PIPEDA compliance.
How Luna and Boréal Tech Solutions comply with the Personal Information Protection and Electronic Documents Act of Canada.
Our commitment
Boréal Tech Solutions, Inc. operates under Quebec jurisdiction and applies both Law 25 (provincial) and PIPEDA (federal). For customers outside Quebec, PIPEDA primarily applies, along with equivalent provincial laws (PIPA in Alberta and British Columbia).
The 10 principles
PIPEDA rests on 10 principles described in Schedule 1. Here is how we apply them:
1. Accountability
Boréal designates a person responsible for compliance (Paul Arnac, CEO) and maintains a register of all policies and procedures related to personal information.
2. Identifying purposes
Collection purposes are stated before or at the time of collection (privacy policy, contract, call introduction message).
3. Consent
Consent is required for collection, use and disclosure of information. It is given explicitly at contract signing (customer side) and presumed for callers after notification at the start of the call or via the customer's privacy policy.
4. Limiting collection
We only collect what is necessary for the service. No hidden collection, no incidental data not documented in the privacy policy.
5. Limiting use, disclosure and retention
Information is only used for stated purposes. No resale, no sharing for third-party marketing. Retention: 12 months by default for call data, 7 years for accounting data.
6. Accuracy
We offer a customer dashboard allowing autonomous correction. A correction request received by email is processed within 10 business days.
7. Safeguards
TLS 1.3 and AES-256 encryption, two-factor authentication, least-privilege access controls, annual security audits, annual team training.
8. Openness
Our policies are published on our website (privacy policy, Law 25 page, present PIPEDA page) and provided on request in an easily understandable format.
9. Individual access
Upon written request, we provide a copy of an individual's personal information within 30 days, free of charge. If a request is denied, we provide the reasons.
10. Challenging compliance
Any complaint can be addressed first to the responsible person at Boréal (privacy@borealtech.solutions), then to the Office of the Privacy Commissioner of Canada in case of non-resolution.
Breach notification
Pursuant to PIPEDA amendments in 2018, we notify the Commissioner and affected individuals in case of a security breach presenting a real risk of significant harm. Internal target: notification within 72 hours of detection.