© 2026 AtlasBrokers Inc. All rights reserved.
Privacy Impact Assessment

Assessment Date: March 8, 2026 | Version 1.0

Table of Contents

  1. Introduction
  2. Organization Overview
  3. Personal Information Inventory
  4. Data Flow Analysis
  5. Privacy Risk Assessment
  6. Automated Decision-Making
  7. Cross-Border Data Transfers
  8. Consent Management
  9. Data Retention & Disposal
  10. Security Measures
  11. Individual Rights
  12. Breach Response Plan
  13. Third-Party Risk Management
  14. Review & Updates
  15. Contact

Section 01

Introduction

This Privacy Impact Assessment (PIA) has been prepared in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's Act respecting the protection of personal information in the private sector, as amended by Bill 64 (Law 25). It evaluates the privacy risks associated with the collection, use, disclosure, and retention of personal information by AtlasBrokers.

  • Purpose — To systematically identify and mitigate privacy risks arising from our data processing activities, ensuring compliance with applicable Canadian privacy legislation.
  • Scope — This assessment covers all personal information processed through the AtlasBrokers platform, including the public-facing website (atlasbrokers.ca), broker dashboard, and all integrated third-party services.
  • Assessment Date — This PIA was conducted on March 8, 2026 and reflects the platform's data processing activities as of that date. It will be reviewed annually or upon material changes to processing activities.

Section 02

Organization Overview

AtlasBrokers is a Canadian insurance brokerage directory and comparison platform that connects consumers with licensed insurance brokers across all provinces and territories.

  • Legal Name — AtlasBrokers (operating as Atlas Brokers), headquartered in Fredericton, New Brunswick, Canada.
  • Nature of Operations — Online insurance brokerage directory, broker comparison, lead generation, and insurance education platform serving Canadian consumers and licensed brokers.
  • Jurisdictions — We operate across all 13 Canadian provinces and territories. Our platform is subject to PIPEDA at the federal level and substantially similar provincial legislation where applicable, including Quebec's Law 25.
  • Privacy Officer — The designated Privacy Officer is responsible for overseeing compliance with this PIA and all applicable privacy legislation. Contact: privacy@atlasbrokers.ca.

Section 03

Personal Information Inventory

AtlasBrokers collects and processes the following categories of personal information. Each category is collected only for specified, legitimate purposes and with appropriate legal basis under PIPEDA Principle 2 (Identifying Purposes) and Principle 3 (Consent).

  • Contact Information — Full name, email address, phone number, and mailing address. Collected for account creation, broker matching, quote requests, and communication. Legal basis: express consent at registration or form submission.
  • Insurance Details — Insurance type preferences, coverage requirements, policy details, claims history, and risk profile information. Collected to match users with appropriate brokers and provide personalized recommendations. Legal basis: express consent.
  • Financial Data — Payment card information (processed by Stripe; never stored on our servers), billing address, and transaction history. Collected for premium subscriptions and broker listing payments. Legal basis: contractual necessity and express consent.
  • Usage Data — Pages visited, search queries, broker interactions, comparison selections, session duration, and referral sources. Collected via PostHog analytics for platform improvement and personalization. Legal basis: implied consent with opt-out mechanism.
  • Device Information — IP address (anonymized after 30 days), browser type, operating system, device identifiers, and approximate geolocation (city-level). Collected for security, fraud prevention, and regional content delivery. Legal basis: legitimate interest and implied consent.

Section 04

Data Flow Analysis

Personal information flows through the following stages within the AtlasBrokers ecosystem. Each stage is governed by appropriate technical and organizational safeguards.

