Sutyr Inc.
Privacy Policy
Sutyr Inc. ("Sutyr," "we," "us," or "our") is committed to protecting the privacy of individuals who visit our website, inquire about our services, and use our billing orchestration platform. This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, who we share it with, and what rights you have with respect to your information.
This Policy applies to all personal information collected through sutyr.com, app.sutyr.com, our email communications, and through your use of the Sutyr billing orchestration platform (the "Service"). It covers our activities both as a data controller (where we determine the purposes and means of processing) and as a data processor (where we process personal information on behalf of our customers). Our obligations in the data processor role are described further in Section 2.6 and are governed in full by the applicable Data Processing Agreement.
By using our website or the Service, you acknowledge that you have read and understood this Privacy Policy.
1. Identity and Contact Information
The data controller for personal information collected through sutyr.com and in connection with the Service is:
Sutyr Inc.
Federal Corporation No. 1760760-1
Registered under the Canada Business Corporations Act
Registered Office: 3240 Avenue de Kent, Montreal, Quebec H3S 1N1, Canada
Privacy Officer: Toufic Jrab
Email: privacy@sutyr.com
Mailing Address: 3240 Avenue de Kent, Montreal, Quebec H3S 1N1, Canada
The Privacy Officer is responsible for overseeing Sutyr's compliance with applicable privacy legislation, including An Act to modernize legislative provisions as regards the protection of personal information (Quebec Law 25), the Personal Information Protection and Electronic Documents Act (PIPEDA), and other applicable data protection laws. All privacy inquiries, data subject requests, and complaints should be directed to privacy@sutyr.com.
For contract and legal notices unrelated to privacy: legal@sutyr.com.
2. Personal Information We Collect
We collect personal information in six categories, depending on how you interact with us.
2.1 Website Technical Data
When you visit sutyr.com, our hosting and security infrastructure automatically collects: IP address, browser type and version, device type and operating system, pages visited and time spent, referring URL, and general geographic location derived from the IP address. This data is collected by Vercel (website hosting and cookieless aggregate analytics) and Cloudflare (DNS, WAF, and CDN) as part of normal web infrastructure operations. No cookies are used for this collection (see Section 9).
When you interact with the founding-cohort application form on sutyr.com, additional processing applies. Cloudflare Turnstile evaluates browser and device signals to confirm that you are not a bot; the attestation is an in-transit check, and Cloudflare does not persistently store this data on its side. Sentry monitors the page for client-side errors, capturing stack traces, hashed request identifiers and, only when an error occurs, a masked session replay in which all input values are obscured. See Section 5 for the full sub-processor list.
2.2 Contact and Inquiry Data
When you submit the "Get early access" / founding-cohort application form on sutyr.com, we collect: your name, work email address, company name, role, company stage (early / growing / scaling / established), an optional description of your current setup for handling failed payments, and an optional indication of interest in the founding cohort. We also retain two audit hashes, the SHA-256 hash of your Cloudflare Turnstile attestation token and the SHA-256 hash of your User-Agent string, so that repeat or automated submissions can be correlated during spam-pattern review; no raw token, no raw User-Agent string, and no IP address is persisted alongside your submission. Submitted form data is stored in a managed Postgres database operated by Neon (see Section 5), and a notification email about your submission is delivered to Sutyr through Resend.
When you contact us directly by email or provide your business contact information at a conference or professional event, we collect that information for follow-up purposes. The date of first contact is recorded to manage our obligations under Canada's Anti-Spam Legislation (CASL).
2.3 Customer Account Data
When you create an account on app.sutyr.com, we collect: your name, business email address, company name, hashed password (we do not store plaintext passwords), subscription tier, and billing address. Authentication data is managed through Stytch; the remaining account data is stored on our AWS infrastructure.
2.4 Payment and Transaction Data
When you subscribe to the Service, payment is processed by Stripe Inc. Sutyr does not store, transmit, or have access to your full payment card number, CVV, or sensitive authentication data. Stripe is a PCI DSS Level 1 service provider and handles all card data directly. Sutyr receives and stores only: tokenized payment references, subscription status, invoice history, payment amounts, and the billing address as provided to Stripe.
