Privacy Policy
Last updated: March 20, 2026 · Governed by PIPEDA and applicable Canadian provincial privacy laws
Our commitment: Your data stays in Canada. We store all data exclusively on Canadian servers, we never sell your information, and we only use your data to provide the services you signed up for. This policy explains exactly what we collect, why, and how you can control it.
1. Who We Are
SecureVault Technologies Inc. ("SecureVault", "we", "us", or "our") operates the SecureVault secure document management platform. We are a Canadian company based in Ottawa, Ontario, with servers located exclusively in Canada. Our Privacy Officer can be reached at privacy@securevault.ca.
This Privacy Policy applies to all personal information collected through the Platform, our website at securevault.ca, and any related services. It applies to registered users, trial users, visitors to our website, and end-clients of our subscribers.
2. PIPEDA Principles
We are committed to compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private-sector privacy law. As an Ontario-based company serving clients across Canada, we also adhere to Ontario's Personal Health Information Protection Act (PHIPA) in the context of health-related data, British Columbia's Personal Information Protection Act (PIPA), Alberta's Personal Information Protection Act (PIPA), and Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25) as applicable to residents of those provinces.
Our privacy practices are founded on the ten PIPEDA principles:
1. Accountability: We have designated a Privacy Officer responsible for our compliance.
2. Identifying Purposes: We identify why we collect personal information before or at the time of collection.
3. Consent: We obtain meaningful consent for collection, use, and disclosure.
4. Limiting Collection: We collect only what is necessary for the identified purposes.
5. Limiting Use: We use information only for the purposes for which it was collected.
6. Accuracy: We keep information as accurate, complete, and up-to-date as necessary.
7. Safeguards: We protect information with appropriate security measures.
8. Openness: We make our privacy policies and practices readily available.
9. Individual Access: You can access your personal information upon request.
10. Challenging Compliance: You can challenge our compliance with our Privacy Officer.
3. Information We Collect
| Category | Examples | How Collected |
| --- | --- | --- |
| Account information | Name, email address, password (hashed), phone number, professional title | Provided by you at registration |
| Billing information | Payment card details (tokenized by Stripe — we never store raw card numbers), billing address, invoice history | Provided at subscription signup |
| Document content | Files, documents, and any metadata you upload to the Platform | Uploaded by you |
| Usage data | Login timestamps, IP addresses, pages visited, files uploaded/downloaded, actions taken | Automatically collected |
| Device and technical data | Browser type and version, operating system, screen resolution, session identifiers | Automatically collected |
| Communications | Support emails, feedback, feature requests | Provided by you |
| Third-party signer data | Name and email of document signers you invite through the eSign feature | Provided by you |
We do not collect sensitive personal information such as health information, social insurance numbers, or government identification numbers through the Platform. If you choose to upload documents containing such information, that data is treated as Your Content under our Terms of Service and is protected by the same security measures.
4. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the services — authenticating your account, storing and retrieving your documents, processing payments, and enabling all Platform features
- Security and fraud prevention — monitoring for unauthorized access, scanning uploaded files for malware, maintaining audit logs
- Customer support — responding to your requests, troubleshooting issues, improving the Platform based on feedback
- Communications — sending account notifications, trial expiry reminders, invoices, security alerts, and service announcements. We do not send marketing emails without your explicit consent.
- Legal compliance — meeting our obligations under applicable Canadian laws, responding to lawful court orders or government requests
- Service improvement — aggregated, anonymized analytics to understand how the Platform is used and improve its features
We do not use your personal information or Your Content for advertising purposes, and we do not sell your data to any third party under any circumstances.
5. Sharing and Disclosure
We do not sell, rent, or trade your personal information. We share your information only in the following limited circumstances:
- Service providers: We use a small number of carefully selected Canadian and trusted international service providers to operate the Platform, including Stripe for payment processing and DigitalOcean/Wasabi for infrastructure. These providers access your data only as necessary to perform their services and are bound by confidentiality agreements and PIPEDA-compliant data processing terms.
- Legal requirements: We may disclose information when required by law, regulation, court order, or government request. Where legally permissible, we will notify you before complying with such a request.
- Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you at least 30 days in advance and ensure the acquirer is bound by privacy obligations at least as protective as this Policy.
- With your consent: We may share information for other purposes with your explicit prior consent.
We never share Your Content (the files and documents you upload) with any third party except as required by law or with your explicit instruction.
6. Data Location and Canadian Sovereignty
All data is stored in Canada. Our servers are located in Canadian data centres, operated from our base in Ottawa, Ontario. We do not transfer personal information or Your Content outside of Canada for storage or processing.
Payment processing is handled by Stripe, which may process transaction data internationally. Stripe is certified to PCI DSS Level 1 and operates under appropriate data transfer safeguards. Stripe does not store or process Your Content.
We understand that many of our clients — particularly law firms, healthcare providers, and financial advisors — have specific regulatory obligations regarding data residency. Our Canadian-only infrastructure is designed to support these obligations. If you require documentation of our data residency for regulatory purposes, please contact us.
