Information Stewardship Statement
Understanding how Shadowex handles details you share with us
Current as of January 2025
This statement explains our approach to the information you provide when engaging with Shadowex services. We've organized it around the stages of information flow rather than following conventional legal document patterns.
For matters related to web tracking technologies, analytics scripts, and browser-based data mechanisms, refer to our separate Cookie Statement available on our website.
How Details Enter Our Systems
Information reaches us through several distinct channels, each tied to different moments in your interaction with our investment education platform.
Registration and Account Creation
When you establish an account with us, we receive your name, email address, and chosen password. You might also share a phone number if you want text notifications about portfolio updates or educational content releases. This intake happens once, at the moment you decide to join our community of beginner investors.
Educational Content Interaction
As you move through our courses, tutorials, and strategy guides, our platform records which modules you've completed, how long you spend on certain topics, and which resources you download. These patterns emerge automatically from your navigation choices. They help us understand which investment concepts resonate and which need better explanation.
Support Communications
When you reach out through our contact form or email us directly, we receive whatever details you choose to include. Some users share their investment goals, current financial situation, or specific questions about portfolio strategy. Others simply ask technical questions about platform functionality. You control what gets disclosed in these exchanges.
Payment Processing
Subscription transactions generate billing information. However, we don't directly handle credit card numbers or banking credentials. These sensitive details flow through our payment processor's secure infrastructure. What reaches our records is confirmation data: transaction ID, payment date, subscription tier selected, and billing address.
| Information Category | Collection Method | Frequency |
|---|---|---|
| Identity Details | Direct user input during registration | Once at account creation |
| Learning Progress | Automated platform tracking | Continuous during active sessions |
| Communication Content | Email and contact form submissions | Each time you reach out |
| Transaction Records | Payment processor notification | Per billing cycle |
Why We Need These Details
Every piece of information serves a functional purpose. We don't gather data out of habit or for potential future applications. Each category connects to specific operational requirements.
Service Delivery Requirements
Your account credentials let you access educational materials behind the login barrier. Without name and email verification, we couldn't maintain separate learning profiles for different users. Progress tracking requires us to know which account completed which modules, so you don't lose your place or repeat content unnecessarily.
When you ask questions through our support channels, having your email and account history means our team can provide contextual answers. Someone halfway through our portfolio diversification course needs different guidance than someone just starting with basic investment concepts.
Content Improvement Decisions
Aggregated usage patterns inform curriculum development. If we notice most users dropping off during a particular lesson about bond allocation, that signals we need to revise that content. When download statistics show high interest in our retirement planning worksheets, we know to expand that topic area. These decisions depend on understanding collective behavior patterns.
Communication Obligations
Canadian investment education operates under certain disclosure requirements. We need reliable contact information to send important updates about changes to our educational materials, corrections to previously shared information, or platform functionality modifications. This isn't marketing communication—it's operational necessity.
Legal Basis for Processing: Our handling of your information rests primarily on contractual necessity. You've agreed to use our educational platform, and we can't deliver that service without processing certain details about your identity and learning activity. Some processing also occurs under legitimate business interest—specifically, our need to improve content quality and maintain platform security.
Internal Access and Handling Protocols
Not everyone on our team can view all information. Access follows job function requirements, and we've built technical barriers to prevent unnecessary exposure.
Access Tier System
Our content development team sees aggregated learning statistics but not individual user identities. They work with anonymized data showing that "User 4721" struggled with a specific concept, not that "Jennifer Kowalski" had difficulty. Customer support representatives can view your account details and communication history because they need that context to help you effectively. Our financial team accesses billing records but has no reason to view your course progress or support tickets.
- Education content creators: anonymized learning patterns, completion rates, time-on-module statistics
- Support staff: account information, communication logs, technical issue reports
- Billing department: transaction records, subscription status, payment history
- Platform administrators: system access logs, security monitoring data
Automated Processing Operations
Some information handling happens without human involvement. When you log in, automated systems verify your credentials against stored records. Progress tracking updates happen through scripts that record completed modules. Email confirmations trigger automatically when you finish a course section. These automated processes follow predefined rules without discretionary human decision-making.
