Truvald™

Privacy Policy

How we treat your data.
Short version: carefully.

We sell PKI assessment software to security people. We expect to be held to a higher standard than the average vendor — and we hold ourselves there. This page explains, in plain language, what data we collect, why, where it goes, and what you can do about it.

Effective: May 12, 2026 · Last updated: May 25, 2026

The short version

  • We don't sell data. Not to ad networks, not to data brokers, not to anyone.
  • We collect what we need to deliver the product — your email to send your license, your purchase details from Stripe so we can issue it, and the installation ID you give us at activation time.
  • Card numbers never touch our servers. Stripe handles all payment data.
  • Assessment data stays on your machine. The Truvald™ product runs locally; results live in a SQLite database on your assessment workstation, not on ours.
  • You can ask for a copy of your data, or for it to be deleted, at any time — write to admin@brkrops.ca.
  • We're a Canadian company, hosted in Canada, and subject to PIPEDA and Alberta PIPA.

1. Who we are

Truvald™ is a product of BrkrOps™ Inc., a Canadian corporation based in Edmonton, Alberta. We are the "data controller" responsible for the personal information collected through the truvald.ca website and the Truvald™ desktop application.

Mailing and inquiries: admin@brkrops.ca.

2. What we collect, and why

2.1 Evaluation download

When you click the Download button on the website, our backend records a download event containing a truncated IP address (last octet replaced with ***), the browser User-Agent string, the referring page, and a timestamp. This lets us count downloads and detect abuse. We do not link this event to any personal account.

2.2 Purchasing a license

When you buy a Truvald™ license, you complete a Stripe-hosted checkout. Stripe collects your name, email, billing address and payment method. We never see or store your card number. Stripe sends us back: your email, your purchased product, the quantity, and a session ID.

2.3 License activation & migration

To issue your activation code we store, on our infrastructure:

  • The Stripe session ID for your purchase.
  • The email address used at checkout.
  • The Installation ID(s) you provide when activating.
  • The activation code(s) we generate, and their expiry date.
  • If a license is migrated to a new machine, a record linking the new license to the original.

This lets us re-issue codes to legitimate customers, prevent the same purchase being activated more times than was paid for, and answer support questions.

2.4 Consulting hour requests

If your purchase included consulting hours, the activation page presents a form asking for your name, email, optional phone and company, your stated requirement, and urgency. This information is emailed to admin@brkrops.ca via Resend so we can schedule the session. It is not used for any other purpose.

2.5 Shopping cart

Items you add to your cart are stored in your browser's localStorage under the key truvald_cart. They are never transmitted to our servers until you start checkout. They are cleared after a successful payment.

2.6 Language preference

Your chosen interface language (EN/FR) is stored in localStorage as pref_lang. It never leaves your browser.

2.7 The Truvald™ application itself

Truvald™ runs on your workstation. Assessment results, risk acceptances, governance survey answers, GPO findings, and audit data are stored in a local SQLCipher-encrypted SQLite database on your machine. None of this data is transmitted to BrkrOps Inc. The only outbound call the app makes to us is a periodic license-validity check using your activation code.

3. Service providers we share data with

We use a small number of service providers strictly to deliver the product. Each receives only the minimum data needed for its function.

  • Stripe, Inc. — payment processing. Stripe receives the data you enter at checkout and is responsible for it under its own privacy policy. We receive a confirmation containing your email and what you bought.
  • Resend — transactional email delivery. Resend handles outgoing emails (activation links, consulting-request notifications). It does not use your email for any marketing.

We do not use third-party ad networks, third-party analytics services (Google Analytics, Meta Pixel, etc.), session-replay tools, or marketing automation platforms on this site. We use first-party page analytics hosted on the same Canadian VPS that serves the site — see section 8 for what is collected and how to opt out.

4. Where your data lives, and for how long

Our application database is a SQLite file hosted on infrastructure located in Canada. Backups are retained on the same infrastructure.

