Last updated: March 20, 2026
This privacy policy for NorthSec Competition (“we” or “our”) describes how we process your personal information when you visit nsec.io or participate in our events.
NorthSec Competition is founded and led by cybersecurity professionals. Privacy is central to our values. Questions or concerns? Contact us at privacy@nsec.io.
Note: This policy is published in both French and English. In the event of any discrepancy between the two versions, the French version prevails.
Summary
| Question | Answer |
|---|---|
| What information do we process? | Information you provide based on your role (participant, volunteer, speaker) and anonymized site usage data |
| Sensitive information? | Yes — identity documents (passport, visa) from invited speakers, processed with explicit consent for administrative purposes only |
| Collection from third parties? | No |
| Who do we share data with? | Payment processors (Stripe, PayPal) and government authorities for speaker immigration procedures only |
| Automated decisions or profiling? | No |
| How to exercise your rights? | Email privacy@nsec.io |
1. What information do we collect?
Information you provide
| Role | Data collected |
|---|---|
| Participants and competitors | Name, email, job title, organization, contact preferences, billing and mailing addresses |
| Volunteers | Name, email, phone number, availability and declared skills |
| Speakers and presenters | Name, email, phone, biography, professional photo; identity documents (passport, visa) collected only when required for immigration procedures, with explicit consent (GDPR Art. 9(2)(a)) |
| Newsletter subscribers | Email and communication preferences (express consent; unsubscribe at any time via the link in each email) |
| All roles (optional) | CV/résumé, accessibility needs, dietary restrictions, student status (for student pricing) |
Payment data
Payments are processed by Stripe and PayPal, bound to our organization through GDPR-compliant Data Processing Agreements (DPA). We do not store card data. See their policies: stripe.com/privacy and paypal.com.
Automatically collected data — Web analytics
We use Matomo Analytics in a cookieless configuration: no tracking cookies are placed on your device. Data is processed on Matomo’s servers (InnoCraft, Germany / EU) under a GDPR-compliant data processing agreement.
| Data | Processing |
|---|---|
| IP address | Anonymized before storage |
| Browser and operating system | Collected in aggregate |
| Pages visited, duration, referral source | Collected in aggregate |
If the Do Not Track (DNT) signal is enabled in your browser, Matomo will not collect any data.
Photographs and video at the event
Photographers mandated by NorthSec may capture images during the event (talks, competition, common areas). These images may be published on nsec.io, our social media channels, and in our archives, on the basis of our legitimate interest (GDPR Art. 6(1)(f); Law 25).
| When | How to opt out |
|---|---|
| Before the event | Email privacy@nsec.io |
| On-site | Request a “no photo” badge at registration |
| After the event | Request removal of an identifying image at privacy@nsec.io |
We cannot control photos taken by other attendees with their own devices.
2. How and why do we process your information?
| Legal basis (GDPR) | Purposes covered |
|---|---|
| Art. 6(1)(a) — Consent | Newsletter delivery |
| Art. 6(1)(b) — Contract performance | Event registration and payments; volunteer coordination; speaker invitation and hosting; participation-related communications |
| Art. 6(1)(c) — Legal obligation | Legal and tax compliance |
| Art. 6(1)(d) — Vital interests | Protection of a person’s vital interests |
| Art. 6(1)(f) — Legitimate interests | Photography and documentation of the event |
| Art. 9(2)(a) — Explicit consent | Speaker identity documents (passport, visa) |
For Canadian residents, the Act respecting the protection of personal information in the private sector (LPRPSP / Law 25) recognizes equivalent bases: express consent, implied consent, or legal obligation depending on the purpose.
3. Who do we share your information with?
| Recipient | Data shared | Reason |
|---|---|---|
| Stripe / PayPal | Payment data | Transaction processing; DPA in place |
| Government authorities and consulates | Speaker identity documents (passport, visa) | Immigration procedures; explicit consent required |
We never sell your personal data.
