PIPEDA Compliance

Last updated: March 1, 2026

Table of Contents

  1. What is PIPEDA?
  2. Compliance Matrix
  3. How We Comply
  4. Data Collection & Consent
  5. Data Processing & Retention
  6. Data Retention
  7. Your Rights
  8. Privacy Controls
  9. Audit Trail
  10. Third-Party Processors
  11. Third-Party Audits
  12. Breach Notification
  13. Province Compliance Checklist
  14. Regulatory Updates
  15. Privacy Officer

01

What is PIPEDA?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal privacy law that governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activities.

PIPEDA is built on 10 fair information principles:

  • Accountability — An organization is responsible for personal information under its control and shall designate an individual to be accountable for compliance.
  • Identifying Purposes — The purposes for which personal information is collected shall be identified at or before the time the information is collected.
  • Consent — The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information.
  • Limiting Collection — The collection of personal information shall be limited to that which is necessary for the purposes identified.
  • Limiting Use, Disclosure, and Retention — Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with consent or as required by law.
  • Accuracy — Personal information shall be as accurate, complete, and up-to-date as necessary for the purposes for which it is to be used.
  • Safeguards — Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
  • Openness — An organization shall make readily available specific information about its policies and practices relating to the management of personal information.
  • Individual Access — Upon request, an individual shall be informed of the existence, use, and disclosure of their personal information and shall be given access to that information.
  • Challenging Compliance — An individual shall be able to challenge an organization's compliance with the above principles by contacting the designated individual accountable.

02

Compliance Matrix

AtlasBrokers meets all applicable regulatory requirements for Canadian privacy, anti-spam, and insurance industry standards. Below is an overview of our compliance status.

| Regulation                | Status    | Scope                                                      |
|---------------------------|-----------|------------------------------------------------------------|
| PIPEDA                    | Compliant | Federal privacy law for commercial organizations           |
| CASL                      | Compliant | Anti-spam legislation for commercial electronic messages   |
| Quebec Law 25             | Compliant | Quebec privacy modernization law (all 3 phases)            |
| Alberta PIPA              | Compliant | Alberta private sector privacy legislation                 |
| BC PIPA                   | Compliant | British Columbia private sector privacy legislation        |
| Provincial Insurance Regs | Compliant | Insurance licensing and conduct across all provinces       |
| OSFI Guidelines           | Compliant | Federal guidelines for technology and cyber risk           |
| PCI DSS                   | Compliant | Payment card data security standards                       |

03

How We Comply

AtlasBrokers implements the following measures to comply with PIPEDA:

  • Informed Consent — We obtain clear, meaningful consent before collecting personal information. Consent is specific to the purposes identified and can be withdrawn at any time.
  • Purpose Limitation — We only collect information necessary to provide our services and clearly communicate how data will be used.
  • Data Minimization — We collect only the minimum amount of personal information required for each purpose.
  • Transparency — Our privacy practices are documented in our Privacy Policy and made easily accessible.
  • Accountability — We have designated a Privacy Officer responsible for PIPEDA compliance and handling privacy-related inquiries.

04

Data Collection & Consent

We collect the following categories of personal information with your consent:

  • Account Information — Name, email address, and authentication credentials collected during registration.
  • Workspace Data — Business data including contacts, leads, campaigns, and documents stored within your workspace.
  • Payment Information — Billing details processed securely through Stripe. We do not store credit card numbers.
  • Usage Data — Anonymized analytics data including page views, feature usage, and session duration.
  • Communications — Emails and support requests you send to us, used to respond to your inquiries.

05

Data Processing & Retention

We are transparent about how we handle your data throughout its entire lifecycle, from collection to secure deletion.

| Data Category     | Processing Purpose                  | Retention Period                      | Deletion Method             |
|-------------------|-------------------------------------|---------------------------------------|-----------------------------|
| Account Data      | Service delivery and authentication | Account lifetime + 30 days            | Cryptographic erasure       |
| Broker Profiles   | Directory listings and search       | Active listing + 90 days              | Hard delete with audit log  |
| Reviews & Ratings | Community trust and transparency    | Indefinite (anonymized on deletion)   | Anonymization               |
| Usage Analytics   | Service improvement                 | 24 months (aggregated)                | Automated purge             |
| Payment Data      | Transaction processing              | 7 years (regulatory requirement)      | Secure wipe per PCI DSS     |
| Support Tickets   | Customer service                    | 3 years after resolution              | Hard delete                 |
| Server Logs       | Security monitoring                 | 90 days                               | Automated rotation          |

06

Data Retention

We retain personal information only as long as necessary:

  • Active Accounts — Data is retained for the duration of your account. You may request deletion at any time.
  • Post-Deletion — After account deletion, personal data is removed within 30 days. Encrypted backups are purged within 90 days.
  • Analytics Data — Anonymized usage analytics are retained for up to 24 months for product improvement.
  • Legal & Regulatory Obligations — Insurance-related records (policies, quotes, claims, and supporting documents) are retained for a minimum of 7 years in accordance with Canadian provincial insurance regulations. Other data may be retained longer to comply with legal, tax, or regulatory requirements.
  • Secure Disposal — When data is no longer needed, it is securely deleted using industry-standard methods.