  • License records are retained for the duration of the license (12 months for the annual subscription) — support and reactivation are provided during the license period. Renew or repurchase to extend.
  • Download tracking entries are retained for 12 months for abuse-detection purposes, then aggregated into anonymous counts.
  • First-party page-analytics entries (anonymous visitor ID, page path, masked IP, time-on-page) are retained for 12 months, then aggregated into anonymous monthly totals.
  • Consulting request emails are retained in our admin inbox under our standard email-retention practice (typically 24 months).
  • Stripe-side records are governed by Stripe's own retention policy.

5. Your rights

Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Alberta's Personal Information Protection Act (PIPA), you have the right to:

  • Know what personal information we hold about you.
  • Request a copy of it.
  • Ask us to correct it if it is inaccurate.
  • Ask us to delete it, subject to legal and contractual retention requirements.
  • Withdraw consent for any optional processing.
  • File a complaint with the Office of the Privacy Commissioner of Canada or the Office of the Information and Privacy Commissioner of Alberta if you believe we have mishandled your data.

Email admin@brkrops.ca with the request. We will respond within 30 days. Verifying identity may require confirming details we already hold (e.g. the email on file).

6. How we protect data

  • All traffic to truvald.ca is served over HTTPS with modern TLS.
  • Payment data is handled directly by Stripe — we never receive card numbers, CVVs, or full PANs.
  • License-database access is restricted to a small number of named administrators, authenticated via SSH keys.
  • The Truvald™ desktop application's local database is encrypted at rest using SQLCipher (AES-256).
  • Installer binaries are Authenticode-signed so you can verify they were built by BrkrOps Inc. before running them.

No system is perfectly secure. If we ever discover a breach affecting your personal information, we will notify affected users without unreasonable delay and report it as required under PIPEDA's mandatory breach-notification rules.

7. Cookies and local storage

We don't use tracking cookies. The website uses your browser's localStorage for three things:

  • truvald_cart — the items in your shopping cart, until you check out.
  • pref_lang — your selected interface language.
  • truvald_vid — an anonymous random identifier used by our first-party page analytics (see section 8). It contains no personal information and is never shared with third parties.

Clearing your browser storage removes all three. No cookies are set for advertising or cross-site tracking.

8. First-party page analytics

We measure how visitors use truvald.ca so we can improve the site (which pages are read, which articles land, where people drop off). This is done with a small piece of JavaScript that lives on truvald.ca itself and reports back to a SQLite database on the same Canadian VPS that serves the site. No third-party analytics service is involved — no Google Analytics, no Plausible, no Fathom, nothing else.

Per page view we record:

  • The page path you visited (e.g. /blog/esc1-detection-defenders-guide/). Query strings are stripped.
  • The referring URL, if your browser sent one.
  • Your User-Agent string (browser/OS identification — used to filter out bots).
  • Your IP address with the last octet masked to *** (so we keep a /24 bucket for abuse detection but cannot identify a specific household).
  • An anonymous visitor ID (the truvald_vid localStorage entry described in section 7) — a random UUID with no link to your name, email, or anything else.
  • How long you spent on the page, measured by a beacon your browser sends when you navigate away.

We do not record what you typed, what you clicked beyond the page-level navigation, or any form contents. There is no session replay, no heatmapping, no mouse tracking. Known bot User-Agents are filtered before storage.

How to opt out: clear your browser's localStorage for truvald.ca (which deletes truvald_vid) and use a browser with Do Not Track or an ad-blocker that suppresses first-party scripts. We honour requests under PIPEDA — email admin@brkrops.ca from the IP range or with the visitor ID you'd like deleted, and we will purge matching records.

9. Children's privacy

Truvald™ is an enterprise security product intended for IT professionals. It is not directed at, and we do not knowingly collect personal information from, anyone under 16.

10. Changes to this policy

If we make material changes to how we handle personal information, we will update the "Last updated" date at the top of this page and, where appropriate, notify existing customers by email. Previous versions are kept in our internal records and are available on request.

11. Contact

Privacy questions, access requests, complaints, or just feedback on this policy: admin@brkrops.ca.

BrkrOps™ Inc.
Edmonton, Alberta, Canada