  • Collection — Data is collected via registration forms, quote request forms, broker contact forms, cookie consent preferences, and automated analytics tracking. All collection points display clear privacy notices.
  • Processing — Data is processed for broker matching algorithms, lead scoring, search ranking, personalization, analytics aggregation, and communication delivery. Processing occurs on Canadian-hosted infrastructure.
  • Storage — Primary data is stored in Neon PostgreSQL databases hosted in Canada. Data is encrypted at rest using AES-256 and in transit using TLS 1.3. Backups are encrypted and retained for 30 days.
  • Sharing — Personal information is shared with matched brokers (contact details only, with consent), payment processors (Stripe), email service providers (SendGrid), and analytics platforms (PostHog). All sharing is governed by Data Processing Agreements.
  • Deletion — Data is deleted upon user request, account closure, or expiry of retention periods. Deletion is propagated to all sub-processors within 30 days. Anonymized aggregate data may be retained indefinitely for statistical purposes.

Sub-Processors

  • Neon (Database) — PostgreSQL database hosting with servers located in Canada (ca-central-1). Stores all primary application data including user accounts, broker profiles, and reviews.
  • PostHog (Analytics) — Product analytics and session recording platform. Data may be processed in the US/EU. IP addresses are anonymized. Cookie consent required for non-essential tracking.
  • Stripe (Payments) — Payment processing platform based in the US. PCI DSS Level 1 certified. AtlasBrokers never stores raw payment card data; all card processing occurs within Stripe's secure environment.
  • SendGrid (Email) — Transactional and marketing email delivery service. Processes recipient email addresses and message content. Data Processing Agreement in place with standard contractual clauses.
  • Sentry (Error Monitoring) — Application error monitoring and performance tracking. May capture limited personal information in error logs (e.g., user IDs). Configured to scrub sensitive data before transmission.

Section 05

Privacy Risk Assessment

The following risk matrix evaluates key privacy risks using a likelihood-by-impact methodology. Each risk has been assessed and assigned mitigating controls to reduce residual risk to an acceptable level.

Risk | Likelihood | Impact | Risk Level | Mitigation
Unauthorized Access | Low | High | Medium | Multi-factor authentication, role-based access controls, encrypted vault for sensitive credentials, regular access audits, and session management.
Data Breach | Low | Critical | High | End-to-end encryption (AES-256 at rest, TLS 1.3 in transit), intrusion detection systems, 72-hour breach notification protocol, and incident response plan.
Cross-Border Transfer | Medium | Medium | Medium | Primary data stored in Canada. Cross-border transfers governed by contractual clauses, PIPEDA adequacy determinations, and data minimization for international sub-processors.
Excessive Collection | Low | Medium | Low | Data minimization by design, regular audits of collection points, purpose limitation enforcement, and privacy-by-default settings on all forms.
Insufficient Consent | Low | High | Medium | Granular consent management, clear and plain-language privacy notices, separate consent for each processing purpose, and easy withdrawal mechanisms.

Section 06

Automated Decision-Making

AtlasBrokers employs automated processing in several areas of the platform. In accordance with PIPEDA and Law 25 requirements, we ensure transparency and human oversight for all automated decisions that may significantly affect individuals.

  • AI-Powered Broker Matching — Our matching algorithms use insurance type, location, coverage needs, and broker ratings to suggest relevant brokers. These recommendations are informational and do not restrict user choices. Users may browse all brokers regardless of algorithmic suggestions.
  • Lead Scoring — Incoming quote requests are scored based on completeness, insurance type, and geographic factors to prioritize broker routing. Scoring does not determine eligibility for services and is subject to human review upon request.
  • Fraud Detection — Automated systems monitor for suspicious account activity, spam reviews, and fraudulent listings. Flagged accounts are reviewed by a human operator before any adverse action is taken.
  • Human Oversight — Individuals have the right to request human review of any automated decision. Requests can be submitted to privacy@atlasbrokers.ca and will be processed within 30 business days in accordance with PIPEDA timelines.

Section 07

Cross-Border Data Transfers

While AtlasBrokers stores primary data in Canada, certain sub-processors operate infrastructure outside of Canadian borders. We implement appropriate safeguards to ensure that all cross-border transfers provide a substantially similar level of protection as required by PIPEDA and Law 25.

