Classified // Privacy Protocol v2.6

The Data Protocol.

No dark patterns. No tracking shadow armies. No buried clauses. This is the full transmission on what we collect, what we don't, and exactly how you shut it all down if you ever want to.

0
Data Sold
11
Clauses
4
Laws Met
30d
Data Export
EFFECTIVE March 01, 2026 // JURISDICTION Toronto, CA // VERSION 2.6
Your Rights Kill Switch
BRIEF_001 // THE TLDR

The Intel Brief

Thirty seconds. Six facts. The whole policy at a glance before you read the fine print.

We DO NOT
Sell your data.

Ever. To anyone. Your data is not a product. Not now, not when we get acquired, not when someone offers us a suitcase of cash.

You OWN
Every asset we create.

Every graphic, video, audio track, AI character and line of copy we build for you is yours. Full rights, full ownership. We don't hold brands hostage.

Compliant
GDPR, CCPA, PIPEDA, CASL.

Four jurisdictions. One standard. We meet the strictest rules out there — not because we have to, but because anything less is lazy.

On Request
Export everything in 30 days.

Ask, and we hand you a full copy of every byte we have tied to you. Machine-readable, no runaround, no retention fees.

One Click
The Kill Switch exists.

Want us to forget you completely? One email. We purge it all within 30 days and send you a deletion receipt. No dark-pattern retention loops.

Always
You're in control.

Access, correct, port, delete, object, withdraw consent — whenever you want, whatever the reason. No friction. That's the whole ethos.

BRIEF_002 // DATA FLOW MAP

Where Your Data Actually Goes

Live map. Every packet traced. Three destinations — zero shadows.

Form Input
Cookies / Logs
Project Files
BRIEF_003 // JURISDICTIONS

Compliance Console

Four flags. Same standard. Hover or tap each seal for the layman's version.

GDPR
European Union
General Data Protection Regulation
Hover to decode
Plain English

If you live in the EU/EEA, you get rights to access, rectify, erase, port, restrict and object to processing. We honour all of it — regardless of where you're actually based.

CCPA
California, USA
California Consumer Privacy Act
Hover to decode
Plain English

California residents can know what we collect, ask us to delete it, opt out of any "sale" (spoiler: we don't sell), and never face retaliation for exercising those rights.

PIPEDA
Canada
Personal Information Protection & Electronic Documents Act
Hover to decode
Plain English

Our home turf. We collect only what we need, tell you why, keep it secure, let you see it on request, and notify you fast if anything ever goes sideways.

CASL
Canada (email)
Canadian Anti-Spam Legislation
Hover to decode
Plain English

We only email you with clear consent (opt-in), identify ourselves in every send, and give you a working one-click unsubscribe. No drip-funnel games.

DOSSIER // OPEN_FILES

The Full Protocol

Eleven files. No hidden clauses. Click any file to open the transmission.

We are MediaWiz.ai — an AI-powered creative agency operating out of Toronto, Canada. This Privacy Policy ("Policy") governs every interaction you have with our website mediawiz.ai, our client portals, our campaigns, and any service we deliver under the MediaWiz brand (collectively, the "Services").

For the purposes of applicable privacy law (GDPR, CCPA, PIPEDA), MediaWiz.ai is the data controller of the personal information you give us directly, and a data processor for any information you hand us on behalf of your customers (e.g. realtor client lists, ad audience data).

This Policy covers every visitor, lead, client, vendor, applicant and reader. If you disagree with any part of it, the ethical move is to stop using our Services — we can't bind you to terms you don't accept.