4. International transfers
Our primary servers are located in Canada. However, certain third-party services we use involve data processing outside Canada. All transfers are governed by a Data Processing Agreement (DPA) and, depending on the destination, Standard Contractual Clauses (SCCs) or the EU–US Data Privacy Framework.
| Service | Data concerned | Location |
|---|---|---|
| Stripe | Payment data | United States / EEA |
| PayPal | Payment data | United States |
| Google Workspace | Internal communications (email, working documents) | United States (primarily) |
| Matomo Analytics | Anonymized usage data | Germany / EU |
5. Retention periods
| Data category | Retention period |
|---|---|
| Participant data | 3 years after the relevant edition |
| Volunteer data | 3 years after end of involvement |
| Speaker identity documents (passport, visa) | Deleted within 90 days of completing the relevant procedures |
| Accounting and billing data | 7 years (tax obligations) |
| Web analytics data (Matomo) | 13 months from collection |
| Newsletter subscribers | Until unsubscription, then deleted within 30 days |
| CVs and recruitment data | 2 years, or deleted on request |
| Photos and videos | Duration of organizational archives; identifying images removed within 30 days of a valid request |
Once the applicable period expires, data is permanently deleted or anonymized.
6. How do we protect your information?
Our organization is made up of cybersecurity professionals. We apply industry-leading security practices to protect your data: encryption in transit and at rest, least-privilege access control, system isolation, and regular security reviews.
In the event of an incident affecting your data, we fulfill our notification obligations under Québec Law 25 and the GDPR (EU).
7. Automated decisions and profiling
We do not perform any profiling or automated decision-making that produces legal effects or similarly significantly affects you, within the meaning of GDPR Article 22.
8. Children’s data
Our Services are intended for individuals 18 years of age and older. We do not knowingly collect data from minors. If you are aware of such collection, contact us at privacy@nsec.io.
9. Your rights by jurisdiction
EEA, UK, and Switzerland residents (GDPR)
| Right | Article | Description |
|---|---|---|
| Access | Art. 15 | Obtain a copy of your data and information on its processing |
| Rectification | Art. 16 | Correct inaccurate or incomplete data |
| Erasure | Art. 17 | Request deletion of your data |
| Restriction | Art. 18 | Restrict processing in certain circumstances |
| Portability | Art. 20 | Receive your data in a structured, machine-readable format |
| Objection | Art. 21 | Object to processing based on legitimate interests |
| Withdrawal of consent | Art. 7 | Withdraw consent at any time, without retroactive effect |
| Complaint | Art. 77 | Lodge a complaint with your national data protection authority (e.g., CNIL in France, ICO in the UK, APD in Belgium) |
Québec and Canada residents (Law 25 / PIPEDA)
| Right | Description |
|---|---|
| Access | Obtain your data and information on its processing |
| Rectification | Correct inaccurate or incomplete data |
| Withdrawal of consent | At any time, subject to legal obligations |
| Right to image | Request removal of an identifying photo or video (Law 25 / LPRPSP) |
| Complaint | With the Commission d’accès à l’information (CAI): cai.gouv.qc.ca |
US residents
California (CCPA/CPRA) and similar state laws (Virginia VCDPA, Colorado CPA, Texas TDPSA, etc.):
| Right | Description |
|---|---|
| Right to know | Know what categories of data are collected and how they are used |
| Right to deletion | Request deletion of your data |
| Right to correction | Correct inaccurate data |
| Right to opt out of sale | We do not sell your personal data |
| Non-discrimination | No adverse treatment for exercising your rights |
How to exercise your rights
Email privacy@nsec.io. We will respond within the timeframe required by applicable law (30 days under GDPR and Law 25; 45 days under CCPA).
Newsletter unsubscription takes effect immediately; your contact information is removed from our lists within 30 days.
10. Do Not Track (DNT)
Our cookieless Matomo configuration respects your browser’s DNT signal: if this setting is enabled, no data is recorded about your browsing on our site.
11. Policy updates
The “Last updated” date at the top of this document reflects the current version. For significant changes, we will notify you via a prominent notice on the site or direct notification.
12. Contact
Data Protection Officer (DPO)
NorthSec Competition
3450 rue Saint-Denis, Montréal, Québec H2X 3L3
privacy@nsec.io
13. Access, update, or delete your data
To request access, correction, or deletion of your personal information, email privacy@nsec.io. We will process your request in accordance with applicable law.
14. Official language
This policy is published in French and English. In the event of any discrepancy between the two versions, the French version prevails.