07

Your Rights

Under PIPEDA, you have the following rights regarding your personal information:

  • Right of Access — You can request a copy of all personal information we hold about you.
  • Right of Correction — You can request correction of any inaccurate or incomplete personal information.
  • Right of Deletion — You can request deletion of your personal information, subject to legal retention requirements.
  • Right to Withdraw Consent — You can withdraw consent for data processing at any time, subject to legal or contractual restrictions.
  • Right to Data Portability — You can export your workspace data in standard formats (CSV, JSON) at any time.
  • Right to Challenge — You can challenge our compliance with PIPEDA by contacting our Privacy Officer or filing a complaint with the Office of the Privacy Commissioner of Canada.

08

Privacy Controls

We provide comprehensive self-service privacy controls so you can manage your personal information directly from your account dashboard.

Data Export

Export all your personal data in machine-readable formats (JSON, CSV). Available in your account settings. Requests fulfilled within 72 hours.

Data Deletion

Request complete deletion of your account and all associated data. Irreversible after 30-day grace period. Regulatory retention may apply.

Consent Management

Granular consent controls for marketing emails, analytics tracking, third-party sharing, and cookie preferences. Update anytime.

09

Audit Trail

Every access to personal data is logged with comprehensive audit trails, ensuring full accountability and transparency.

Audit Log Sample

DATA_ACCESS | 2026-03-07 14:32:01 EST
Read access for support ticket #T-2847
By: admin@atlasbrokers.ca | Resource: Broker Profile #4821

DATA_EXPORT | 2026-03-07 14:28:45 EST
User-initiated full data export (JSON)
By: user@example.com | Resource: Account Data Export

CONSENT_UPDATE | 2026-03-07 13:55:12 EST
Opted out of email marketing
By: user2@example.com | Resource: Marketing Preferences

DATA_DELETE | 2026-03-07 12:10:33 EST
Automated purge: 1,247 records older than 24 months
By: system | Resource: Expired Analytics Records

All audit logs are immutable, encrypted, and retained for a minimum of 7 years. Logs include: timestamp, actor identity, IP address, action type, affected resource, and outcome.

10

Third-Party Processors

We use third-party service providers to operate the Service. The following safeguards apply to all of them:

  • All third-party processors are contractually bound to protect your personal information.
  • Third-party access is limited to the minimum data necessary to provide their service.
  • We regularly review our third-party processors' security practices and compliance status.
  • Cross-border data transfers are conducted in accordance with PIPEDA requirements and relevant contractual safeguards.

11

Third-Party Audits

We plan to engage independent auditors to assess our security controls, privacy practices, and regulatory compliance on a regular basis.

SOC 2 Type II Audit

Planned

Firm: Independent CPA Firm

Frequency: Annual

Target: Q4 2026

Privacy Impact Assessment

Planned

Firm: External Privacy Consultants

Frequency: Annual + as needed

Target: Q3 2026

Penetration Test

Planned

Firm: Accredited Security Firm

Frequency: Periodic

Target: Q2 2026

Regulatory Compliance Review

Planned

Firm: Compliance Advisors

Frequency: Semi-annual

Target: Q3 2026

12

Breach Notification

In the event of a data breach, we follow the mandatory breach notification requirements under PIPEDA and Quebec Law 25 (Loi 25):

  • Risk Assessment — We assess every security incident to determine if there is a real risk of significant harm to individuals.
  • Commissioner Notification — If a breach poses a real risk of significant harm, we notify the Office of the Privacy Commissioner (OPC) as soon as feasible under PIPEDA. For Quebec residents, the Commission d’accès à l’information (CAI) is notified within 72 hours as required by Law 25.
  • Individual Notification — Affected individuals are notified within 30 days, with information about the breach, risks, and steps they can take to protect themselves.
  • Record Keeping — We maintain records of all breaches for a minimum of 24 months as required by PIPEDA.

13

Province Compliance Checklist

Select your province to generate a tailored compliance checklist for insurance brokers operating in your jurisdiction.


14

Regulatory Updates

Recent regulatory changes affecting insurance brokers in Canada. We continuously monitor and adapt to evolving compliance requirements.

Feb 2026 | High impact | Source: CAI Quebec

Quebec Law 25 - Phase 3 Now in Effect

Final phase of Quebec's privacy law mandates data portability rights and enhanced consent mechanisms for all organizations handling Quebec residents' data.

Jan 2026 | Medium impact | Source: OSFI

OSFI Guideline B-13: Technology and Cyber Risk Management

Updated guidelines requiring federally regulated insurers to maintain comprehensive cyber risk frameworks with board-level reporting.

Dec 2025 | High impact | Source: OPC

PIPEDA Amendment: Mandatory Breach Reporting Thresholds Updated

The Privacy Commissioner updated breach reporting thresholds and introduced new requirements for documenting breach response timelines.

Nov 2025 | Medium impact | Source: CCIR

CCIR Guidance on Digital Distribution of Insurance Products

New guidance from the Canadian Council of Insurance Regulators on requirements for online insurance brokerages and digital distribution channels.

Oct 2025 | Low impact | Source: CRTC

CASL Update: Enhanced Consent Requirements for Commercial Messages

CRTC issued updated guidance on implied vs. express consent for commercial electronic messages in the insurance sector.

15

Privacy Officer

For any privacy-related questions, concerns, or requests, please contact our Privacy Officer:

Privacy Officer: privacy@atlasbrokers.ca

General Inquiries: legal@atlasbrokers.ca

Company: AtlasBrokers Inc.

Location: Toronto, Ontario, Canada

You may also file a complaint directly with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca or by calling 1-800-282-1376.