Entity
MediaWiz.ai
Registered
Toronto, Ontario, Canada
Controller Email
privacy@mediawiz.ai
Scope
Website, portals, campaigns, deliverables

We collect only what's necessary to run, improve, and protect the Services. In practice, that's four buckets:

  • Information you give us directly. Name, email, phone, company, project brief, billing details, and anything you type into a contact form, strategy call intake, or client portal.
  • Information we collect automatically. IP address, device type, browser, OS, referral URL, pages viewed, time-on-page, clickstream, and cookie identifiers — standard web analytics.
  • Information from third parties. Data that comes from advertising platforms, social networks or enrichment tools you've authorized (e.g. we connect your Meta Business Account so we can run your ads).
  • Project data you upload. Creative assets, brand guidelines, customer lists, audience seeds, and any material you hand us to build your campaign or AI deliverable. This data is treated as your property, full stop.

We do not knowingly collect biometric data, precise GPS, government ID numbers, health records, or payment card numbers (payments are handled by PCI-DSS-certified processors — see File 005).

Every use case maps to a lawful basis under GDPR (contract, consent, legitimate interest, or legal obligation). Specifically, we use your information to:

  • Deliver the Services you asked for — fulfill proposals, run campaigns, produce creative, invoice for work.
  • Communicate with you — reply to inquiries, send project updates, confirm bookings, issue receipts.
  • Send marketing (only if you opted in) — newsletters, case studies, product updates. Every email contains a one-click unsubscribe.
  • Improve the Services — analyze aggregated usage patterns to fix bugs, sharpen UX, benchmark campaign performance.
  • Protect the Services — detect fraud, prevent abuse, enforce our terms, defend legal claims.
  • Comply with the law — respond to court orders, tax audits, and lawful regulator requests where we're obligated to.

We do not use your personal information to train our public AI models, to build audience profiles for resale, or for any purpose you haven't been clearly informed of.

Like every modern website, we use cookies and similar tech. We split them into three tiers so you can make informed choices via our cookie banner:

  • Strictly Necessary. Session management, form security, load balancing. These cannot be disabled — the site won't function without them.
  • Analytics. Aggregated, de-identified data on how visitors use the site (e.g. Google Analytics 4 with IP anonymization). Helps us ship better content.
  • Marketing & Retargeting. Pixels from Meta, LinkedIn, X and Google that power our ad campaigns. Off by default in EU/UK/California; opt-in elsewhere.

You can review, change or withdraw consent at any time via the "Cookie Settings" link in the footer, through your browser's Do-Not-Track signal, or by emailing privacy@mediawiz.ai. We honour Global Privacy Control (GPC) signals automatically.

We share personal information only with vetted, contract-bound third parties who help us run the Services. We don't sell, rent, or trade your data. Period.

  • Infrastructure providers — hosting (SiteGround, Cloudflare), databases, CDNs, backup services.
  • Payment processors — Stripe and/or PayPal handle card data; we never see or store card numbers.
  • Communication tools — email (e.g. Google Workspace), transactional messaging, client portals.
  • Analytics & advertising — Google Analytics, Meta Pixel, LinkedIn Insight, etc. — where consented.
  • AI & creative processors — image/video generation, transcription, editing platforms used to produce deliverables. These tools process data only as needed and never retain it beyond the job.
  • Professional advisors — lawyers, accountants, and auditors, bound by professional duties of confidence.
  • Legal & safety — authorities, where legally compelled or to prevent imminent harm.

Every processor is bound by a Data Processing Agreement (DPA) that restricts them to our instructions, requires appropriate safeguards, and forbids secondary use. The current list of subprocessors is available on request.

We build AI-powered deliverables (AI characters, generated imagery, video, audio, copy). Because our business involves AI, we owe you extra transparency here:

  • We do not train public foundation models on your data. Any model we fine-tune for you is private to your engagement and deleted/returned on request.
  • Third-party AI tools are chosen for their privacy posture. We prefer vendors who contractually guarantee zero-retention and zero-training on submitted content (e.g. API-tier offerings from major providers).
  • Generated content of real people — we only produce likenesses of real individuals with documented consent. AI characters are fictional unless explicitly commissioned otherwise.
  • You always get the final cut. You can request full deletion of any AI-generated asset, along with the prompts, seeds and reference inputs used to create it.

