Personal Information Protection and Electronic Documents Act (PIPEDA)
Document version 1.0
Purpose of the Policy
How Apexitude Applies The Ten Principles of PIPEDA
Accountability: Apexitude is accountable for the protection of the personal information collected, used, retained and disclosed during the course of commercial activities; and requires a comparable level of protection of this information from its thrid party relations.
Apexitude has a Chief Privacy Officer who has overall responsibility for the protection of personal information and for Apexitude’s compliance with this policy.
Identifying Purposes: Personal Information is any information that would identify an individual directly, or indirectily in combination with data from other sources. Apexitude may collect Personal Information from customers including:
- Name, email address, phone number, shipping and billing addresses, and payment information;
- Areas of the Sites a customer visits, transaction types a customer engages in, content a customer views, IP address, data downloaded or submitted by a customer, as well as the type, frequency and price of the goods or services the customer asks to exchange;
Consent: Apexitude must obtain the Individual’s express or implied consent when we collect, use or disclose your Personal Information.
If you use the Sites, or conduct a transaction through the Sites where Personal Information is essential, your consent is implied to collect and use to facilitate that use or complete the transaction requested or initiated by you only.
Examples of instances in which Personal Information may be collected by Apexitude are, without limitation:
- When you access and navigate a Site, or engage in communication and/or business transactions with Apexitude;
- If you knowingly submit Personal Information through a Site for the purpose of registering for a service, downloading content, participating in a contest or authentication.
In these cases, we may collect data such as, but not restricted to: areas of the Sites you visit, transaction types you engage in or request, content you view, your IP address, data downloaded or submitted by you, payment infromation you provide, shipping and billing information entered by you, as well as the nature, quantity and price of the goods or services you exchange and the individuals with whom you communicate or transact with while using the services.
Should Apexitude request Personal Information for scenarios outside of what is outlined above such as questionnaires, surveys, and profile data, it will include a specific consent request. Apexitude will advise that it is the individual’s right to refuse permission for Apexitude to use Personal Information for any new purposes.
Limiting Collection: Apexitude limits the amount and type of Personal Information it collects to that which is necessary for the business and as permitted by law. After which, Personal Information in our possession or control will be de-personalized or securely destroyed.
Limiting Use, Disclosure and Retention: Personal Information may be used only for the purposes identified and must not be disclosed to third parties unless the Individual consents to the alternative use or disclosure.
Personal Information Use: Apexitude may use collected Personal Information for such purposes as:
- Helping to establish and verify the identity of users, and to keep user accounts secure,
- Opening, maintaining, and administering user accounts or memberships;
- Providing Services and support to users;
- Improve the Sites, including tailoring websites to users’ preferences;
- Giving users product or Service updates, promotional notices, offers and information about Apexitude;
- To send surveys in connection with our Services with the exception of marketing material, in which case Apexitude will seek explicit consent to email you;
- Corresponding with customers and respond to questions, inquiries, comments and instructions;
- Maintaining the security and integrity of Apexitude’s systems; and
- Complying with applicable laws.
Exceptions to the Consent Policy as per PIPEDA
Apexitude may collect personal information without the individual’s knowledge or consent only:
- if it is clearly in the individual’s interests and consent is not available in a timely way;
- if knowledge and consent would compromise the availability or accuracy of the information and collection is required to investigate a breach of an agreement or contravention of a federal or provincial law;
- for journalistic, artistic or literary purposes;
- if it is publicly available as specified in the regulations;
- when it is contained in a witness statement and the collection is necessary to assess, process, or settle an insurance claim;
- where it is produced by individuals in the course of their employment, business or profession–as long as the collection is consistent with the purpose for which the information was produced;
- when an individual is employed by a federal work, undertaking or business and the collection is necessary to establish, manage or terminate an employment relationship. The employer must, however, inform individuals in advance that their personal information could be collected for such purposes.
Apexitude may use personal information without the individual’s knowledge or consent only:
- if the organization has reasonable grounds to believe the information could be useful when investigating a contravention of a federal, provincial or foreign law and the information is used for that investigation;
- for an emergency that threatens an individual’s life, health or security;
- for statistical or scholarly study or research (the organization must notify the Privacy Commissioner of Canada before using the information);
- if it is publicly available as specified in the regulations;
- if the use is clearly in the individual’s interest and consent is not available in a timely way;
- when it is contained in a witness statement, and the use is necessary to assess, process, or settle an insurance claim;
- where it is produced by individuals in the course of their employment, business or profession–as long as the use is consistent with the purpose for which the information was produced;
- if knowledge and consent would compromise the availability or accuracy of the information and collection was required to investigate a breach of an agreement or contravention of a federal or provincial law; or
- when the organization is a federal work, undertaking or business and the use is necessary to establish, manage or terminate an employment relationship. The organization must, however, inform individuals in advance that their personal information could be used for such purposes.
