Privacy Policy
This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information when You use one or more of Our Services and advises You about Your privacy rights and how the law protects You. We use Your Personal Data to provide and improve Our Service. By using Our Service, You agree to the collection and use of information in accordance with this Privacy Policy.
NOTE: although We are a Canadian company primarily operating in Canada, We do Our best to comply not only with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), but also Europe’s General Data Protection Regulation (GDPR), and the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA). A General Overview (unofficial) in plain language of pertinent requirements and obligations under each of these privacy regimes is located at Appendices A, B, and C, respectively.
1. Interpretation and Definitions
Interpretation
Words having the initial letter capitalized have the following definitions and shall have the same general meaning regardless of whether they appear in singular or in plural.
Definitions
For the purposes of this Privacy Policy:
Account means a unique account created for You to access Our Service or parts of Our Service.
Affiliate means an entity that controls, is controlled by or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.
Company (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to Nerve Strategic Inc., having a business location at 7 Abbs Street, Toronto, Ontario, Canada M6K 1M5.
Cookies are small files that are placed on Your computer, mobile device or any other Device by a website, containing the details of Your browsing history on that website.
Country refers to Canada.
Device means any device that can access the Service such as a computer, a cellphone or a digital tablet.
Personal Data is any information that relates to an identified or identifiable individual.
Service refers to the Executive Presence, Business Presence, and Corporate Package Services listed on Our Website, as well as The Edge on-line courses available from the Website.
Service Provider means any natural or legal person who processes data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used.
Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
Website refers to the Nerve Strategic website, accessible from https://nervestrategic.com/
You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
2. Information We Collect and Using Your Personal Data
Types of Data Collected
Personal Data
While using Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information may include, but is not limited to:
- Email address
- First name and last name
- Your employer/company name
- Phone number
- Address, City, State/Province, ZIP/Postal code
- Usage Data
Usage Data
Usage Data is collected automatically when using the Service. Usage Data may include information such as Your Device's Internet Protocol address, browser type, browser version, the pages of Our Service that You visit, the time and
date of Your visit, the time spent on those pages, unique Device identifiers and other diagnostic data. When You access the Service by or through a mobile device, We may collect certain information automatically, including, but not
limited to, the type of mobile device You use, Your mobile device unique ID, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique Device identifiers and other
diagnostic data. We may also collect information that Your browser sends whenever You visit Our Service or when You access the Service by or through a mobile device.
Tracking Technologies and Cookies
We use Cookies and similar tracking technologies to enhance user experience, analyze traffic, track the activity on Our Service and store certain information. Tracking technologies used are beacons, tags, and scripts to collect and
track information and to improve and analyze Our Service. The technologies We use may include:
Cookies or Browser Cookies. A cookie is a small file placed on Your Device. You can instruct Your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if You do not accept Cookies, You may not be able to use some parts of Our Service. Unless You have adjusted Your browser setting so that it will refuse Cookies, Our Service may use Cookies.
Web Beacons. Certain sections of Our Service and Our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Company, for example, to count users who have visited those pages or opened an email and for other related Website statistics (for example, recording the popularity of a certain section and verifying system and server integrity).
Cookies can be "Persistent" or "Session" Cookies. Persistent Cookies remain on Your personal computer or mobile device when You go offline, while Session Cookies are deleted as soon as You close Your web browser. We use both Session and Persistent Cookies for the purposes set out below:
Necessary / Essential Cookies
Type: Session Cookies
Administered by: Us
Purpose: These Cookies are essential to provide You with Services available through the Website and to enable You to use some of its features. They help to authenticate users and prevent fraudulent use of user Accounts. Without these Cookies, the Services that You have asked for cannot be provided, and We only use these Cookies to provide You with those Services.
Cookies Policy / Notice Acceptance Cookies
Type: Persistent Cookies
Administered by: Us
Purpose: These Cookies identify if users have accepted the use of Cookies on the Website.
