Privacy Policy

Last updated: February 9, 2026

1. Introduction

Corhaven Corporation, operating under the trade names "GTM Eng" and "RocketOps" ("Corhaven," "GTM Eng," "we," "us," or "our"), operates the website gtmeng.co and provides data infrastructure and revenue operations consulting services. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website or engage our services.

We are committed to complying with Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA"), and where applicable, the General Data Protection Regulation ("GDPR") and other privacy laws that may apply to the data we process on behalf of our clients.

2. Roles & Definitions

Understanding our role in data processing is important:

When you visit our website or contact us directly: We act as the data controller (or "organization" under PIPEDA). We determine why and how your personal information is collected and used.
When we provide services and access your CRM data: We act as a data processor (or "service provider") on your behalf. You, as our client, are the data controller of your CRM data. We process that data solely on your instructions and for the purposes set out in your Service Agreement.

3. Information We Collect

3a. Information You Provide Directly

Contact Information: Name, email address, company name, and job title when you book a call, fill out a form, subscribe to our mailing list, or contact us
Diagnostic Data: Responses submitted through our GTM Health Diagnostic assessment tool
Communications: The content of messages you send us via email or contact forms

3b. Information Collected Automatically

Usage Data: Pages visited, time spent on pages, browser type, device information, operating system, and referring URLs
Cookies and Similar Technologies: We use cookies and similar tracking technologies as described in Section 7 below

3c. Client CRM Data (Processor Role)

When you engage our services, we access your CRM data (e.g., HubSpot) solely to provide the contracted data infrastructure and analytics services. This CRM data may contain personal information about your customers, leads, and contacts, including names, email addresses, company information, and interaction history.

We process this data exclusively as your data processor, in accordance with your Service Agreement and any applicable Data Processing Agreement.

4. How We Use Your Information

4a. Website Visitors and Contacts (Controller)

We use the information we collect to:

Respond to your inquiries and communicate with you about our services
Deliver diagnostic assessment results you have requested
Send you marketing communications where you have opted in (you may unsubscribe at any time)
Improve our website, services, and user experience
Analyze website usage patterns through aggregated analytics
Comply with legal obligations and enforce our Terms of Service

Legal Basis (GDPR, where applicable): We rely on legitimate interest for website analytics and service improvement, consent for marketing communications, and contractual necessity for responding to inquiries and delivering requested services.

4b. Client CRM Data (Processor)

When processing your CRM data as a data processor, we:

Access data only for the purposes outlined in your Service Agreement
Process data using the tools and infrastructure specified in your engagement
Never sell, rent, share, or use your CRM data for our own purposes or for any purpose outside your engagement
Do not use your CRM data to train machine learning models, for advertising, or for profiling
Return or delete your CRM data upon termination of services, at your request, or as specified in your Service Agreement

5. Data Processing & Sub-Processors

In the course of providing our services, we use the following third-party sub-processors:

Sub-Processor	Purpose	Data Processed	Location
Google Cloud Platform (BigQuery)	Data warehousing, analytics, and compute	Client CRM data	Region selected per engagement (typically US or Canada)
Airbyte	Data pipeline and integration	Client CRM data in transit	Cloud or self-hosted per engagement
dbt (dbt Labs)	Data transformation and modeling	Runs transformation queries against client data warehouse	No separate data storage; executes against BigQuery
Lightdash	Business intelligence and dashboards	Reads from client data warehouse	Cloud or self-hosted per engagement
Google Analytics	Website analytics	Website visitor usage data	United States
Cal.com	Appointment scheduling	Name, email, scheduling details	United States

We maintain data processing agreements with each sub-processor, requiring them to protect data in accordance with applicable privacy laws. We will provide notice of any material changes to our sub-processor list.

If you require a formal Data Processing Agreement ("DPA") for your engagement, please contact us at [email protected].

6. Data Transfers

Some of the sub-processors we use are located outside of Canada. Where personal information is transferred outside Canada, we ensure that appropriate safeguards are in place as required by PIPEDA.

For clients subject to the GDPR, where data is transferred outside the European Economic Area, we rely on appropriate transfer mechanisms, including Standard Contractual Clauses or adequacy decisions, to ensure an adequate level of data protection.

