Privacy Policy

This Privacy Policy explains how Break Space Inc. (d/b/a Pyract) ("Pyract", "we", "us", or "our") handles personal information in connection with the Pyract Forge website at forge.pyract.com and the Pyract Forge software-as-a-service product ("Forge" or "the Service"). Break Space Inc. (d/b/a Pyract) is a Canadian corporation headquartered in British Columbia.

We follow Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) as our primary framework, and align with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) for visitors and customers in those jurisdictions.

1. Who is the controller?

For website visitors (forge.pyract.com): Break Space Inc. (d/b/a Pyract) is the controller of the limited data we collect, described below.

For Forge customers: the customer organization is the controller of employee and operational data they put into Forge. Pyract acts as the processor and only uses that data to operate the Service for the customer. Specific obligations are governed by the executed Master Service Agreement and Data Processing Agreement.

2. What we collect on the website

The marketing website at forge.pyract.com is intentionally minimal. It does not use cookies, behavioural tracking, or third-party analytics. See our Cookie Policy for details.

The only personal information we receive from website visitors is what you choose to send us:

• Email correspondence. When you email hello@pyract.com, privacy@pyract.com, or security@pyract.com, we receive your email address, your name (if included), and the contents of your message.
• Server access logs. Our web server records the IP address, request path, response status, user-agent, and timestamp for each request. We use these logs to operate the website, detect abuse, and meet security obligations. Logs are retained for 30 days unless required for an active security investigation.

3. What Forge collects from customers

When a customer organization uses Forge, the following categories of personal information are processed on their behalf:

• Identity: employee name, email address, employee ID, role (technician, payroll, admin), and assigned region or division.
• Authentication: hashed password (when not using SSO), session tokens, and audit metadata such as login timestamps and IP addresses.
• Operational: hours worked per day, expense entries, banked-hour balances, time-off requests, and pay-period assignments.
• Integration data: records pulled from the customer's SAP Field Service Management tenant or ERP, used to compare against employee submissions for reconciliation.

We do not collect or store: social insurance numbers, banking or payment account information, government-issued ID numbers, biometric data, health information, or geolocation data.

4. Why we use it

Website visitors: we use your email and message content to respond to your inquiry, schedule demos, and maintain a record of business correspondence. We use server logs to operate the site and protect it from abuse.

Customer data: we process customer data only to deliver the Service — authenticating users, calculating pay categories, comparing against integrated systems, generating exports, and supporting the customer when they request help. We do not use customer data to train machine-learning models, build advertising profiles, or for any purpose outside the customer's instructions in the Master Service Agreement.

5. Legal bases (for visitors in the EU/UK)

Where GDPR applies, we rely on the following legal bases:

• Legitimate interest for operating the website, responding to inquiries, maintaining security, and processing customer data on customers' instructions.
• Contract performance for delivering the Forge service to a customer organization once a contract is in place.
• Consent for any optional marketing communication, where we ask before sending and you can withdraw at any time.
• Legal obligation where retention or disclosure is required by Canadian, EU, or other applicable law.

6. Who else touches the data (subprocessors)

We use a small number of trusted subprocessors to deliver the Service. As of the effective date above, our active subprocessors fall in these categories:

• Cloud infrastructure for hosting the website and the production application.
• Managed database for storing customer operational data with at-rest encryption and backup.
• Transactional email for sending operational notifications (account verification, password resets, system alerts) — we do not use it for marketing email blasts.

The current named list is provided to customers under NDA on request to security@pyract.com. We notify customers at least 30 days before adding or replacing a subprocessor that handles their data. None of our subprocessors are authorized to use customer data for their own purposes.

7. International transfers

Break Space Inc. (d/b/a Pyract) is based in Canada and our default hosting region for Canadian customers is British Columbia. For customers in other regions, we offer regional hosting on the Enterprise tier. Where data is transferred outside the customer's region, we use standard contractual clauses or other valid transfer mechanisms recognized by the originating jurisdiction.

8. How long we keep it

• Email correspondence: retained for the duration of the business relationship plus 24 months, then deleted.
• Web server logs: 30 days, unless required for an active investigation.
• Customer operational data: retained for the duration of the customer's contract. On termination, deleted from production within 30 days and from backups within 90 days, except where Canadian or other applicable law requires longer retention (for example, payroll-related records that must be kept for tax purposes — those are returned to the customer for their own retention obligations rather than retained by us).
• Audit logs: retained for the duration of the customer's contract and provided to the customer on request.

9. Your rights

Depending on your jurisdiction, you have some or all of the following rights regarding your personal information:

• Access. Request a copy of the personal information we hold about you.
• Correction. Ask us to correct inaccurate information.
• Deletion. Ask us to delete your information, subject to legal retention requirements and any ongoing contract.
• Portability. Receive your information in a structured, machine-readable format.
• Objection & restriction. Object to or restrict certain processing.
• Withdraw consent. Withdraw any consent you previously gave, without affecting prior lawful processing.
• Complain. Lodge a complaint with the Office of the Privacy Commissioner of Canada or your local supervisory authority. We'd appreciate the chance to address your concern first.

Send rights requests to privacy@pyract.com. We respond within 30 days. If you are an employee of a customer organization, we'll typically route your request to that organization (the controller) — they manage their own employee data inside Forge. We'll let you know if that's the case.

10. How we secure it

Our technical and organizational measures are summarized on our Security page. In short: TLS in transit, AES-256 at rest, application-level encryption for customer credentials, role-based access control, audit logging, encrypted backups with quarterly restore testing, and a documented incident-response process with 72-hour customer notification.

11. Children

Forge is enterprise software for the workplace and is not intended for or directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact privacy@pyract.com and we will delete it.

12. Changes to this policy

We update this policy when our practices change or when laws change. The "Effective date" at the top reflects the latest version. For material changes that affect customers, we notify the primary administrator on each customer account at least 30 days before the change takes effect, where reasonably possible.

13. Contact

For privacy questions, rights requests, or to identify our designated privacy officer:

• Email: privacy@pyract.com
• Postal: Break Space Inc. (d/b/a Pyract), British Columbia, Canada (full mailing address provided on request)

For security incidents and vulnerability disclosures: security@pyract.com.