Privacy Policy

1. Information We Collect

1.1 Information You Provide

We collect information you voluntarily provide when you:

• Create an account (full name, business email, company name, country)
• Complete a purchase (billing address, VAT number if applicable)
• Contact us (email address, message content)
• Subscribe to communications (email address, with your express consent)

1.2 Information Collected Automatically

When you visit our Site we automatically collect:

• IP address and approximate geographic location
• Browser type, operating system, and device information
• Pages visited, time on site, and referring URL
• Cookies and similar technologies (see Section 7)

1.3 Payment Information

Payment processing is handled entirely by Stripe, Inc., a PCI DSS Level 1 certified processor. GRCadia does not store, process, or have access to your full credit card number, CVV, or banking details. We receive only a transaction confirmation, last four digits of your card, and billing address for record-keeping.

2. How We Use Your Information

Under PIPEDA, we collect and use personal information only for purposes that a reasonable person would consider appropriate in the circumstances. We use your information to:

• Create, maintain, and secure your account
• Process and fulfil your orders
• Provide customer support and respond to inquiries
• Send transactional communications (order confirmations, download links, security alerts)
• Send marketing communications (only with your express opt-in consent)
• Comply with legal obligations, including tax reporting and law enforcement requests
• Detect, prevent, and address fraud or security issues
• Improve and optimize the Services

3. Consent

Under PIPEDA, we rely on the following forms of consent:

• Express consent: For collecting personal information at registration, for processing payments, and for sending marketing emails (opt-in).
• Implied consent: For automatically collected technical data necessary to operate the Site and for transactional emails arising from your existing business relationship with us.

You may withdraw your consent at any time, subject to legal or contractual restrictions. To withdraw consent, contact us at privacy@grcadia.com. Note that withdrawing consent for essential data processing may prevent us from providing certain Services.

4. How We Share Your Information

We do not sell, rent, or trade your personal information. We share information only with the following categories of third parties and only to the extent necessary:

• Stripe, Inc. — Payment processing. Stripe processes your payment data under its own privacy policy and PCI DSS obligations.
• Email service provider — To deliver transactional and (where consented) marketing emails. We use industry-standard providers that comply with PIPEDA and CASL.
• Cloud infrastructure providers — To host and serve the Site. Servers are located in North America.
• Legal and regulatory authorities — When required by law, court order, subpoena, or to protect our rights, property, or safety or that of our users or the public.
• Professional advisors — Lawyers, accountants, and auditors where necessary for the operation of our business.

5. Your Rights Under PIPEDA

As a Canadian privacy law, PIPEDA provides you with the following rights regarding your personal information:

• Right of Access — You may request access to the personal information we hold about you.
• Right to Correction — You may request correction of inaccurate or incomplete personal information.
• Right to Withdrawal of Consent — You may withdraw your consent for the collection, use, or disclosure of your personal information, subject to legal or contractual limitations.
• Right to Deletion — You may request deletion of your personal information, subject to our legal retention obligations.
• Right to Data Portability — You may request your personal information in a commonly used, machine-readable format.

To exercise any of these rights, email privacy@grcadia.com. We will respond within thirty (30) days of receiving your request, as required by PIPEDA. If we need additional time, we will notify you.

If you are unsatisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.

6. Data Breach Notification

In accordance with the Breach of Security Safeguards Regulations under PIPEDA, GRCadia maintains a data breach response procedure. In the event of a breach of security safeguards involving your personal information that creates a real risk of significant harm, we will:

• Notify the Office of the Privacy Commissioner of Canada as soon as feasible after determining that the breach has occurred.
• Notify you directly as soon as feasible, describing the nature of the breach, the personal information involved, the steps we have taken to reduce the risk of harm, and the steps you can take to protect yourself.
• Notify any other organization or government institution that may be able to reduce the risk of harm.
• Maintain a record of every breach of security safeguards for a minimum of twenty-four (24) months, as required by PIPEDA.

7. Cookies and Tracking Technologies

We use only essential cookies that are strictly necessary for the operation of the Site:

• Session authentication cookies (to keep you logged in)
• Shopping cart cookies (to maintain your cart across pages)
• CSRF protection tokens (for security)

We do not use third-party advertising cookies, analytics tracking pixels, or social media tracking tools. If we introduce non-essential cookies in the future, we will obtain your consent and provide a cookie management mechanism.

For visitors from the European Union, we will implement a cookie consent banner if and when non-essential cookies are introduced, in compliance with the General Data Protection Regulation (GDPR) and the ePrivacy Directive.

8. Data Retention

We retain your personal information as follows:

• Account information — Retained for the duration of your account. Upon account deletion, personal data is removed within thirty (30) days, except as required by law.
• Order and transaction records — Retained for seven (7) years after the date of the transaction, as required by the Canada Revenue Agency for tax and financial record-keeping.
• Communication records — Retained for twenty-four (24) months after the last communication.
• Breach records — Retained for a minimum of twenty-four (24) months as required by PIPEDA.

9. Data Security

We implement reasonable technical and organizational safeguards to protect your personal information, including: encryption in transit (TLS/SSL), password hashing (bcrypt), two-factor authentication for account access, access controls limiting employee access to personal information on a need-to-know basis, and regular security reviews. However, no method of electronic storage or transmission is 100% secure, and we cannot guarantee absolute security.

10. International Data Transfers

Our servers and service providers are located in North America (Canada and the United States). If you access our Services from outside North America, your information may be transferred to and processed in Canada or the United States.

For transfers from the European Economic Area (EEA) or the United Kingdom, we rely on contractual safeguards with our service providers (Standard Contractual Clauses) and the adequacy of Canadian privacy law as recognized by the European Commission. By using our Services, you consent to this transfer.

11. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If we learn that we have collected information from a child under 18, we will delete that information promptly. If you believe a minor has provided us with personal information, please contact us at privacy@grcadia.com.

12. Privacy Officer

Under PIPEDA, GRCadia has designated a Privacy Officer responsible for overseeing compliance with this Policy and applicable privacy legislation. All privacy-related inquiries, access requests, complaints, and breach reports should be directed to:

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on the Site with a revised "Last updated" date and, where practical, communicated to you by email. Your continued use of the Services after changes are posted constitutes your acceptance of the updated Policy.

Technology Partners and Sub-Processors

We believe in transparency about the technology that powers our store. The following third-party services process or have access to certain data as part of providing our Services:

We do not store, process, or have access to your full credit card details. All payment card data is handled exclusively by Stripe in accordance with PCI DSS Level 1 standards. We will update this table as our technology partners change.

14. Contact Us

For any privacy-related questions or requests: