Back to Legal Center

Privacy Policy

Learn how CK Catalyst collects, secures, and processes personal and business data across its core operations and Business Cells™ infrastructure.

Last updated: June 3, 2026

1. Introduction

CK Catalyst ("we", "our", "us") is committed to protecting the privacy, security, and confidentiality of your personal data and operational information. This Privacy Policy explains how we collect, use, store, and safeguard data across our website, our automation tools, and our specialized solutions, including our MVP-to-Scale Framework and our dynamic Business Cells™ infrastructure (comprising Hybrid Cells™, Ops Cells™, Automation Cells™, Data Cells™, AI Cells™, and Dev Cells™).

By using our website or engaging our solutions, you agree to the practices outlined in this policy and our Terms of Service.

2. Information We Collect

We collect information to deliver our solutions effectively, securely, and in line with modern engineering and deployment standards:

A. Information you provide directly

  • Name, email address, phone number, and company details.
  • Onboarding inputs, discovery session data, and architecture requirements.

B. Operational data (for clients) If you deploy our specialized Business Cells™:

  • Standard Operating Procedures (SOPs), workflow instructions, and relevant CRM/tool data architectures.
  • Technical documents, deployment logs, and system access profiles provided for workflow execution.

In all cases, the underlying processes originate from your own business operations. Our role is to observe, document, and analyze your existing workflows first, then build, optimize, or deploy Business Cells™ around them with your explicit approval.

C. Technical and usage information Collected automatically via infrastructure logs and telemetry:

  • IP address, device characteristics, browser type, and operating system.
  • Workflow execution logs, error payloads, and integration event metadata required to maintain pipeline uptime.

We do not collect sensitive personal data (e.g., health or financial account credentials) unless strictly required by a specific, contractual statement of work.

3. How We Use Your Information

We use your information exclusively to deliver safe, effective, and optimized automated systems:

A. To deploy and manage solutions

  • Execute operational data routing and build custom automations, pipelines, and technical interfaces.
  • Map and analyze your existing core processes, tools, and systems together with your team before activating your Business Cells™.

B. To maintain and optimize systems

  • Monitor workflow reliability, debug execution errors, and establish performance analytics safeguards across active cells.

C. To communicate

  • Send project deployment updates, onboarding parameters, operational alerts, and essential legal adjustments.

We never sell your personal or business data. We never disclose client-specific operational workflows or proprietary system logic to third parties.

4. How We Protect Your Data

We implement industry-standard security practices across all layers of our solutions:

  • Encrypted data transmission using HTTPS/TLS protocols.
  • Secure credential storage (credentials and API tokens are never stored in plaintext).
  • Strict logical separation of client data environments to prevent cross-tenant access.
  • Device-level security and multi-factor authentication (MFA) for all technical and operational staff.

For technical workflows, sensitive configurations (API keys, secrets, access tokens) are stored exclusively within secure production environments, such as n8n’s encrypted credential store, secure enterprise vaults, or restricted cloud project variables.

5. AI and Automation Data Use

We use artificial intelligence and automated infrastructure responsibly within our Business Cells™:

  • No Public Training: Third-party AI models utilized inside your AI Cells™ or pipelines are configured to ensure they do not train public models on your proprietary business data or operational payloads.
  • Data Isolation: Internal AI assistants or pipelines are strictly scoped and logically isolated per client project.
  • Confidentiality: Workflow executions involving AI processing follow the exact same privacy boundaries as standard database and API handling.

6. Third-Party Services and Subprocessors

We utilize highly secure third-party platforms essential for hosting, database management, and automation infrastructure:

  • Database & Auth: Supabase
  • Automation Infrastructure: n8n, Zapier, Make.com
  • Hosting & Security: Vercel, Cloudflare

These services process technical metadata necessary for performance and security. All infrastructure vendors are vetted for SOC 2, ISO 27001, or GDPR compliance. For a complete list of current subprocessors, please see our Subprocessor Directory.

7. Data Retention & Deletion

We retain your data only for as long as necessary to fulfill solution delivery, legal obligations, or active business engagements:

  • Inquiries & Leads: Retained up to 24 months.
  • Operational Logs & Execution History: Typically purged automatically within 30 to 180 days, depending on cell configuration and platform settings.
  • Client Project Data: Retained for the duration of the active contract.

Upon contract termination or written request, we will securely archive or permanently delete your operational assets from our environments, subject to any overriding legal retention requirements.

8. Your Rights

Depending on your regional jurisdiction (such as Canadian privacy laws, GDPR, or CCPA), you have clear rights regarding your personal information, including the right to access, correct, export, or request the deletion of your data.

To exercise any of these options, please review our intake process or contact us directly. We will validate all identity requests before modifying any system records.

9. Confidentiality for Client Operations

Every client engagement operates under a strict, non-disclosure standard:

  • All internal processes, source documentation, and workflow structures remain private to your team.
  • Business Cells™ run on isolated permission layers; no logic, schemas, or data is shared cross-client.
  • Your underlying business processes remain yours entirely. We adapt to them, document them, and build solutions around them rather than forcing disruptive platform replacements without your review.

10. International Data Transfers

Data may be processed or stored in various secure regions depending on our infrastructure providers (primarily Canada and the United States). We rely on encrypted data transfer mechanisms and vendors maintaining rigorous compliance practices to guarantee data safety across borders.

11. Children’s Privacy

Our website and solutions are designed strictly for business-to-business (B2B) and professional enterprise operations. We do not knowingly collect or process data from individuals under 18 years of age.

12. Updates to This Policy

We update this Privacy Policy periodically to match solution changes or updated legal landscapes. When updates happen, we will change the "Last Updated" date above. We recommend checking our Legal Hub periodically for updates.

13. How to Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, reach out to us at:

We review and address all privacy and data access requests promptly, typically within 30 days of validation.

Document FAQ

Quick, non-legalese answers to common operational questions.

We only collect fundamental operational data required to manage your account and deliver services. This includes basic account registration parameters (such as your name, corporate email address, and company name) and standard billing data processed securely via our payment gateways.

Never. Your transactional business files, CRM lists, and runtime payloads belong exclusively to you. We act strictly as an infrastructure bridge to run your automated cells. We do not sell, rent, index, or use your company's processing data for any external marketing or commercial purposes.

Our site performance tracking uses Google Cloud Platform (GCP) configurations that completely anonymize visitor information. It strips out distinct IP markers, capturing only aggregated system events—such as page load benchmarks, asset loading speeds, and interface click pathways—to optimize app performance.

We only share specific data parameters with verified third-party infrastructure providers that are absolutely necessary to maintain your services (such as Supabase for login security, or your dedicated n8n automation runtime environment). We do not share records with third-party advertising networks.

You maintain absolute authority over your records. You can request a complete profile erasure, data export, or correction at any time by contacting our privacy desk at our main support email. Non-essential configuration files are purged completely within 30 days of a verified request.

Next