C-BAND MAILBOX, a Canadian corporation operating under C-Band Digital Innovations Inc. ("C-Band Mailbox", "we", "us", or "our") is committed to protecting your privacy and personal information. This Privacy Policy ("Policy") explains how we collect, use, disclose, retain, and safeguard your personal information when you access or use our website (cbandmailbox.com), our digital mail management platform (the "Platform"), or any related products, services, or applications (collectively, the "Services").

This Policy applies to all users of our Services, including Mailbox Renters ("Renters"), Mail Centre Operators ("Operators"), and visitors to our website. By accessing or using any of our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this Policy, please do not use our Services.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other reasons. We will notify you of material changes by posting the revised Policy on our website and updating the "Last Updated" date. Your continued use of our Services after such changes constitutes acceptance of the revised Policy.

2.1 Personal Information. We collect personal information that identifies, relates to, describes, or is reasonably capable of being associated with you ("Personal Information"). This may include: (a) Identity Information: name, email address, phone number, mailing address, date of birth, government-issued identification documents (e.g., driver's license, passport), and other information you provide during account registration or identity verification; (b) Financial Information: payment card details, billing address, bank account information (for check deposits), and transaction history; (c) Service Usage Information: mailbox preferences, mail scanning requests, forwarding addresses, shredding instructions, and other service-related data; (d) Communication Information: correspondence with our support team, feedback, survey responses, and promotional preferences; and (e) Technical Information: IP address, device identifiers, browser type, operating system, and usage analytics.

2.2 Information from Operators. When you use our Services through a Mail Centre Operator, the Operator may collect and share with us Personal Information necessary to provide mailbox services, including identity verification documents, mail handling instructions, and service preferences.

2.3 Automatically Collected Information. We automatically collect certain information when you use our Services, including: (a) Log Data: server logs, access times, pages viewed, and actions taken; (b) Device Information: device type, operating system, browser version, and screen resolution; (c) Location Data: general geographic location (city/country level) derived from IP address; and (d) Cookies and Tracking Technologies: as described in Section 9 below.

We use your Personal Information for the following purposes. Where required by applicable law (including GDPR), we identify the lawful basis for each processing activity:

3.1 Service Delivery (Lawful Basis: Performance of Contract): (a) to provide, operate, maintain, and improve our Services; (b) to process your registration, verify your identity, and manage your account; (c) to enable Operators to receive, scan, digitize, forward, shred, or otherwise handle your mail in accordance with your instructions; (d) to process payments, manage subscriptions, and handle billing inquiries; and (e) to communicate with you about your account, service updates, and important notices.

3.2 Legal and Compliance (Lawful Basis: Legal Obligation): (a) to comply with applicable laws, regulations, and legal processes (including postal regulations, anti-money laundering requirements, and identity verification obligations); (b) to respond to lawful requests from government authorities, courts, or regulatory bodies; (c) to enforce our Terms & Conditions and protect our rights, property, or safety; and (d) to investigate and prevent fraud, security threats, or illegal activities.

3.3 Business Operations (Lawful Basis: Legitimate Interest / Consent): (a) to analyze usage patterns, improve user experience, and develop new features (legitimate interest); (b) to conduct research, analytics, and business intelligence (legitimate interest); (c) to send marketing communications (consent - you may withdraw at any time); (d) to personalize content and recommendations (legitimate interest); and (e) to manage our business relationships with Operators and service providers (legitimate interest).

3.4 Data Roles. C-Band Digital Innovations Inc. acts as the Data Controller for all Personal Information collected through the Services. Mail Centre Operators act as Data Processors when handling your mail on our behalf and are bound by data processing agreements. Third-party service providers (as described in Section 4.2) act as Sub-Processors under contractual obligations that ensure equivalent data protection standards.

We do not sell, rent, or trade your Personal Information to third parties for their marketing purposes. We may share your Personal Information in the following circumstances:

4.1 With Mail Centre Operators: We share your Personal Information with the Operator(s) you select to enable them to provide mailbox services. Operators are contractually required to protect your Personal Information and use it solely for service delivery purposes.

4.2 With Service Providers: We engage trusted third-party service providers who perform services on our behalf. Each provider is contractually bound by a Data Processing Agreement (DPA) and may only use your Personal Information for the purposes we specify. These providers assist us with: (a) payment processing and subscription billing; (b) website analytics (anonymized, consent-based); (c) live chat support and customer engagement (loaded only with your explicit consent); (d) transactional email delivery; and (e) cloud hosting and content delivery. For details about our current service providers, please contact our Privacy Officer at [email protected].

4.3 For Legal and Regulatory Reasons: We may disclose Personal Information: (a) to comply with applicable laws, regulations, court orders, or legal processes; (b) to respond to lawful requests from government authorities or regulatory bodies; (c) to enforce our Terms & Conditions or protect our rights, property, or safety; (d) to investigate or prevent fraud, security threats, or illegal activities; or (e) in connection with legal proceedings or disputes.