Functionality Cookies
Type: Persistent Cookies
Administered by: Us
Purpose: These Cookies allow Us to remember choices You make when You use the Website, such as remembering Your login details or language preference. The purpose of these Cookies is to provide You with a more personal experience and to avoid You having to re-enter Your preferences every time You use the Website.
3. How We Use Your Personal Data
The Company may use Personal Data for the following purposes:
To provide and maintain Our Service, including to monitor the usage of Our Service.
To manage Your Account: to manage Your registration as a user of the Service. The Personal Data You provide can give You access to different functionalities of the Service that are available to You as a registered user. We generally use Your email address as Your login credential for Our The Edge on-line learning system.
For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or Services You have purchased or of any other contract with Us through the Service, e.g. for billing and invoicing purposes.
To contact You: To contact You by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application's push notifications regarding updates, training tips, relevant news, or informative communications related to the functionalities, products or contracted Services, including security updates, when necessary or reasonable for their implementation.
To provide You with news, special offers and general information about other goods, Services and events which We offer that are similar to those that You have already purchased or enquired about unless You have opted not to receive such information.
To manage Your requests: To attend and manage Your requests to Us.
For business transfers: We may use Your information to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by Us about Our Service users is among the assets transferred.
For other purposes: We may use Your information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of Our promotional campaigns and to evaluate and improve Our Service, products, services, marketing and Your experience.
4. Legal Basis for Processing Personal Data
We process Your Personal Data based on the following:
Consent: When You voluntarily provide information, subscribe to communications, or provide explicit consent to the collection of Personal Data (e.g. via checkboxes, opt-in forms).
Contractual Necessity: To fulfill Our obligations in providing Services to You.
Legitimate Interests: For internal business operations and Service improvement, provided these interests are not overridden by Your rights.
5. Your Rights
Depending on Your jurisdiction, You may have the following general rights (note: a General Overview (unofficial) in plain language of pertinent requirements and obligations under each of these privacy regimes is located at Appendices A, B, and C, respectively):
Under GDPR (EU/EEA Residents):
- Right to access, correct, or delete Your data
- Right to restrict or object to processing
- Right to data portability
- Right to withdraw consent at any time
- Right to lodge a complaint with a supervisory authority
Under CCPA/CPRA (California Residents):
- Right to know what personal information We collect and how We use it
- Right to request deletion of Your personal information
- Right to opt out of the sharing of personal information
- Right to correct inaccurate personal information
- Right to limit the use of sensitive personal information
Under PIPEDA (Canada):
- Right to access and correct Your personal information
- Right to withdraw consent
- Right to challenge Our compliance with PIPEDA
Although We are a Canadian company primarily operating in Canada, We do Our best to comply not only with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), but also Europe’s General Data Protection Regulation (GDPR), and the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA). To exercise any of these rights, please contact Us using the details in Section 14.
6. Security of Your Personal Data
The security of Your Personal Data is important to Us, and We use industry-standard encryption and secure storage practices to protect Your personal information from unauthorized access, disclosure, alteration, or destruction, but
remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute
security.
7. Sharing or Disclosure of Your Personal Data
We do NOT sell Your personal information. We may share Your personal information in the following situations:
With Service Providers: We may share Your personal information with Service Providers who assist with billing, IT, communication systems, or to monitor and analyze the use of Our Service, but We do so under strict confidentiality agreements.
For business transfers: We may share or transfer Your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of Our business to another company. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.
With Affiliates: We may share Your information with Our Affiliates, in which case We will require those Affiliates to honor this Privacy Policy. Affiliates may include a parent company and any other subsidiaries, joint venture partners or other companies that We control or that are under common control with Us.
With business partners: We may share Your information with Our business partners to offer You certain products, services or promotions, but We do so under strict confidentiality agreements.
With other users: when You share personal information or otherwise interact in the public areas with other users, such information may be viewed by all users and may be publicly distributed outside.
