Connects You Privacy Policy
Effective Date: January 27, 2026
Data Officer: team@connectsyou.ca
1. Introduction
Connects You is committed to protecting the privacy and security of all personal data processed through our platform. This policy outlines our practices regarding the collection, use, disclosure, and protection of personal information in accordance with:
- GDPR (EU 2016/679) – Articles 5, 6, 7, 12-22, 30, 32, 35-39
- PIPEDA (Canada) – Schedule 1, Sections 4.1-4.9, 5(3), 6(1), 7(1)
- HIPAA (USA) – 45 CFR Parts 160, 162, 164 (Privacy, Security, and Breach Notification Rules)
- CAN-SPAM Act (USA) – 15 U.S.C. § 7701 et seq.
- CCPA/CPRA (California) – Cal. Civ. Code §§ 1798.100-1798.199
This policy applies to all users, clients, and visitors of Connects You, including those accessing our services from the EU, Canada, the United States, and California.
2. Information We Collect
We collect the following categories of personal information, as defined by applicable regulations:
a. Personal Identification Information
- Name, email address, phone number, postal address, and professional title (GDPR Art. 4(1); PIPEDA Principle 4.1; CCPA § 1798.140(o))
- For HIPAA-covered services: ePHI as defined in 45 CFR § 160.103 (e.g., medical records, health insurance information)
b. Technical and Usage Data
- IP address, browser type, device identifiers, cookies, and usage analytics (GDPR Art. 4(15); CCPA § 1798.140(g); PIPEDA Principle 4.3)
c. Financial Information
- Billing and payment details (PIPEDA Principle 4.5; GDPR Art. 9(1))
d. Sensitive Personal Information (where applicable)
- Health data (HIPAA 45 CFR § 164.501; GDPR Art. 9; CCPA § 1798.140(ae))
- Biometric or genetic data (GDPR Art. 9; CCPA § 1798.140(ae))
e. Commercial Information
- Records of products or services purchased, obtained, or considered (CCPA § 1798.140(d))
3. Legal Basis and Purpose of Processing
| Purpose | Legal Basis (GDPR) | Regulatory Reference |
|---|---|---|
| Service provision and contract fulfillment | Art. 6(1)(b) | PIPEDA Principle 4.2; CCPA § 1798.100(b) |
| Consent (marketing, cookies, newsletters) | Art. 6(1)(a) | CAN-SPAM 15 U.S.C. § 7704; PIPEDA Principle 4.3 |
| Compliance with legal obligations | Art. 6(1)(c) | HIPAA 45 CFR § 164.508; CCPA § 1798.145(a) |
| Legitimate interest (fraud prevention, security) | Art. 6(1)(f) | GDPR Recital 47; PIPEDA Principle 4.5 |
| Protection of vital interests | Art. 6(1)(d) | HIPAA 45 CFR § 164.512(j) |
4. Data Subject Rights
Users retain the following rights under applicable laws:
| Right | GDPR | PIPEDA | CCPA/CPRA | HIPAA |
|---|---|---|---|---|
| Access | Art. 15 | Principle 4.9 | § 1798.110(a) | 45 CFR § 164.524 |
| Rectification | Art. 16 | Principle 4.6 | § 1798.106(a) | 45 CFR § 164.526 |
| Erasure (“Right to be Forgotten”) | Art. 17 | Principle 4.5 | § 1798.105(d) | N/A |
| Restriction of Processing | Art. 18 | Principle 4.5 | § 1798.125(a)(2) | N/A |
| Data Portability | Art. 20 | N/A | § 1798.130(a)(2) | N/A |
| Object to Processing | Art. 21 | Principle 4.3.3 | § 1798.120(c) | 45 CFR § 164.522 |
| Opt-Out of Sale/Sharing (CCPA) | N/A | N/A | § 1798.120(a) | N/A |
| Withdraw Consent | Art. 7(3) | Principle 4.3.8 | § 1798.135(a)(5) | 45 CFR § 164.508 |
To exercise these rights, contact team@connectsyou.ca. We will respond within:
- 30 days (GDPR Art. 12(3); CCPA § 1798.130(a)(2))
- 15 days for HIPAA access requests (45 CFR § 164.524(b)(2))
5. Data Sharing and Disclosure
We may share personal information with:
- Service Providers: Under strict contractual obligations (GDPR Art. 28; PIPEDA Principle 4.1.3; HIPAA Business Associate Agreements, 45 CFR § 164.502(e))
