Privacy Policy

Effective Date

This Privacy Notice is effective July 26, 2022. It was last updated July 26, 2022.

Statement on Privacy

Our organization takes great care to respect the privacy of the personal and corporate data contained within its systems. For this reason, we collect and process data only for reasons and ways needed to provide our services to you. Your personal data includes information such as: 

  • Name
  • Email address
  • Mailing address
  • Phone number
  • Other data collected that could directly or indirectly identify you

Our Privacy Notice is intended to describe to you how and what data we collect, and how and why we use your personal data. It also describes options we provide for you to access, update or otherwise take control of your personal data that we process. 

Privacy Contact

If you have questions about our policies or processes described below, you may contact our privacy team by emailing or These inboxes are actively monitored and someone will contact you quickly to answer your questions.

Data Collection

We collect information so that we are able to deliver the best possible user experience on our platform(s). Much of this information is collected in the following ways: 

  • Website Contact Form - as done by you when requesting a call-back, white-paper, or subscription to a newsletter
  • Account Creation or Modification - as done by you directly or by an organization that has enrolled you on our platform(s)
  • Order Placement - when placing an order in our system that requires a delivery address or contact details
  • Customer Service Inquiry - when contacting our support team to address an issue

The information collected is structured to be at the bare minimum required to provide adequate services to our clients and users. Additionally, we do have other forms of data collection that may not be obvious: 


These allow us to track browsing behavior on our platforms. We make use of Google Analytics to provide us insight into site usage and overall performance from the end user's perspective. No personal data is transferred to Google in this way and we do not make use of tracking beyond our platform(s); all cookies are first-party cookies. 
We additionally make use of cookies to manage user authentication against our platforms. These cookies are essential for the proper operation of the application. 

Service Usage

Usage logs are automatically generated through all interactions with our services. These logs contain specific service usage, source IP addresses, site referral URLs, system performance, as well as browser, operating system, and device information. 

Supplemental Data

Upon enrollment, your account may have been configured with additional details regarding your account and role within the enrolled program. This data is typically provided by the enrolling organization and typically consists of a job title and department. The information provided is typically pertinent to the type of program your organization is operating on our platform. Inquiries regarding this type of data should be forwarded to your own organization. 

Data Usage

While we collect a minimum amount of data on our users, we strictly process this data solely for the purposes of providing contracted services to the end user and client. Data is only used for purposes that:

  1. for which we have been given permission
  2. are necessary to deliver the Services you purchase or interact with, or
  3. might be required or permitted for legal compliance or other lawful purposes

These uses include delivering, improving, updating and enhancing the Services we provide to you. We collect various types of information relating to your use and/or interactions with our Services.

We use this information to:

  • Improve and optimize the operation and performance of our Services, specifically our applications and customer service.
  • Diagnose problems with and identify any security risks, errors or needed enhancements to the Services.
  • Detect and prevent fraud and abuse of our Services and systems.
  • Collect aggregate statistics about the use of the Services.
  • Understand and analyze how you use our Services and what features and products are most relevant to you.

Often, much of the data collected is aggregated or statistical data about how individuals use our Services, and is not linked to any personal data, but to the extent it is itself personal data, or is linked or linkable to personal data, we treat it accordingly.

Data Sharing

We may share your information with the following entities in order to provide you with service:

  1. Outsourced Call Center - we may make use of an outsourced call center with contracted dedicated staff to provide 24/7 customer service to our clients & users.
  2. Product Fulfillment - in order to provide local fulfillment of reward orders we will provide your shipping details to a local supplier who will deliver goods to you.

In all cases, we ensure that our sub-processing partners provide the same level of security and privacy to your personal data that we provide.

Data Rights

Data Access

You are permitted to request a report of the personal data contained in our platforms. To request a report, you may do any of the following:

  1. Use the provided tools on the platform (if available) and generate the report on an as needed basis.
  2. Contact your program administrator
  3. Contact our customer service team directly and submit the request by way of phone or email (contact details should be provided within your program)
  4. Contact our privacy team at or

Data Editing

You are permitted to update your user profile information at any time using the provided tools on our platform(s). If you are unable to do so, please contact your local program administrator.

