remember your settings and preferences across sessions.
Manage your cookie preferences via the cookie banner on first visit or through your browser settings.
California residents: Certain cookies may constitute “sharing” of personal information under the CCPA/CPRA. You may opt out of non-essential cookies at any time using the cookie banner or by contacting privacy@arkion.ai.
Your Privacy Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal information:
California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act and the California Privacy Rights Act (collectively, “CCPA/CPRA”) provide you with specific rights regarding your personal information.
Categories of Personal Information Collected
We collect the following categories as defined by the CCPA/CPRA: identifiers (name, email, IP address), commercial information (transaction records, service usage), internet or other electronic network activity (browsing history, interactions with our website and platform), and professional or employment-related information (job title, organisation).
No Sale or Sharing
Arkion does not sell your personal information as defined under the CCPA/CPRA. We do not share your personal information for cross-context behavioral advertising purposes.
Shine the Light
Under California Civil Code Section 1798.83, California residents may request information regarding the disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing purposes.
Authorized Agent
You may designate an authorized agent to make a request on your behalf. To do so, provide the agent with written permission and verify your identity directly with us. Contact privacy@arkion.ai.
Other US State Privacy Laws
Residents of the following states have additional rights under their respective privacy laws:
- Virginia (VCDPA) — Right to access, correct, delete, obtain a copy, and opt out of targeted advertising, sale, or profiling.
- Colorado (CPA) — Right to access, correct, delete, data portability, and opt out of targeted advertising, sale, or profiling.
- Connecticut (CTDPA) — Right to access, correct, delete, obtain a copy, and opt out of targeted advertising, sale, or profiling.
- Texas (TDPSA) — Right to access, correct, delete, data portability, and opt out of targeted advertising, sale, or profiling.
To exercise rights under any US state privacy law, contact privacy@arkion.ai. If your request is denied, you may appeal by replying to the denial notice.
Canadian Residents
Canadian residents have rights under federal and provincial privacy legislation. The following laws may apply depending on your province of residence:
Consent
We collect, use, and disclose your personal information with your knowledge and consent, except where permitted or required by law. Consent may be express or implied depending on the sensitivity of the information and your reasonable expectations. You may withdraw consent at any time by contacting privacy@arkion.ai, subject to legal or contractual restrictions.
Accountability
Arkion has designated a Privacy Officer responsible for our compliance with applicable Canadian privacy legislation. Our Privacy Officer can be contacted at privacy@arkion.ai.
Right to Complain
If you are not satisfied with our response to your privacy concern, you have the right to file a complaint with the applicable privacy commissioner or oversight body (see Section 16 for details).
Security
We implement appropriate technical and organizational measures to protect personal information, including:
- TLS 1.2+ encryption in transit
- AES-256 encryption at rest
- Role-based access control (RBAC) and least privilege
- Multi-factor authentication (MFA) for all platform access
- Regular vulnerability assessments and penetration testing
- Documented incident response procedures
Children
Arkion is an enterprise product designed for business professionals. We do not knowingly collect personal information from children under the age of 13, in compliance with the Children’s Online Privacy Protection Act (COPPA). We also do not knowingly collect personal information from individuals below the age of majority in their applicable Canadian province. If we become aware that we have inadvertently collected personal information from a child, we will promptly delete that information.
Changes to This Policy
We may update this Privacy Policy from time to time. We will give notice of material changes by email or in-platform notification at least 30 days before they take effect. Continued use of the Arkion platform or website after the effective date of any update constitutes acceptance of the revised policy. The current version is always available at arkion.ai/privacy.
Contact
Supervisory Authorities
If you are not satisfied with our response, you may contact the following authorities:
- US — California Privacy Protection Agency (CPPA) — cppa.ca.gov
- Canada — Office of the Privacy Commissioner (OPC) — priv.gc.ca
- Canada — Commission d’accès à l’information du Québec (CAI) — cai.gouv.qc.ca