2.5 Product Usage Data
When you use app.sutyr.com, our self-hosted analytics tool (PostHog, operated on Sutyr's own AWS infrastructure) collects: feature interactions, navigation patterns, dashboard configuration choices, session duration, and UI engagement data. This data is collected in cookieless mode: no tracking cookies are placed, and analytics events are associated with your authenticated user session after login. Consent for product usage analytics is captured at account registration. This data is used to improve the Service and is processed by Sutyr in its capacity as a data controller.
2.6 Customer Billing Event Data (Processor Role)
When you use the Service to orchestrate billing workflows, billing event data (including payment failure codes, customer identifiers, invoice amounts, subscription metadata, and workflow execution state) flows through Sutyr's Temporal-powered infrastructure. Sutyr processes this data on your behalf, as a data processor acting under your instructions as the data controller. We do not use this data for our own purposes beyond providing the Service. For details of Sutyr's obligations as a data processor, see the applicable Data Processing Agreement or contact privacy@sutyr.com.
3. Purposes of Collection and Legal Bases
Quebec's Law 25 and PIPEDA require that personal information be collected for specific, explicit purposes, stated at or before the time of collection. The following table maps each data category to its purpose and legal basis.
| Data Category | Purpose | Legal Basis |
|---|---|---|
| Website Technical Data | Operate and secure sutyr.com; analyze aggregate usage; protect against threats | PIPEDA: legitimate business interest. Law 25: necessary for service provision. GDPR Art. 6(1)(f): legitimate interest. |
| Contact and Inquiry Data | Respond to early-access requests and other inquiries; communicate about the Service; send commercial messages with CASL consent | PIPEDA: consent. Law 25: consent for commercial messages. CASL: implied consent (s.10(9)(a), arising from an existing business relationship per s.10(10)(e)) or express consent. GDPR Art. 6(1)(f): legitimate interest (inquiry follow-up); GDPR Art. 6(1)(a): consent (commercial messages). |
| Account Data | Provide and maintain the Service; authenticate users; communicate about account status; comply with legal obligations | Contract performance. PIPEDA / Law 25: necessary for contracted service. GDPR Art. 6(1)(b): contract performance. |
| Payment Data | Process subscription payments via Stripe; issue invoices and receipts; comply with tax and accounting obligations | Contract performance. Income Tax Act (Canada) / Taxation Act (Quebec): legal obligation (7-year financial record retention). GDPR Art. 6(1)(b): contract performance; GDPR Art. 6(1)(c): legal obligation. |
| Product Usage Data | Understand feature adoption; improve UI/UX; prioritize product roadmap; debug issues | Consent (captured at account registration). Law 25: consent for analytics collection. GDPR Art. 6(1)(a): consent. |
| Billing Event Data | Execute billing orchestration workflows on behalf of Customer; retry logic; dunning; workflow state management | Contract performance (processor role). Instructions of Customer as controller. GDPR Art. 6(1)(b): contract performance (processor role). |
4. AI and Data Intelligence
Sutyr's billing orchestration platform improves over time as it processes more billing patterns. This section explains how we use anonymized data to improve the Service, and what rights you have to opt out.
4.1 What Sutyr Does
As part of the Service, Sutyr uses anonymized and aggregated data derived from billing event patterns to improve its classification models, refine retry timing algorithms, and expand its billing edge-case taxonomy. This improvement capability is a feature of the Service: it is how Sutyr's intelligence layer compounds in accuracy over time, and it is part of what customers receive when they subscribe. The contractual basis for this processing is set out in the applicable Master Services Agreement or Terms of Service.
4.2 What Sutyr Does Not Do
Sutyr does not use identifiable customer data, individual billing events, or any personal information in identifiable form for model training or improvement. No individual's personal information, and no Customer's business-identifiable billing data, is used in the aggregated learning layer. All data used for model improvement is stripped of personal identifiers and customer-specific information before aggregation.
4.3 Anonymization Standard
Sutyr anonymizes billing event data using techniques designed to prevent re-identification, including differential privacy and equivalent measures that meet the applicable regulatory standard in each jurisdiction in which Sutyr operates. Anonymized data cannot reasonably be used to re-identify any individual or any Customer's business operations.
