PolicyArc Early Access Beta — Privacy Policy
Effective date: May 20, 2026
This Privacy Policy describes how IDENTOS Inc. (“IDENTOS”, “we”, “us”, or “our”) handles Personal Information in connection with the PolicyArc Early Access Beta Program (“Beta Program”) and the PolicyArc platform (“Platform”) provided in a beta capacity. PolicyArc is a pre-release product offered by IDENTOS for evaluation purposes — IDENTOS is the corporate entity that operates the Platform, employs the personnel who build and run it, and is accountable under Canadian privacy legislation for the Personal Information processed through it.
While the Platform is in beta, IDENTOS applies the privacy practices described in this Privacy Policy alongside its broader corporate privacy program (the IDENTOS Privacy Policy). This Privacy Policy is specific to the PolicyArc Platform and Beta Program; it does not replace IDENTOS’s general corporate privacy practices, which apply to IDENTOS’s other products, services, and business operations. Where this Privacy Policy is silent, the IDENTOS Privacy Policy applies.
This Privacy Policy should be read in conjunction with the PolicyArc Early Access Beta Terms of Service. By participating in the Beta Program or by accessing the Platform in a beta capacity, you acknowledge the practices described below on behalf of yourself and, where applicable, your organisation.
1. Introduction
IDENTOS Inc. (“IDENTOS,” “we,” “us,” or “our”) is committed to protecting the privacy and security of the personal information entrusted to us by our customers and their authorized users. This Privacy Policy describes how we collect, use, disclose, retain, and protect Personal Information in connection with the PolicyArc platform (the “Platform”).
IDENTOS Inc. is a corporation incorporated under the laws of the Province of Ontario, Canada, with its principal office at 317 Adelaide St. West, Suite 901, Toronto, Ontario M5V 1P9.
This Privacy Policy applies to all users of the Platform, including administrators, authorized users, and any individuals whose Personal Information is processed through the Platform. This Privacy Policy should be read in conjunction with the PolicyArc Terms of Service.
We have designed this policy to be transparent, accessible, and written in plain language. If you have any questions about this policy, please contact our Privacy Officer at privacy@identos.ca.
2. Definitions
In this Privacy Policy, the following terms have the meanings set out below:
- “Authorized User” means any individual who is authorized by a Customer to access and use the Platform under the Customer’s subscription.
- “Customer” means the entity or organization that subscribes to the Platform under the PolicyArc Terms of Service.
- “Customer Data” means all data, content, and information submitted, uploaded, or otherwise provided by or on behalf of the Customer or its Authorized Users to the Platform.
- “Personal Information” means information about an identifiable individual, as defined under the Personal Information Protection and Electronic Documents Act (PIPEDA) and equivalent provincial privacy legislation. This includes any information that, alone or in combination with other information, can be used to identify an individual.
- “Privacy Officer” means the individual designated by IDENTOS to be responsible for IDENTOS’s compliance with applicable privacy legislation and this Privacy Policy.
3. Accountability
IDENTOS has designated a Privacy Officer who is accountable for IDENTOS’s compliance with applicable privacy legislation and this Privacy Policy. The Privacy Officer can be contacted at:
Privacy Officer, IDENTOS Inc.
317 Adelaide St. West, Suite 901
Toronto, Ontario M5V 1P9
Email: privacy@identos.ca
IDENTOS is accountable for Personal Information in its possession or custody, including Personal Information that has been transferred to a third party for processing. When we transfer Personal Information to third parties (sub-processors) for processing, we use contractual and other means to ensure that the Personal Information is protected to a comparable level, as required under PIPEDA Principle 4.1.3.
