Privacy Notice

We collect the minimum information required to provision org admins, reviewers, and staff records. Uploads remain encrypted in a Canada Central object store and are never used to train models or shared with third parties.

What we collect

• Account metadata (name, email, cohort / tenant identifiers).
• Uploaded credential files and extracted fields needed for compliance review.
• Audit events (who performed which action and when).

How we use it

Data is used to render staff dashboards, queue documents for reviewers, produce audit exports, and notify admins about outstanding requirements. We never sell data or repurpose it outside of compliance operations.

Storage & retention

All assets are encrypted at rest (KMS + PostgreSQL TDE). We retain pilot data for 90 days after the alpha unless otherwise requested. Daily backups are verified with restore drills per the alpha readiness checklist.

Contact

Questions or data subject requests can be sent to privacy@compliancehealth.ca.