4.4 Business Transfers: In the event of a merger, acquisition, reorganization, sale of assets, or other business transaction, your Personal Information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your Personal Information.

4.5 With Your Consent: We may share your Personal Information for any other purpose disclosed to you at the time of collection, or with your explicit consent.

5.1 Security Measures. We implement industry-standard technical, administrative, and physical safeguards to protect your Personal Information against unauthorized access, disclosure, alteration, or destruction. These measures include: (a) encryption of data in transit (TLS/SSL) and at rest; (b) access controls and authentication mechanisms; (c) regular security audits and vulnerability assessments; (d) employee training on data protection and privacy; (e) secure data centres and infrastructure; and (f) incident response and breach notification procedures.

5.2 Access Restrictions. Access to Personal Information is restricted to authorized employees, contractors, and service providers who need such information to perform their duties. All such individuals are bound by confidentiality and data protection obligations.

5.3 No Guarantee of Absolute Security. While we strive to protect your Personal Information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we will promptly notify you and relevant authorities if we become aware of a security breach that may affect your Personal Information.

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), the General Data Protection Regulation (GDPR), and other applicable privacy laws, you have the following rights:

6.1 Right to Access (PIPEDA Principle 9 / GDPR Art. 15): You have the right to request access to the Personal Information we hold about you, including information about how we collect, use, and disclose your information. We will provide a copy of your data in a commonly used electronic format within 30 days.

6.2 Right to Correction (PIPEDA Principle 6 / GDPR Art. 16): You have the right to request correction of inaccurate, incomplete, or outdated Personal Information.

6.3 Right to Withdraw Consent (PIPEDA Principle 3 / GDPR Art. 7): Where we rely on your consent to process Personal Information, you have the right to withdraw your consent at any time, subject to legal or contractual restrictions. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

6.4 Right to Erasure / Right to Be Forgotten (GDPR Art. 17): You have the right to request deletion of your Personal Information when: (a) it is no longer necessary for the purpose it was collected; (b) you withdraw consent and no other lawful basis applies; (c) you object to processing and there are no overriding legitimate grounds; or (d) the data has been unlawfully processed. We may retain data where required by law (e.g., CRA tax obligations, fraud prevention).

6.5 Right to Restrict Processing (GDPR Art. 18): You have the right to request that we restrict processing of your Personal Information when: (a) the accuracy of the data is contested; (b) the processing is unlawful but you prefer restriction over erasure; (c) we no longer need the data but you require it for legal claims; or (d) you have objected to processing pending verification of legitimate grounds.

6.6 Right to Data Portability (GDPR Art. 20): You have the right to receive your Personal Information in a structured, commonly used, and machine-readable format (e.g., JSON, CSV), and to transmit that data to another controller without hindrance. This applies to data processed by automated means based on consent or contract performance.

6.7 Right to Object (GDPR Art. 21): You have the right to object to processing of your Personal Information based on legitimate interests, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds. You have an absolute right to object to processing for direct marketing purposes at any time.

6.8 Rights Related to Automated Decision-Making (GDPR Art. 22): You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects. C-Band Mailbox does not currently use automated decision-making that produces such effects. If this changes, we will update this Policy and provide meaningful information about the logic involved.

6.9 Right to File a Complaint: You have the right to file a complaint with the applicable supervisory authority if you believe your privacy rights have been violated: (a) Canada: Office of the Privacy Commissioner of Canada (OPC) - www.priv.gc.ca; (b) Quebec: Commission d'accès à l'information du Québec (CAI) - www.cai.gouv.qc.ca; (c) European Union: Your national Data Protection Authority (DPA) - a full list is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en; (d) United Kingdom: Information Commissioner's Office (ICO) - ico.org.uk.

6.10 How to Exercise Your Rights: To exercise any of these rights, please contact our Privacy Officer at [email protected] or write to us at 31-700 Dovercourt Dr, Winnipeg, MB R3Y 1X5, Canada. We will acknowledge receipt within 5 business days and respond to your request within 30 days (or as required by applicable law). We may require verification of your identity before processing your request. If we cannot comply with your request, we will provide written reasons.

7.1 Retention Period. We retain your Personal Information only for as long as necessary to fulfil the purposes for which it was collected, subject to the following specific retention schedules: (a) Account and identity data: retained for the duration of your account plus 30 days after account closure (unless longer retention is required by law); (b) Financial and billing records: retained for 7 years after the end of the fiscal year in which the transaction occurred, as required by the Canada Revenue Agency (CRA) and applicable tax laws; (c) Contact form submissions: retained for 90 days, then permanently deleted; (d) Server logs and technical data: retained for 90 days for security and debugging purposes; (e) Consent records (cookie consent, PP consent, ToS consent): retained for 7 years as evidence of valid consent; (f) Mail scan images and digital mail: retained in accordance with your subscription plan terms and deleted within 30 days of account closure or upon your deletion request; (g) Analytics data (Google Analytics): anonymized and retained according to Google's data retention settings (currently set to 14 months).

