Privacy Policy
PIPEDA-Compliant Data Stewardship
Company: VisaNauta Technologies
Jurisdiction: Ontario, Canada
Applicable Law: PIPEDA, S.C. 2000, c. 5
Applies To: All users of visanauta.com and visanauta.ca
Effective Date: March 3, 2026
Last Updated: March 3, 2026
Document ID: COMP-04 v2.0
Your Trust, Our Commitment
This Privacy Policy explains how VisaNauta Technologies collects, uses, discloses, and protects your personal information in compliance with PIPEDA. We are committed to transparency and safeguarding your data throughout every interaction with our platform. Before accessing or using the Platform, please ensure that you have read and understood this policy. By accessing or using the Platform, you are accepting and consenting to the practices described herein.
1. DEFINITIONS
In this Privacy Policy, the following defined terms apply:
“Personal Information” means information about an identifiable individual, as defined by PIPEDA, including but not limited to name, email address, phone number, IP address, and any data that can directly or indirectly identify you.
“Aggregate Data” means information collected about a group or category of services or users from which individual identities have been removed. Aggregate Data is not Personal Information.
“Client” means an individual who uses the Platform to find, connect with, and engage an RCIC for immigration consulting services.
“Content” means any information, documents, files, messages, or materials uploaded, posted, or transmitted through the Platform by any user.
“Platform” means the VisaNauta website (visanauta.com and visanauta.ca), and all associated software, tools, features, and services operated by VisaNauta Technologies.
“Privacy Officer” means the individual(s) designated by VisaNauta Technologies as responsible for compliance with PIPEDA and this policy.
“RCIC” means a Regulated Canadian Immigration Consultant licensed by the College of Immigration and Citizenship Consultants (CICC).
“Services” means all features and functionality provided through the Platform, including consultant discovery, booking, secure messaging, document exchange, and workspace tools.
“Third-Party Services” means products, services, or content provided by third parties integrated with or accessible through the Platform, including Stripe (payment processing) and Wasabi (cloud storage).
“Usage Data” means anonymized, aggregated data generated from use of the Platform, such as technical logs, usage patterns, and feature interaction metrics, which does not personally identify any individual.
2. ACCOUNTABILITY (PIPEDA PRINCIPLE 1)
2.1 VisaNauta Technologies (“we,” “us,” “our”) is fully accountable for all Personal Information under our control, including information transferred to third-party service providers for processing on our behalf. We ensure that our service providers maintain equivalent safeguards through binding Data Processing Agreements (DPAs).
2.2 We have designated a Privacy Officer who is responsible for ensuring compliance with PIPEDA, administering this policy, receiving and responding to privacy-related inquiries and complaints, and ensuring staff training on privacy obligations.
Privacy Officer Contact
Email: support@visanauta.com
Address: Brampton, Ontario, Canada
Hours: 9:00 AM – 5:00 PM EST, Monday to Friday
3. IDENTIFYING PURPOSES (PRINCIPLE 2)
3.1 We collect Personal Information strictly for the following identified and documented purposes:
- Connecting Clients with licensed RCICs through our marketplace platform
- Facilitating secure messaging and encrypted document exchange between Clients and RCICs
- Processing bookings and payments through our integrated payment system (Stripe Connect)
- Verifying RCIC licensing status with the CICC
- Providing platform support, customer service, and service quality improvements
- Maintaining platform security, preventing fraud, and ensuring system integrity
- Conducting anonymized usage analytics to improve Platform features and performance
- Sending transactional communications (booking confirmations, security alerts, archival reminders)
- Sending marketing communications (only with express opt-in consent)
- Meeting legal and regulatory obligations under PIPEDA, CICC By-Laws, CRA requirements, and applicable Canadian law
3.2 We identify the purposes for which Personal Information is collected at or before the time of collection. We will not use or disclose your information for purposes other than those for which it was collected, except with your further consent or as required or permitted by law.