Apexitude may disclose personal information without the individual’s knowledge or consent only:
- to a lawyer representing the organization;
- to collect a debt the individual owes to the organization;
- to comply with a subpoena, a warrant or an order made by a court or other body with appropriate jurisdiction;
- to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) as required by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act;
- to a government institution that has requested the information, identified its lawful authority to obtain the information, and indicates that disclosure is for the purpose of enforcing, carrying out an investigation, or gathering intelligence relating to any federal, provincial or foreign law; or suspects that the information relates to national 17 security, the defence of Canada or the conduct of international affairs; or is for the purpose of administering any federal or provincial law;
- to a government institution or an individual’s next of kin or authorized representative when there are reasonable grounds to believe that the individual has been, is or may be the victim of financial abuse. Organizations however may make such a disclosure only for the purpose of preventing or investigating the abuse, and only if it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent or investigate the abuse;
- to another organization in instances where it is reasonable for the purposes of:
- investigating a breach of an agreement or contravention of a federal or provincial law that has been, is being or is about to be committed; or
- detecting or suppressing or preventing fraud that is likely to be committed. (However, it must be reasonable to expect that disclosure with the knowledge or consent of an individual would compromise the investigation of a law or agreement being broken or the ability to prevent, detect or suppress the fraud.)
- in connection with a business transaction (for example, the sale or merger of a business, or the lease of a company’s assets), provided certain conditions are met to, among other things, protect the information and limit its use;
- when it is contained in a witness statement, and the disclosure is necessary to assess, process, or settle an insurance claim;
- where it is produced by individuals in the course of their employment, business or profession–as long as the disclosure is consistent with the purpose for which the information was produced;
- when the organization is a federal work, undertaking or business (FWUB, such as telecommunications and broadcasting companies, airlines and banks) and disclosure is necessary to establish, manage or terminate an employment relationship. The organization must, however, inform individuals in advance that their personal information could be disclosed for such purposes;
- in an emergency threatening an individual’s life, health, or security (the organization must inform the individual of the disclosure);
- to a government institution, individuals’ next of kin, or authorized representative if necessary to identify an individual who is injured, ill or deceased (and if alive, the individual has to be informed in writing that the disclosure took place);
- for statistical, scholarly study or research (the organization must notify the Privacy Commissioner before disclosing the information); to an archival institution;
- 20 years after the individual’s death or 100 years after the record was created;
- if it is publicly available as specified in the regulations; or
- if required by law.
Accuracy: Apexitude will take all reasonable steps to ensure that all personal information will be kept accurate, complete and up to date. As appropriate, individuals may seek to have Personal Information about them updated for accuracy and completeness.
Although Apexitude does use appropriate security measures, no method of data transfer or storage on the internet is 100% secure and security risks cannot be eliminated entirely. Therefore, Apexitude cannot guarantee 100% security, integrity or confidentiality of Personal Information.
In the event that the security of your Personal Information, in the possession of Apexitude, is compromised, we will initiate a security incident response protocol. In the event of a data breach or security event involving Sites or Services, Apexitude will respond in an appropriate manner to contain, assess and communicate the breach or incident. If notification is deemed appropriate or required, Apexitude will notify individuals by email, or by other appropriate means within 72 hours.
A cookie is a piece of software that can be sent by a web server to an individual’s computer or device, which may be stored by the web browser on that computer or device. Cookies allow Apextiude to recognize the computer while the individual is on our Sites and can customize the user experience and make it more convenient. Cookies are useful in that they allow for a more efficient log-in, tracking transaction histories, and preserving information between visits. The information collected from cookies can also be used to improve the Sites’ functionality.
Most web browsers have features that can notify you when you receive a cookie or prevent cookies from being sent. If you disable cookies, however, you may not be able to use certain personalized functions of our Sites.
Individual Access: Any customer of Apexitude can have access to the Personal Information about them that we have in our possession or control. As stated above, individuals may seek to have Personal Information about them updated for accuracy and completeness, as appropriate.
Customers can make their requests by email firstname.lastname@example.org. Response to an individual’s request will be made in a timely manner.