Privacy Policy
Privacy at a Glance
thrc-accreditation is committed to protecting your personal information in compliance with Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's Law 25.
- We collect only the information necessary to provide accreditation services
- Your data is stored exclusively in Canada
- You have the right to access, correct, and request deletion of your information
- We obtain your explicit consent before collecting or using your personal information
- Contact our Privacy Officer at privacy@example.com
Last Updated: December 21, 2025
1. Accountability
thrc-accreditation has designated a Privacy Officer who is responsible for our compliance with PIPEDA and Quebec Law 25.
2. Purposes for Collection
We collect personal information for the following specific purposes:
- Account Management: To create and manage your organization's account and user profiles
- Accreditation Processing: To evaluate, process, and manage accreditation applications
- Communication: To send notifications about your application status, renewals, and important updates
- Payment Processing: To process application fees and related financial transactions
- Certificate Issuance: To generate and provide accreditation certificates
- Compliance and Legal: To meet legal and regulatory requirements
- Service Improvement: To improve our services and user experience (with your consent)
We will not use your personal information for purposes other than those identified without obtaining your consent.
3. Consent
We obtain your meaningful consent before collecting, using, or disclosing your personal information. Your consent may be express or implied depending on the sensitivity of the information and reasonable expectations.
Express Consent Required For:
- Sensitive personal information
- Marketing communications
- Analytics and profiling (Quebec Law 25 requirement)
- Non-essential cookies and tracking
Your Consent Rights:
- You can withdraw consent at any time, subject to legal or contractual restrictions
- Withdrawing consent may limit our ability to provide certain services
- We will inform you of the implications before you withdraw consent
Quebec Residents (Law 25):
In accordance with Quebec's Law 25, we apply privacy-by-default principles. Non-essential processing activities (such as analytics and marketing) require your explicit opt-in consent.
4. Limiting Collection
We collect only the personal information that is necessary for the identified purposes. The types of information we collect include:
- Contact Information: Name, email address, phone number, mailing address
- Organization Information: Organization name, registration details, business contact information
- Application Data: Information submitted in accreditation applications and supporting documents
- Account Credentials: Username, encrypted password
- Payment Information: Billing details (processed through secure third-party payment processors)
- Technical Information: IP address, browser type, device information (with consent for analytics)
5. Limiting Use, Disclosure, and Retention
Use and Disclosure:
We use and disclose personal information only for the purposes for which it was collected, except with your consent or as required by law.
Third-Party Sharing:
We may share your information with:
- Service Providers: Third-party processors who assist in providing our services (see our Subprocessors List)
- Legal Requirements: Government authorities when required by law
- Business Transfers: In the event of a merger, acquisition, or sale of assets (with notice to you)
Retention:
We retain personal information only as long as necessary to fulfill the purposes for which it was collected, or as required by law. Our retention periods include:
- Active Accounts: Duration of account plus applicable legal retention periods
- Application Records: As required by accreditation standards and legal obligations
- Financial Records: As required by tax and financial regulations
- Inactive Accounts: Deleted or anonymized after a defined period of inactivity
6. Accuracy
We take reasonable steps to ensure that personal information we collect and use is accurate, complete, and up to date. You can help us maintain accuracy by:
- Updating your profile information when it changes
- Notifying us of any errors or outdated information
- Requesting corrections through your account or by contacting our Privacy Officer
7. Safeguards
We implement physical, organizational, and technological safeguards to protect personal information against loss, theft, unauthorized access, disclosure, copying, use, or modification.
Our Security Measures Include:
- Encryption: Data in transit is protected using TLS/SSL encryption; sensitive data at rest is encrypted
- Access Controls: Role-based access controls and the principle of least privilege
- Authentication: Secure authentication mechanisms and password policies
- Monitoring: Security monitoring and audit logging
- Vendor Management: Security assessments of third-party service providers
- Incident Response: Documented procedures for detecting and responding to security incidents
Data Residency:
Production systems and backups are hosted in Canadian regions only. All personal information is stored in Canada.
8. Openness
We are transparent about our privacy practices. Information about our policies and practices is readily available through:
- This Privacy Policy
- Just-in-time notices at data collection points
- Our Subprocessors List
- Direct communication with our Privacy Officer
9. Individual Access and Rights
You have the right to access your personal information and to request corrections. Upon request, we will inform you of the existence, use, and disclosure of your personal information.
Your Privacy Rights:
- Right to Access: Request a copy of your personal information
- Right to Correction: Request corrections to inaccurate or incomplete information
- Right to Deletion: Request deletion of your personal information (subject to legal retention requirements)
- Right to Portability: Receive your personal information in a structured, machine-readable format (Quebec Law 25)
- Right to Object: Object to certain processing activities
- Right to Withdraw Consent: Withdraw previously given consent
How to Exercise Your Rights:
To exercise any of these rights, please contact our Privacy Officer at privacy@example.com. We will respond to your request within the timeframes required by law (typically 30 days under PIPEDA, or as specified under Quebec Law 25).
10. Challenging Compliance
If you have concerns about our compliance with this Privacy Policy or applicable privacy laws, please contact our Privacy Officer:
Privacy Officer
Email: privacy@example.com
We will investigate all complaints and respond within a reasonable timeframe. If you are not satisfied with our response, you have the right to file a complaint with:
- Office of the Privacy Commissioner of Canada (PIPEDA): www.priv.gc.ca
- Commission d'accès à l'information du Québec (Quebec Law 25): www.cai.gouv.qc.ca