Data Deletion

You are permitted to request to delete your personal information from our platform. After doing so, we will be unable to provide any additional service to you as a customer. This will have the following consequences:

  1. We will be unable to provide you with customer support regarding any placed orders:
    1. Unable to handle any order status / delivery updates
    2. Unable to handle any product returns
    3. Unable to provide any refunds
    4. Unable to provide any warranty proof-of-purchase
  2. We will be unable to provide you with any historical account of your activities in the system.
  3. We will be unable to reactivate your account and/or reissue any terminated account balances


Similarly to personal data reports, you may request to have your personal data removed from our platform(s) in any of the following ways:

  1. Use the provided tools on the platform (if available) and trigger a deletion request
  2. Contact your program administrator
  3. Contact our customer service team directly and submit the request by way of phone or email (contact details should be provided within your program)
  4. Contact our privacy team at or

Data Handling

Data Security

We follow generally accepted standards to store and protect the personal data we collect, both during transmission and once received and stored, including the utilization of encryption where appropriate.

Data Storage

Data is stored securely at multiple locations, in conjunction with our technology partners.

  • Primary Data Facility
    Technology Partner: eStruxture Data Centers (formerly Aptum Technologies) 
    Location: Toronto, Canada
    Services: Colocation
  • Disaster Recovery Facility
    Technology Partner: AWS Canada 

    Region: ca-central-1
    Services: Compute, Storage, DNS, DRaaS 

Data Retention

We retain personal data only for as long as necessary to provide services and thereafter for a variety of legitimate legal or business purposes. These might include retention periods:

  • Mandated by law, contract or similar obligations applicable to our business operations.
  • For preserving, resolving, defending or enforcing our legal/contractual rights.
  • Needed to maintain adequate and accurate business and financial records.

If you have any questions about the security or retention of your personal data, you can contact us at or

International Transfers of Collected Information

If you use our Services from a country other than the country where our servers are located, your communications with us may result in transferring your personal data across international borders. Also, when you call us or initiate a chat, we may provide you with support from one of our global locations outside your country of origin. In these cases, your personal data is handled according to this Privacy Notice.

International Transfers to Third Parties

Some of the third parties described in this privacy notice, which provide services to us under contract, are based in other countries that may not have equivalent privacy and data protection laws to the country in which you reside. When we share information of customers in the European Economic Area, the UK, or Switzerland, we will make use of the following:

  • Standard contractual data protection clauses
  • Binding corporate rules for transfers to data processors 
  • Legal and security mechanisms to safeguard the transfer

Compliance with Legal, Regulatory, and Law Enforcement Requests

We cooperate with government and law enforcement officials and private parties to enforce and comply with the law. We will disclose any information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate to respond to claims and legal process (such as subpoena requests), to protect our property and rights or the property and rights of a third party, to protect the safety of the public or any person, or to prevent or stop activity we consider to be illegal or unethical.
To the extent we are legally permitted to do so, we will take reasonable steps to notify you in the event that we are required to provide your personal information to third parties as part of legal process.

‘Do Not Track’ Notifications

Some browsers allow you to automatically notify websites you visit not to track you using a “Do Not Track” signal. There is no consensus among industry participants as to what “Do Not Track” means in this context. Like many websites and online services, we currently do not alter our practices when we receive a “Do Not Track” signal from a visitor’s browser. To find out more about “Do Not Track,” you may visit 

Age Restrictions

Our Services are available for purchase only for those over the age of 16. Our Services are not targeted to, intended to be consumed by or designed to entice individuals under the age of 16. If you know of or have reason to believe anyone under the age of 16 has provided us with any personal data, please contact us at or

List of Sub-Processors




AWS Canada 

Hybrid-cloud services (compute and storage); storage of replicated backups; on-premises DR landing zone; DNS services 

Region: ca-central-1 

eStruxture Data Centers 

Colocation; houses our production environment and primary data center 

Toronto, Canada 


Customer service ticketing solution. System manages the inbound/outbound communication between CarltonOne and the end-user help requests 

California, USA (AWS Region: us-east-1) 


Customer Relationship Management system. System manages the client-service related communications between CarltonOne and clients 

Massachusetts, USA (AWS Region: us-east-1) 


Outsourced customer call center. Order Processing Coordinators and Customer Service Representatives may have access to limited customer data in order to provide contracted end-user support services

Manila, Philippines 


Privacy Policy Changes

We reserve the right to modify this Privacy Notice at any time. If we decide to change our Privacy Notice, we will post those changes to this documentation and any other places we deem appropriate, so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. 
This Privacy Notice was last updated July 26, 2022.