- Legal Authorities: As required by law (GDPR Art. 6(1)(c); PIPEDA Principle 4.3; CCPA § 1798.145(a); HIPAA 45 CFR § 164.512)
- Third Parties: Only with explicit consent (CAN-SPAM 15 U.S.C. § 7704(c)(2); GDPR Art. 6(1)(a))
Cross-Border Transfers:
- For EU users: Standard Contractual Clauses (GDPR Art. 46)
- For Canadian users: Adequacy or contractual measures (PIPEDA Principle 4.1.3)
- For HIPAA: Encryption and Business Associate Agreements (45 CFR § 164.314)
6. Data Security
We implement the following safeguards:
- Technical: Encryption (AES-256), access controls, regular audits (GDPR Art. 32; HIPAA 45 CFR § 164.312; CCPA § 1798.81.5)
- Organizational: Staff training, incident response plans, and Data Protection Impact Assessments (DPIAs) for high-risk processing (GDPR Art. 35; HIPAA 45 CFR § 164.308(a)(1)(ii)(A); PIPEDA Principle 4.7)
- ePHI Specific: Network segmentation, anti-malware, and mandatory multi-factor authentication (HIPAA 45 CFR § 164.316; 2026 Security Rule Updates)
7. CAN-SPAM and Email Marketing Compliance
All commercial electronic messages (CEMs) sent by Connects You comply with:
- CAN-SPAM Act: Clear identification, accurate header information, valid physical address, and conspicuous opt-out mechanism (15 U.S.C. § 7704(a)(5))
- CASL (Canada): Express or implied consent, identification, and unsubscribe mechanism (SOR/2014-22)
- GDPR/PIPEDA: Granular consent for direct marketing (GDPR Art. 7; PIPEDA Principle 4.3.4)
Opt-out requests are processed within 10 business days (CAN-SPAM 15 U.S.C. § 7704(a)(4)).
8. California-Specific Rights (CCPA/CPRA)
California residents have the right to:
- Opt-Out of Sale/Sharing: Via “Do Not Sell or Share My Personal Information” link (CCPA § 1798.120; CPRA § 1798.135)
- Limit Use of Sensitive Personal Information: As defined in CCPA § 1798.140(ae)
- Non-Discrimination: For exercising CCPA rights (CCPA § 1798.125)
We do not sell personal information as defined by CCPA/CPRA.
9. HIPAA-Specific Provisions (ePHI)
For services involving ePHI:
- Business Associate Agreements (BAAs): Required for all vendors (45 CFR § 164.504(e))
- Breach Notification: Within 60 days of discovery (45 CFR § 164.408)
- Access and Amendments: As per 45 CFR § 164.524 and § 164.526
- Security Incidents: Documented and reported as per 45 CFR § 164.308(a)(6)
10. Data Retention and Deletion
| Data Type | Retention Period | Regulatory Basis |
|---|---|---|
| User Account Data | 5 years post-closure | GDPR Art. 5(1)(e); PIPEDA Principle 4.5 |
| Financial Records | 7 years | CCPA § 1798.100(e); Canadian tax law |
| ePHI | 6 years (or as required by law) | HIPAA 45 CFR § 164.530(j) |
| Marketing Consent Records | Until withdrawal | CAN-SPAM 15 U.S.C. § 7704(a)(1) |
Data is securely deleted using NIST SP 800-88 or equivalent methods.
11. Children’s Privacy
We do not knowingly collect data from individuals under 13 (COPPA; GDPR Art. 8; CCPA § 1798.120(c)). For users aged 13-16, we obtain parental consent as required (GDPR Art. 8(1); PIPEDA Principle 4.3.7).
12. Changes to This Policy
Material changes will be communicated via email and posted on this page. Continued use of our services constitutes acceptance of the updated policy (GDPR Art. 13(3); CCPA § 1798.100(b)).
13. Contact Information
For questions or to exercise your rights:
Data Officer: team@connectsyou.ca
Postal Address: 13235220 Canada Inc., 184 Old Pakenham Rd, Ottawa, ON K0A 1X0
Acknowledgments:
- This policy is designed to be a living document, updated as regulations evolve.
- For HIPAA-covered entities, a separate Notice of Privacy Practices (NPP) is available upon request.