7. Data Retention
We retain personal information only as long as necessary for the purposes described in this Policy:
- Active account data: Retained for the duration of your subscription plus 30 days following account closure
- Uploaded documents: Retained until you delete them, or for 30 days following account closure, whichever comes first
- Trial accounts (not converted): Account data and all uploaded files are deleted 10 days after trial expiry
- Billing records: Retained for 7 years as required by Canadian tax law
- Audit logs: Retained for 2 years, or longer if required by applicable professional regulations
- Legal holds: Data subject to a legal hold is retained for the duration of the hold, regardless of account status
- Backup data: Encrypted backups are retained for up to 90 days on a rolling basis
8. Security Measures
We implement technical and organizational measures to protect your personal information against unauthorized access, loss, alteration, or disclosure:
- AES-256 encryption for all data stored on our servers
- TLS 1.2 or higher for all data transmitted between your browser and our servers
- Bcrypt password hashing — we never store passwords in plain text
- ClamAV antivirus scanning of all uploaded files
- Role-based access controls limiting staff access to data on a need-to-know basis
- Comprehensive audit logging of all access to data
- Automated nightly encrypted backups stored in geographically separate Canadian locations
- Regular security reviews and penetration testing
9. Your Rights
Under PIPEDA and applicable provincial legislation, you have the following rights with respect to your personal information:
- Right of access: You have the right to request a copy of all personal information we hold about you.
- Right to correction: You may request correction of any inaccurate or incomplete personal information.
- Right to withdrawal of consent: You may withdraw consent to certain uses of your information at any time, subject to legal or contractual restrictions.
- Right to deletion: You may request deletion of your account and personal information. Deletion requests are processed within 30 days, except where retention is required by law.
- Right to portability: Residents of Quebec (under Law 25) and other provinces with applicable legislation may request their personal information in a structured, commonly used, and machine-readable format. We extend this right to all users upon request.
- Right to complain: If you believe your privacy rights have been violated, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca, or with the applicable provincial privacy commissioner in your province of residence.
To exercise any of these rights, contact our Privacy Officer at privacy@securevault.ca. We will respond within 30 days.
10. Cookies and Tracking
The Platform uses cookies and similar technologies to maintain your session, remember your preferences, and ensure the security of your account. We use the following types of cookies:
- Strictly necessary cookies: Required for the Platform to function — session authentication, CSRF protection. These cannot be disabled.
- Functional cookies: Remember your preferences such as view settings. These are set only after login.
We do not use advertising cookies, tracking pixels, or third-party analytics services on the logged-in Platform. Our marketing website (securevault.ca) may use basic analytics. We do not fingerprint your device or track you across other websites.
11. Professional and Client Data
Many of our users are regulated professionals (lawyers, accountants, healthcare providers, financial advisors) who upload client documents to the Platform. We understand that such documents may be subject to additional regulatory protections including solicitor-client privilege, professional secrecy, and sector-specific privacy legislation such as PHIPA, FINTRAC requirements, and OSFI guidelines.
As the data processor in these relationships, we:
- Only access client documents when technically required to deliver the service or when you explicitly request support
- Never use the content of client documents for any purpose other than storage and delivery
- Support legal hold and eDiscovery capabilities to assist with professional obligations
- Provide compliance reporting tools for PIPEDA, PHIPA, FINTRAC, and OSFI requirements
- Are available to execute data processing agreements (DPAs) for enterprise clients with specific regulatory requirements
12. Data Breach Notification
In the event of a breach of security safeguards involving your personal information that creates a real risk of significant harm to you, we will:
- Notify you directly by email as soon as feasible, and in any case within 72 hours of confirming the breach
- Report the breach to the Office of the Privacy Commissioner of Canada as required by PIPEDA's mandatory breach reporting provisions
- Maintain a record of the breach for a minimum of 24 months
- Take immediate steps to contain the breach and prevent further harm
13. Children's Privacy
The Platform is not directed at or intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a minor, please contact us immediately and we will delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by email at least 14 days before the changes take effect. The date of the most recent revision is indicated at the top of this page.
If any changes involve new uses or disclosures of your personal information, we will obtain your meaningful consent before implementing those changes, as required under PIPEDA and applicable provincial privacy laws.
For any privacy-related questions, requests, or complaints, please contact our designated Privacy Officer:
Privacy Officer
SecureVault Technologies Inc.
Ottawa, Ontario, Canada
Email: privacy@securevault.ca
Website: securevault.ca
We will acknowledge receipt of your request within 5 business days and respond fully within 30 days. If we require more time to respond, we will notify you of the delay and the reason.
If you are not satisfied with our response, you have the right to file a complaint with:
- Office of the Privacy Commissioner of Canada: priv.gc.ca · 1-800-282-1376
- Information and Privacy Commissioner of Ontario: ipc.on.ca (for Ontario residents or health information matters)
- Office of the Information and Privacy Commissioner for BC: oipc.bc.ca (for BC residents)
- Office of the Information and Privacy Commissioner of Alberta: oipc.ab.ca (for Alberta residents)
- Commission d'accès à l'information du Québec: cai.gouv.qc.ca (for Quebec residents)