Privacy Policy
Vencer Group is committed to handling your data responsibly under Canadian privacy law (PIPEDA, PIPA Alberta) and the GDPR where applicable. This page describes - in plain language - what we collect, why, how long we keep it, and what you can ask us to do with it.
Who we are
Vencer Group is a Calgary-based managed IT and cybersecurity firm. Our head office is at 700 4 Ave SW #1680, Calgary AB T2P 3J4. You can reach our privacy contact at privacy@vencergroup.com.
What we collect on this website
The website at vencergroup.com runs a layered analytics stack. Each tracker is described below.
1. Google Tag Manager + Google Analytics 4
What it does: aggregated traffic measurement (pageviews, sessions, top pages, referrers) and conversion event tracking (when you click a CTA, submit a form, complete a diagnostic).
What it collects: a randomly generated client identifier, your country/region (derived from IP - IP itself is not stored), device type, browser, referring URL, pages visited. With your consent, behavioral profile data may be passed to Google for ad personalization.
Default state: denied. We use Google Consent Mode v2 - Google Analytics receives only modeled, anonymous signal until you accept the cookie banner.
Retention: 14 months by default.
2. Microsoft Clarity
What it does: records anonymized session replays and generates heatmaps so we can improve the website experience.
What it collects: anonymized cursor movement, click positions, scroll depth, page resize events, device and browser metadata. Form field values are masked by default. We do not record screens or text in fields containing personal information.
Default state: denied until consent.
Retention: 30 days.
3. Cloudflare Web Analytics
What it does: ground-truth traffic measurement at the network edge.
What it collects: aggregated request counts, country, browser type, top pages, top referrers. No cookies, no fingerprinting, no individual user tracking.
Default state: always active. Because no personal data is collected and no cookies are used, Cloudflare Web Analytics does not require consent under PIPEDA, PIPA, or GDPR.
Retention: 6 months aggregated; no individual records.
4. LinkedIn Insight Tag
What it does: if you visit our site and have a LinkedIn account, allows us to show you Vencer ads on LinkedIn later (retargeting) and gives us aggregated reports of which companies visit our content.
What it collects: LinkedIn member ID (only if you're logged into LinkedIn), URL visited, timestamp, browser type. LinkedIn handles the data per its own privacy policy.
Default state: denied until consent.
Retention: 180 days for retargeting; aggregated reports indefinite.
5. Customer relationship management system (form submissions)
What it does: when you submit any form on this site (contact, eBook gate, diagnostic email capture, newsletter subscribe), our CRM creates or updates a contact record and routes the submission to our team.
What it collects: exactly what you enter - typically email address, name, role, company, and any free-text message you write.
Lawful basis: consent (you submitted the form) and legitimate interest (replying to your inquiry).
Retention: until you ask us to delete it, or 7 years from last contact, whichever is shorter.
6. Newsletter subscriptions
What it does: sends you the Operator's Brief (~6 issues per year).
What it collects: email address; if provided, name and role.
Unsubscribe: every email includes an unsubscribe link. You can also email privacy@vencergroup.com.
7. Behavioral signals (logged-in CRM contacts only)
What it does: for contacts already in our CRM, we log page-level engagement signals to inform whether and when to follow up. Anonymous visitors are never tracked behaviorally.
What it collects: page URL, event name (e.g. "blog read", "diagnostic completed"), event timestamp. Tied to the CRM tracking cookie only if you've previously submitted a form.
Retention: 7 years; aggregate analytics retained indefinitely.
Sub-processors
We use the following third-party services to operate the website and follow-up communications. Each is a "sub-processor" under PIPEDA/GDPR terminology - they process personal data on our behalf under contractual terms.
- CRM platform (CRM, newsletter) - US/EU. Stores contact records, form submissions, behavioral signals.
- Resend (transactional email) - US. Sends eBook deliveries, diagnostic results, and follow-up sequences. Processes recipient email + content.
- Inngest (workflow engine) - US. Orchestrates email send timing. Processes event metadata (contact ID, event name).
- Cloudflare (hosting, edge functions, DNS) - global edge. Processes request data (IP, user-agent) and stores subscription preferences in their D1 database (Canadian or US region).
- Google (Tag Manager, Analytics 4) - US/EU. Aggregate analytics under Consent Mode v2.
- Microsoft (Clarity) - US/EU. Session replay with PII masked.
- LinkedIn (Insight Tag) - US/EU. Conversion tracking, audience matching.
For specific sub-processor questions or the latest sub-processor list, email privacy@vencergroup.com.
What we do NOT do
- We do not sell your personal data to third parties.
- We do not run ad networks on this site.
- We do not share form contents with advertising partners.
- We do not use behavioral data for credit, employment, or insurance decisions.
Your rights under PIPEDA and PIPA
You have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete personal data
- Withdraw consent for any tracking at any time
- Request deletion of your personal data, subject to legal retention requirements
- File a complaint with the Office of the Privacy Commissioner of Canada
To exercise any of these rights, email privacy@vencergroup.com. We will respond within 30 days per PIPEDA.
Cookies and consent
When you first visit the site, you'll see a cookie consent banner. Your choice is stored in your browser and respected on all future visits from the same device. You can revoke consent at any time by clearing your browser storage for vencergroup.com, or by emailing privacy@vencergroup.com.
Data location
Form submissions and newsletter signups are stored in Canada or the United States, depending on the service provider. Aggregate analytics are processed by Google (US/EU), Microsoft (US/EU), Cloudflare (global edge), and LinkedIn (US/EU).
Security
We follow industry-standard security practices. Vencer Group's fully managed clients have not experienced a security breach in 11 years. For our vulnerability disclosure policy, see /security.txt.
Changes to this policy
We update this policy when we add, remove, or change a tracker. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated via a banner on the homepage.
Contact
Vencer Group
700 4 Ave SW #1680
Calgary AB T2P 3J4
privacy@vencergroup.com