When Information Leaves Our Organization
We occasionally need to share certain details with external entities. These transfers happen under specific circumstances with defined limitations.
Essential Service Providers
Our platform infrastructure sits on cloud servers operated by a Canadian hosting company. They maintain the physical and digital environment where your account data resides, but contractual terms prevent them from using that information for any purpose beyond providing hosting services. Email delivery happens through a transactional email service that receives your address and the message content we're sending you. Again, contractual restrictions limit their use of this information.
Payment processing involves a third-party financial services company that handles the actual transaction mechanics. They receive your payment details directly from you during checkout, not from us. We get confirmation data back from them—transaction success or failure, subscription tier purchased, and billing cycle dates.
Legal Compliance Scenarios
Canadian law enforcement or regulatory bodies might request user information under specific legal frameworks. We respond to properly served subpoenas, court orders, and regulatory demands that meet legal standards. Before complying, we verify the request's authenticity and legal basis. Where legally permissible, we notify affected users about such requests unless prohibited from doing so.
Business Transition Possibilities
Should Shadowex merge with another educational provider or sell the platform to new ownership, user information would transfer as part of that business asset. The acquiring entity would assume responsibility for handling your data under terms at least as protective as this statement. We'd notify users about such transitions and any resulting changes to information handling practices.
What We Don't Do: We don't sell user information to marketing companies, data brokers, or advertisers. We don't share learning progress data with potential employers or financial institutions. We don't allow third-party advertising networks to track your behavior on our platform.
Security Architecture and Risk Reality
We've implemented multiple defensive layers to protect information from unauthorized access, but no system achieves perfect invulnerability. Our approach combines technical safeguards with honest acknowledgment of inherent risks.
Technical Protection Measures
All data transmission between your browser and our servers occurs over encrypted connections using current TLS protocols. Passwords undergo one-way cryptographic hashing before storage, meaning even our administrators can't retrieve the original password text. Database access requires multi-factor authentication for all staff members. We maintain separate production and development environments to prevent testing activities from exposing real user data.
Regular security audits happen quarterly, conducted by an external cybersecurity firm that specializes in educational technology platforms. We patch identified vulnerabilities within defined timeframes based on severity ratings. Critical issues get immediate attention, while lower-risk items follow a scheduled maintenance cycle.
Remaining Vulnerabilities
Despite these precautions, risks persist. A determined attacker with sufficient resources might breach our defenses. Insider threats—malicious or careless employees—could compromise security. Third-party service providers might suffer their own breaches that expose data they handle on our behalf. Natural disasters could damage data centers before backup systems fully activate. We work to minimize these risks, but we can't eliminate them entirely.
If a security incident does occur, we'll notify affected users within 72 hours of discovering the breach. That notification will explain what information was compromised, what steps we're taking in response, and what actions you should consider to protect yourself.
Your Control Mechanisms
You maintain several forms of control over information associated with your account. Some actions you can take directly through your account settings. Others require contacting our team.
Direct Account Management
Through your account dashboard, you can modify your email address, change your password, and update communication preferences. You can export your learning progress data in CSV format if you want a personal record of completed courses. You can delete individual support ticket messages from your communication history.
Information Access Requests
You can request a comprehensive report of all information we hold about you. Submit this request through our contact form or by emailing contact@shadowex.com. We'll compile and deliver this report within 30 days. The report includes account details, learning progress records, communication logs, and transaction history.
Correction Procedures
If any stored information about you is inaccurate, you can request corrections. For simple details like your name or email address, use the account settings interface. For corrections to support communication logs or other complex records, contact our team with specific information about what needs changing and why.
Deletion and Restriction Options
You can request full account deletion, which removes your personal details and learning progress from active systems. However, we retain transaction records for seven years to comply with Canadian financial record-keeping requirements. We can also restrict processing of your information while we investigate a dispute about accuracy or appropriate use.