Law enforcement: Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
Other legal requirements: The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:
- Comply with a legal obligation
- Protect and defend the rights or property of the Company
- Prevent or investigate possible wrongdoing in connection with the Service
- Protect the personal safety of users of the Service or the public
- Protect against legal liability
With Your consent: We may disclose Your personal information for any other purpose with Your explicit consent.
8. Retention of Your Personal Data
The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use Your Personal Data to the extent necessary to comply with Our legal obligations (for
example, if We are required to retain Your data to comply with applicable laws), resolve disputes, and enforce Our legal agreements and policies. The Company will also retain Usage Data for internal analysis purposes. Usage Data is
generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of Our Service, or We are legally obligated to retain this data for longer time periods.
9. Transfer of Your Personal Data
Your information, including Personal Data, is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to — and
maintained on — computers located outside of Your state, province, country or other governmental jurisdiction where the data protection laws may differ from those from Your jurisdiction. Your consent to this Privacy Policy followed
by Your submission of such information represents Your agreement to that transfer. The Company will take all steps reasonably necessary to ensure that Your data is treated securely and in accordance with this Privacy Policy and no
transfer of Your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of Your data and other personal information. In this respect, where required by law,
We implement appropriate safeguards such as Standard Contractual Clauses approved by the European Commission or rely on adequacy decisions. For transfers from Canada, We ensure comparable levels of protection as required by PIPEDA.
10. Delete Your Personal Data
You have the right to delete or request that We assist in deleting the Personal Data that We have collected about You. Our Service may give You the ability to delete certain information about You from within the Service. You may
update, amend, or delete Your information at any time by signing in to Your Account, if You have one, and visiting the Account settings section that allows You to manage Your personal information. You may also contact Us to request
access to, correct, or delete any personal information that You have provided to Us. Please note, however, that We may need to retain certain information when We have a legal obligation or lawful basis to do so.
11. Children's Privacy
Our Service does not address anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13. If You are a parent or guardian and You are aware that Your child has provided
Us with Personal Data, please contact Us. If We become aware that We have collected Personal Data from anyone under the age of 13 without verification of parental consent, We take steps to remove that information from Our servers.
If We need to rely on consent as a legal basis for processing Your information and Your country requires consent from a parent, We may require Your parent's consent before We collect and use that information.
12. Links to Other Websites
Our Service may contain links to other websites that are not operated by Us. If You click on a third party link, You will be directed to that third party's site. We strongly advise You to review the Privacy Policy of every site You
visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.
13. Data Breach Notification
In accordance with PIPEDA, We are committed to promptly notifying affected individuals and the Office of the Privacy Commissioner of Canada in the event of a data breach involving personal information that poses a real risk of significant harm. Notification to affected individuals will be made as soon as feasible after the breach is discovered and will include:
- A description of the breach and the personal information involved
- The steps taken to mitigate the breach
- Contact information for further inquiries
- Recommendations for individuals to reduce the risk of harm
Notifications may be delivered via email, postal mail, telephone, or public communication, depending on the circumstances and available contact information. We will also maintain a record of all data breaches for a minimum of 24 months, as required by PIPEDA.
14. Internal Privacy Governance
We are committed to maintaining the highest standards of privacy protection through robust internal governance practices. To ensure compliance with PIPEDA, the Company has implemented the following measures:
Staff Training: All employees undergo regular privacy and data protection training to ensure they understand their responsibilities in handling personal information. Training sessions are updated periodically to reflect changes in legislation and internal policies.
Internal Audits: The Company conducts periodic internal audits to assess compliance with privacy policies and procedures. These audits help identify potential risks and areas for improvement in data handling practices.
Policy Reviews: Privacy policies and procedures are reviewed at least annually, or more frequently if required by changes in law or business practices. Updates are communicated to all staff and incorporated into training materials.
These governance practices demonstrate Our commitment to protecting personal information and ensuring ongoing compliance with PIPEDA.
15. Changes to this Privacy Policy
We may update Our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy Policy on Our Website. We will let You know via email and/or a prominent notice on Our Service, prior to the change
becoming effective and update the "Last updated" date at the top of this Privacy Policy. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted
on the Website.