7. Cookies & Analytics

Cookies We Use

Cookie Type	Provider	Purpose	Duration
Analytics	Google Analytics	Understand website traffic and usage patterns	Up to 2 years
Functional	Cal.com	Enable appointment scheduling functionality	Session
Analytics	PostHog	Session recordings, web analytics, and product insights to improve usability	1 year
Marketing	LinkedIn	Professional audience demographics and campaign measurement	Up to 2 years
Consent Preferences	Klaro (first-party)	Stores your cookie consent choice	1 year

Cookie Consent

When you first visit our site, you will see a cookie consent notice at the bottom of the page. Analytics cookies are not loaded unless you actively choose to accept them. You may:

Accept: Click "Accept" to allow analytics cookies. Your preference is remembered for one year.
Decline: Click "Decline" to browse without any analytics cookies. No tracking data will be collected.
Change your mind: You can update your cookie preferences at any time by clicking the cookie icon in the bottom-left corner of the page, or by clearing your browser cookies.

Additional Opt-Out Options

Browser Settings: You can configure your browser to refuse cookies or alert you when cookies are being sent
Google Analytics Opt-Out: You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on
Do Not Track: We respect Do Not Track browser signals where technically feasible

We do not use cookies for advertising, retargeting, or cross-site tracking.

8. Data Security

We implement appropriate technical and organizational measures to protect information under our control, including:

Encryption of data in transit (TLS) and at rest
Access controls limiting data access to authorized personnel on a need-to-know basis
Use of read-only API access to client CRM systems unless explicitly authorized otherwise
Regular review of security practices and sub-processor security postures
Secure deletion of client data upon engagement completion or upon request

No method of transmission over the Internet or method of electronic storage is completely secure. While we strive to use commercially reasonable measures to protect your information, we cannot guarantee absolute security.

9. Data Retention

Website Data

Contact Information: Retained for as long as we have an ongoing relationship with you or a legitimate business need, and for up to two (2) years after your last interaction with us, unless you request earlier deletion
Diagnostic Assessment Data: Retained for twelve (12) months unless you request earlier deletion
Website Analytics Data: Retained in accordance with Google Analytics default retention settings (14 months)

Client CRM Data

During Active Engagements: Data is retained in the infrastructure specified in your Service Agreement (typically your own cloud environment)
After Engagement Completion: Any data temporarily stored in our infrastructure during an engagement is deleted within thirty (30) days of engagement completion, or as specified in your Service Agreement
Upon Request: We will delete your data from our systems upon written request and confirm deletion in writing

10. Breach Notification

In the event of a security breach involving personal information under our control that creates a real risk of significant harm, we will:

Notify affected clients without unreasonable delay, and in any event within seventy-two (72) hours of becoming aware of the breach
Provide details of the nature of the breach, the categories of data affected, and the measures taken or proposed to address the breach
Report the breach to the Office of the Privacy Commissioner of Canada and any other applicable regulatory authorities as required by law
Cooperate with affected clients in fulfilling their own breach notification obligations

11. Your Privacy Rights

Under PIPEDA (All Users)

You have the right to:

Access the personal information we hold about you
Request correction of inaccurate or incomplete information
Withdraw consent to the collection, use, or disclosure of your personal information (subject to legal or contractual restrictions)
File a complaint with the Office of the Privacy Commissioner of Canada

Under GDPR (Where Applicable)

If you are located in the European Economic Area, you additionally have the right to:

Request erasure of your personal data ("right to be forgotten")
Restrict or object to certain processing activities
Request portability of your personal data in a structured, commonly used format
Lodge a complaint with your local supervisory authority

Under CCPA/CPRA (Where Applicable)

If you are a California resident, you have the right to know what personal information we collect, request deletion, and opt out of the sale of your personal information. We do not sell personal information.

To exercise any of these rights, please contact us at [email protected]. We will respond to verified requests within thirty (30) days, or as required by applicable law.

12. Children's Privacy

Our website and services are directed to business professionals and are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will take steps to delete it promptly.

13. Third-Party Links

Our website may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated policy on this page with a revised "Last updated" date. Where we have your email address, we will make reasonable efforts to notify you of material changes. Your continued use of our website or services after any changes constitutes acceptance of the updated policy.

15. Contact Us & Privacy Inquiries

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:

Corhaven Corporation
Toronto, Ontario, Canada
[email protected]

For privacy-related complaints that we are unable to resolve to your satisfaction, you may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.