  • Canadian Storage (Neon) — All primary application data, including user accounts, broker profiles, reviews, and transaction records, is stored on Neon PostgreSQL servers located in the AWS ca-central-1 region (Montreal, Canada).
  • Analytics (PostHog — US/EU) — Product analytics data may be processed in the United States or European Union. IP addresses are anonymized prior to transfer. A Data Processing Agreement with standard contractual clauses is in place.
  • Payments (Stripe — US) — Payment processing occurs on Stripe's infrastructure in the United States. Stripe is PCI DSS Level 1 certified and maintains contractual commitments for data protection. AtlasBrokers does not store raw payment card data.
  • Safeguards — All cross-border transfers are protected by Data Processing Agreements incorporating standard contractual clauses, encryption in transit (TLS 1.3), data minimization to limit transferred data, and regular compliance assessments of sub-processors.

Section 08

Consent Management

AtlasBrokers implements a comprehensive consent management framework in compliance with PIPEDA's meaningful consent requirements and Law 25's enhanced consent provisions.

  • Cookie Consent Banner — A granular cookie consent banner is displayed to all visitors on first visit, offering clear choices for essential, analytics, and marketing cookies. Default state is opt-out for non-essential cookies in compliance with Law 25.
  • Granular Preferences — Users can manage consent preferences at any time through the cookie settings panel accessible from the site footer. Separate consent is obtained for each processing purpose (analytics, marketing, broker data sharing).
  • Withdrawal Mechanisms — Consent may be withdrawn at any time via the cookie preferences panel, account privacy settings, or by contacting privacy@atlasbrokers.ca. Withdrawal is processed promptly and does not affect the lawfulness of prior processing.

Section 09

Data Retention & Disposal

AtlasBrokers retains personal information only as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our retention schedule is aligned with PIPEDA Principle 5 (Limiting Use, Disclosure, and Retention) and insurance industry regulatory requirements.

  • Insurance Records — Insurance-related records, including quote requests, broker correspondence, and policy referral data, are retained for a minimum of 7 years in compliance with provincial insurance regulations and limitation periods.
  • Automated Retention Policies — Automated data lifecycle management policies ensure that data is flagged for review and disposal upon reaching its retention limit. Analytics data is anonymized after 24 months. Inactive account data is purged after 36 months of inactivity following notification.
  • Secure Deletion — When personal information is no longer required, it is securely deleted using cryptographic erasure or overwriting methods. Deletion is propagated to all sub-processors and backups within 30 days. Deletion confirmation logs are maintained for audit purposes.

Section 10

Security Measures

AtlasBrokers implements technical and organizational security measures commensurate with the sensitivity of the personal information processed, in accordance with PIPEDA Principle 7 (Safeguards).

  • Encryption — All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3. Database connections use certificate-pinned SSL. Backup data is encrypted with separate key management.
  • Multi-Factor Authentication — Two-factor authentication (2FA) is required for all broker dashboard access, administrative accounts, and any operations involving personal information export or bulk access.
  • Role-Based Access Control — Access to personal information is restricted on a need-to-know basis through role-based access control (RBAC). Administrative privileges are subject to regular review and least-privilege principles.
  • Audit Logging — All access to personal information is logged with timestamps, user identifiers, and action details. Audit logs are immutable and retained for 24 months for compliance and incident investigation purposes.
  • Encrypted Vault — Highly sensitive credentials, API keys, and encryption keys are stored in an encrypted vault with hardware-backed key management. Access to the vault requires multi-party authorization.

Section 11

Individual Rights

AtlasBrokers respects and facilitates the exercise of individual privacy rights as provided under PIPEDA and Quebec's Law 25. All requests are processed free of charge within 30 business days.

