How we collect, store, protect, and delete your data — built around Canadian law, minimal collection principles, and full client control.
All client data is stored and processed within Canadian data centres. We do not route or store personal information through US or international jurisdictions without explicit consent.
We collect only the personal information necessary to deliver the service requested. No speculative or pre-emptive data collection occurs. All collection is purpose-bound.
Every data processing activity is documented. Clients may request a copy of all data held about them at any time. Our Privacy Officer responds within 30 days as required by PIPEDA.
Data is retained only for as long as required by law or active service delivery. Automated deletion schedules apply to all categories. Session logs are purged within 90 days.
All retention periods are aligned with applicable Canadian law. Deletion is automated.
In the event of a privacy breach, we follow a structured 4-phase response. PIPEDA requires notification to affected individuals and the Office of the Privacy Commissioner within 72 hours.
Automated SIEM alerts trigger immediate incident response. Affected systems are isolated to prevent spread.
Incident team assesses scope, data categories affected, and number of individuals impacted.
Affected clients and the Office of the Privacy Commissioner of Canada (OPC) are notified within 72 hours as required by PIPEDA.
Root cause analysis completed, corrective controls implemented, and incident report filed.
Our Privacy Officer responds within 5 business days to all data-related inquiries.