Privacy Policy

English GRC ("we", "us", "our") respects your privacy. This policy describes how we handle personal information collected through englishgrc.ca and in the course of providing governance, risk, and compliance services.

We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private-sector privacy law. Where other federal or provincial privacy laws apply to a particular engagement, we honour those obligations in addition to this policy.

1. Who we are

English GRC is a consultancy based in New Brunswick, Canada, providing fractional GRC services to technology companies. Our privacy officer can be reached at privacy@englishgrc.ca.

2. Information we collect

You give us

• Contact form submissions: name, company, email, phone (optional), framework of interest, and message content.
• Email correspondence: whatever you include when you write to us.
• Client engagement data: during engagements we may receive personal information about you or your staff (e.g. names and roles for access reviews, interview notes).

Collected automatically

• Server logs: our site is hosted on Cloudflare Pages; Cloudflare may log IP address, user-agent, request path and timing for security and operations.
• No third-party analytics: we do not use trackers or advertising pixels. If this changes, the policy will be updated.

3. How we use it

• Responding to inquiries.
• Delivering, administering, and billing for consulting services.
• Communicating with clients about active engagements.
• Operating and securing our website and business systems.
• Complying with legal, regulatory, or professional obligations.

We do not sell personal information and do not use it for advertising or behavioural profiling.

4. Consent

By submitting the contact form or emailing us, you consent to our use of the information provided for the purpose of responding. For ongoing client engagements, consent is documented in the engagement letter. You may withdraw consent at any time by contacting the privacy officer, subject to legal or contractual restrictions.

5. Disclosure & sharing

• Service providers: Cloudflare (hosting, DNS, email transit via MailChannels), email and productivity tools. Written agreements require equivalent privacy protection.
• Within a client engagement: to the client, its auditors, or designated vendors as required by the contracted work.
• Legal & regulatory: where required by law, court order, or a regulator with jurisdiction over us.
• Business transactions: if we are involved in a merger, acquisition, or sale, subject to equivalent privacy protections.

6. Cross-border transfers

Data is processed primarily in Canada. Some service providers (including Cloudflare and email-transit providers) may process data in the United States or other jurisdictions, where it may be subject to local law including lawful access by foreign authorities. We select providers with strong security and privacy commitments.

7. Retention

• Contact-form inquiries that don't become engagements: up to 24 months.
• Client engagement records: duration of engagement plus 7 years, or longer if required by law.
• Security logs: per Cloudflare's standard retention (30–90 days).

8. Safeguards

Because protecting information is our trade, we hold ourselves to a high standard. Administrative, technical, and physical safeguards include:

• TLS encryption for website and email traffic where supported.
• Role-based access controls and multi-factor authentication on business systems.
• Vendor risk reviews for third-party processors.
• Secure disposal of records at end of retention.
• An annual internal privacy review, per PIPEDA's accountability principle.

If we become aware of a breach that poses a real risk of significant harm, we will notify affected individuals and the Office of the Privacy Commissioner of Canada as required by PIPEDA.

9. Cookies & analytics

This website does not set first-party cookies for tracking, profiling, or advertising. Cloudflare may set strictly-necessary cookies for security and bot mitigation. We do not embed third-party analytics, advertising pixels, or social media trackers.

10. Your rights

Under PIPEDA you have the right to:

• Ask whether we hold personal information about you.
• Request access to that information and how it has been used and disclosed.
• Request correction of inaccurate or incomplete information.
• Withdraw consent, subject to legal or contractual exceptions.
• File a complaint about our handling of your information.

Email privacy@englishgrc.ca. We respond within 30 days. We may need to verify your identity. In limited circumstances permitted by law (for example where disclosure would reveal another individual's information or where information is privileged) we may not be able to provide access.

11. Children

Our services are directed at businesses, not individuals under the age of majority. We do not knowingly collect personal information from children.

12. Changes

We may update this policy occasionally. The "Effective" date shows when the current version was published; material changes will be prominently noted.

13. Contact & complaints

Questions, requests, or complaints — contact our privacy officer first:

Privacy Officer, English GRC
privacy@englishgrc.ca
New Brunswick, Canada

If we cannot resolve your concern, you may file a complaint with the Office of the Privacy Commissioner of Canada:

30 Victoria Street, Gatineau QC K1A 1H3
1-800-282-1376 · priv.gc.ca