16. Contact Us
We have appointed a Data Protection/Privacy Officer to oversee compliance with data protection laws. If You have any questions, concerns, or requests regarding this Privacy Policy or Your personal information, please contact:
Privacy Officer
Nerve Strategic Inc.
7 Abbs Street, Toronto, Ontario, Canada M6K 1M5
Email: privacy@nervestrategic.com
Phone: (437) 344-3702
Appendix A
General Overview: Basic Requirements and Obligations for Compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
The official Act can be found here: https://laws-lois.justice.gc.ca/eng/acts/p-8.6/FullText.html. The general requirements and obligations (unofficially) are based on the following Principles:
1. Accountability
Reference: Schedule 1, Principle 1
Organizations are responsible for personal information under their control and must designate an individual (often a Privacy Officer) to ensure compliance with PIPEDA.
- Must implement policies and procedures to protect personal information.
- Must train staff and communicate policies to third parties.
2. Identifying Purposes
Reference: Schedule 1, Principle 2
Organizations must identify the purposes for which personal information is collected at or before the time of collection.
- Purposes must be documented and communicated to the individual.
- New purposes require additional consent.
3. Consent
Reference: Schedule 1, Principle 3; Section 6.1
Knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
- Consent must be meaningful (i.e., informed and voluntary).
- Can be express or implied, depending on the sensitivity of the information.
4. Limiting Collection
Reference: Schedule 1, Principle 4
Organizations must limit the collection of personal information to what is necessary for the identified purposes.
- Collection must be fair and lawful.
- Must not collect information indiscriminately.
5. Limiting Use, Disclosure, and Retention
Reference: Schedule 1, Principle 5
Personal information must not be used or disclosed for purposes other than those for which it was collected, except with consent or as required by law.
- Must retain information only as long as necessary to fulfill the purpose.
- Must develop guidelines and implement procedures for retention and destruction.
6. Accuracy
Reference: Schedule 1, Principle 6
Personal information must be as accurate, complete, and up to date as necessary for the purposes for which it is to be used.
- Especially important when decisions are made based on the information.
7. Safeguards
Reference: Schedule 1, Principle 7
Organizations must protect personal information with security safeguards appropriate to the sensitivity of the information.
- Includes physical, organizational, and technological measures.
- Employees must be aware of and trained in these safeguards.
8. Openness
Reference: Schedule 1, Principle 8
Organizations must make their policies and practices relating to the management of personal information readily available to individuals.
- Must include contact information, types of personal information held, and a general account of its use.
9. Individual Access
Reference: Schedule 1, Principle 9; Sections 8–9
Upon request, individuals must be informed of the existence, use, and disclosure of their personal information and be given access to that information.
- Individuals can challenge the accuracy and completeness of the information and have it amended as appropriate.
10. Challenging Compliance
Reference: Schedule 1, Principle 10
Individuals must be able to challenge an organization’s compliance with the above principles.
- Organizations must have procedures in place to receive and respond to complaints or inquiries.
Appendix B
General Overview: Basic Requirements and Obligations for Compliance with Europe’s General Data Protection Regulation (GDPR)
The official GDPR can be located here: https://gdpr-info.eu/. The general requirements and obligations (unofficially) include the following:
Lawful, Fair, and Transparent Processing (Article 5(1)(a))
Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
Purpose Limitation (Article 5(1)(b))
Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
Data Minimization (Article 5(1)(c))
Only collect data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy (Article 5(1)(d))
Ensure personal data is accurate and, where necessary, kept up to date. Inaccurate data must be erased or rectified without delay.
Storage Limitation (Article 5(1)(e))
Keep personal data in a form that permits identification of data subjects for no longer than is necessary.
Integrity and Confidentiality (Article 5(1)(f))
Process data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Accountability Principle (Article 5(2))
The controller is responsible for, and must be able to demonstrate, compliance with all the principles above.
