PIPEDA privacy policy
PIPEDA Privacy Policy: Vanwebdev LTD
This PIPEDA privacy policy explains how Vanwebdev LTD collects, uses, retains, and discloses operator data. The firm operates as a Canadian AI infrastructure consultancy.
Operator note
Vanwebdev LTD published this PIPEDA privacy policy as a starting point. The operator should ask counsel to review the document. Counsel review matters before any formal dispute or regulatory inquiry. This policy reflects federal law on the version date. Provincial regimes in Quebec, BC, Alberta, and the Atlantic provinces add further obligations. The relevant sections below note where provincial law binds a Canadian AI consulting firm.
Scope of this PIPEDA privacy policy
This PIPEDA privacy policy covers personal information that Vanwebdev LTD handles. The firm runs vanwebdev.ca. The firm delivers paid engagements. The policy governs site visits, contact form submissions, and scoping conversations. The policy also governs paid service engagements, product engagements, the Monthly Canadian Threat Brief subscription, and PivotToAI cohort communications.
This policy does NOT cover third-party platforms the operator chooses to use. Third-party platforms include Stripe for payments, Cal.com for scheduling, and cloud providers used during an engagement. Each platform publishes its own privacy policy. Operators who book a scoping call through Cal.com or pay through Stripe agree to those platforms’ terms separately.
Information we collect under this PIPEDA privacy policy
Vanwebdev LTD collects personal information in five categories. First, contact form submissions: the operator types a name, email address, optional company name, and a free-text message. Second, engagement intake: the operator shares stack details and infrastructure inventory under a written contract. Third, subscription data: the firm holds the operator’s name, email address, and billing address for the Monthly Canadian Threat Brief and PivotToAI subscriptions. Stripe handles all card data; the firm never stores card numbers.
The firm also collects two site-traffic categories. Fourth, anonymised analytics: the site uses privacy-respecting analytics with no third-party tracking cookies. The firm reviews aggregated page-view counts and referrer data only. Fifth, server logs: the web server records standard request logs with IP address, timestamp, request path, and response code. The server rotates logs every 90 days for security review.
Notably, Vanwebdev LTD deploys NO advertising trackers. The site sets no Facebook pixel. The site sets no Google Ads conversion tag. The site sets no LinkedIn Insight Tag. The site shows no programmatic cookie consent banner because the site runs no behavioural tracking. An operator visit to vanwebdev.ca feeds no downstream advertising graph.
How we use information collected under this PIPEDA privacy policy
Vanwebdev LTD uses collected personal information for four stated purposes only. First, the firm responds to inquiries from the contact form, the Monthly Canadian Threat Brief mailing list, or direct email. Second, the firm delivers paid service and product engagements within a written scope. Third, the firm sends subscription content to Monthly Canadian Threat Brief and PivotToAI subscribers. Fourth, the firm reviews aggregated anonymised analytics to improve site performance.
Importantly, Vanwebdev LTD uses information for NO secondary purpose. The firm sells no personal information. The firm rents no personal information. The firm licences no personal information to third parties. The firm feeds no operator data to any advertising graph. The firm builds no profiles for resale to data brokers. The firm does NOT use operator information to train AI systems offered to other operators. Engagement deliverables stay scoped to the engagement that produced them.
Lawful basis under this PIPEDA privacy policy
PIPEDA principle 3 governs consent. An organisation must obtain meaningful consent before collecting, using, or disclosing personal information. Vanwebdev LTD obtains consent at the point of collection. The contact form requires the operator to type a message and submit it knowingly. The Monthly Canadian Threat Brief signup requires an explicit form submission with a clear statement of what subscribers receive. Paid engagements run under a written contract that names the expected data flows.
PIPEDA principle 4 governs limiting collection. An organisation must limit collection to what the identified purposes need. Vanwebdev LTD collects only what answering an inquiry, delivering an engagement, fulfilling a subscription, or meeting a legal obligation requires.
PIPEDA principle 5 governs limiting use, disclosure, and retention. Personal information must serve only the purposes for which an organisation collected it. Organisations must not retain personal information longer than those purposes need. Vanwebdev LTD repurposes no information without first obtaining new consent. The firm retains personal information per the schedule in the retention section below.
Office of the Privacy Commissioner of Canada publishes the canonical PIPEDA overview; Justice Canada publishes the consolidated statute text.
Sharing and disclosure under this PIPEDA privacy policy
Vanwebdev LTD shares personal information with a short list of strictly necessary subprocessors. The firm discloses information only where law or contract requires. The firm uses Stripe for payment processing on subscription and product transactions. Stripe receives the operator’s name, email address, billing address, and card data. The firm uses Cal.com for scoping-call scheduling. Cal.com receives name, email, and time slot. The firm uses Hetzner Helsinki for web hosting. Hetzner Helsinki sees only the standard request traffic any cloud host sees.
Paid engagements may need Canadian-region cloud subprocessors. An engagement that contracts for sovereign data residency names the Canadian-region cloud provider in the written scope. The firm prefers Canadian regions of major cloud providers when the operator contracts for sovereign residency. Otherwise the firm follows the operator’s stack decisions.
Furthermore, Vanwebdev LTD sells no personal information. The firm licences no personal information to third parties. The firm discloses information to law enforcement only when a valid Canadian court order compels disclosure. Upon receiving a lawful order, the firm reviews the order’s scope. The firm narrows compliance to the minimum the order requires. The firm notifies the affected operator unless the order itself prohibits notification.
