Privacy Policy

This Privacy Policy describes how Cole Webcraft Services Inc., operating as “The Direct Studio” (the “Company,” “we,” “us,” or “our”), collects, uses, discloses, and safeguards personal information when you visit thedirectstudio.com (the “Site”), submit our contact form, or engage us for design and development services.

We are based in Canada and primarily serve clients located in Canada and the United States. This Policy is designed to comply with Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) and substantially similar provincial legislation, and with the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA/CPRA”), as applicable. By using the Site or engaging our services, you acknowledge that you have read and understood this Policy.

1. Information We Collect

Information you provide to us. When you fill out our contact form, request a quote, correspond with us by email, or engage us for services, you may provide your name, email address, phone number, business name, vacation rental property details, the content of your message, and any other information you choose to share.

Information we collect automatically. When you visit the Site, we and our analytics provider may automatically collect technical information, including your IP address, approximate geographic region, browser type and version, operating system, device type, referring URL, pages viewed, links clicked, time spent on pages, and date/time stamps. We use cookies and similar technologies for these purposes (see “Cookies & Analytics” below).

Information we receive during a Project. If you engage us, we may receive additional information necessary to perform the work, such as booking-platform credentials, brand assets, photographs, copy, marketing materials, and information about your guests where you provide it for testing or migration purposes.

We do not knowingly request or collect government identifiers, financial-account or payment-card numbers (payments are handled through external payment channels), health or biometric data, precise geolocation, or other categories that constitute “sensitive personal information” under CCPA/CPRA. If such information is provided to us inadvertently, please contact us so we can delete it.

2. How We Use Information

We use personal information to:

• Respond to inquiries, quote requests, and other communications;
• Negotiate, enter into, and perform service engagements;
• Issue invoices, collect payment, and maintain financial records;
• Operate, maintain, monitor, secure, and improve the Site and our services;
• Send service-related communications (such as project updates and renewal notices);
• Detect, investigate, and prevent fraud, abuse, and security incidents;
• Comply with our legal, tax, and regulatory obligations; and
• Establish, exercise, or defend legal claims.

We do not use personal information for automated decision-making that produces legal or similarly significant effects, and we do not engage in profiling for targeted advertising.

3. Legal Bases (Canadian Residents)

Under PIPEDA, we collect, use, and disclose personal information based on your express or implied consent, except where the law otherwise permits or requires collection without consent. Submitting our contact form, replying to our emails, or engaging us for services constitutes implied consent to the collection and use described in this Policy. You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice, by contacting us using the details below; doing so may limit our ability to provide services to you.

4. How We Share Information

We do not sell personal information, and we do not “share” personal information for cross-context behavioural advertising as those terms are defined under the CCPA/CPRA. We have not done so in the preceding twelve (12) months. We disclose personal information only as follows:

• Service providers and sub-processors: trusted vendors that help us operate our business, including providers of email delivery, website hosting and infrastructure, website analytics, payment processing, project management, invoicing, and accounting. These providers process personal information only on our instructions and are bound by appropriate confidentiality and security obligations.
• Legal and protective disclosures: when we believe in good faith that disclosure is necessary to comply with applicable law, a court order, subpoena, or other valid legal process; to enforce our Terms of Service; to protect the rights, property, or safety of the Company, our clients, or the public; or to investigate suspected fraud or wrongdoing.
• Business transactions: in connection with a merger, acquisition, financing, reorganization, sale of all or substantially all of our assets, or similar transaction, in which case the recipient will be bound by obligations no less protective than this Policy.
• With your consent: for any other purpose disclosed at the time you provide the information or with your subsequent consent.

Service providers are bound by written agreements requiring them to use personal information only to provide services to us and to maintain appropriate security safeguards.

5. Cookies & Analytics

We and our analytics provider use cookies, pixels, and similar technologies to operate and improve the Site. We use:

• Strictly necessary cookies and storage to operate the Site (for example, to deliver pages and protect against form abuse);
• Analytics cookies to understand how visitors use the Site in aggregate so we can improve it.

You can control cookies through your browser settings, opt out of analytics tracking using the tools made available by our analytics provider, or use private/incognito browsing. Disabling cookies may affect some functionality. Where technically feasible, we honour Global Privacy Control (GPC) signals.

