Who we are and how to contact us

Legal entity: Senior Maple Marketing Ltd. (operating as Business Analysis Canada)

New Brunswick business number: 721480424NP0001

Registered address: 133 Prince William Street, Suite 801, Saint John, NB E2L 2B5, Canada

Website: https://business-analysis.ca

Privacy Officer: Privacy Officer, Business Analysis Canada

Email: office@business-analysis.ca

You may contact our Privacy Officer with any question, concern, or request regarding this Privacy Policy or your personal information.

Scope of this Policy

This Policy applies to personal information we collect:

• Through the Website (including forms, page interactions, and cookies).
• When you communicate with us by email or other electronic means.
• When you subscribe to our newsletter or other marketing communications.
• When you book or request a discovery call, consultation, or meeting with us.
• In the course of providing or proposing professional services to your organization.

This Policy does not apply to third-party websites, services, or platforms that may be linked from the Website. We encourage you to review the privacy policies of any third party before providing personal information to them.

Personal information we collect

We collect personal information in two ways: information you provide to us directly, and information we collect automatically when you use the Website.

Information you provide to us

• Contact form: full name, business email address, company name, phone number (optional), country, and the content of the message you send us.
• Newsletter subscription: name (optional) and business email address, processed through Kit (operated by ConvertKit LLC – see Section 6.1).
• Discovery call or meeting bookings: full name, business email address, company name, role/title, time-zone, scheduling information, and any details you choose to provide about your project, requirements, or organization.
• Correspondence: any personal information contained in messages you send to us by email or in attached documents.

Information collected automatically

When you visit the Website, we and our service providers automatically collect certain information through cookies, pixels, tags, and similar technologies. This may include:

• IP address and approximate location derived from it (typically city or region level).
• Device and browser information (device type, operating system, browser type and version, screen resolution, language).
• Usage information (pages visited, time spent, referring URL, clicks, scroll depth, session duration).
• Identifiers assigned by analytics or advertising tools (e.g., cookie IDs, pseudonymous user IDs).
• Search query data and impression data from search engines (when reported through Google Search Console or Bing Webmaster Tools).

More detail on the specific cookies and tracking technologies we use is provided in our Cookies Policy.

Information we do not collect

We do not knowingly collect: government-issued identification numbers, payment card data, financial account information, health information, biometric data, or sensitive categories of personal information through the Website. The Website does not host user accounts, client portals, paid downloads, blog comments, or e-commerce functionality.

We do not knowingly collect personal information from individuals under the age of 18. The Website is intended exclusively for business users.

Why we collect personal information (Purposes)

We collect and use personal information for the following purposes:

• To respond to inquiries submitted through the contact form or by email.
• To schedule and conduct discovery calls, consultations, and meetings.
• To prepare and deliver proposals, statements of work, and other pre-contractual or contractual communications.
• To deliver, administer, and support our professional services to client organizations.
• To send our newsletter and other commercial electronic messages, where you have given valid consent under Canada's Anti-Spam Legislation (CASL).
• To operate, maintain, secure, and improve the Website.
• To analyze and measure Website performance, traffic sources, and audience characteristics.
• To measure the performance of our marketing campaigns and adjust our advertising on third-party platforms.
• To comply with applicable legal, regulatory, accounting, and tax obligations, and to establish, exercise, or defend legal claims.

We will not use your personal information for purposes that are materially different from those listed above without first obtaining your consent or providing notice as required by law.

Legal basis, consent, and consent records

Under PIPEDA and Law 25, we generally rely on consent to collect, use, and disclose personal information.

• Express consent applies where you actively provide your information – for example, by submitting a form, subscribing to our newsletter, or booking a meeting.
• Implied consent may apply for activities that a reasonable person would expect in the context, such as using contact details you have provided to respond to your inquiry.
• Consent for non-essential cookies and tracking technologies is collected through our cookie consent banner before those technologies are activated.

You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawing consent may limit our ability to provide certain services or communications. To withdraw consent, contact our Privacy Officer using the details in Section 1.

Consent records and audit trail

To demonstrate that valid consent was obtained, in accordance with the accountability principle under PIPEDA and Quebec Law 25, we maintain consent records that capture, where applicable: a timestamp, the channel through which consent was given (form, banner, double opt-in email, etc.), the version of the policy in force, the categories or purposes consented to, and a pseudonymous identifier sufficient to associate the record with the relevant browser, device, or subscriber.

We retain consent records for a minimum of three (3) years from the date of the consent event, after which they are deleted or anonymized. This retention period applies to both cookie consent records (collected through our consent banner) and newsletter consent records (collected through Kit). The retention of the consent record is distinct from the lifetime of any individual cookie set on your device, which is governed by the durations listed in our Cookies Policy.