4.4 Opt-Out
Customers may opt out of having their billing event data included in Sutyr's anonymized aggregation and model training processes by submitting a written opt-out request to privacy@sutyr.com. Upon receiving an opt-out request, Sutyr will exclude the Customer's billing event data from all aggregation and model training processes within 30 days of receiving the request. Opting out does not affect the core Service: billing workflows continue to execute, and only participation in the aggregated learning layer is excluded.
5. Sub-Processors and Third-Party Service Providers
Sutyr engages the following sub-processors to operate the Service. Each sub-processor has been evaluated for data protection compliance and is bound by contractual data protection obligations. A current list of sub-processors is maintained at sutyr.com/legal/subprocessors; customers with a Data Processing Agreement receive 30 days' advance notice of any addition to that list.
| Sub-processor | Country | Purpose | Data Categories | Privacy Policy |
|---|---|---|---|---|
| Amazon Web Services | US | Infrastructure, compute, database, storage, monitoring | All platform data: billing events, workflow state, account data, logs | aws.amazon.com/privacy |
| Stripe Inc. | US | Payment processing, subscription management | Payment tokens, invoice data, subscription status, billing identifiers | stripe.com/privacy |
| Temporal Technologies Inc. | US | Workflow orchestration and durable execution | Billing event metadata, workflow state, retry parameters, failure codes | temporal.io/privacy |
| Stytch Inc. | US | B2B authentication and session management | Email addresses, password hashes, session tokens, org membership | stytch.com/privacy |
| Vercel Inc. | US | Website hosting; cookieless aggregate analytics | Aggregate pageview data (non-PII); no individual tracking | vercel.com/legal/privacy-policy |
| Cloudflare Inc. | US | DNS, WAF, CDN, DDoS protection | IP addresses, traffic metadata, security event logs | cloudflare.com/privacypolicy |
| Cloudflare Inc. (Turnstile) | US | Form bot-protection attestation on sutyr.com | IP addresses, device and browser signals, submission metadata | cloudflare.com/privacypolicy |
| Resend Inc. | US | Transactional and marketing email delivery | Email addresses, message content, delivery metadata | resend.com/legal/privacy-policy |
| Neon Inc. | US | Managed Postgres for sutyr.com application form data | Applicant name, email, company, role, stage, optional setup description, audit hashes | neon.tech/privacy |
| Sentry (Functional Software Inc.) | US | Error monitoring and exception tracking on sutyr.com | Stack traces, request metadata, hashed email correlation IDs, masked session-replay-on-error | sentry.io/privacy |
Note: Sutyr's self-hosted PostHog instance (product analytics) operates entirely within Sutyr's own AWS infrastructure. PostHog Inc. does not receive or process any personal data from this deployment and is not a sub-processor. Sentry's hosted service (Functional Software Inc.) is used for error monitoring on sutyr.com only; the app.sutyr.com platform uses a separate self-hosted Sentry instance with no external data transmission.
6. Cross-Border Transfers of Personal Information
Sutyr is incorporated and headquartered in the Province of Quebec, Canada. Every sub-processor listed in Section 5 is based in the United States. Personal information processed through the Service is therefore transferred to and processed in the United States, a jurisdiction that does not hold the general adequacy designations that Canada holds under some of the applicable frameworks.
Sutyr applies the transfer mechanism required by each applicable jurisdiction. Details of the applicable mechanism for each sub-processor are available on request from the Privacy Officer at privacy@sutyr.com.
6.1 Jurisdiction-Specific Transfer Mechanisms
Quebec (Law 25, s.17): Sutyr has reviewed each sub-processor's data protection practices. A Privacy Impact Assessment for cross-border transfers is being conducted in accordance with Law 25 s.17. All US sub-processors are bound by contractual data protection obligations requiring protection equivalent to that required under Law 25.
Canada Federal (PIPEDA, Schedule 1, Principle 4.1.3): Canada has received partial adequacy recognition from the EU for PIPEDA-covered organizations. Cross-border transfers are governed by contractual safeguards in Sutyr's vendor agreements.
