Privacy Policy

1. PIPEDA Compliance Statement

CanCertify ("Company", "we", "our", or "us") is committed to protecting your privacy in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA), the Canadian Privacy Act, and all applicable provincial privacy legislation, including Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25), Alberta's Personal Information Protection Act (PIPA), and British Columbia's Personal Information Protection Act (PIPA).

This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our website at cancertify.ca, our web application, and all related services (collectively, the "Service"). We adhere to the ten fair information principles set out in PIPEDA, including accountability, consent, limiting collection, accuracy, safeguards, and openness.

2. Information We Collect

2.1 Personal Information

When you create an account or use the Service, we may collect the following personal information:

• Full name and job title
• Email address and phone number
• Business address and province of operation
• Login credentials (passwords are stored in hashed form and are never accessible in plaintext)
• Payment and billing information (processed securely by our third-party payment provider)

2.2 Company and Business Data

To provide compliance recommendations and gap analysis, we collect information about your organization:

• Company name, industry, size, and province of incorporation
• Business registration numbers and operating jurisdictions
• Compliance status, certifications held, and certification expiration dates
• Documents you upload for compliance assessment (policies, procedures, certifications)
• Information about your data handling practices, client types, and regulatory obligations

2.3 Usage Data

We automatically collect certain information when you interact with the Service:

• Device information (browser type, operating system, device identifiers)
• IP address and approximate geolocation (country/province)
• Pages visited, features used, and actions taken within the Service
• Session duration, timestamps, and referring URLs
• Error logs and performance data to improve the Service

2.4 Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve the Service. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Providing the Service: Creating and managing your account, delivering compliance assessments, generating recommendations, producing documents, and enabling certification tracking
• AI-Powered Features: Powering our gap analysis engine, generating compliance documents, and providing personalized recommendations based on your business profile
• Communication: Sending transactional emails (account verification, password resets, billing receipts), compliance reminders, certification expiry notifications, and service updates
• Improvement and Analytics: Understanding how users interact with the Service, identifying areas for improvement, and developing new features
• Security: Detecting, preventing, and addressing fraud, abuse, and security threats
• Legal Compliance: Fulfilling our legal obligations under Canadian law and responding to lawful requests from government authorities

4. Consent

In accordance with PIPEDA, we obtain your consent before collecting, using, or disclosing your personal information, except where permitted or required by law. By creating an account and using the Service, you consent to the collection and use of your information as described in this Privacy Policy.

You may withdraw your consent at any time by contacting us at privacy@cancertify.com. Please note that withdrawing consent may affect your ability to use certain features of the Service.

5. Data Sharing and Third Parties

5.1 Service Providers

We share your information with trusted third-party service providers who assist us in operating the Service, including:

• Cloud hosting providers for data storage and processing (hosted in Canadian data centers)
• Payment processors for subscription billing and payment handling
• Email service providers for transactional and notification emails
• Analytics providers for understanding usage patterns (anonymized data only)
• AI service providers for powering AI-driven features (data is processed in accordance with our data processing agreements)

All service providers are contractually obligated to protect your information and use it only for the purposes we specify.

5.2 Legal Requirements

We may disclose your personal information if required to do so by law, court order, or government regulation, or if we believe in good faith that such disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a lawful request from Canadian or international authorities.

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred as part of the transaction. We will notify you of any such transfer and any changes to this Privacy Policy.

5.4 No Sale of Personal Information

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

6. Data Security

We implement industry-standard security measures to protect your personal information, including:

• Encryption of data in transit using TLS 1.2 or higher and encryption of data at rest using AES-256
• Secure password hashing using bcrypt with appropriate salt rounds
• Regular security assessments, penetration testing, and vulnerability scanning
• Role-based access controls limiting employee access to personal information on a need-to-know basis
• Monitoring and logging of system access for audit purposes
• Incident response procedures for prompt detection and response to security breaches

For more details about our security practices, please visit our Security page.

7. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specifically:

• Active account data: Retained for the duration of your account plus 30 days following account closure
• Billing records: Retained for 7 years in accordance with Canadian tax law requirements
• Usage logs: Retained for up to 24 months for analytics and security purposes, then anonymized or deleted
• Support correspondence: Retained for 3 years following resolution

Upon request, we will delete your personal information within 30 days, subject to any legal obligations that require us to retain certain data.

8. Your Rights Under PIPEDA

Under PIPEDA and applicable provincial privacy legislation, you have the following rights:

• Right of Access: You may request access to the personal information we hold about you. We will respond to your request within 30 days.
• Right to Correction: You may request that we correct any inaccurate or incomplete personal information.
• Right to Withdraw Consent: You may withdraw your consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions.
• Right to Data Portability: You may request an export of your data in a commonly used machine-readable format.
• Right to Complain: You have the right to file a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated.

To exercise any of these rights, please contact our Privacy Officer at privacy@cancertify.com.

9. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe we have inadvertently collected information from a child, please contact us at privacy@cancertify.com.

10. International Data Transfers

CanCertify is headquartered in Canada, and your personal information is primarily stored and processed in Canadian data centers. In some cases, your data may be processed by service providers located outside of Canada (for example, AI processing services). When this occurs, we ensure that appropriate safeguards are in place, including contractual data protection agreements that provide a level of protection comparable to Canadian privacy laws.

We will notify you if your personal information will be transferred to a jurisdiction with materially different privacy protections, and we will obtain your consent where required.

11. Quebec Law 25 (Bill 64) Compliance

For users and businesses located in Quebec, we comply with the requirements of Quebec's Act Respecting the Protection of Personal Information in the Private Sector (commonly known as Law 25), including:

• Conducting privacy impact assessments for activities involving personal information
• Providing clear and accessible privacy notices in both English and French
• Implementing data de-identification and anonymization where appropriate
• Maintaining an inventory of personal information holdings
• Reporting privacy breaches to the Commission d'accès à l'information du Québec where required

12. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy on our website with a revised "Last updated" date and, where appropriate, by sending you an email notification.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

13. Privacy Officer

CanCertify has designated a Privacy Officer responsible for overseeing our compliance with applicable privacy legislation and this Privacy Policy. If you have any questions, concerns, or complaints about our privacy practices, or if you wish to exercise any of your privacy rights, please contact:

• Privacy Officer
• Email: privacy@cancertify.com
• General Inquiries: hello@cancertify.com
• Website: cancertify.ca
• Address: Toronto, Ontario, Canada

14. Office of the Privacy Commissioner

If you are not satisfied with our response to your privacy concern, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada:

• Website: www.priv.gc.ca
• Phone: 1-800-282-1376