We will produce these records on request from a competent privacy regulator or in response to a verifiable request from the individual concerned.

How we share personal information

We do not sell your personal information. We disclose personal information only in the following circumstances:

Service providers and processors

We share personal information with the third parties listed below, only to the extent necessary for them to perform services on our behalf and under contractual terms requiring them to safeguard personal information. We have entered into, or are subject to, written data processing agreements (DPAs) with each named processor.

Website hosting and content management – Webflow, Inc. (398 11th Street, 2nd Floor, San Francisco, CA 94103, United States). Governed by the Webflow Customer Terms of Service and Data Processing Addendum.

Newsletter and email delivery – Kit, operated by ConvertKit LLC (P.O. Box 761, Boise, Idaho 83701, United States). Governed by the Kit Terms of Service and the Kit Data Processing Addendum (kit.com/dpa), which incorporates Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA). ConvertKit LLC is self-certified to the EU-U.S. Data Privacy Framework, the UK extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

Analytics and measurement – Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, United States) for Google Analytics 4, Google Search Console, and Google Tag Manager; and Microsoft Corporation (One Microsoft Way, Redmond, WA 98052, United States) for Bing Webmaster Tools. Governed by the Google Analytics / Google Ads Data Processing Terms and the Microsoft Online Services Data Protection Addendum.

Advertising and marketing measurement – Google LLC (Google Ads), Meta Platforms, Inc. (1 Hacker Way, Menlo Park, CA 94025, United States; Meta Pixel), and LinkedIn Corporation (1000 W. Maude Avenue, Sunnyvale, CA 94085, United States; LinkedIn Insight Tag). Governed by the respective platforms' advertiser data processing terms.

Cookie consent management – FlowAppz (flowappz.com). The vendor's registered legal entity, jurisdiction, and the Data Processing Agreement governing this relationship are under confirmation with the vendor; see Cookies Policy, Section 8. This Policy will be updated to reflect the final position.

Professional advisors – legal counsel, accountants, and auditors, where access to personal information is required for the services they provide to us, under professional duties of confidentiality.

Where we introduce additional categories of processor (for example, a meeting-scheduling or video-conferencing tool), we will update this Section 6.1 with the processor's name, jurisdiction, and DPA status before activating the tool, and – where required by applicable law – obtain fresh consent.

Affiliates and successors

We may disclose personal information to our affiliates, or to a successor entity in connection with a merger, acquisition, financing, reorganization, or sale of all or part of our business, subject to applicable privacy law.

Legal and regulatory disclosures

We may disclose personal information where we believe in good faith that disclosure is required by law, court order, subpoena, or other legal process, or where disclosure is necessary to protect our rights, property, or safety, or that of our clients, users, or others.

Cross-border transfers and Privacy Impact Assessments

Most of the service providers listed in Section 6.1 are located in the United States. As a result, your personal information may be stored and processed outside the province in which you reside, and outside Canada. When personal information is transferred outside Canada, it may be subject to the laws of the foreign jurisdiction, and may be accessible to that jurisdiction's law enforcement, regulatory, and national security authorities.

Privacy Impact Assessment (Quebec Law 25, section 17)

Before initiating cross-border transfers of personal information, we conduct a Privacy Impact Assessment (PIA) as required under section 17 of Quebec Law 25. The PIA evaluates, for each receiving jurisdiction:

• The sensitivity of the personal information being transferred (in our case, primarily B2B contact details, pseudonymous identifiers, IP addresses, and behavioural Website data – not directly identifying or sensitive information).
• The purposes of the transfer and the volume of data involved.
• The protections, including contractual safeguards, that apply to the personal information.
• The legal regime applicable in the destination jurisdiction (in particular the United States), and any potential government access.

PIA conclusion: Based on the assessment we have performed, the personal information transferred to the processors named in Section 6.1 receives a level of protection adequate for the purposes for which it is used, taking into account the contractual and configuration safeguards described below. The PIA is reviewed at least annually and whenever a new cross-border transfer is introduced. A summary of the assessment is available to regulators on request.