4. CONSENT (PRINCIPLE 3)
4.1 We obtain meaningful consent for the collection, use, and disclosure of Personal Information. The form of consent varies depending on the sensitivity of the information and the reasonable expectations of the individual.
4.1 Express Consent (Required)
- Account Registration: During sign-up, users must actively acknowledge: "I consent to VisaNauta storing my personal information in Canadian data centres for platform operations."
- Document Upload: Before each document upload, users must confirm: "I consent to storing this document in VisaNauta's Secure Workspace for the designated retention period."
- Payment Processing: Explicit authorization is obtained before processing any payment via Stripe Connect.
- Marketing Communications: Opt-in consent is required for promotional or marketing communications. You may opt out at any time via the unsubscribe link in any marketing email or by updating preferences in Account Settings.
4.2 Implied Consent (Limited)
- Strictly necessary cookies required for session management and platform functionality (no opt-out available)
- Transactional service emails, including booking confirmations, security alerts, archival reminders, and account notifications
4.3 Withdrawal of Consent
4.3.1 You may withdraw your consent at any time by contacting support@visanauta.com or by deleting your account through Account Settings. Withdrawal of consent may limit your ability to use certain Platform features or may result in the termination of services, in accordance with our Terms of Service.
4.3.2 Withdrawal of consent does not affect the lawfulness of processing based on consent obtained before withdrawal, and does not affect our right to retain certain information where required by law (e.g., audit logs retained for 7 years).
5. LIMITING COLLECTION (PRINCIPLE 4)
5.1 We limit the collection of Personal Information to that which is necessary for the identified purposes. Information is collected by fair and lawful means.
5.2 If you choose not to provide certain Personal Information, we may not be able to provide the Platform Services to you or respond to your requests.
5.3 Information You Provide Directly
| User Type | Information Collected | Purpose |
|---|---|---|
| Clients | Full name, email address, phone number, case documents, secure messages | Connect with RCIC, case management, service delivery |
| RCICs | Full name, CICC license number, email, firm details, professional documents, messages, billing information | License verification, service delivery, compliance, subscription management |
| All Users | Account credentials (hashed password), profile information, communication preferences | Account authentication, personalization, service delivery |
5.4 Information Collected Automatically
| Category | Details | Purpose |
|---|---|---|
| Device and Usage Data | IP address, browser type, device type, operating system, referring pages, time spent on pages, clickstream data | Platform security, performance optimization, analytics |
| Session Data | Login timestamps, session duration, feature interaction logs | Security monitoring, fraud prevention, service improvement |
| Cookies and Similar Technologies | Session cookies, authentication tokens (see Section 12 for full Cookie Policy) | Session management, authentication, analytics |
5.5 Information We Receive from Third Parties
5.5.1 We may receive Personal Information from RCICs when they designate you as a client on the Platform. We may also receive limited information from Stripe in connection with payment processing (e.g., payment confirmation, card last-four digits).
5.5.2 We do not purchase or obtain Personal Information from data brokers, advertising networks, or social media platforms.
5.6 Information We Do NOT Collect
- Biometric data (fingerprints, facial recognition, voice prints)
- Social Insurance Numbers (SIN) or government-issued identification numbers
- Health or medical records (unless voluntarily uploaded by a Client specifically for their immigration case)
- Precise geolocation tracking beyond IP address-based approximate location
- Financial information beyond what is processed through Stripe Connect (we never store full credit card numbers or CVV codes)
- Information from children under the age of 16 (see Section 14)
6. LIMITING USE, DISCLOSURE AND RETENTION (PRINCIPLE 5)
6.1 Personal Information is used and disclosed only for the purposes for which it was collected, and is retained only as long as necessary to fulfill those purposes or as required by law.
