Last Updated: October 1, 2025

PIPEDA (Personal Information Protection and Electronic Documents Act)

• Applies to commercial activities across Canada
• Primary federal privacy law
• Administered by Privacy Commissioner of Canada

InitiumX compliance:

• PIPEDA as baseline
• Quebec Bill 64 standards for QC clients
• Provincial laws respected where applicable

Oversight Authority:

• Website: www.priv.gc.ca
• Role: Investigate complaints, enforce PIPEDA
• Powers: Audit, investigate, recommend, publish findings
• Complaints: Free of charge for individuals

InitiumX is responsible for:

• Personal information under our control
• Information transferred to third parties
• Designating Privacy Officer
• Implementing policies and procedures

Privacy Officer Contact:

• Email: privacy@initiumx.dev
• Role: Oversee PIPEDA compliance

We collect personal information only for:

• Service delivery and contract fulfillment
• Communication about projects
• Legal and regulatory compliance
• Business operations (invoicing, support)

Purposes identified:

• At or before time of collection
• In clear language
• With your understanding

Required for:

• Sensitive personal information
• Uses beyond original purpose
• Disclosure to third parties (non-agents)

How we obtain:

• Written agreements
• Click-through acceptance
• Email confirmation
• Verbal (documented)

May apply for:

• Reasonable purposes given context
• Non-sensitive information
• Existing business relationships

You can withdraw consent:

• At any time (subject to legal/contractual limits)
• Email: privacy@initiumx.dev
• Reasonable notice required
• We inform you of implications

We collect only information that is:

• Necessary for identified purposes
• Collected by fair and lawful means
• Not excessive for purposes

Methods of collection:

• Directly from you
• From your authorized representatives
• From publicly available sources (when appropriate)

Personal information used/disclosed only for:

• Purposes for which it was collected
• Purposes you subsequently consent to
• As required or permitted by law

Third-party disclosure:

• Service providers (with contracts)
• As required by law or court order
• With your consent

We retain personal information:

• Only as long as necessary for purposes
• To meet legal requirements (7 years for financial records)
• Securely destroyed after retention period

We ensure personal information is:

• Accurate, complete, and up-to-date
• Sufficient for purposes
• Updated when necessary

Your responsibility:

• Inform us of changes
• Verify accuracy periodically
• Request corrections

Security measures appropriate to sensitivity:

• Physical: Restricted access to offices/servers
• Organizational: Policies, training, NDAs
• Technological: Encryption, firewalls, access controls

Specific measures:

• TLS 1.3 for data in transit
• AES-256 for data at rest
• Multi-factor authentication
• Regular security audits

We make information available about:

• Policies and practices
• Types of personal information held
• How information is used
• How to access information

Where to find:

• Privacy Policy
• This document
• Upon request to privacy@initiumx.dev

You have the right to:

• Be informed of personal information we hold
• Access that information
• Challenge accuracy and completeness

How to request:

• Email: privacy@initiumx.dev
• Subject: “PIPEDA Access Request”
• Timeline: 30 days response

We provide:

• Information about existence, use, disclosure
• Access to the information
• Account of third parties to whom disclosed

Exceptions:

• Prohibitively costly to provide
• Threatens safety or security
• Contains references to other individuals
• Subject to legal privilege
• Generated in investigation of breach

Minimal fees may apply:

• Costs of photocopying
• Postage for mailing
• Preparation time (reasonable)

You can challenge:

• Compliance with PIPEDA principles
• Accuracy of information
• Denial of access request

How to challenge:

1. Contact Privacy Officer: privacy@initiumx.dev
2. Internal review: 30 days for response
3. Privacy Commissioner: If unsatisfied with response

Commissioner complaint:

• Email: info@priv.gc.ca
• Online: https://www.priv.gc.ca/en/report-a-concern/
• Timeline: Within 1 year of becoming aware of issue

Additional rights beyond PIPEDA:

• Right to data portability
• Right to de-indexing (online reputation)
• Enhanced consent requirements
• Mandatory privacy impact assessments (PIA)
• Mandatory incident registry

Required for:

• New technologies with privacy risks
• Communication of personal information outside Quebec
• Use for purposes not previously identified

InitiumX compliance:

• PIA conducted for Quebec client projects
• Documentation available upon request
• Regular review and updates

Enhanced breach notification:

• To CAI (Commission d’accès à l’information): As soon as possible
• To affected individuals: When risk of serious harm
• Incident registry: Mandatory log of all incidents

Stricter than PIPEDA:

• Lower threshold for notification
• Specific timelines and content requirements
• Penalties for non-compliance

Must be:

• Manifest (clear action)
• Free
• Informed
• Specific to purposes
• Given for limited time

Cannot be obtained:

• As condition of service (unless necessary)
• Bundled with other consents
• Through pre-checked boxes