European Union (GDPR, Chapter V): Transfers from the EU to US sub-processors are governed by the 2021 EU Standard Contractual Clauses (SCCs). Canada holds partial EU adequacy for PIPEDA-covered processing; Law 25 is not independently covered by the EU adequacy decision.
United Kingdom (UK GDPR): Transfers from the UK are governed by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable. This mechanism operates separately from the EU framework following Brexit.
Australia (Privacy Act 1988, APP 8): Sutyr takes reasonable steps to ensure that all US sub-processors receiving personal information from Australian individuals are contractually bound to provide privacy protections equivalent to those required under the Australian Privacy Principles.
Singapore (PDPA 2012, s.26): Sutyr ensures that all US sub-processors receiving personal information from Singapore individuals are bound by contractual obligations providing a standard of protection comparable to that required under the PDPA.
Japan (APPI): Japan has not recognized Canada as an adequate jurisdiction. Transfers of personal information from Japan are governed by contractual safeguards that ensure continuous equivalent protection as required by the APPI and guidance issued by the Personal Information Protection Commission (PPC).
South Korea (PIPA): Sutyr relies on standard contractual protections approved by the Personal Information Protection Commission (PIPC) for cross-border transfers of personal information from South Korea.
Taiwan (PDPA): Transfers of personal information from Taiwan are governed by contractual safeguards; Sutyr monitors the adequacy of the receiving jurisdiction and updates its transfer mechanisms in accordance with guidance from the Personal Data Protection Commission (PDPC).
Malaysia (PDPA 2010): Sutyr relies on consent captured in the applicable Terms of Service or Master Services Agreement, together with contractual safeguards binding US sub-processors to equivalent data protection standards.
Switzerland (nFDPA): Transfers from Switzerland are governed by standard data protection clauses consistent with the Swiss adequacy framework and guidance from the Federal Data Protection and Information Commissioner (FDPIC). Switzerland's nFDPA operates separately from the EU GDPR framework.
7. Data Retention
Sutyr retains personal information only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal obligations, and to resolve disputes or enforce agreements. The following retention periods apply:
| Data Category | Retention Period | Authority |
|---|---|---|
| Website technical data | 24 months from collection | Operational standard |
| Contact and inquiry data (direct email) | 24 months from last activity, or until unsubscribe, whichever is earlier | PIPEDA; Law 25 |
| Founding-cohort applications (form submissions) | 36 months from date of submission, or until your written deletion request is processed, whichever is earlier | PIPEDA; Law 25; CASL s.10(9)(a) implied-consent window |
| Conference / event contacts — CASL implied consent | 6 months from date of first contact. If express consent not obtained within this period, the contact is marked inactive and no further commercial electronic messages are sent. | CASL s.10(9)(a) and s.10(10)(e) — implied consent arising from an existing business relationship (inquiry within preceding 6 months) |
| Customer account data | Duration of account plus 12 months following account termination | Contract performance; PIPEDA; Law 25 |
| Payment and financial records | 7 years from date of transaction | Income Tax Act (Canada) s.230; Taxation Act (Quebec) |
| Customer billing event data (processor role) | Duration of the applicable agreement, plus a 30-day data export window following termination, after which Customer data is deleted or returned as specified in the DPA | Contract (processor obligation); applicable DPA |
| Product usage data | 24 months from collection | Operational standard; consent |
| Confidentiality incident register | 5 years from date of incident | Law 25, s.3.8; Reg. CQLR c A-2.1, r 3.1, s.7 |
8. Your Privacy Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal information. To exercise any right, submit a written request to privacy@sutyr.com. Sutyr will acknowledge your request promptly and respond in full within 30 days, or within the shorter period required by applicable law.
8.1 Rights Under Quebec Law 25 and PIPEDA
Right of Access: You may request confirmation of whether Sutyr holds personal information about you and, if so, a copy of that information.
Right of Rectification: You may request correction of inaccurate or incomplete personal information.
Right of Withdrawal of Consent: You may withdraw consent to the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions. Withdrawal may affect your ability to use the Service.
Right of Deletion: You may request deletion of your personal information, subject to Sutyr's legal retention obligations set out in Section 7.
Right of Data Portability: You may request that your personal information be provided to you in a structured, commonly used, and machine-readable format.