4. Information We Collect
4.1 Personal Information Collected Directly
We collect the following categories of Personal Information directly from Customers and Authorized Users:
| Category | Data Elements | Purpose | Legal Basis |
|---|---|---|---|
| Account Registration | Full name, email address, job title, organization name, phone number (optional) | Account creation, identity verification, communications | Consent (PIPEDA s. 6.1); Contractual necessity |
| Authentication Credentials | Username, hashed password (where IDENTOS hosts credentials), OIDC tokens, session identifiers | Secure access to the Platform | Contractual necessity; Security of processing |
| Billing Contact | Billing contact name, billing email address, billing address | Invoicing and payment processing | Contractual necessity |
| Communications | Email correspondence, support tickets, feedback submissions | Customer support, product improvement | Consent; Legitimate business interest |
4.2 Information Collected Automatically
When Authorized Users interact with the Platform, we automatically collect certain technical information:
| Category | Data Elements | Purpose | Retention Period |
|---|---|---|---|
| Access and Audit Logs | IP address, timestamps, actions performed, resources accessed, policy decisions rendered | Security monitoring, compliance auditing, troubleshooting | 24 months (or as required by law) |
| Device and Browser Data | Browser type and version, operating system, device type, screen resolution | Platform compatibility, user experience optimization | 12 months |
| Usage Analytics | Feature usage patterns, session duration, navigation paths (aggregated) | Product improvement, capacity planning | Aggregated/anonymized: indefinite |
4.3 Information We Do Not Collect
The Platform is not designed to collect, store, or process the following categories of information:
- Personal health information (as defined under applicable provincial health privacy legislation).
- Financial account numbers, credit card numbers, or banking information (payment information is processed directly by Stripe and is not stored on IDENTOS systems).
- Government-issued identification numbers (e.g., Social Insurance Numbers, driver’s licence numbers).
- Biometric data.
- Information relating to children under the age of majority in the applicable jurisdiction.
If IDENTOS becomes aware that it has inadvertently collected any of the above categories of information, it will take prompt steps to securely delete such information.
5. Purposes for Collection, Use, and Disclosure
5.1 Identified Purposes
We collect, use, and disclose Personal Information for the following purposes:
- Providing, operating, and maintaining the Platform and its core services.
- Authenticating users and managing access to the Customer’s Tenant.
- Processing subscription payments and managing billing (through Stripe).
- Providing technical support and responding to customer inquiries.
- Sending transactional communications, including account notifications, security alerts, and service updates.
- Sending commercial electronic messages regarding Platform features, updates, and related IDENTOS products (with consent, in compliance with CASL).
- Monitoring and improving the Platform’s performance, security, and user experience.
- Detecting, preventing, and addressing fraud, security incidents, and technical issues.
- Complying with applicable laws, regulations, and legal processes.
- Enforcing our Terms of Service and protecting our rights, property, and safety.
5.2 Limiting Collection
We limit our collection of Personal Information to that which is necessary for the identified purposes. We do not collect Personal Information indiscriminately, and we do not collect more information than is reasonably necessary to fulfill the purposes identified at or before the time of collection, as required under PIPEDA Principle 4.4.
5.3 Consent
We obtain meaningful consent for the collection, use, and disclosure of Personal Information. The form of consent (express or implied) depends on the sensitivity of the information and the reasonable expectations of the individual Authorized User or designated contact person, in accordance with PIPEDA Principle 4.3 and Quebec Law 25 requirements.
Where the Customer provides Personal Information of its Authorized Users to the Platform, the Customer represents and warrants that it has obtained all necessary consents from such individuals, or has another lawful basis, for the transfer of their Personal Information to IDENTOS for processing in connection with the Platform.
Authorized Users (individuals) may withdraw their consent at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawal of consent may affect the individual’s ability to use certain features of the Platform. To withdraw consent, please contact our Privacy Officer at privacy@identos.ca.
6. Disclosure of Personal Information
6.1 Circumstances of Disclosure
We may disclose Personal Information in the following circumstances:
- To sub-processors engaged by IDENTOS to assist in providing the Platform, subject to contractual obligations that provide a comparable level of protection (see Section 6.2).
- To the Customer, with respect to Personal Information of its Authorized Users, as necessary for the Customer to administer its Tenant.
- To comply with applicable laws, regulations, court orders, or governmental requests.
- To enforce our Terms of Service or protect IDENTOS’s rights, property, or safety.
- In connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of IDENTOS’s assets, provided the acquiring entity agrees to be bound by obligations no less protective than those in this Privacy Policy.
- With the individual’s express consent.