When transferring personal information outside Canada:

• Inform individuals
• Obtain consent
• Use contractual or other means for comparable protection
• Ensure foreign provider provides same level of protection

InitiumX safeguards:

• Standard contractual clauses
• Encryption in transit and at rest
• Access controls
• Regular security audits
• Sub-processor agreements

We inform you of:

• Countries where data may be processed
• Purposes of transfer
• Safeguards in place
• Foreign legal requirements (FIPA compliance)

Under PIPEDA:

• Must inform about possibility of foreign government access
• Disclose legal frameworks that may apply (e.g., US CLOUD Act)
• Document requests and disclosures

Transparency commitment:

• Annual transparency report (if requests occur)
• Notification to affected individuals (when legally permitted)
• Challenge unlawful requests

For commercial electronic messages (CEMs):

• Express or implied consent required
• Identification information mandatory
• Unsubscribe mechanism required

InitiumX compliance:

• No unsolicited commercial messages
• Clear identification in all emails
• Easy one-click unsubscribe
• Honor opt-outs within 10 business days (usually within 24 hours)

Obtained via:

• Opt-in checkbox
• Verbal consent (documented)
• Paper form with signature

Valid until:

• Withdrawn by recipient
• No expiry for express consent

Exists when:

• Existing business relationship (2 years)
• Inquiry or application (6 months)
• Membership, donation, volunteer work (2 years)
• Business card exchange with relevant content

Expires after: Specified timeframes above

Must include:

• Clearly visible unsubscribe link
• Valid for 60 days after sending
• Processed within 10 business days
• No fee to unsubscribe
• No requirement to provide reasons

Our standard:

• Unsubscribe honored within 24 hours
• Confirmation email sent
• No further marketing emails
• Transactional emails may continue

Accepted for Canadian clients:

• Credit/debit cards (CAD or USD)
• Electronic funds transfer (EFT)
• Wire transfer
• PayPal (CAD or USD)
• Interac e-Transfer (for amounts < $3,000 CAD)
• Cheque (certified)

Tax collection:

• Currently: Not registered for GST/HST
• Services: Provided from outside Canada
• Client responsibility: Clients may owe GST/HST under reverse charge or self-assessment

If registration occurs:

• 30 days notice to clients
• GST/HST added to invoices
• Rates vary by province

For Canadian businesses:

• May require foreign supplier information
• InitiumX provides invoices for tax reporting
• Classified as non-resident supplier

Federal law considerations:

• Services available in English
• French available for Quebec clients upon request
• Key documents translated for bilingual clients

Quebec (Bill 101 / Charter of French Language):

• French version of contracts available
• French customer service for Quebec clients
• Website: Some content in French

Standard:

• English language contracts
• French version for Quebec upon request
• Bilingual invoices for Quebec

Precedence:

• English version controls (unless otherwise specified)
• French version for Quebec (when specified in contract)

Governing law:

• Honduras law for contract interpretation
• Canadian law for privacy and consumer protection
• Provincial law where applicable

Steps:

1. Negotiation: Direct discussion (30 days)
2. Mediation: Neutral third party (60 days)
3. Arbitration: Binding arbitration
4. Litigation: As last resort

Venue:

• Virtual arbitration preferred
• Canadian venue if litigation required
• Costs determined by arbitrator/court

For Ontario healthcare clients:

• Personal Health Information Protection Act applies
• Additional safeguards required
• Business associate equivalent agreement
• Enhanced security measures

For public sector clients:

• Provincial FIPPA laws apply
• Enhanced data residency requirements
• Additional contractual provisions
• Approval for cloud storage

• Email: canada@initiumx.dev
• Phone: +504 3253-6271
• Hours: Eastern Time business hours

• Email: privacy@initiumx.dev
• For: PIPEDA requests, privacy questions

• Email: quebec@initiumx.dev
• Langue: Français disponible

• Website: www.priv.gc.ca
• Phone: 1-800-282-1376
• Complaints: https://www.priv.gc.ca/en/report-a-concern/

• Website: www.cai.gouv.qc.ca
• Phone: 1-888-528-7741
• For: Quebec residents only

Canadian clients should review:

• Privacy Policy
• Data Processing Agreement
• Cookie Policy
• Terms of Service

Privacy Resources:

• PIPEDA Full Text: https://laws-lois.justice.gc.ca/eng/acts/P-8.6/
• OPC Guidance: https://www.priv.gc.ca/en/privacy-topics/
• CASL: https://fightspam.gc.ca/

Quebec:

• Bill 64: https://www.cai.gouv.qc.ca/
• CAI Guidance: https://www.cai.gouv.qc.ca/documents/

Last Updated: October 1, 2025 Version: 1.0 Next Review: January 2026

Canada Support: canada@initiumx.dev | Privacy: privacy@initiumx.dev