Right to Lodge a Complaint: You may file a complaint with the Commission d'accès à l'information (CAI) or the Office of the Privacy Commissioner of Canada (OPC); see Section 13.
8.2 CASL Right to Withdraw Consent to Commercial Electronic Messages
Independent of your rights under Law 25 and PIPEDA, you may withdraw consent to receive commercial electronic messages from Sutyr at any time by using the unsubscribe mechanism included in any commercial message, or by submitting a written unsubscribe request to privacy@sutyr.com. Sutyr will process your unsubscribe request within 10 business days, as required by CASL.
8.3 Additional Rights (Jurisdiction-Specific)
EU / UK (GDPR / UK GDPR): In addition to the rights above, you have the right to restriction of processing, the right to object to processing based on legitimate interests, and the right to lodge a complaint with the supervisory authority of the EU member state in which you habitually reside or, in the United Kingdom, with the Information Commissioner's Office (ICO).
Australia (Privacy Act 1988, APPs): You have the right to access and correct personal information held about you. If you are not satisfied with Sutyr's response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
South Korea (PIPA): You have the right to access, rectification, deletion, and suspension of processing of your personal information. You may lodge a complaint with the Personal Information Protection Commission (PIPC).
Other jurisdictions: Sutyr will respond to privacy rights requests from individuals in all jurisdictions in which it operates, consistent with the requirements of applicable local law. If you are unsure of your rights, contact privacy@sutyr.com.
9. Cookies and Tracking Technologies
Sutyr has adopted a cookieless approach across its web properties. We do not use advertising cookies, cross-site tracking cookies, or third-party cookies on any Sutyr domain.
9.1 sutyr.com (Marketing Website)
sutyr.com uses Vercel Analytics for aggregate, cookieless website analytics. Vercel Analytics does not set cookies, does not track individual visitors, and does not collect personally identifiable information. No cookie consent is required for sutyr.com analytics.
9.2 app.sutyr.com (Application)
app.sutyr.com uses the following technologies:
Strictly Necessary Cookies: Session authentication cookies set by Stytch following login. These cookies are essential for the operation of the Service and cannot be disabled while you are using app.sutyr.com.
Product Analytics: Sutyr operates a self-hosted instance of PostHog on its own AWS infrastructure. PostHog is configured in cookieless mode — it tracks product usage events by authenticated user session after login, without placing any tracking cookies or using browser storage for identification. Consent for product analytics is captured as a checkbox at account registration. You may withdraw consent at any time by contacting privacy@sutyr.com; withdrawal will disable product usage data collection for your account without affecting Service functionality.
9.3 No Third-Party Tracking Sutyr does not use Google Analytics, Meta Pixel, LinkedIn Insight Tag, or any other third-party advertising or tracking script on any of its domains. No personal information is shared with advertising networks in connection with your visit to sutyr.com or use of app.sutyr.com.
10. Security and Breach Notification
10.1 Security Measures
Sutyr and its sub-processors implement technical and organizational security measures appropriate to the sensitivity of the personal information processed, including: encryption of data at rest (AES-256) and in transit (TLS 1.2 or higher); identity and access management controls following least-privilege principles; continuous infrastructure monitoring through AWS CloudWatch (Sutyr platform) and Sentry (sutyr.com error monitoring; all submitted form values are masked and email addresses hashed before any event reaches Sentry); and regular security reviews. Sutyr completed a comprehensive 203-issue security audit remediation prior to launch. A full description of Sutyr's security posture will be available at trust.sutyr.com.