6.2 Sub-Processors
IDENTOS engages the following sub-processors to assist in providing the Platform:
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Billing contact name, billing email, payment method details | United States (PCI DSS compliant) |
| Microsoft Corporation (Azure) | Platform hosting, data storage, compute infrastructure (Azure Kubernetes Service, Azure Database for MySQL) | All Customer Data and Personal Information processed by the Platform | Canada (Canada Central / Canada East regions) |
IDENTOS will provide at least thirty (30) days’ prior written notice before adding or replacing a sub-processor that processes Personal Information. The updated sub-processor list will be maintained in this Privacy Policy and communicated to Customers via email. If a Customer objects to a new sub-processor, the Customer may terminate its subscription in accordance with the Terms of Service.
7. Cross-Border Transfers
Customer Data is stored and processed exclusively in Canada, hosted on Microsoft Azure infrastructure in Canadian data centre regions (Canada Central and Canada East). IDENTOS does not currently offer customer-selected deployment regions or bring-your-own-cloud deployment options. However, certain sub-processors (such as Stripe for payment processing) may process limited categories of Personal Information in other jurisdictions, including the United States.
When Personal Information is transferred outside of Canada, IDENTOS ensures that:
- The transfer is necessary for the identified purposes described in this Privacy Policy.
- The sub-processor is bound by contractual obligations that provide a comparable level of protection to that required under Canadian privacy legislation.
- Appropriate safeguards are in place to protect the Personal Information, including data processing agreements and, where applicable, Standard Contractual Clauses or equivalent mechanisms.
Customers should be aware that Personal Information transferred to or processed in other jurisdictions may be accessible to law enforcement and government authorities in those jurisdictions under their applicable laws. IDENTOS will notify Customers of any government access requests related to their data to the extent legally permitted.
As the Platform expands to serve customers in the United States and the European Union, IDENTOS will implement jurisdiction-specific transfer mechanisms as required, including GDPR-compliant Standard Contractual Clauses and supplementary measures where applicable.
8. Data Retention
8.1 Retention Schedule
We retain Personal Information only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The following retention periods apply:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account registration information | Duration of subscription + 30 days | Contractual necessity |
| Authentication credentials | Duration of subscription (deleted upon termination) | Security |
| Billing and payment records | 7 years from date of transaction | Tax and financial reporting obligations |
| Access and audit logs | 24 months minimum | PIPEDA breach record requirements; security |
| Customer Data (policy rules, configurations) | Duration of subscription + 30 days for export | Contractual necessity |
| Support correspondence | 3 years from resolution | Service improvement; dispute resolution |
| Security breach records | Minimum 24 months from date of determination | PIPEDA mandatory breach record-keeping (s. 10.3) |
8.2 Deletion and Anonymization
When Personal Information is no longer required for any identified purpose and is not subject to a legal retention requirement, IDENTOS will securely delete or irreversibly anonymize the information using industry-standard methods. Anonymized data that can no longer be linked to an identifiable individual may be retained indefinitely for analytics and product improvement purposes.
8.3 Post-Termination Data Handling
Upon termination or expiration of a Customer’s subscription, IDENTOS will retain Customer Data for thirty (30) days to allow for data export. After this period, Customer Data will be securely deleted or anonymized in accordance with the retention schedule above, except where longer retention is required by applicable law.
9. Security Safeguards
IDENTOS maintains administrative, technical, and physical security safeguards that are proportional to the sensitivity of the Personal Information we collect and process, as required under PIPEDA Principle 4.7. Our security program includes:
9.1 Technical Safeguards
- Encryption of Personal Information in transit using TLS 1.2 or higher.
- Encryption of Personal Information at rest using AES-256 or equivalent.
- Multi-factor authentication for administrative access to Platform infrastructure.
- Multi-tenant isolation through dedicated databases, isolated container orchestration, and row-level security.
- Regular vulnerability assessments and third-party penetration testing.
- Automated intrusion detection and monitoring systems.
- Secure software development lifecycle (SDLC) practices, including code review and dependency scanning.
9.2 Administrative Safeguards
- Privacy and security training for all IDENTOS employees and contractors.
- Access to Personal Information limited to employees and contractors who require it to perform their duties (principle of least privilege).
- Confidentiality agreements with all employees, contractors, and sub-processors.
- Regular review of access permissions and security policies.
- Documented incident response procedures.
9.3 Physical Safeguards
- Data centre security controls maintained by our cloud infrastructure provider, including access controls, surveillance, and environmental protections.