Retention schedule under this PIPEDA privacy policy
Vanwebdev LTD retains personal information per the schedule below. The firm retains marketing inquiries from the contact form for 24 months from the last operator-initiated contact. The firm then deletes the inquiry from production systems. The firm retains engagement records for the active engagement plus 12 months after closeout. Engagement records include stack details and infrastructure inventory shared under a written contract. Longer retention applies if the engagement contract specifies a longer term.
The firm retains billing records for 6 years from the close of the relevant tax year. The Canada Revenue Agency requires a 6-year retention floor for business tax records. The firm rotates server logs every 90 days. The firm retains aggregated analytics indefinitely in anonymised form.
Notably, the firm retains the Monthly Canadian Threat Brief mailing list and the PivotToAI cohort list for as long as the operator stays subscribed. An operator who unsubscribes drops off the active list at the next send cycle. The firm keeps an audit record of the unsubscribe event for 24 months for compliance review.
Canada Revenue Agency publishes records-retention guidance at canada.ca/keeping-records.
Operator rights under this PIPEDA privacy policy
PIPEDA principle 9 grants the operator a right of access. An operator may request a copy of personal information the firm holds about them. The operator may request correction of factual errors. The operator may challenge the accuracy of records the firm holds. Vanwebdev LTD answers access and correction requests within 30 days, as PIPEDA timing requires.
PIPEDA principle 3 grants the operator a right to withdraw consent. The right covers ongoing collection, use, or disclosure. Legal or contractual limits may apply. The operator may unsubscribe from marketing lists at any time. The unsubscribe link in any subscription email exercises this right. The operator may also email the address in the contact section below.
Notably, operators in Quebec hold additional rights under Quebec Law 25. The Commission d’acces a l’information administers Law 25. Operators in British Columbia hold additional rights under the BC Personal Information Protection Act. The Office of the Information and Privacy Commissioner for BC administers PIPA. Operators in Alberta and the Atlantic provinces hold rights under their respective provincial privacy regimes. An operator may file a complaint with the federal Office of the Privacy Commissioner of Canada. The operator may file with the relevant provincial commissioner additionally.
Quebec operators: Commission d’acces a l’information du Quebec. BC operators: Office of the Information and Privacy Commissioner for BC.
Security safeguards under this PIPEDA privacy policy
Vanwebdev LTD applies administrative, physical, and technical safeguards to personal information. Administrative safeguards include written access policies. Administrative safeguards include least-privilege role assignments. Administrative safeguards include onboarding and offboarding procedures for any contractor who handles operator data. Physical safeguards include lockable storage for printed engagement artefacts. Physical safeguards include locked-host workstations for personnel who handle operator data. Technical safeguards include HTTPS for all site traffic. Technical safeguards include encrypted database storage on the production host. Technical safeguards include a host firewall with restrictive default-deny rules. Technical safeguards include fail2ban on the SSH port. Technical safeguards include the Wordfence WAF on the WordPress surface.
Engagement-side technical safeguards align with ITSG-33 control selection where the operator’s stack supports the alignment. Engagements that contract for Protected B handling capability follow the documented ITSG-33 profile for the classification level. Engagements that contract for no specific classification inherit the firm’s default operator-grade security posture.
Notably, no security posture is absolute. The firm documents its incident response procedure in a separate internal runbook. Upon confirming a personal-information breach, the firm notifies affected operators. The firm notifies the federal Office of the Privacy Commissioner within the timing PIPEDA’s mandatory breach notification regulations require.
Cross-border transfers under this PIPEDA privacy policy
Vanwebdev LTD’s production web hosting runs on Hetzner Helsinki in Finland. Finland sits outside Canada. Contact form submissions transit through the Finnish-region web server. Subscription signups transit the same path. Operator messages then route to firm-side mailboxes or to subscriber lists the firm holds. Site analytics aggregates process on the same server.
Stripe payment processing transits the operator’s billing information through Stripe’s US-region infrastructure where Stripe’s architecture requires it. Cal.com scheduling transits operator name, email address, and selected time slot through Cal.com’s infrastructure. Cal.com may operate across multiple regions.
Paid engagements that contract for Canadian-region data residency scope to Canadian-region cloud subprocessors only. The written engagement contract names the Canadian region for processing and storage during the engagement. Operators who need strict Canadian residency for inquiry-stage interactions should contact Vanwebdev LTD by direct email to a Canadian-domiciled inbox. Operators who prefer the website form accept the Finnish-region transit path.
Changes to this PIPEDA privacy policy
Vanwebdev LTD updates this PIPEDA privacy policy when material changes warrant an update. Material changes include data handling, subprocessor list changes, or regulatory environment shifts. The firm date-stamps the version at the top of the document. The firm increments the version number for each material revision. Operators in active paid engagements receive an email notification when a material revision affects their engagement.
The firm reviews this policy at least annually to confirm alignment with PIPEDA. The annual review also confirms alignment with applicable provincial privacy regimes. The annual review confirms alignment with the firm’s current subprocessor list. The version date at the top of the document reflects the most recent review or revision.
How to exercise rights under this PIPEDA privacy policy
Operators may exercise rights under this PIPEDA privacy policy by emailing contact@vanwebdev.ca. The email should name the request type and the details the firm needs to locate records. Access requests should describe the personal information the operator wants. Correction requests should describe the factual error and the proposed correction. Withdrawal requests should name the consent being withdrawn. Vanwebdev LTD answers within 30 days, as PIPEDA requires.
Operators may file a complaint with the federal Office of the Privacy Commissioner of Canada if the firm has handled personal information improperly. The firm welcomes scoping calls to discuss data handling questions before an engagement begins. The firm prefers to surface data flow questions in writing during scoping. The firm prefers not to discover them mid-engagement.
Related pages: About, Contact, Terms, Intelligence Audit, Standing Engagement, Brief, Defend, Build.