7.2 Deletion Requests. You may request deletion of your Personal Information by contacting our Privacy Officer at [email protected]. We will delete your Personal Information within 30 days of receiving your verified request, unless we are required or permitted by law to retain it (e.g., for CRA tax obligations, fraud prevention, or dispute resolution purposes). We will inform you of any data we are legally required to retain and the applicable retention period.

7.3 Data Accuracy. We take reasonable steps to ensure that Personal Information is accurate, complete, and up-to-date. Please notify us if your Personal Information changes or if you become aware of any inaccuracies.

7.4 Data Minimization. We collect only the minimum Personal Information necessary for the purposes described in this Policy. We regularly review our data collection practices to ensure compliance with the principle of data minimization (GDPR Art. 5(1)(c), PIPEDA Principle 4.4).

8.1 Data Processing Locations. Your Personal Information is stored and processed in the country where you receive our Services. We maintain separate data infrastructure in Canada and the United States to ensure your data remains in your region. Some of our service providers may process limited data in the United States for purposes such as payment processing, analytics, and hosting. Mail Centre Operators process your mail data at their respective service locations.

8.2 Safeguards for Cross-Border Transfers. When we transfer Personal Information outside of Canada, we implement the following safeguards: (a) Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914) for transfers from the EEA; (b) Data Processing Agreements (DPAs) with all service providers that include equivalent data protection obligations; (c) verification that US-based providers participate in recognized data protection frameworks; (d) regular assessments of our service providers' data protection practices and compliance; and (e) supplementary technical measures including encryption in transit and at rest.

8.3 EU/UK Data Subjects. If you are located in the European Economic Area (EEA) or the United Kingdom, your Personal Information is transferred to Canada on the basis of the European Commission's adequacy decision for Canada (Commission Decision 2002/2/EC, reaffirmed). For transfers to the United States, we rely on Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework. You have the right to obtain a copy of the applicable transfer safeguards by contacting our Privacy Officer.

8.4 Quebec Residents. If you are a resident of Quebec, transfers of your Personal Information outside Quebec are conducted in accordance with Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25), including a privacy impact assessment where required.

9.1 Use of Cookies. We use cookies, web beacons, pixels, and similar tracking technologies (collectively, "Cookies") to enhance your experience, analyze usage patterns, and support our customer engagement. Cookies are small text files stored on your device when you visit our website. Non-essential cookies are only placed after you provide explicit consent through our cookie consent banner.

9.2 Types of Cookies. We use the following categories of cookies: (a) Essential/Necessary Cookies (always active, no consent required): These are strictly necessary for the website to function, including session management, authentication, security tokens (CSRF), and cookie consent preferences. Duration: session or up to 1 year. (b) Analytics Cookies (require consent): Used to understand how visitors interact with our website, including pages visited, time spent, and navigation patterns. IP anonymization is enabled. Duration: up to 14 months. (c) Marketing & Live Chat Cookies (require consent): Used to provide live chat support, track customer engagement, and improve our customer service. These cookies are only loaded when you click "Accept All" in our cookie consent banner. Duration: up to 13 months.

9.3 Consent and Management. When you first visit our website, a cookie consent banner allows you to: (a) Accept All cookies (essential + analytics + marketing); (b) Accept Necessary Only (essential cookies only); or (c) Manage Preferences to review details about each cookie category. You can change your cookie preferences at any time by clearing your browser cookies and revisiting our website, which will display the consent banner again. You can also control cookies through your browser settings. Blocking essential cookies may affect the functionality of our Services.

9.4 Analytics Consent Mode. We implement a consent-based analytics system, which means: (a) by default, analytics data collection is denied until you provide consent; (b) when consent is denied, our analytics tools send cookieless pings that do not identify individual users; (c) when you grant analytics consent, standard measurement begins; and (d) you can revoke consent at any time by clearing your cookie preferences.

9.5 Do Not Track Signals. Our website respects your privacy choices through our consent management system. While we do not specifically respond to browser "Do Not Track" signals, our default-denied consent approach achieves the same privacy-protective outcome.

Our Services are not intended for or directed to individuals under the age of 18. We do not knowingly collect Personal Information from children under 18. If you are a parent or guardian and believe that your child has provided us with Personal Information, please contact us at [email protected], and we will promptly delete such information.

Our Services may contain links to third-party websites, applications, or services that are not operated or controlled by C-Band Mailbox. This Privacy Policy does not apply to such third-party services. We encourage you to review the privacy policies of any third-party services you access. We are not responsible for the privacy practices or content of third-party services.

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact our Privacy Officer:

Privacy Officer: Caner Düzenli

Email: [email protected]

Phone: +1 (431) 276-5927

Address: 31-700 Dovercourt Dr, Winnipeg, MB R3Y 1X5, Canada

For complaints or inquiries under PIPEDA, you may also contact:

Office of the Privacy Commissioner of Canada

30 Victoria Street, Gatineau, Quebec K1A 1H3

Toll-free: 1-800-282-1376

Website: www.priv.gc.ca