  • Right of Access — Individuals may request access to all personal information held about them. We provide information in a clear, understandable format and disclose the sources, purposes, and any third parties to whom data has been disclosed.
  • Right of Correction — Individuals may request correction of inaccurate or incomplete personal information. Corrections are propagated to all systems and any third parties to whom the data was previously disclosed.
  • Right of Deletion — Individuals may request deletion of their personal information, subject to legal retention obligations (e.g., 7-year insurance record minimum). Upon request, we delete all non-required data and anonymize any data subject to retention holds.
  • Right of Portability — Under Law 25, individuals may request their personal information in a structured, commonly used, and machine-readable format (JSON or CSV). Portability requests are fulfilled within 30 business days.
  • Right to Complain — Individuals who are dissatisfied with our handling of their personal information may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) or the Commission d'accès à l'information du Québec (CAI).

Section 12

Breach Response Plan

AtlasBrokers maintains a comprehensive breach response plan to detect, assess, contain, and report privacy breaches in accordance with PIPEDA's mandatory breach reporting requirements and Law 25's enhanced notification obligations.

  • Detection — Automated monitoring systems, intrusion detection, and anomaly alerts enable rapid identification of potential breaches. Employees are trained to recognize and report suspected incidents immediately.
  • Assessment — Upon detection, the Privacy Officer conducts an immediate assessment to determine the scope, nature of affected data, number of individuals impacted, and whether the breach creates a real risk of significant harm.
  • Notification — Where a breach poses a real risk of significant harm: the OPC is notified as soon as feasible (PIPEDA), the Commission d’accès à l’information (CAI) is notified within 72 hours (Quebec Law 25), and affected individuals are notified within 30 days with details of the breach and recommended protective measures.
  • Remediation — Immediate containment measures are implemented, followed by root cause analysis, system hardening, and process improvements to prevent recurrence. Affected individuals are offered appropriate support such as credit monitoring where applicable.
  • Record-Keeping — A register of all privacy breaches is maintained for a minimum of 5 years, including details of the incident, assessment results, notifications issued, and remediation actions taken. This register is available for inspection by the OPC and CAI.

Section 13

Third-Party Risk Management

AtlasBrokers ensures that all third parties processing personal information on our behalf maintain appropriate privacy and security standards through a structured risk management program.

  • Sub-Processor Vetting — All prospective sub-processors undergo a privacy and security assessment prior to engagement. This includes review of their privacy policies, security certifications (SOC 2, ISO 27001, PCI DSS), data residency, and breach history.
  • Data Processing Agreements — Binding Data Processing Agreements (DPAs) are executed with all sub-processors, incorporating mandatory clauses for data protection, breach notification, audit rights, sub-processor restrictions, and data return/deletion upon termination.
  • Ongoing Monitoring — Sub-processors are subject to annual compliance reviews, including verification of security certifications, assessment of any material changes to processing activities, and evaluation of breach incident history. Non-compliant processors are remediated or replaced.

Section 14

Review & Updates

This Privacy Impact Assessment is a living document subject to regular review and updates to reflect changes in processing activities, technology, and regulatory requirements.

  • Annual Review Cycle — This PIA is reviewed at minimum annually by the Privacy Officer and relevant stakeholders. The next scheduled review is March 2027.
  • Trigger Events — A re-assessment is triggered by: introduction of new data processing activities, changes to sub-processors, material changes to the platform architecture, regulatory amendments, privacy breaches, or complaints indicating systemic issues.
  • Version History — Version 1.0 (March 8, 2026) — Initial Privacy Impact Assessment. All previous versions are archived and available upon request to the Privacy Officer.

Section 15

Contact

For questions about this Privacy Impact Assessment, to exercise your privacy rights, or to file a complaint, please contact us using the information below.

Privacy Officer

Email: privacy@atlasbrokers.ca

Organization: AtlasBrokers

Address: Fredericton, New Brunswick, Canada

Office of the Privacy Commissioner of Canada (OPC)

If you are not satisfied with our response to your privacy concern, you may file a complaint with the OPC at www.priv.gc.ca or by calling 1-800-282-1376.

Commission d'accès à l'information du Québec (CAI)

Quebec residents may file a complaint with the CAI at www.cai.gouv.qc.ca or by calling 1-888-528-7741.