- Physical access restrictions at IDENTOS office locations.
10. Individual Rights
Under applicable Canadian privacy legislation, individuals have certain rights with respect to their Personal Information. IDENTOS supports the exercise of these rights as follows:
10.1 Right of Access
Individuals have the right to request access to their Personal Information held by IDENTOS. Upon receipt of a written request and verification of identity, IDENTOS will provide the requested information within thirty (30) days, or will notify the individual of any extension of time required to respond, as permitted under applicable law.
10.2 Right to Correction
Individuals have the right to request the correction of inaccurate or incomplete Personal Information. IDENTOS will make the requested corrections within thirty (30) days of receiving sufficient information to verify the correction, and will transmit the corrected information to any sub-processors to which the information has been disclosed.
10.3 Right to Deletion
Individuals may request the deletion of their Personal Information, subject to any legal or contractual retention requirements. Where deletion is not possible due to legal obligations, IDENTOS will de-identify or anonymize the information to the extent practicable. This right is provided in accordance with Quebec Law 25 requirements for the right to de-indexing and deletion.
10.4 Right to Data Portability
Individuals have the right to request a copy of their Personal Information in a structured, commonly used, and machine-readable format, as required under Quebec Law 25 (effective September 2024). IDENTOS will fulfill portability requests within thirty (30) days.
10.5 Right to Withdraw Consent
Individuals may withdraw their consent to the collection, use, or disclosure of their Personal Information at any time, subject to legal or contractual restrictions. Withdrawal of consent may affect the individual’s ability to access or use the Platform.
10.6 Right to Complain
Individuals who are not satisfied with IDENTOS’s response to a privacy request or who wish to raise a concern about IDENTOS’s privacy practices may file a complaint with:
- The Office of the Privacy Commissioner of Canada (OPC): www.priv.gc.ca
- The Commission d’accès à l’information du Québec (CAI): www.cai.gouv.qc.ca
- The Office of the Information and Privacy Commissioner for British Columbia (OIPC BC): www.oipc.bc.ca
- The Office of the Information and Privacy Commissioner of Alberta (OIPC AB): www.oipc.ab.ca
10.7 Exercising Your Rights
To exercise any of the rights described above, please contact our Privacy Officer at privacy@identos.ca. We may require verification of your identity before processing your request. There is no fee for submitting a request, unless the request is manifestly unfounded or excessive.
Note for Authorized Users: If you are an Authorized User of a Customer’s Tenant, certain privacy requests may need to be directed to your organization’s administrator (the Customer), as the Customer is the organization accountable for the Personal Information provided to the Platform. IDENTOS will assist Customers in fulfilling such requests upon request.
11. Breach Notification
11.1 Notification to Customers
In the event of a breach of security safeguards involving Personal Information (a “Privacy Breach”), IDENTOS will notify the affected Customer(s) as soon as feasible, and in any event within seventy-two (72) hours of becoming aware of the breach. The notification will include:
- A description of the nature and scope of the Privacy Breach.
- The categories and approximate number of individuals affected.
- A description of the Personal Information involved.
- An assessment of the risk of harm to affected individuals.
- A description of the measures taken or proposed to address the Privacy Breach, including measures to mitigate potential harm.
- Contact information for the Privacy Officer.
11.2 Notification to Regulatory Authorities
Where a Privacy Breach creates a real risk of significant harm to affected individuals, IDENTOS will report the breach to the applicable regulatory authorities, including:
- The Office of the Privacy Commissioner of Canada (OPC), as required under PIPEDA section 10.1.
- The Commission d’accès à l’information du Québec (CAI), as required under Quebec Law 25.
- The Office of the Information and Privacy Commissioner for British Columbia (OIPC BC), as applicable under BC PIPA.
- Any other applicable regulatory authority in the jurisdiction of the affected individuals.
11.3 Notification to Affected Individuals
Where a Privacy Breach creates a real risk of significant harm to affected individuals, IDENTOS will, in coordination with the affected Customer, notify the affected individuals as soon as feasible. The notification will be provided directly to the individuals unless direct notification is not feasible, in which case indirect notification (such as a public announcement) will be provided.
