Privacy policy

Grimaldi Tools Ltd. (“Grimaldi”, “we”, “our”, “us”) takes the confidentiality of buyer information seriously. This Privacy Policy describes the personal information we collect through the Grimaldi storefront, how we use it, who we share it with, how long we keep it, and the rights available to individuals whose information we process.

This Policy applies to the Site, our wholesale accounts, our support channels, and any related marketing communications you have opted into. It does not apply to third-party sites that link to or from the Site, which are governed by their own privacy notices.

Grimaldi acts as the organisation responsible for the personal information processed through the Site. Our Privacy Officer can be contacted at info@grimalditools.com or by writing to the address in the final section of this Policy.

Where we process personal information on behalf of another business — for example, where a manufacturer asks us to facilitate a warranty claim — we act as a service provider to that business and follow their instructions, in addition to our own controls.

We collect personal information in three ways:

Information you provide directly

• Account application: business name, jurisdiction, tax registration, ship-to and bill-to addresses, named purchasing contacts, role, email, and phone number.
• Orders and quotes: the products you request, quantities, references such as purchase-order numbers and project codes, and the addresses involved in fulfilment.
• Payment information: the limited information needed to authorise payment. Full card numbers are handled by our PCI-compliant payment service provider and are never stored on Grimaldi systems.
• Support contact: the messages, attachments, and context you share when you contact us through the Site, by email, or through other supported channels.

Information collected automatically

• Device and session signals: IP address, user-agent, language, time zone, and the events generated by your interaction with the Site, used to operate the storefront, secure sessions, and diagnose issues.
• Cookies and similar storage: first-party cookies and local storage are used to preserve sign-in state, currency and region preferences, and core storefront behaviour. See our Cookie Notice for the breakdown and the controls available to you.

Information from other sources

• Public business records: we may verify business registration, tax-exemption status, or sanctions-screening results using authoritative public sources or screening providers.
• Wholesale references: where a buyer offers wholesale references in support of credit terms, we may contact those references to confirm the information provided.
• Carrier and warehouse partners: shipping status, delivery exceptions, and proof-of-delivery records are received from our carrier and warehouse partners and tied to the related order record.

We use personal information to:

• evaluate wholesale-account applications and maintain account standing;
• resolve pricing, tier, and quoted pricing across the catalogue;
• process orders, payments, refunds, returns, and warranty claims;
• communicate transactional information such as order confirmations, shipment updates, and account notices;
• provide support, including the ability to associate a support request with the right order or business profile;
• secure the Site against fraud, abuse, and unauthorised access, including by maintaining audit logs of sensitive events;
• measure and improve the storefront, where permitted, using aggregate and pseudonymous usage data;
• comply with legal obligations, including tax, export-control, sanctions, accounting, and records-retention requirements; and
• send opt-in wholesale communications, where you have asked to receive them — you can withdraw consent at any time.

In Canada, our processing is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) and, in British Columbia, by the Personal Information Protection Act (BC PIPA). For buyers in other jurisdictions, we apply the privacy law that applies to them where it grants additional rights.

We rely on the following bases:

• Performance of a contract: to operate the account, fulfil orders, and provide support.
• Legitimate business interest: to secure the Site, prevent fraud, maintain audit records, and improve our services, balanced against the privacy interests of the individual.
• Legal obligation: to satisfy tax, accounting, export, sanctions, and records-retention requirements.
• Consent: for optional uses such as opt-in wholesale communications and non-essential cookies, withdrawable at any time.

We do not sell personal information. We share it only with:

• Service providers that operate the Site under written agreements — including hosting, database, email, payment, shipping, warehouse, observability, and customer-support providers — and only for the purposes described in those agreements.
• Manufacturers and authorised distributors where required to fulfil a special-order, drop-ship, or warranty claim on your behalf.
• Professional advisers such as our lawyers, accountants, and auditors, where reasonably required for our business.
• Government and regulatory bodies where we are legally required to do so, or where disclosure is necessary to protect the rights, property, or safety of Grimaldi, our buyers, or others.
• A successor entity in connection with a corporate transaction such as a merger, acquisition, or asset sale, subject to confidentiality obligations.

Our service providers are selected for their security and privacy posture, are bound by written agreements that limit their use of personal information to the purposes we authorise, and are required to maintain appropriate technical and organisational safeguards.

Categories currently used include cloud database and storage, authenticated session management, email delivery, payment processing, shipping and warehouse coordination, error monitoring, and product analytics. Specific provider names can be shared on written request to info@grimalditools.com.

Grimaldi is headquartered in Canada. Some of our service providers operate in the United States or other jurisdictions. Where personal information leaves the buyer’s jurisdiction, we use contractual and operational safeguards designed to maintain a comparable level of protection, including data-processing terms, encryption in transit, and access controls scoped to the purpose of the transfer.

We keep personal information for as long as it is needed to operate the account, fulfil the order, meet our legal obligations, and resolve disputes. Typical retention windows include:

• Account records: for the active life of the wholesale account and, after closure, for the period required to satisfy our records-retention and tax obligations.
• Order and invoice records: retained for the period required by applicable tax and accounting law, typically at least six (6) years.
• Support records: retained for the period needed to operate the support relationship and to identify recurring issues, then archived or anonymised.
• Security and audit logs: retained for the period needed to investigate incidents and demonstrate compliance, then rotated.

We apply administrative, technical, and physical safeguards designed to protect personal information against unauthorised access, use, disclosure, alteration, and loss. These include role-based access, principle-of-least-privilege, encryption in transit, encryption at rest for sensitive stores, monitored audit logs, vendor due diligence, and a documented incident-response process. No system is perfectly secure, and we encourage buyers to use strong, unique credentials and to notify us promptly of any suspected compromise.

Subject to applicable law, individuals whose information we process have the right to:

• Access the personal information we hold about them and ask for an explanation of how it is used and disclosed;
• Correct personal information that is inaccurate or out of date;
• Withdraw consent for processing that relies on consent, including opt-in marketing, on reasonable notice;
• Object to certain processing, including direct marketing;
• Complain to the Office of the Privacy Commissioner of Canada or to the Office of the Information and Privacy Commissioner for British Columbia where applicable.

Requests can be sent to info@grimalditools.com. We may need to verify the identity of the requester before acting on a request. Some information must be retained to meet our legal obligations, in which case we will explain the basis for retention and limit further use.

The Site is intended for use by business buyers and is not directed at children. We do not knowingly collect personal information from anyone under the age of sixteen (16). If you believe a child has provided personal information through the Site, contact info@grimalditools.com and we will take reasonable steps to delete it.

We do not make decisions about wholesale-account approval, credit, or order acceptance solely by automated means. Automated screening may flag an application or order for review (for example, where a sanctions or fraud signal is raised), but a person at Grimaldi reviews the outcome before any adverse decision is finalised.

We may update this Policy from time to time to reflect changes to our operations, technology, or applicable law. Material changes will be communicated to active wholesale accounts through transactional email or an in-product notice. The “Last updated” date at the top of this page always shows the most recent revision.

To exercise a right or ask a privacy question, please contact:

We will acknowledge your request within thirty (30) days and respond on the timeline required by applicable privacy law.