10.2 Breach Notification
In the event of a confidentiality incident involving personal information, Sutyr will notify affected individuals and the applicable regulatory authorities in accordance with the timelines required by each jurisdiction:
| Jurisdiction | Authority | Required Timeline |
|---|---|---|
| Quebec | Commission d’accès à l’information (CAI) | "With diligence" per Law 25 s.3.5; 72-hour operational standard |
| Canada Federal | Office of the Privacy Commissioner (OPC) | "As soon as feasible" per PIPEDA |
| European Union | Relevant national supervisory authority | 72 hours per GDPR Art. 33 |
| United Kingdom | Information Commissioner's Office (ICO) | 72 hours per UK GDPR |
| Singapore | Personal Data Protection Commission (PDPC) | 3 calendar days per PDPA s.26D |
| Australia | Office of the Australian Information Commissioner (OAIC) | "As soon as practicable" per NDB scheme (Privacy Act) |
| South Korea | Personal Information Protection Commission (PIPC) | "Without delay" per PIPA |
| Switzerland | Federal Data Protection and Information Commissioner (FDPIC) | "As soon as possible" per nFDPA Art. 24 |
| Japan | Personal Information Protection Commission (PPC) | Promptly, in accordance with APPI reporting thresholds. Mandatory PPC notification applies to breaches involving 1,000 or more individuals, sensitive personal information, or information likely to cause property damage; other incidents are subject to best-efforts notification obligations. |
| Taiwan | Personal Data Protection Commission (PDPC) | 72-hour operational standard (per 2025 PDPA amendments); exact statutory timelines subject to applicable sector regulations |
| Malaysia | Department of Personal Data Protection (JPDP) | 72-hour operational standard; no mandatory statutory timeline currently in force |
Sutyr maintains a confidentiality incident register for a period of 5 years from the date of each incident, in accordance with Law 25 s.3.8 and the Regulation respecting confidentiality incidents (CQLR c A-2.1, r 3.1, s.7).
11. Children
Sutyr's website and Service are intended for business users and are not directed to individuals under the age of 18. Sutyr does not knowingly collect personal information from minors. If Sutyr becomes aware that personal information has been collected from an individual under 18 without appropriate consent, it will take prompt steps to delete that information. If you believe that a minor has provided personal information to Sutyr, please contact privacy@sutyr.com.
12. Changes to This Privacy Policy
Sutyr may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. The revised Policy will be posted at sutyr.com/legal/privacy with an updated effective date.
For material changes — including changes to the categories of personal information collected, the purposes of processing, new sub-processors, or changes to individual rights — Sutyr will provide at least 30 days' advance notice by posting a prominent notice on sutyr.com. Registered customers will additionally receive email notification at the address associated with their account.
Where processing rests on contract performance or legitimate interest, your continued use of sutyr.com or the Service after the effective date of a revised Policy constitutes your acceptance of the revised terms. Where Sutyr relies on your consent as the legal basis for processing, a material change to that processing requires your renewed consent. If you do not accept a material change, you may close your account before the effective date. Prior versions of this Policy are maintained at sutyr.com/legal/privacy for reference.
13. Contact and Regulatory Complaints
13.1 Contact the Privacy Officer
For all privacy inquiries, data subject requests, opt-out requests, and complaints, contact:
Privacy Officer: Toufic Jrab
Email: privacy@sutyr.com
Mailing Address: Sutyr Inc., 3240 Avenue de Kent, Montreal, Quebec H3S 1N1, Canada
Sutyr will acknowledge your request promptly and will use reasonable efforts to resolve your concern. If you are not satisfied with Sutyr's response, you have the right to file a complaint with the applicable regulatory authority.
13.2 Regulatory Authorities
The following regulatory authorities accept privacy complaints from individuals in their respective jurisdictions:
| Jurisdiction | Authority | Website |
|---|---|---|
| Quebec | Commission d’accès à l’information (CAI) | cai.gouv.qc.ca |
| Canada (Federal) | Office of the Privacy Commissioner of Canada (OPC) | priv.gc.ca |
| European Union | Relevant national supervisory authority (coordinated by EDPB) | edpb.europa.eu |
| United Kingdom | Information Commissioner's Office (ICO) | ico.org.uk |
| Australia | Office of the Australian Information Commissioner (OAIC) | oaic.gov.au |
| Singapore | Personal Data Protection Commission (PDPC) | pdpc.gov.sg |
| Japan | Personal Information Protection Commission (PPC) | ppc.go.jp |
| South Korea | Personal Information Protection Commission (PIPC) | pipc.go.kr |
| Switzerland | Federal Data Protection and Information Commissioner (FDPIC) | edoeb.admin.ch |
| Taiwan | Personal Data Protection Commission (PDPC) | pdpc.gov.tw |
| Malaysia | Department of Personal Data Protection (JPDP) | pdp.gov.my |