Deletion requests get processed within 45 days. During that window, your account becomes inaccessible but isn't permanently removed in case you change your mind. After 45 days, deletion becomes irreversible.
Objection Rights
If we're processing your information based on legitimate business interest rather than contractual necessity, you can object to that processing. For example, if we use learning patterns to improve course content, you could object to your data being included in those analyses. We'll honor such objections unless we can demonstrate compelling operational reasons why the processing must continue.
Retention Duration Framework
Different information categories have different retention periods based on operational necessity and legal requirements.
Active Account Information
While your account remains active, we retain all associated information. This includes your profile details, learning progress, and communication history. "Active" means you've logged in at least once in the past 24 months or maintain a current subscription.
Inactive Account Handling
If you don't log in for 24 consecutive months and hold no active subscription, your account enters inactive status. We send email warnings at 18 months and 22 months before this happens. Inactive accounts get deleted six months later unless you log in to reactivate during that grace period.
Financial Record Duration
Transaction records persist for seven years after the transaction date, regardless of account status. Canadian tax law and financial regulations mandate this retention period. After seven years, we delete billing addresses and transaction details while retaining anonymized revenue records for business accounting purposes.
Communication Archives
Support tickets and email correspondence remain accessible while your account stays active. After account deletion or expiration into inactive status, we retain communication records for three years to handle potential disputes or follow-up questions. After that period, messages get permanently deleted.
| Information Type | Retention Period | Triggering Event |
|---|---|---|
| Account credentials and profile | Duration of active status + 6 months | 24 months without login or subscription |
| Learning progress records | Duration of active status + 6 months | Account deletion request or expiration |
| Transaction history | 7 years from transaction date | Legal requirement regardless of account status |
| Support communications | Active period + 3 years | Account closure or inactivity |
Regulatory Framework and Geographic Scope
Shadowex operates as a Canadian educational services provider, subject to federal and provincial information handling regulations.
Applicable Legal Standards
We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how private-sector organizations collect, use, and disclose personal information during commercial activities. Our practices also align with Ontario's provincial privacy legislation since our physical operations center in that province.
While we primarily serve Canadian users, international visitors can access our educational content. For users in the European Union, we voluntarily apply GDPR principles even though we're not legally required to do so as a Canadian entity without EU establishment. This means EU residents can exercise rights similar to those described in this statement.
Cross-Border Data Considerations
Our servers physically reside in Canadian data centers. However, our cloud hosting provider operates a distributed infrastructure that might temporarily route or cache data through facilities in other countries for performance optimization. These technical operations don't constitute deliberate data transfers to foreign jurisdictions, but we acknowledge the possibility.
When legally required to provide information to Canadian authorities, we do so under Canadian legal process. We don't voluntarily share user data with foreign governments or international law enforcement except in extraordinary circumstances involving imminent threats to life or safety.
Statement Modifications
This document might change as our platform evolves or regulations shift. We handle updates in a specific way to ensure users stay informed.
Minor clarifications that don't alter the substance of our practices—fixing typos, rewording for clarity, adding examples—happen without special notification. We update the "Current as of" date at the top of this page to reflect these minor changes.
Material changes that affect how we collect, use, or share information trigger a notification process. We'll email all active users at least 30 days before new practices take effect. That email will summarize what's changing and link to the updated full statement. Users who object to the new practices can delete their accounts during that 30-day window under the previous terms.
You can view historical versions of this statement through our document archive, accessible from the footer of any page on shadowex.com. Each archived version shows its effective date range and links to the subsequent version for comparison.
Questions or Concerns About Information Handling
If something in this statement needs clarification, or if you want to exercise any of the control mechanisms described above, reach us through any of these channels. We typically respond within two business days.
Newington, ON K0C 1Y0
Canada
For formal complaints about our information handling practices, you may also contact the Office of the Privacy Commissioner of Canada. Their contact information is available at priv.gc.ca.