What is PIPEDA? The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal private-sector privacy law. It governs how organizations collect, use, and disclose personal information in the course of commercial activities. OmniDesk is fully subject to PIPEDA and this notice explains, principle by principle, how we comply.
Our core commitment: All personal information and business data processed through OmniDesk is stored exclusively on servers physically located in Canada. This means your data is protected by Canadian law at all times — not subject to US surveillance laws (CLOUD Act, FISA) or any foreign jurisdiction. This commitment is written into our Terms of Service as a contractual guarantee.
01 The Ten PIPEDA Principles — OmniDesk's Commitments
PIPEDA is built on ten fair information principles established in Schedule 1 of the Act. Here is how OmniDesk addresses each one:
[COMPANY LEGAL NAME] is responsible for all personal information under its control, including information transferred to third-party service providers for processing. We have designated a Privacy Officer responsible for our compliance with PIPEDA. Contact: [PRIVACY@OMNIDESK.CLOUD].
We identify the purposes for collecting personal information before or at the time of collection. OmniDesk collects personal information to: (a) create and manage your account; (b) deliver the OmniDesk platform; (c) process payments; (d) power OmniDesk AI features; (e) send transactional communications; (f) comply with Canadian legal obligations. No personal information is collected for undisclosed purposes.
We obtain your express consent at account creation for the collection and use of your personal information. Consent for optional communications (product updates, newsletters) is obtained separately and can be withdrawn at any time. For sensitive information, we always obtain express consent — we never rely on implied consent for sensitive data processing. You may withdraw consent at any time by contacting [PRIVACY@OMNIDESK.CLOUD], subject to legal and contractual restrictions.
We collect only the personal information necessary to fulfill the identified purposes. We do not collect: Social Insurance Numbers (SINs), government-issued ID numbers, health information, or any information unrelated to business operations. Collection is done by fair and lawful means.
Personal information is used only for the purposes for which it was collected. We do not sell, rent, or trade personal information to any third party. Disclosure to service providers (Stripe, Plaid, [hosting provider]) is limited to what is necessary for service delivery, governed by data processing agreements. Retention periods are defined in our Privacy Policy Section 7 — data is deleted when no longer needed.
Personal information must be as accurate, complete, and up-to-date as necessary for the purposes for which it is used. You can update your account information at any time from your profile settings. If you believe information we hold is inaccurate, contact [PRIVACY@OMNIDESK.CLOUD] and we will correct it within 30 days.
We protect personal information with security safeguards appropriate to its sensitivity, including: TLS 1.2+ encryption for all data in transit; AES-256 encryption for sensitive data at rest; role-based access controls; multi-factor authentication; regular security audits; and employee training on privacy obligations. Physical access to servers is restricted to authorized personnel at [DATACENTER PROVIDER] facilities in Canada.
Our privacy practices are publicly available and written in plain language. This PIPEDA Notice, our Privacy Policy, and our Terms of Service are accessible at omnidesk.cloud/legal without requiring an account. Questions about our privacy practices can be directed to [PRIVACY@OMNIDESK.CLOUD].
Upon written request, you have the right to: (a) be informed of the existence, use, and disclosure of your personal information; (b) receive access to that information; and (c) challenge its accuracy and completeness. Requests are responded to within 30 days. If access cannot be provided (e.g., due to legal privilege), we will explain why in writing. To submit an access request: [PRIVACY@OMNIDESK.CLOUD].
You may challenge our compliance with PIPEDA by contacting our Privacy Officer at [PRIVACY@OMNIDESK.CLOUD]. We will investigate and respond within 30 days. If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca or by phone at 1-800-282-1376.
02 Breach of Security Safeguards Regulations
Under PIPEDA's Breach of Security Safeguards Regulations (in force since November 2018), OmniDesk is required to:
- Report to the Office of the Privacy Commissioner of Canada any breach of security safeguards that creates a real risk of significant harm to an individual
- Notify affected individuals directly of breaches that create a real risk of significant harm
- Maintain records of all breaches of security safeguards for a minimum of 24 months
In the event of a reportable breach, OmniDesk will notify affected users as soon as feasible, and will notify the OPC without unreasonable delay, within a target of 72 hours of becoming aware of the breach.
03 Quebec Law 25 (Bill 64) — Additional Obligations
Quebec's Law 25 (An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information) introduced obligations beyond federal PIPEDA for businesses operating in or serving Quebec. OmniDesk's commitments for Quebec users include:
- Privacy by default: the highest level of privacy protection is applied by default, without any action required by the user
- Privacy impact assessments (PIAs): conducted before releasing new features that involve personal information processing
- Data portability: Quebec residents have the right to receive their personal information in a structured, commonly used technological format
- Right to de-indexation: Quebec residents may request that personal information collected from them be de-indexed or no longer accessible where it causes them harm
- French language: all consent requests, privacy notices, and communications to Quebec users are available in French, in compliance with Bill 96 (Charter of the French Language)
04 Cross-Border Data Transfers
OmniDesk does not transfer personal information outside of Canada. All infrastructure, processing, and storage occurs on Canadian soil. This is not merely a policy preference — it is a contractual obligation in our agreements with all infrastructure providers, and a term in our subscriber contracts.
The only exceptions are:
- Stripe: card payment processing. Stripe is PCI-DSS Level 1 certified. We do not transmit full card numbers to Stripe — tokenization occurs client-side. Stripe's processing infrastructure may operate outside Canada; however, OmniDesk does not send personal information to Stripe beyond what is technically required for payment processing.
- OmniDesk AI: AI inference may be processed by [AI MODEL PROVIDER] under a data processing agreement that prohibits retention, training, or disclosure of your data. We are actively evaluating Canadian-hosted AI inference alternatives.
05 Children Under 18
OmniDesk does not knowingly collect personal information from individuals under 18 years of age. OmniDesk is a business software platform intended exclusively for adults. If we become aware that personal information of a minor has been collected, it will be deleted immediately.
06 Changes to This Notice
This PIPEDA Notice may be updated to reflect changes in our practices or in applicable Canadian privacy law. Material updates will be communicated to users by email with at least 30 days' notice. The current version is always available at omnidesk.cloud/legal/pipeda.
External Oversight
Office of the Privacy Commissioner of Canada
30 Victoria Street, Gatineau, Quebec K1A 1H3
Toll-free: 1-800-282-1376
Web: priv.gc.ca
You have the right to file a complaint with the OPC at any time, without first contacting OmniDesk.