Cadence Privacy Policy

1. Who We Are

Cadence is a division of Sonata Design, operating in Canada and offering services to users in Canada, the United States, and potentially other countries. For the purposes of data protection laws, Cadence (Sonata Design) is the data controller of personal information collected through the Service.

General contact: info@heycadence.ai

Dedicated privacy contact and data subject requests (DSRs): privacy@heycadence.ai and the privacy request web form available in your account settings and on our website. We maintain at least two designated methods for submitting verifiable privacy requests and we track and respond to them within statutory timeframes.

2. Information We Collect

We collect Personal Data and Non‑Personal Data in order to provide and improve the Service. "Personal Data" means information that relates to an identified or identifiable individual. "Non‑Personal Data" means information that is not reasonably associated with an identified or identifiable individual (such as aggregated or de‑identified information).

Information you provide to us: account registration data (e.g., name, email, company, phone, password), payment information processed by our payment processor (we do not store full payment card numbers), profile and preferences, customer support communications, and content/files you submit to the Service ("Customer Data").

Information collected automatically: device and technical data (IP address, browser, device type, OS, device identifiers), usage details (access times, pages/features used, clicks, session duration), and cookies or similar technologies (see Section 7).

Information from third parties: single sign‑on providers (e.g., Google, Microsoft), analytics providers (aggregated engagement data), and business partners (for onboarding or referrals). We do not request or intentionally collect sensitive personal data unless necessary for a specific feature with appropriate notice and consent.

3. How We Use Your Information

We use personal information to:

• Provide and operate the Service (account creation, authentication, delivering features) – generally necessary to perform our contract with you and in our legitimate interests.
• Process payments – to provide paid services.
• Communicate with you – service, support, security, and transactional notices.
• Send marketing communications – where permitted by law; you can opt out anytime.
• Personalize your experience – remember preferences and suggest features.
• Improve and develop the Service – analyze usage to enhance quality and performance.
• Enforce our Terms and protect the Service – prevent misuse and ensure security.
• Comply with legal obligations – tax, accounting, lawful requests by public authorities.

Use of de‑identified/aggregated data: We may de‑identify or aggregate data and use it for any legitimate business purpose (since it is no longer personal information).

No sale or sharing for cross‑context behavioral advertising: We do not sell your personal information, and we do not share your personal information for targeted advertising. If this changes, we will update this policy and provide required opt‑out mechanisms (including recognition of Global Privacy Control).

3.1 AI Data Training – Opt‑Out by Default; Opt‑In Only

By default, Cadence does not use your Customer Data to train our general machine learning or AI models. If we ever offer an optional program to contribute data for model improvement, it will be strictly opt‑in with clear disclosures and the ability to withdraw consent at any time without affecting your access to the Service.

3.2 Operational Safeguards for AI and Data Governance

We maintain technical and organizational safeguards to enforce the foregoing policy, including: data set segregation that prevents Customer Data from being ingested into general model‑training corpora by default; access controls and role‑based permissions; logging and auditing of data flows; and review and approval gates for any opt‑in data use. We periodically assess these controls and will notify customers of material changes to this policy.

4. How We Share Your Information

We share personal information only as described:

Service providers (processors): hosting/infrastructure, payment processing, communications, analytics, and feature integrations are contractually restricted to use information only to perform services for us and must safeguard it appropriately.

Affiliates: we may share with Sonata Design affiliates to operate our business under similar protections.

Business transfers: if we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred subject to protections at least as strong as those in this Policy.

Legal compliance and protection: we may disclose information to comply with law, respond to lawful requests, or protect our rights, users, or the public. Where legally permitted, we will give notice and seek protective orders for overly broad requests.

With your direction or consent: for integrations or cases where you ask us to share data.

Aggregated or de‑identified data: we may share for legitimate purposes where it cannot reasonably identify you.

5. International Data Transfers

Cadence is based in Canada, and many of our systems and service providers are located in Canada and the United States. Your information may be transferred to, stored, and processed in these countries (and others where service providers operate). We apply safeguards to protect your data wherever processed.

For EEA/UK/Swiss data: we rely on Standard Contractual Clauses (with UK Addendum if applicable) for transfers to countries without adequacy decisions, and we recognize Canada's adequacy status for commercial organizations under PIPEDA. Where a recognized certification framework (e.g., a Data Privacy Framework) applies to a provider, that commitment will be honored.