Contractual safeguards

We rely on the following safeguards to protect personal information transferred outside Canada:

• Data Processing Agreements (DPAs) executed with, or auto-incorporated by, each named processor (Webflow DPA, Kit DPA, Google Analytics / Google Ads Data Processing Terms, Meta Business Tools Data Processing Terms, LinkedIn Marketing Solutions Data Processing Agreement, Microsoft Online Services Data Protection Addendum, and a DPA with FlowAppz – status pending as noted in Section 6.1).
• Standard Contractual Clauses or equivalent transfer mechanisms incorporated into those DPAs where the processor offers them (for example, the SCCs and UK IDTA included in the Kit DPA).
• Reliance on the EU-U.S., UK, and Swiss Data Privacy Frameworks where the processor is self-certified (for example, ConvertKit LLC).
• Vendor due diligence on each processor's security and privacy practices before it is engaged, and periodic re-assessment thereafter.
• Configuration measures within each tool, such as IP-anonymisation features in Google Analytics where available and consent-gated tag firing through Google Consent Mode v2.

If you would like more information about how we protect personal information transferred outside Canada, please contact our Privacy Officer.

Cookies and similar technologies

We use cookies, pixels, tags, and similar technologies on the Website. Some are strictly necessary to operate the Website; others are used for analytics, advertising measurement, and marketing, and are activated only after you provide consent through our cookie banner.

For a detailed description of the technologies we use, their purposes, retention periods, and the third parties involved, please see our Cookies Policy. You can also manage your preferences at any time through the cookie consent banner provided by FlowAppz.

How long we keep personal information

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, including any legal, accounting, contractual, or reporting requirements. Indicative retention periods are:

• Contact form inquiries that do not result in an engagement: up to 24 months from the last contact.
• Newsletter subscriber data (held in Kit): until you unsubscribe, plus a short period to honour suppression and unsubscribe records.
• Information related to client engagements: for the duration of the engagement and for the period required by professional, tax, and legal obligations (typically 6–7 years following the end of the engagement).
• Website analytics data: subject to the retention settings configured in the relevant tool (for example, the configured retention period in Google Analytics 4).
• Consent records: a minimum of three (3) years from the consent event, as described in Section 5.1. This is distinct from the lifetime of cookies on your device, which is governed by the durations listed in the Cookies Policy.

When personal information is no longer needed, it is securely deleted, anonymized, or destroyed in accordance with our internal retention practices.

How we protect personal information

We implement reasonable physical, organizational, and technical safeguards designed to protect personal information against loss, theft, unauthorized access, disclosure, copying, use, or modification. These measures include:

• Use of HTTPS/TLS encryption for data transmitted to and from the Website.
• Access controls limiting personal information to personnel and service providers who need it for the purposes described in this Policy.
• Vendor due diligence and contractual data-protection commitments with our service providers.
• Internal policies and training on privacy, confidentiality, and information security.

No method of transmission or storage is completely secure. While we strive to protect your personal information, we cannot guarantee absolute security.

Breach and confidentiality-incident notification

If we become aware of a breach of security safeguards or a confidentiality incident involving personal information that creates a real risk of significant harm to affected individuals, we will:

• Notify the Office of the Privacy Commissioner of Canada (OPC) as soon as feasible, in accordance with PIPEDA's Breach of Security Safeguards Regulations.
• Notify the Commission d'accès à l'information du Québec (CAI) within 72 hours of becoming aware of the incident, where Quebec Law 25 applies.
• Notify affected individuals without undue delay, using contact information we have on file.
• Maintain a register of confidentiality incidents as required by Law 25 and equivalent obligations under PIPEDA.

Where applicable, we will also notify other regulators (such as U.S. state attorneys general) within the timeframes their respective laws require.

Your privacy rights

Depending on the law that applies to you, you may have the following rights with respect to your personal information:

Rights under PIPEDA and Canadian provincial privacy laws

• Access: request confirmation of whether we hold personal information about you, and a copy of that information.
• Correction: request that we correct personal information that is inaccurate or incomplete.
• Withdrawal of consent: withdraw your consent to our collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions.
• Complaint: file a complaint with us, and ultimately with the Office of the Privacy Commissioner of Canada.

Additional rights under Quebec Law 25

If you reside in Quebec, you also have the following rights:

• De-indexation and cessation of dissemination: in certain circumstances, request that we cease disseminating your personal information or that a hyperlink giving access to it be de-indexed.
• Data portability: receive personal information you have provided to us in a structured, commonly used technological format, and have it communicated to another person or body authorized by law to collect it.
• Information about automated decision-making: be informed if a decision concerning you is based exclusively on automated processing of your personal information, and request information about the personal information used, the reasons and principal factors that led to the decision, and your right to have the information corrected. As of the date of this Policy, we do not make decisions concerning you based exclusively on automated processing.

