1. Accountability

Simplify Tech Solutions Inc. is responsible for personal information in our custody or control. Our Privacy Officer is responsible for our compliance with this policy and applicable privacy laws. For privacy inquiries, contact us at info@simplifyts.ca.

2. Identifying Purposes

We collect personal information for the following purposes:

• To provide managed IT, cybersecurity, and cloud services to clients
• To respond to inquiries and schedule consultations through Microsoft Bookings
• To process Microsoft Forms submissions (quote requests, IT assessments, support requests)
• To process service agreements, invoicing, and billing
• To send relevant service updates, security advisories, and threat intelligence briefings
• To monitor, detect, and respond to security incidents within client environments
• To comply with legal, regulatory, and contractual obligations

We identify the purpose before or at the time of collection.

3. Consent

We obtain meaningful consent for the collection, use, and disclosure of personal information, except where the law permits or requires collection without consent. By submitting information through our website, booking a consultation, or engaging our services, you consent to the collection and use of that information for the purposes described in this policy. You may withdraw consent at any time, subject to legal or contractual restrictions, by contacting our Privacy Officer.

4. Limiting Collection

We collect only the personal information necessary for the identified purposes. This may include:

• Identification data: name, email address, phone number, company name, job title
• Service delivery data: technical environment details, security posture information, incident logs
• Transactional data: billing information, service agreements, support tickets
• Website data: IP address, browser type, pages visited (collected via cookies — see Section 12)

We do not collect personal information indiscriminately or beyond what is required to deliver our services.

5. Limiting Use, Disclosure, and Retention

We use and disclose personal information only for the purposes for which it was collected, except with your consent or as required by law. We do not sell, rent, or trade personal information to third parties.

Retention periods:

• Prospect/lead data: retained for up to 24 months after last interaction, then anonymized or deleted
• Active client data: retained for the duration of the service agreement plus 7 years for tax and audit purposes (per CRA requirements)
• Security logs and incident data: retained for up to 12 months for forensic and compliance purposes
• Form submissions and Bookings data: retained for up to 24 months unless escalated to a client engagement
• Marketing communications: retained until consent is withdrawn

After applicable retention periods expire, personal information is securely destroyed or anonymized.

6. Accuracy

We take reasonable steps to ensure that personal information is accurate, complete, and up-to-date as required for the purposes for which it is used. You may request corrections to your information at any time by contacting our Privacy Officer.

7. Safeguards

We protect personal information using security safeguards appropriate to the sensitivity of the information. These include:

• Technical safeguards: encryption at rest and in transit, multi-factor authentication, conditional access, endpoint detection and response (EDR), DNS filtering, and email threat protection
• Organizational safeguards: role-based access controls, least-privilege access, security awareness training, and confidentiality agreements with all personnel
• Physical safeguards: data hosted in Microsoft Azure Canada Central data centres with industry-leading physical security

Our infrastructure complies with applicable Canadian security standards, including Protected B requirements where contractually applicable.

8. Data Residency

Simplify Tech Solutions stores and processes personal information within Canada. Specifically:

• Microsoft 365, Dynamics 365, Business Central, and Azure infrastructure operate in the Canada Central region (Toronto)
• OpenText cybersecurity services (Email Threat Protection, DNS Protection, EDR, Cloud Backup) are configured to keep data within Canadian boundaries where regional options are available
• Backup and disaster recovery systems remain within Canadian sovereign infrastructure

Limited cross-border data transfers may occur for global threat intelligence, abuse detection, and security analytics. Where such transfers occur, they are governed by contractual safeguards with our processors and are limited to non-content metadata (e.g., threat indicators, anonymized telemetry).

9. Openness

We make information about our privacy policies and practices readily available. This Privacy Policy is publicly accessible on our website at simplifyts.ca/privacy-policy.

10. Individual Access and Rights

Upon written request to our Privacy Officer, you have the right to:

• Access: obtain confirmation that we hold your personal information and receive a copy within 30 days
• Correction: challenge the accuracy or completeness of your information and request amendments
• Withdrawal of consent: withdraw consent for collection, use, or disclosure (subject to legal or contractual obligations)
• Deletion: request deletion of personal information when it is no longer required for the original purpose
• Portability: request a copy of your data in a structured, commonly used electronic format

We may charge a minimal fee for access requests where permitted by law, with advance notice. Requests are processed within 30 days; complex requests may be extended by up to 30 additional days with written notice.

11. Breach Notification

In accordance with PIPEDA's mandatory breach notification requirements, in the event of a breach of security safeguards involving personal information that creates a real risk of significant harm to an individual, we will:

• Notify affected individuals as soon as feasible
• Report the breach to the Office of the Privacy Commissioner of Canada
• Notify any other organization that may be able to mitigate harm
• Maintain records of all breaches for a minimum of 24 months

Our incident response process is integrated with our managed security operations and follows established containment, investigation, and remediation procedures.

12. Cookies and Website Data

Our website uses cookies and similar technologies to improve your experience, analyze traffic, and deliver embedded content. Specifically:

• Essential cookies: required for site functionality and security (cannot be disabled)
• Analytics cookies: used to understand site usage and improve content
• Embedded service cookies: set by Microsoft Bookings, Microsoft Forms, and other embedded Microsoft services when you interact with those features
• Cloudflare: used for site security, performance, and protection against malicious traffic

You may disable non-essential cookies through your browser settings, though some features (such as scheduling consultations) may be affected.

13. Third-Party Processors

To deliver our services, we engage trusted third-party service providers bound by confidentiality and data protection obligations. Our primary processors include:

• Microsoft Corporation — Microsoft 365, Dynamics 365, Azure, Microsoft Bookings, Microsoft Forms, Power Platform. Data hosted in Canada Central.
• OpenText Corporation — Email Threat Protection, DNS Protection, Endpoint Detection and Response (EDR), Cloud-to-Cloud Backup, Security Awareness Training
• Cloudflare, Inc. — website security, content delivery, and DDoS protection
• Royal Bank of Canada (RBC) — banking and payment processing

These processors are contractually prohibited from using your personal information for any purpose other than providing services to us.

14. Children's Privacy

Our services are directed at businesses and government organizations, not individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected such information, we will take steps to delete it promptly.

15. Challenging Compliance

You may direct any privacy-related questions or complaints to our Privacy Officer at info@simplifyts.ca. We investigate all complaints and take appropriate corrective action where warranted. If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada:

30 Victoria Street
Gatineau, Quebec K1A 1H3
Toll-free: 1-800-282-1376
Website: www.priv.gc.ca

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. We will post any changes on this page with an updated revision date. For material changes, we will provide additional notice (such as email notification to active clients). Continued use of our services after changes constitutes acceptance of the revised policy.

17. Contact Us

For privacy-related inquiries, access requests, corrections, or to withdraw consent, please contact our Privacy Officer:

Simplify Tech Solutions Inc.
Attn: Privacy Officer
1505 Laperriere Avenue, Ottawa, ON K1Z 7T1, Canada
Email: info@simplifyts.ca
Phone: +1 (613) 319-4940