Lawful Basis for Processing (Article 6)
Processing is lawful only if at least one of the following applies: Consent, Contractual necessity, Legal obligation, Vital interests, Public task, Legitimate interests.
Consent Requirements (Article 7)
Consent must be freely given, specific, informed, and unambiguous. It must be as easy to withdraw as to give.
Children’s Data (Article 8)
Parental consent is required for processing personal data of children under 16 (or lower age as defined by Member States, but not below 13).
Special Categories of Data (Article 9)
Processing of sensitive data (e.g., health, race, religion) is prohibited unless specific conditions are met (e.g., explicit consent, legal obligations).
Transparency and Information (Articles 12–14)
You must provide clear and accessible information to data subjects about how their data is used, including: Identity of the controller, Purpose of processing, Legal basis, Data retention, Rights of the data subject.
Data Subject Rights (Articles 15–22)
You must enable and respond to requests from individuals exercising their rights: Right of access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making.
Data Protection by Design and by Default (Article 25)
Implement appropriate technical and organizational measures to ensure data protection principles are integrated into processing activities.
Processor Obligations and Contracts (Article 28)
Ensure that data processors provide sufficient guarantees and that contracts include specific GDPR-mandated terms.
Records of Processing Activities (RoPA) (Article 30)
Maintain detailed records of processing activities, including purposes, categories of data, recipients, and security measures.
Security of Processing (Article 32)
Ensure a level of security appropriate to the risk, including encryption, confidentiality, integrity, availability, and resilience.
Data Breach Notification (Articles 33–34)
Notify the supervisory authority within 72 hours of becoming aware of a personal data breach. Notify affected individuals if the breach is likely to result in a high risk to their rights and freedoms.
Data Protection Impact Assessments (DPIAs) (Article 35)
Conduct DPIAs for processing likely to result in high risk to individuals’ rights and freedoms.
Designation of a Data Protection Officer (DPO) (Articles 37–39)
Appoint a DPO if you are a public authority, or your core activities require regular and systematic monitoring of data subjects on a large scale, or you process special categories of data on a large scale.
International Data Transfers (Articles 44–50)
Transfers of personal data outside the EU/EEA must be based on: Adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or Derogations for specific situations.
Appendix C
General Overview: Basic Requirements and Obligations for Compliance with the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA)
The official Act can be found here: https://oag.ca.gov/privacy/ccpa. The general requirements and obligations include (unofficially) the following:
1. Determine Applicability
*Reference:* Section 1798.140(d)
The CCPA/CPRA applies to for-profit entities doing business in California that meet one or more of the following thresholds:
- Annual gross revenue over $25 million
- Buy, sell, or share personal information of 100,000+ consumers or households
- Derive 50% or more of annual revenue from selling or sharing personal information
2. Consumer Rights
*Reference:* Sections 1798.110, 1798.115, 1798.105, 1798.106, 1798.120, 1798.135, 1798.121, 1798.125
Businesses must support and honor the following rights:
- Right to Know: Consumers can request categories and specific pieces of personal information collected, sources, purposes, and third parties.
- Right to Delete: Consumers can request deletion of their personal information, with exceptions.
- Right to Correct: Consumers can request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: Consumers can opt out of the sale or sharing of their personal information.
- Right to Limit Use of Sensitive Personal Information: Consumers can limit the use and disclosure of sensitive personal information.
- Right to Non-Discrimination: Businesses cannot discriminate against consumers for exercising their rights.
3. Privacy Policy Requirements
*Reference:* Section 1798.130(a)(5)
Your privacy policy must:
- Be updated at least once every 12 months
- Describe consumer rights and how to exercise them
- List categories of personal information collected, sold, or shared in the past 12 months
- Include a “Do Not Sell or Share My Personal Information” link if applicable
4. Notice at Collection
*Reference:* Section 1798.100(b)
At or before the point of collection, businesses must inform consumers:
- What categories of personal information are being collected
- The purposes for which they will be used
- Whether the information will be sold or shared
5. Data Minimization and Purpose Limitation
*Reference:* Section 1798.100(c)
Personal information must be collected only for specified purposes and retained only as long as necessary.