6. International Data Transfers

The Company is based in Canada, and our service providers may store or process personal information in Canada, the United States, or other jurisdictions whose data-protection laws may differ from those of your jurisdiction. Where we transfer personal information across borders, we use service providers that we consider provide an adequate level of protection and impose appropriate contractual safeguards. By using the Site or our services, you acknowledge that your personal information may be processed outside your country of residence and may be subject to disclosure under the laws of those jurisdictions, including lawful access requests by foreign government authorities.

7. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes described in this Policy or as required by law. As a guideline:

• Contact-form submissions and unaccepted leads: up to twenty-four (24) months;
• Active client project records, contracts, invoices, and tax records: at least seven (7) years from the end of the relevant tax year, consistent with Canada Revenue Agency requirements;
• Site analytics: per our analytics provider’s default retention settings then in effect;
• Backups: until they are overwritten in the ordinary course of our backup cycle.

When personal information is no longer needed, we securely delete or de-identify it.

8. Security

We implement reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, disclosure, alteration, loss, or destruction. These include encryption in transit, restricted access controls, abuse-prevention measures on public form endpoints, and use of reputable service providers. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security. Clients are responsible for safeguarding the credentials and devices they use to access services we provide and for promptly notifying us of any suspected compromise.

In the event of a breach of security safeguards involving personal information under our control where it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an affected individual, we will notify the affected individual and report to the Office of the Privacy Commissioner of Canada as required by PIPEDA, and will keep records of any such breach for the period required by law.

9. Your Privacy Rights (Canadian Residents)

Subject to limited exceptions under PIPEDA and applicable provincial law, you have the right to:

• Access the personal information we hold about you;
• Request correction of inaccurate or incomplete personal information;
• Withdraw consent to our continued use of your personal information;
• Be informed of the purposes for which we use your personal information; and
• Make a complaint to us about our handling of personal information.

If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca or with the privacy regulator in your province of residence.

10. Your Privacy Rights (California Residents)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”), provides you with the following rights, subject to verification and the exceptions provided in applicable law:

• Right to know what categories and specific pieces of personal information we have collected about you, the sources of that information, the business purposes for collecting it, and the categories of third parties to whom we disclose it;
• Right to delete personal information we have collected about you;
• Right to correct inaccurate personal information;
• Right to opt out of the sale or sharing of personal information for cross-context behavioural advertising. We do not sell or share personal information as those terms are defined under CCPA/CPRA, and have not done so in the preceding twelve (12) months;
• Right to limit the use of sensitive personal information. We do not collect sensitive personal information for purposes that trigger this right;
• Right to non-discrimination for exercising any of these rights.

To exercise these rights, please email us at hello@thedirectstudio.com with the subject line “Privacy Request.” To protect your information, we will need to verify your identity before responding, which may require you to confirm details that match information we already hold. Authorized agents may submit requests on your behalf with proof of authorization.

Residents of other U.S. states with comprehensive consumer privacy legislation may have similar but not identical rights under their state law. If you reside in such a state and wish to exercise rights available to you, please contact us using the same process described above and identify your state of residence; we will respond in accordance with applicable law.

11. Children’s Privacy

The Site and our services are intended for adults engaged in commercial vacation rental activities. They are not directed to children under sixteen (16), and we do not knowingly collect personal information from anyone under that age. If you believe a child has provided us with personal information, please contact us so that we can promptly delete it.

12. Third-Party Links

The Site may contain links to third-party websites or services that we do not operate. This Policy does not apply to those third parties, and we are not responsible for their content, privacy practices, or terms. We encourage you to review the privacy policies of any third-party services before providing personal information to them.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The “Last updated” date at the top indicates when this Policy was last revised. For material changes, we will take reasonable steps to notify you, such as posting a prominent notice on the Site. Your continued use of the Site or our services after the effective date of an updated Policy constitutes acceptance of the updated Policy.

14. Contact Us & Privacy Officer

Cole Webcraft Services Inc. acts as our Privacy Officer for the purposes of this Policy. If you have questions or concerns about this Policy or our handling of your personal information, or if you wish to exercise any of your rights, please reach out through our contact page or email us at hello@thedirectstudio.com with the subject line “Privacy Request.” We will respond to verifiable requests within the timeframes required by applicable law.