6. Your Rights and Choices

We facilitate the exercise of privacy rights for all users and summarize key regimes here.

6.1 GDPR (EEA/UK and similar jurisdictions)

Rights include to be informed, access, rectification, erasure, restriction, portability, objection, and not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We generally respond within one month (extendable where permitted for complexity).

6.2 California CCPA/CPRA

Rights include to know, delete, correct, opt‑out of sale/sharing (we do not sell/share), limit use of sensitive personal information (we do not use sensitive PI beyond what is necessary for the Service), and non‑discrimination. We recognize and honor Global Privacy Control (GPC) signals as a valid opt‑out.

6.3 Canada (PIPEDA)

Rights include access, correction, withdraw consent (subject to legal/contractual limits), and the right to complain to the Office of the Privacy Commissioner of Canada (or relevant provincial commissioner).

6.4 Other U.S. states/international

We honor analogous rights to the extent required by applicable law.

6.5 Managing your data and preferences

You can update certain profile information in your account; unsubscribe from marketing via email links; and request account deletion (subject to legal retention obligations).

6.6 How to Submit and Verify Privacy Requests

You may submit rights requests via (1) privacy@heycadence.ai and (2) the privacy request web form in your account settings and on our website. We will verify your identity to a reasonable degree (e.g., email confirmation, account details, recent activity) before acting, and we may request additional information if needed to protect your data. Authorized agents may submit requests where allowed by law if they provide proof of authorization and we can verify the consumer's identity. We strive to respond within the timelines applicable to your jurisdiction (e.g., 45 days under CPRA; 30 days under PIPEDA; one month under GDPR), with extensions where legally permissible.

7. Cookies and Tracking Technologies

We use cookies and similar technologies to operate, secure, and improve the Service. Types include essential (required for the Service), preferences, and analytics. We currently do not use advertising cookies for third‑party targeted advertising. You can control cookies through your browser settings and, where required by law, via our on‑site cookie controls. We also honor Global Privacy Control (GPC) signals to disable any tracking that would constitute a sale or sharing under CPRA and to limit certain data uses accordingly. We do not currently respond to "Do Not Track" (DNT) signals due to a lack of industry standards, but you can use the mechanisms above.

8. Data Security

We implement appropriate technical and organizational measures to protect personal information, including TLS for data in transit, encryption of credentials and sensitive stores, access controls and least‑privilege practices, network security, logging/monitoring, backups and business continuity, and periodic testing and assessments (including third‑party reviews where appropriate). If we confirm an incident involving unauthorized access to or disclosure of unencrypted personal information, we will notify affected users and regulators as required and take steps to mitigate and prevent future occurrences.

9. Data Retention and Deletion

We retain personal information for as long as necessary to provide the Service and for legitimate business or legal purposes (e.g., tax, accounting, security logs). Upon account deletion or a valid deletion request, we will delete or irreversibly de‑identify personal information from active systems and, over time, from backups consistent with our retention schedule. We may retain certain information as required by law or to establish, exercise, or defend legal claims. We may retain non‑personal, de‑identified, or aggregated data.

10. Additional Information

Links to other websites: third‑party sites are governed by their own policies.

Third‑party integrations: when you enable an integration, the third party's terms and privacy policy apply to the data you direct us to share.

Children's privacy: the Service is not intended for children under 13; we do not knowingly collect information from them. Parents/guardians may contact us if a child has provided information so we can delete it.

Global Privacy Control: we reiterate our support for GPC; when detected, we treat it as an opt‑out of sale/sharing (not used by us) and as a request to limit data use for tracking/advertising purposes to the extent required by law.

Do Not Sell Personal Information: we do not sell personal information.

Do Not Track: as noted above, we do not currently respond to DNT signals; use cookie settings, GPC, and browser tools for control.

11. Changes to this Privacy Policy

We may update this Policy to reflect changes in our practices, technologies, or legal requirements. If we make material changes, we will notify you via email (to the address associated with your account) or by posting a notice on our website before changes take effect. The "Last Updated" date above reflects the most recent change. Continued use of the Service after an update constitutes acceptance of the changes to the extent permitted by law.

12. Contact Us