Privacy Notice — Stratos Closeout

Last updated 2026-06-02

This Privacy Notice explains what personal data Avo Inc. collects when you participate in the Stratos Closeout Summer 2026 Challenge (the "Contest"), how we use it, who we share it with, how long we keep it, and the rights you have over it. Read this before signing in with LinkedIn or submitting a manual entry.

1. Identity and contact details of the Controller

The data controller for personal data processed in connection with the Contest is Avo Inc. (operating under the "Stratos" brand for this Contest), a Canadian corporation with its registered office at [ENTER LEGAL MAILING ADDRESS].

Data-protection contact: privacy@avo-inc.ca.

For UK/EU residents, Avo Inc. does not have an establishment in the UK or EU and is not subject to a mandatory Article 27 representative requirement on the basis that processing is limited to a low-volume, time-bounded skill contest. If processing materially expands, an EU/UK representative will be appointed and named here.

2. What data we collect and where it comes from

Category	Source	Example fields
LinkedIn-verified identity	LinkedIn OpenID Connect, after you sign in	First name, last name, email address, profile picture URL, LinkedIn member ID (sub), locale
Self-declared profile	You, when you complete the entry form	Company, industry, (manual path) display name
Round telemetry	Generated by your gameplay	Cycle time, score, grade, accuracy, depth, holes drilled, bits broken, overtime
Country (derived)	Your IP address at the moment of submission	Two-letter country code (e.g. "CA"); IP itself is hashed, never stored in clear
Device data	Your browser	User-agent string, browser language
Cookies	Set by our server	See § 7 below

We do not collect special categories of data (race, religion, health, sexual orientation, etc.), payment card data, or location data more granular than country. We do not buy, rent, or otherwise acquire personal data from third-party data brokers.

3. Purposes and legal basis

Purpose	Legal basis (GDPR Art. 6)
Administer the Contest: receive your entry, compute your rank, verify your identity, communicate with winners	(b) performance of a contract (the Contest Rules) and (a) consent (LinkedIn authorization)
Operate the public leaderboard (first name + last initial + country + company + cycle time)	(a) consent at the moment of entry
Detect fraud, bots, and ineligible entries; enforce eligibility rules including team-member exclusion and jurisdiction exclusion	(f) legitimate interest in the integrity of the Contest, balanced against your privacy interests
Audit and compliance (responding to legal requests, defending claims)	(c) legal obligation and (f) legitimate interest
Send you marketing communications from Stratos (only if you tick the optional marketing checkbox)	(a) explicit, separate, freely-given consent — you can withdraw at any time
Measure how the Contest site is used in aggregate (sessions, screen views, funnel steps, time spent on the round analysis) so we can improve it and report to internal stakeholders. First-party only — no third-party tracking or advertising networks, no cross-site profiling, no personalised advertising. See § 7a.	(f) legitimate interest in operating, improving, and reporting on the Contest, balanced against your privacy interests (low expected impact: pseudonymous device key, no cross-site tracking)

Under PIPEDA, the basis of processing is your knowledge and consent at the point of entry. Under CCPA/CPRA, we do not "sell" or "share" personal information as those terms are defined in California law.

4. Who we share data with

We share personal data only as strictly necessary, with the following categories of recipients:

LinkedIn Corporation — to authenticate you and read the profile fields you authorize. We do not transmit any data back to LinkedIn beyond the OAuth handshake.
Google LLC (Google Cloud Platform) — sub-processor for hosting (Cloud Run), database (Firestore), and authentication infrastructure. Region: [CONFIRM REGION e.g. us-central1]. Bound by Google’s standard Data Processing Addendum.
ipapi.co (Kaeru Pte. Ltd.) — server-side IP-to-country lookup, used only at the moment of submission, only the country code is retained; no log entry on their side is associated with your name or email.
Avo Inc. staff who administer the Contest, on a need-to-know basis.
Tax authorities, regulators, or law enforcement where required by law (e.g. tax-slip reporting for prize amounts above CRA-mandated thresholds).

We do not authorize any recipient to use your data for their own marketing purposes.

5. International transfers

If you are located in the United Kingdom or the European Economic Area, your personal data will be transferred to Canada (Avo Inc.’s location) and to the United States (Google Cloud’s primary infrastructure for this deployment). Canada is recognized by the European Commission as providing adequate protection for personal data transferred from the EU (Decision 2002/2/EC, as supplemented). Transfers to the United States rely on the EU–U.S. Data Privacy Framework (Google Cloud participates) and, as a backstop, the European Commission’s Standard Contractual Clauses incorporated into Google’s Data Processing Addendum. A copy is available from privacy@avo-inc.ca on request.