Rights for U.S. residents and Global Privacy Control

If you are a resident of California or another U.S. state with applicable privacy legislation, you may have additional rights, including the right to know what personal information we have collected about you, the right to request deletion or correction, the right to opt out of certain types of “sale” or “sharing” of personal information (including for cross-context behavioural advertising), and the right not to be discriminated against for exercising your rights.

We do not sell personal information for monetary consideration. To the extent that our use of advertising and analytics cookies is considered “sharing” under the California Consumer Privacy Act (CCPA / CPRA), you can opt out by adjusting your preferences in our cookie consent banner.

We honour Global Privacy Control (GPC) signals on a best-efforts basis for all visitors who send them, regardless of jurisdiction. Where required by applicable U.S. state privacy law, we treat a recognized GPC signal as a binding opt-out of “sale”, “sharing”, and targeted advertising. For visitors in Canada, including Quebec, we treat GPC as an indication that you do not wish to consent to non-essential cookies, and we will not load analytics or marketing cookies until you affirmatively grant consent through the Flowappz banner.

How to exercise your rights

To exercise any of these rights, contact our Privacy Officer at office@business-analysis.ca. We will respond within the timeframes required by applicable law (generally within 30 days under PIPEDA and Law 25, with limited extensions where permitted).

We may need to verify your identity before responding to a request. We will not charge a fee unless permitted by law and we have provided you with prior notice of the fee.

Filing a complaint

If you are not satisfied with our response, you may contact:

• Office of the Privacy Commissioner of Canada (OPC) – priv.gc.ca
• Commission d'accès à l'information du Québec (CAI) – cai.gouv.qc.ca (for Quebec residents)
• The privacy regulator of your province or U.S. state of residence, where applicable.

Marketing and electronic communications (CASL)

We send commercial electronic messages (such as our newsletter) only to recipients who have given valid consent under Canada's Anti-Spam Legislation (CASL).

Express consent

Express consent is given when you actively opt in – for example, by checking a subscription box, completing a newsletter sign-up form on the Website, or confirming a double opt-in email. Express consent does not expire automatically; it remains valid until you withdraw it.

Implied consent

Under CASL, implied consent is time-limited. We may rely on implied consent only in narrowly defined circumstances, including:

• An existing business relationship (for example, a person who has purchased services from us, or has had a written contract with us): implied consent generally lasts for two (2) years from the date of the relevant transaction or expiry of the contract.
• An existing non-business relationship (for example, donations or volunteer work, where applicable): implied consent generally lasts for two (2) years.
• An inquiry made to us about our services: implied consent generally lasts for six (6) months from the inquiry.
• Conspicuous publication of a business email address (where the publication is not accompanied by a statement that unsolicited messages are not wanted, and our message is relevant to the recipient's role).

We track the consent basis (express or implied) and, where implied, the start and expiry dates, so that we can demonstrate compliance with CASL on request.

Form and unsubscribe requirements

Every commercial electronic message we send identifies us as the sender, includes our contact information, and provides a clear unsubscribe mechanism. You can withdraw your consent to marketing communications at any time by clicking the unsubscribe link in any message we send, or by emailing office@business-analysis.ca. Unsubscribe requests are honoured within ten (10) business days, as required by CASL.

Even after you unsubscribe from marketing communications, we may continue to send you transactional or relationship messages (for example, replies to your inquiries or messages about an active engagement).

Children's privacy

The Website is intended for business users and is not directed to children. We do not knowingly collect personal information from individuals under the age of 18. If you believe that we have inadvertently collected personal information from a minor, please contact us so that we can delete it.

Automated decision-making

We do not currently make decisions concerning you that are based exclusively on automated processing of your personal information. If we introduce such automated decision-making in the future, we will update this Policy and inform affected individuals as required by Law 25 and other applicable laws.

Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, our services, or applicable law. The “Last updated” date and version number at the top of this Policy indicate when it was most recently revised.

For material changes – for example, the introduction of a new processing purpose, a new category of processor handling personal information, or a new cross-border transfer – we will seek fresh consent where required by applicable law (including PIPEDA and Quebec Law 25), and will provide additional notice (for example, by posting a prominent notice on the Website or, where appropriate, by email).

Continued use of the Website after the effective date of an updated Policy constitutes acceptance only of non-material updates, to the extent permitted by applicable law. We will retain a record of each version of this Policy, together with the consent records described in Section 5.1, so that we can identify which version applied at any given time.

How to contact us

If you have questions, comments, or complaints about this Privacy Policy or our handling of your personal information, please contact our Privacy Officer:

Privacy Officer

Business Analysis Canada (Senior Maple Marketing Ltd.)

133 Prince William Street, Suite 801

Saint John, NB E2L 2B5, Canada

Email: office@business-analysis.ca