11.4 Breach Record-Keeping
IDENTOS maintains a record of all Privacy Breaches, including breaches that do not meet the threshold for notification. These records are retained for a minimum of twenty-four (24) months from the date the breach was determined to have occurred, as required under PIPEDA section 10.3.
12. Privacy Impact Assessments
IDENTOS conducts Privacy Impact Assessments (PIAs) in accordance with Quebec Law 25 requirements before implementing new technologies, products, or services that involve the collection, use, or disclosure of Personal Information, or before making significant changes to existing processing activities.
A PIA was conducted for the PolicyArc platform prior to its initial deployment. PIAs are reviewed and updated on an ongoing basis as the Platform evolves, and in response to material changes in data processing activities, regulatory requirements, or risk profiles.
13. Anti-Spam Compliance (CASL)
IDENTOS complies with Canada’s Anti-Spam Legislation (CASL), S.C. 2010, c. 23, in all commercial electronic messages. Our compliance includes:
- Obtaining express or implied consent before sending commercial electronic messages, as applicable.
- Clearly identifying IDENTOS as the sender of all commercial electronic messages.
- Including a valid physical mailing address and contact information in all commercial electronic messages.
- Providing a clear, prominently displayed, and functional unsubscribe mechanism in every commercial electronic message.
- Processing unsubscribe requests within ten (10) business days of receipt.
Transactional messages (such as account notifications, security alerts, and service updates directly related to the Customer’s use of the Platform) are not subject to CASL consent requirements but will still include sender identification and contact information.
14. Cookies and Tracking Technologies
The Platform uses cookies and similar technologies for the following purposes:
- Essential cookies: Required for the Platform to function, including session management, authentication state, and security tokens. These cookies are strictly necessary and cannot be disabled.
- Analytics cookies: Used to collect aggregated usage data to improve the Platform. These cookies are enabled only with the user’s consent, where required by applicable law.
The Platform does not use third-party advertising cookies or cross-site tracking technologies.
Users may manage their cookie preferences through their browser settings. Disabling essential cookies may impair the functionality of the Platform.
15. Applicable Privacy Legislation
This Privacy Policy has been designed to comply with the following Canadian privacy legislation. Where differences exist between jurisdictions, IDENTOS applies the most restrictive standard:
| Legislation | Full Citation | Applicability |
|---|---|---|
| PIPEDA | Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 | Federal; all Canadian operations |
| Quebec Law 25 | An Act to modernize legislative provisions as regards the protection of personal information, amending Act respecting the protection of personal information in the private sector, CQLR, c. P-39.1 | Quebec customers; compliance baseline |
| BC PIPA | Personal Information Protection Act, S.B.C. 2003, c. 63 | British Columbia customers |
| Alberta PIPA | Personal Information Protection Act, S.A. 2003, c. P-6.5 | Alberta customers |
| CASL | Canada’s Anti-Spam Legislation, S.C. 2010, c. 23 | All electronic communications |
As the Platform expands to additional jurisdictions, this Privacy Policy will be updated to address applicable laws, including the California Consumer Privacy Act (CCPA/CPRA) for US customers and the General Data Protection Regulation (GDPR) for EU customers.
16. Changes to This Privacy Policy
IDENTOS may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable law. When we make material changes, we will:
- Provide at least thirty (30) days’ prior written notice to Customers via email to their registered contact address.
- Post the updated Privacy Policy on the Platform with a revised effective date.
- Clearly identify the changes made in a summary of revisions.
Material changes include any modification to the categories of Personal Information collected, the purposes for processing, sub-processor arrangements, cross-border transfer practices, or individual rights provisions.
Continued use of the Platform after the effective date of an updated Privacy Policy constitutes acceptance of the changes. If a Customer does not agree to the updated Privacy Policy, the Customer may terminate its subscription in accordance with the Terms of Service.
17. Contact Information
For questions, concerns, or requests regarding this Privacy Policy or IDENTOS’s privacy practices, please contact:
Privacy Officer
IDENTOS Inc.
317 Adelaide St. West, Suite 901
Toronto, Ontario M5V 1P9
Canada
Email: privacy@identos.ca
For general inquiries about the Platform, reach us at support.policyarc@identos.ca or through identos.ca/contact.
For security concerns or to report a suspected security incident:
Email: security@identos.ca