6. Retention

We retain entrant data only as long as needed for the purposes set out above:

Entry record (LinkedIn profile + company + industry + country + round telemetry): until February 28, 2027 (six months after Contest close), after which it is automatically deleted.
Marketing-list entries (only if you opted in): until you unsubscribe.
Audit logs of data-subject requests: 24 months, for accountability under Article 5(2) GDPR.
Hashed IP addresses: 90 days for fraud detection.

7. Cookies and browser storage

We use only strictly-necessary cookies. We do not use third-party analytics or advertising cookies, social-network trackers, or cross-site fingerprinting.

Cookie / storage	Purpose	Lifetime
`dm_li_state`	CSRF protection for the LinkedIn OAuth round-trip	10 minutes
`dm_li_session`	Keeps you signed in via LinkedIn so you don’t have to re-auth each round	14 days
`dm_session` (sessionStorage)	Random per-tab ID so we can stitch one playthrough together for analytics. Cleared automatically when you close the tab.	Tab lifetime
`dm_user` (localStorage)	Random per-device ID so we can count returning vs new users in aggregate. Never tied to your name or email unless you also sign in with LinkedIn. Clearing site storage opts you out.	Until you clear site storage

Because none of the above are used for advertising or cross-site tracking, prior consent is not required under the EU ePrivacy Directive (Art. 5(3) exemption); the analytics identifiers are processed under our Article 6(1)(f) legitimate interest in operating and improving the Contest.

7a. Site analytics

Stratos runs first-party, in-house analytics on the Contest site so we can understand which screens are reached, how long the round-analysis page is read, which jurisdictions players come from in aggregate, and whether the entry funnel works. The data we record for analytics consists of: a random session ID and a random device ID (see § 7 above), the type of event (e.g. “round started”, “results viewed”), the timestamp, the country derived from your IP, a coarse device class (mobile / tablet / desktop) and browser family, and — when you are signed in via LinkedIn — a hash of your email so we can distinguish verified entrants from anonymous plays for funnel reporting. We do not embed third-party trackers, use cookies for advertising, build cross-site profiles, sell or share analytics data, or use it for automated decisions that produce legal effects.

How to opt out: the analytics identifiers live entirely in your browser’s own storage. Clearing site data for this site removes them; opening the page in a private / incognito window prevents the device ID from persisting. You may also contact privacy@avo-inc.ca to object to analytics processing on legitimate-interests grounds under Article 21 GDPR; we will exclude your identifiers from future analytics aggregation within 30 days.

8. Your rights

Depending on where you live, you have some or all of the following rights:

Access — receive a copy of the personal data we hold about you.
Rectification — correct inaccurate or incomplete data.
Erasure ("right to be forgotten") — have your data deleted, subject to limited exceptions.
Restriction — pause processing while a dispute is resolved.
Portability — receive your data in a structured, machine-readable format.
Objection — to processing based on our legitimate interests, including profiling.
Withdraw consent — for any processing based on consent, at any time, without affecting the lawfulness of prior processing.
Automated decision-making — we do not make decisions about you using solely automated processing within the meaning of GDPR Article 22.
Lodge a complaint with your supervisory authority: Office of the Privacy Commissioner of Canada for Canadian residents; your national supervisory authority for EEA residents; the Information Commissioner’s Office (ICO) for UK residents; the California Attorney General for California residents.

How to exercise your rights: if you are signed in with LinkedIn, you can view and download your stored data and request erasure directly from the entry modal (look for the "Your data" controls below the verified-profile card). Otherwise, email privacy@avo-inc.ca with your request. We will respond within thirty (30) days, and at no charge. We may need to verify your identity before acting on a request.

9. Security

We use TLS in transit, encryption at rest provided by Google Cloud, HMAC-signed session cookies, server-side input validation, IP-rate-limiting on the entry endpoint, and email-based deduplication to prevent enumeration attacks. Email addresses are never returned by the public leaderboard API.

10. Changes to this Notice

If we materially change this Privacy Notice, we will update the "Last updated" date above and, where the change affects already-collected data, contact entrants by email before the change takes effect.

11. Contact

Questions, complaints, or requests: privacy@avo-inc.ca.

For legal review: placeholders [ENTER LEGAL MAILING ADDRESS], [CONFIRM REGION] must be completed; an Article 27 EU representative may be required if volumes scale beyond the current low-volume contest; CCPA "Do Not Sell or Share" link may be required even though we do not sell, to satisfy California disclosure formalism.