Privacy Policy

Effective Date: January 1, 2025

1. Our Role as Data Processor

Candyblocks, Inc. (“ChannelStack”) provides performance marketing automation services. We act as a data processor on behalf of our business customers. This policy describes how we handle data when you use our platform directly and when our customers use our SDK/pixel on their websites.

2. Information We Collect

2.1 From Our Business Customers

  • Account registration and billing information
  • Campaign configuration and API credentials
  • Usage data for platform improvement

2.2 Via SDK/Pixel (Per Customer Instructions)

  • Conversion events and user interactions as configured by customers
  • Device information for attribution (IP address, user agent)
  • Identifiers provided by customers (hashed emails, user IDs)

Important: When consent=false is set by our customers, we do NOT:

  • Forward any data to advertising networks
  • Process data for behavioral advertising
  • Create user profiles or segments
  • Perform cross-site tracking

3. How We Process Data

3.1 As Instructed by Customers

  • Forward consented data to advertising platforms per customer configuration
  • Generate campaign performance reports
  • Provide attribution and analytics as requested

3.2 For Service Operations

  • Fraud detection and security monitoring
  • Service reliability and error tracking
  • Aggregated analytics (anonymized)
  • Legal compliance and abuse prevention

We do NOT:

  • Share data between different customers
  • Use customer data to build audience segments for resale
  • Process non-consented data for advertising purposes
  • Retain identifiable data beyond customer instructions

4. Consent and Privacy Controls

4.1 Consent Management

We respect the consent status provided by our business customers:

  • When consent=false, we do not forward data to advertising networks
  • When consent=true or undefined, we process per customer instructions
  • Customers are responsible for determining consent based on their users' preferences and applicable laws

4.2 Do Not Sell or Share

For opt-out requests, including Global Privacy Control (GPC) preferences, contact the website where your data was collected. Our customers are responsible for honoring your privacy choices and instructing us accordingly.

5. Data Sharing

5.1 Service Providers (Processors)

  • Cloud infrastructure (AWS, Google Cloud)
  • Payment processing (Stripe)
  • Email delivery (for transactional emails only)
  • Security and fraud prevention services

5.2 As Directed by Customers

  • Advertising platforms (only with valid consent and customer instruction)
  • Analytics endpoints configured by customers
  • Webhooks and integrations set up by customers

5.3 Legal Requirements

  • Law enforcement with valid legal process
  • To protect rights and safety
  • In connection with business transfers

6. Data Retention

  • Event data: 24 months (configurable by customer)
  • Account data: Duration of business relationship
  • Backups: 90 days after deletion
  • Aggregated data: Indefinite (fully anonymized)
  • Legal records: As required by law (typically 6 years)

7. Your Privacy Rights

7.1 Rights You Have

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate information
  • Deletion: Request deletion of your data
  • Portability: Receive data in machine-readable format
  • Opt-out: Stop sale/sharing of personal information
  • Non-discrimination: Equal service regardless of privacy choices

7.2 How to Exercise Rights

For end users: Contact the website where your data was collected. They are the data controller and will handle your request.

For our business customers: Contact legal@candyblocks.com for account-related data requests.

We respond to direct requests within 30 days (45 days for complex requests).

8. International Transfers

We process data in the United States and other countries. For transfers from the EEA/UK, we use:

  • Industry-standard encryption and security measures
  • Data Processing Agreements available upon request

9. Security

We implement industry-standard security measures including encryption, access controls, and secure hosting infrastructure.

10. Cookies and Tracking

10.1 On Our Platform

  • Essential cookies for authentication and security
  • Analytics cookies (with consent) for service improvement

10.2 Via SDK/Pixel

  • First-party cookies as configured by customers
  • No third-party cookies without explicit consent

11. Children's Privacy

Our services are not directed to children under 16. We do not knowingly collect children's personal information. If notified, we will promptly delete such data.

12. Data Processing Agreement

Business customers requiring a Data Processing Agreement (DPA) for GDPR compliance can request one at legal@candyblocks.com.

13. California Privacy Rights

California residents have additional rights under CCPA/CPRA:

  • Right to know categories and specific pieces of data
  • Right to delete (with exceptions)
  • Right to opt-out of sale/sharing
  • Right to correct inaccurate information
  • Right to limit use of sensitive personal information

Do Not Sell or Share: Contact the website that collected your data to exercise opt-out rights. They will update their instructions to us.

14. European Privacy Rights

EEA/UK residents have rights under GDPR including:

  • Right to access and data portability
  • Right to rectification and erasure
  • Right to object and restrict processing
  • Right to withdraw consent
  • Right to lodge a complaint with supervisory authority

Legal basis for processing: Contract performance, legitimate interests (security, fraud prevention), consent (where applicable), legal obligations.

15. Changes to This Policy

We may update this policy. Material changes will be notified via email or platform notice 30 days before taking effect. Continued use after changes constitutes acceptance.

16. Contact Us

Candyblocks, Inc.

250 - 997 Seymour St

Vancouver, BC V6B 3M1

Canada

Email: legal@candyblocks.com