6. Security Safeguards
*Reference:* Section 1798.150(a)(1)
Businesses must implement reasonable security procedures and practices to protect personal information from unauthorized access, theft, or disclosure.
7. Contractual Obligations with Service Providers, Contractors, and Third Parties
*Reference:* Sections 1798.140(j), (ag), (ah)
Contracts must:
- Prohibit the sale or sharing of personal information
- Limit use to specified purposes
- Require compliance with CCPA/CPRA
- Include audit rights and subprocessor restrictions
8. Data Retention Disclosure
*Reference:* Section 1798.100(a)(3)
Businesses must disclose how long they retain each category of personal information or the criteria used to determine that period.
9. Training and Recordkeeping
*Reference:* Section 1798.130(a)(6)
Businesses must train employees handling consumer inquiries and maintain records of requests and responses for 24 months.
10. Automated Decision-Making and Profiling (Forthcoming)
*Reference:* Section 1798.185(a)(16)
The CPPA is developing regulations around consumer rights related to automated decision-making, including access and opt-out rights.
11. Annual Risk Assessments and Audits
*Reference:* Section 1798.185(a)(15)
Businesses engaged in high-risk processing must conduct regular privacy risk assessments and cybersecurity audits (regulations pending).
Personal Data Retention and Deletion Policy
1. Purpose
This policy outlines how Nerve Strategic Inc. (“Nerve”) manages the retention and deletion of personal information in compliance with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). It ensures that personal data is retained only as long as necessary for the fulfillment of identified purposes and is securely disposed of when no longer required.
2. Scope
This policy applies to all employees, contractors, and third-party service providers who collect, use, store, or process personal information on behalf of Nerve.
3. Legal Framework
This policy is governed by PIPEDA, specifically:
Principle 5: Limiting Use, Disclosure, and Retention
Clause 4.5.3: Personal information that is no longer required to fulfill the identified purposes should be destroyed, erased, or made anonymous.
Clause 4.7.5: Care shall be used in the disposal or destruction of personal information to prevent unauthorized access.
4. Retention Guidelines and Schedule
Personal information shall be retained only as long as necessary to fulfill the purposes for which it was collected, or as required by law. Retention periods are set out in the Table below in accordance with the applicable category
and purpose of collection for the specific personal information involved.
| Data Type | Purpose | Retention Period | Legal Basis/Notes |
| --- | --- | --- | --- |
| Customer Contact Info | Service delivery, support | 7 years | CRA audit requirements |
| Usage Data | Data analysis, Usage trends, determining service effectiveness | 3 years | Business service improvements |
| Job Applications | Recruitment | 2 years | Best practice for future opportunities |
| Email Communications | Business correspondence | 3 years | Operational necessity |
| Financial Records | Accounting, tax compliance | 7 years | Income Tax Act |
5. Deletion and Disposal Procedures
Once the retention period expires, personal information must either be:
- Securely destroyed (e.g., shredding paper documents, wiping electronic files) and erased from all systems and backups; or
- Anonymized, if continued use is necessary for statistical or analysis purposes.
Disposal methods must prevent unauthorized access or reconstruction of the data.
6. Roles and Responsibilities
Privacy Officer: Oversees compliance, updates the retention schedule, and ensures secure disposal.
IT Department: Ensures technical measures for secure deletion and backup management.
7. Data Subject Rights
Individuals have the right to request:
- Access to their personal information
- Correction of inaccuracies
- Deletion of their data when it is no longer required
Requests must be addressed within 30 days, in accordance with PIPEDA.
8. Training and Awareness
All staff must receive training on data retention and deletion practices as part of their onboarding and through annual refreshers.
9. Policy Review
This policy will be reviewed annually or when significant changes to legislation or business practices occur.