GDPR Compliance

Last Updated: May 29, 2026

Introduction

Legacy Chronicles is committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR). This page outlines our practices regarding the collection, use, and protection of personal data for individuals in the European Economic Area (EEA).

Legal Basis for Processing

We process personal data only when we have a legal basis to do so. Our legal bases include:

Consent

When you provide explicit consent for us to process your personal data for specific purposes, such as receiving communications or participating in our services.

Contract

When processing is necessary to fulfill a contract with you, such as providing research services, tours, or workshops you've requested.

Legitimate Interests

When we have a legitimate interest in processing your data, such as improving our services, preventing fraud, or maintaining website security, provided these interests are not overridden by your rights.

Legal Obligation

When we must process your data to comply with legal obligations, such as tax requirements or responding to lawful requests from authorities.

Your Rights Under GDPR

If you are located in the EEA, you have the following rights regarding your personal data:

Right to Access

You have the right to request a copy of the personal data we hold about you. We will provide this information in a structured, commonly used, and machine-readable format.

Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data.

Right to Erasure (Right to be Forgotten)

You have the right to request deletion of your personal data in certain circumstances, including when the data is no longer necessary for the purposes for which it was collected.

Right to Restriction of Processing

You have the right to request that we restrict processing of your personal data in certain situations, such as when you contest the accuracy of the data.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used format and to transmit it to another controller.

Right to Object

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe we have violated your data protection rights.

How to Exercise Your Rights

To exercise any of these rights, please contact us at [email protected] with "GDPR Request" in the subject line. Please include:

• Your full name and contact information
• A description of your request
• Any relevant details to help us locate your data

We will respond to your request within 30 days. In some cases, we may extend this period by an additional 60 days if the request is complex, in which case we will inform you of the extension and the reasons for the delay.

Data Protection Officer

For GDPR-related inquiries, you may contact our Data Protection Officer:

Email: [email protected]
Subject Line: ATTN: Data Protection Officer

Data We Collect

We collect and process the following categories of personal data:

• Identity data (name, title)
• Contact data (email address, mailing address)
• Technical data (IP address, browser type, device information)
• Usage data (how you interact with our website)
• Project data (information you provide related to research or preservation services)

How We Use Your Data

We process your personal data for the following purposes:

• To provide and manage our services
• To communicate with you about your projects or inquiries
• To improve our website and services
• To comply with legal and regulatory requirements
• To protect our rights and prevent fraud

Data Sharing

We do not sell your personal data. We may share your data with:

• Service providers who assist with website hosting, email delivery, and analytics
• Professional advisors such as lawyers and accountants
• Government authorities when required by law

All third parties with whom we share data are required to respect the security of your data and treat it in accordance with applicable law.

International Data Transfers

Your personal data may be transferred to and processed in countries outside the EEA, including Canada. We ensure appropriate safeguards are in place, such as:

• Standard contractual clauses approved by the European Commission
• Adequacy decisions where the destination country provides adequate protection
• Your explicit consent to the transfer

Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption of data in transit and at rest
• Regular security assessments
• Access controls and authentication
• Staff training on data protection
• Incident response procedures

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations. Retention periods vary depending on the type of data and purpose:

• Service request data: Duration of project plus 7 years for legal compliance
• Communication records: 3 years from last contact
• Website analytics: 26 months
• Marketing consent: Until consent is withdrawn

Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

Children's Data

Our services are not directed to children under 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected such data, we will take steps to delete it promptly.

Updates to This Policy

We may update this GDPR compliance statement from time to time. We will notify you of significant changes by posting a notice on our website or by contacting you directly.

Contact Information

For questions or concerns about our GDPR compliance or to exercise your rights, please contact us:

Legacy Chronicles
247 Wellington Street
Ottawa, ON K1A 0H8
Canada

Email: [email protected]
Subject: GDPR Inquiry

Supervisory Authority

If you are not satisfied with our response to your GDPR-related concerns, you have the right to lodge a complaint with your local data protection supervisory authority.