Your rights under the General Data Protection Regulation
Vivid Spire is committed to protecting the privacy and security of personal data in compliance with the General Data Protection Regulation (GDPR). This page outlines how we process personal data of individuals in the European Economic Area (EEA) and the United Kingdom, and explains your rights under GDPR.
Vivid Spire acts as the data controller for personal information collected through our website and services. Our contact details are:
Vivid Spire
245 King Street West, Suite 1200
Toronto, ON M5V 1J2
Canada
Email: [email protected]
We process personal data under the following legal bases:
As a data subject under GDPR, you have the following rights:
You have the right to obtain confirmation as to whether we process your personal data and, if so, to request access to that data along with information about how it is processed.
You have the right to request correction of inaccurate personal data and to have incomplete data completed.
You have the right to request deletion of your personal data in certain circumstances, including when the data is no longer necessary for the purposes for which it was collected, or when you withdraw consent.
You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data or when processing is unlawful.
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
You have the right to object to processing based on legitimate interests or for direct marketing purposes.
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Vivid Spire does not use automated decision-making in relation to our services.
As Vivid Spire is based in Canada, personal data may be transferred outside the EEA. Canada has been recognised by the European Commission as providing an adequate level of data protection. For transfers to other countries, we implement appropriate safeguards such as Standard Contractual Clauses.
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. Retention periods vary depending on the type of data and its purpose. When data is no longer needed, it is securely deleted or anonymised.
We implement appropriate technical and organisational measures to protect personal data, including:
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly.
To exercise any of your rights under GDPR, please contact us at [email protected]. We will respond to your request within one month of receipt. If your request is complex or we receive numerous requests, we may extend this period by a further two months, in which case we will inform you of the extension.
There is no fee for exercising your rights, though we may charge a reasonable fee for manifestly unfounded or excessive requests.
If you believe that our processing of your personal data violates GDPR, you have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
We may update this GDPR notice from time to time. The current version will always be available on this page with the effective date noted.
Last updated: June 2026