If any AI processing meaningfully affects your legal rights (e.g. automated decision-making), you have the right to human review and to contest the decision. Email privacy@mediawiz.ai.

No system is unhackable. But these are the measures we take to make sure we're a much harder target than the next agency:

  • Encryption in transit — TLS 1.2+ across all endpoints, HSTS on the main domain.
  • Encryption at rest — AES-256 on production databases and backups.
  • Access control — role-based access, least-privilege, MFA enforced on every admin account.
  • Audit logging — administrative actions are logged and retained for incident review.
  • Vendor due diligence — security posture is assessed before onboarding any subprocessor.
  • Incident response — if a breach occurs and it poses a real risk to your rights, we will notify affected users and relevant regulators within 72 hours, in line with GDPR Article 33.

On your end: use a strong, unique password, enable MFA where offered, and tell us immediately if you suspect your account has been compromised.

We keep personal information only as long as we need it for the purpose it was collected, plus any legally required retention window. Specifically:

  • Contact form submissions — 24 months from last interaction, then auto-purged.
  • Active client records — duration of the engagement plus 12 months for handoff and reference.
  • Financial records (invoices, receipts) — 7 years, as required by Canadian tax law.
  • Analytics data — 14 months at most in raw form; aggregated reports kept indefinitely in de-identified form.
  • Marketing subscribers — until you unsubscribe (one click, any email).
  • Backups — rolling 90-day retention, then overwritten.

When the clock runs out, data is securely deleted or fully anonymized so it can no longer be tied back to you.

MediaWiz.ai operates from Canada and may store or process data in Canada, the United States, and the European Economic Area, depending on the provider. Where personal data is transferred out of its origin jurisdiction, we rely on one or more of:

  • Adequacy decisions — where the destination country is recognized by the European Commission as offering equivalent protection (Canada is partially adequate).
  • Standard Contractual Clauses (SCCs) — EU Commission-approved contract language appended to every processor agreement.
  • UK IDTA / EU-US Data Privacy Framework — where applicable and when the processor is certified.

You can request a copy of our transfer safeguards at any time.

The Services are built for business customers and are not directed to children under 16. We do not knowingly collect personal information from anyone under that age.

If you believe a minor has submitted personal information to us, contact privacy@mediawiz.ai and we will delete it within 30 days.

Privacy law evolves. Our stack evolves. This Policy will too. When we make material changes, we will:

  • Update the "Effective Date" at the top of this page.
  • Post a banner on the site for 30 days highlighting what changed.
  • Email active clients and subscribers directly for any change affecting consent or rights.

Prior versions are archived and available on request so you can see exactly what's been amended.

BRIEF_004 // ACCESS LEVEL: YOU

Your Rights

Six buttons. You can press any of them. We respond in 30 days or less, free of charge.

Right 01
Right to Access

Ask us what we have on you. We'll send a full, machine-readable export within 30 days — no cost, no interrogation.

Right 02
Right to Rectify

Spot something wrong? Tell us. We'll correct or complete inaccurate information without pushback.

Right 03
Right to Erasure

The "right to be forgotten." We purge every trace of you within 30 days and send a deletion receipt as proof.

Right 04
Right to Port

Want to move your data to a competitor? We'll hand you a clean, structured copy in a standard format. No grudges.

Right 05
Right to Object

Disagree with how we're using your data for a legitimate-interest purpose? Raise an objection. We'll stop unless there's a compelling legal reason not to.

Right 06
Right to Withdraw

Change your mind on consent? Anytime. Instantly. No explanation needed, no penalty, no dark-pattern winback email.

The Kill Switch

Ready to Cut the Cord?

One email is all it takes. Request an export, correction, or full deletion. We respond fast, we don't ask why, and we send you a receipt when it's done. That's the whole contract.

Request My Data Delete Everything
Data Protection Contact: privacy@mediawiz.ai // General: info@mediawiz.ai
File 00/11 0%