Last Updated: June 16, 2026
sapphire-birch is committed to compliance with the General Data Protection Regulation (GDPR) and respecting the privacy rights of individuals in the European Economic Area (EEA). This page outlines how we meet our obligations under GDPR.
For the purposes of GDPR, sapphire-birch is the data controller responsible for your personal information. Our contact details are:
sapphire-birch
142 King Street West
Toronto, ON M5H 1J5
Canada
Email: [email protected]
We process personal data only when we have a lawful basis to do so under GDPR Article 6:
As an individual in the EEA, you have the following rights regarding your personal data:
You have the right to request confirmation of whether we are processing your personal data and, if so, to access that data along with certain information about how it is being processed.
You have the right to request correction of inaccurate personal data and to have incomplete personal data completed.
You have the right to request deletion of your personal data in certain circumstances, including when:
You have the right to request restriction of processing in certain situations, such as when you contest the accuracy of the data or object to processing.
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller where technically feasible.
You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. We do not currently engage in automated decision-making of this nature.
To exercise any of your rights under GDPR, please contact us at [email protected] with:
We will respond to your request within one month, though this period may be extended by two additional months where necessary, considering the complexity and number of requests. We will inform you of any such extension within the initial one-month period.
We adhere to the GDPR data protection principles, ensuring that personal data is:
When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, such as:
We implement appropriate technical and organizational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay. We will also notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible.
You have the right to lodge a complaint with a supervisory authority, particularly in the EEA member state of your habitual residence, place of work, or place of the alleged infringement, if you believe our processing of your personal data violates GDPR.
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements. Retention periods vary depending on the type of data and the purpose of processing:
We do not knowingly process personal data of children under 16 years of age. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
We may update this GDPR compliance information from time to time to reflect changes in our practices or legal requirements. Significant changes will be communicated through our website.
For questions about our GDPR compliance or to exercise your rights, please contact us at [email protected].