LeadFilter™ — Data Breach Policy

Last Updated: November 18, 2025

Website: leadfilter.ca

Legal Entity: VIGO ONLINE GROUP (Sole Proprietorship, BIN: 1000520463)

Merchant of Record: VIGO ONLINE GROUP

Address: 2 Robert Speck Pkwy Suite 750, Mississauga, ON L4Z 1H8

1. Purpose and Scope

1.1. This Data Breach Policy (“Policy”) governs the actions taken by VIGO ONLINE GROUP (“Company,” “we,” “LeadFilter”) in the event of a security incident involving:

  • Personal data of our Partners;
  • Personal data of End-Users (“Leads”) collected via Quizzes;
  • Transactional data processed by VIGO as the Merchant of Record.

1.2. This Policy is designed to ensure compliance with GDPR (Art. 33-34), PIPEDA (Canada), and CCPA (California). It applies to all data stored on VIGO’s infrastructure.

2. Definition of a Security Incident

A “Data Breach” is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Examples of Incidents covered by this Policy:

  • Unlawful access to the LeadFilter database by a third party (hacking);
  • Accidental exposure of user data due to a server misconfiguration;
  • Compromise of a VIGO employee’s administrative account;
  • Ransomware attacks affecting data availability;
  • Unauthorized access to API keys resulting in data scraping.

3. Company Obligations (VIGO)

3.1. Detection and Investigation.

Upon detection of an anomaly, VIGO’s Security Team will immediately isolate the affected systems and conduct a forensic analysis to determine:

  • The nature and scope of the breach;
  • The categories of data affected (e.g., emails vs. financial tokens);
  • Whether the breach poses a “real risk of significant harm” (RROSH) to individuals.

3.2. Notification to Regulators.

  • GDPR (EU/UK): If the breach is likely to result in a risk to the rights and freedoms of individuals, VIGO will notify the relevant Supervisory Authority within 72 hours of becoming aware of the breach.
  • PIPEDA (Canada): VIGO will report to the Office of the Privacy Commissioner of Canada (OPC) if the breach creates a real risk of significant harm.

3.3. Notification to Partners (Controllers).

Since Partners act as Data Controllers for Quiz content, VIGO (as Processor) must notify the Partner “without undue delay” after becoming aware of a breach affecting their specific Lead Data.

3.4. Notification to End-Users.

VIGO will notify affected individuals directly if:

  • Their financial data or sensitive personal information was compromised;
  • There is a high risk of identity theft or fraud;
  • Required by applicable law.

4. Partner Responsibilities

4.1. Security of Credentials.

The Partner is responsible for maintaining the security of their own login credentials and API keys. VIGO is not liable for data breaches caused by the Partner’s use of weak passwords or sharing of accounts.

4.2. Exported Data.

Once a Partner exports data from LeadFilter (e.g., downloads a CSV file or sends data to a webhook), the Partner assumes full liability for the security of that data. This Policy does not cover data stored on the Partner’s local devices or third-party CRMs.

4.3. Reporting Suspicions.

If a Partner suspects their account has been compromised, they must notify VIGO immediately at support@leadfilter.ca.

5. Incident Response Procedure

VIGO follows a standardized 5-step Incident Response Plan:

  1. Identification: Monitoring systems alert the team to suspicious activity.
  2. Containment: Immediate blocking of affected accounts, IP addresses, or vulnerable endpoints to stop the leak.
  3. Eradication: Removing the root cause (e.g., patching the bug, deleting malicious files).
  4. Recovery: Restoring data from secure, encrypted backups to ensure integrity.
  5. Notification: Issuing alerts to Partners and Regulators as described in Section 3.

6. Technical Security Measures

To prevent breaches, VIGO implements:

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Access Control: Role-based access control (RBAC) ensuring employees only see what is necessary.
  • Audit Logs: Immutable logs of all system access and changes.
  • Vulnerability Scanning: Regular automated scans of the infrastructure.

7. Limitation of Liability

7.1. VIGO ONLINE GROUP is responsible for the security of data only while it resides within the LeadFilter infrastructure.

7.2. VIGO is NOT liable for breaches resulting from:

  • The Partner’s negligence (e.g., phishing attacks targeting the Partner);
  • Security failures of third-party integrations configured by the Partner (e.g., a vulnerable WordPress plugin connected to LeadFilter);
  • Force Majeure events beyond reasonable control, provided standard industry security practices were followed.

8. Contact Information

To report a security vulnerability or suspected breach:

VIGO ONLINE GROUP

Security Officer

Email: support@leadfilter.ca

Phone: +1 437 886 3152

Address: 2 Robert Speck Pkwy Suite 750, Mississauga, ON L4Z 1H8