6.2 Retention Schedule
| Data Category | Retention Period | Deletion Method |
|---|---|---|
| Case documents | 30 days (Essentials) / 180 days (Professional/Enterprise) | Automated deletion via Wasabi lifecycle policies |
| Audit and access logs | 7 years | Immutable storage (AWS Glacier Deep Archive) |
| Account profile data | Until account deletion + 30 days grace period | Secure cryptographic wipe |
| Payment and transaction records | 7 years (CRA legal requirement) | Encrypted archival storage |
| Secure messages | Coterminous with case document retention | Automated deletion with associated case |
| Marketing consent records | Duration of account + 3 years | Secure deletion |
| Cookie data | Session cookies: deleted on browser close; Analytics: up to 13 months | Automated expiry |
6.2.1 To determine appropriate retention periods, we consider the amount, nature, and sensitivity of the Personal Information, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the information, and applicable legal requirements.
6.3 Disclosure to Third Parties
6.3.1 We disclose Personal Information only in the following circumstances:
- To RCICs: Client information is shared with the selected RCIC only after a booking is confirmed, strictly to facilitate the immigration consulting service.
- To Stripe (Payment Processor): Payment details are processed via Stripe Connect, where the RCIC acts as the merchant of record. VisaNauta does not store credit card numbers or CVV codes.
- To Wasabi Cloud Storage: Documents are stored in Wasabi's Toronto data centre (ca-tor-1) under a strict Data Processing Agreement (DPA).
- To Service Providers: We engage a limited number of service providers (e.g., email delivery, analytics) who process Personal Information on our behalf under binding DPAs and only as necessary to provide services to us.
- Legal Requirements: We may disclose information pursuant to a court order, subpoena, or investigation by the Office of the Privacy Commissioner (OPC), law enforcement, or other government authority. We will notify affected individuals where permitted by law.
- Business Transactions: Personal Information may be disclosed in connection with a merger, acquisition, reorganization, or sale of assets. We will notify affected users by email and/or prominent notice on the Platform of any change in ownership that impacts the use of Personal Information.
6.3.2 We never sell, rent, or trade Personal Information to advertisers, data brokers, or any third party for marketing purposes. VisaNauta has not sold Personal Information in the 12 months preceding the effective date of this policy.
6.4 Subprocessors
6.4.1 We maintain a list of authorized subprocessors who process Personal Information on our behalf. Current subprocessors include:
| Subprocessor | Service | Data Location | Safeguards |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Canada / US (PCI DSS compliant) | DPA, PCI DSS Level 1 |
| Wasabi Technologies | Document storage | Toronto, Canada (ca-tor-1) | DPA, SOC 2 Type II, AES-256 |
| Amazon Web Services (AWS) | Infrastructure, audit log archival | Canada Central region | DPA, SOC 2, ISO 27001 |
| Email Provider (Resend) | Transactional email delivery | US (TLS encrypted) | DPA, TLS encryption |
6.4.2 All subprocessors are bound by DPAs containing PIPEDA-aligned data protection clauses. We conduct due diligence on subprocessors before engagement and periodically review their compliance.
6.4.3 We will provide 30 days' advance notice before adding a new subprocessor that processes Personal Information, posted at visanauta.ca/subprocessors.
Cross-Border Data Notice
Wasabi, Inc. and Stripe, Inc. are United States-based companies. While your data resides physically in Toronto, Canada (ca-tor-1 region for Wasabi), these companies may be subject to US laws, including the CLOUD Act and Patriot Act. By using VisaNauta, you expressly consent to this arrangement. We have verified that all subprocessors maintain appropriate certifications (SOC 2 Type II, PCI DSS) and that data is subject to Canadian data residency controls and AES-256 encryption at rest.
6.6 Anonymization and Aggregation
6.6.1 We may anonymize and aggregate Personal Information so that it does not identify any individual. We may use Aggregate Data for Platform improvement, analytics, research, testing, and developing new features. We may share Aggregate Data with third parties for lawful business purposes, provided that Aggregate Data never identifies you or any individual.
6.6.2 Once Personal Information has been anonymized, it is no longer considered Personal Information under PIPEDA and is not subject to the restrictions of this policy.
7. ACCURACY (PRINCIPLE 6)
7.1 We take reasonable steps to ensure that Personal Information is accurate, complete, and up-to-date as necessary for the purposes for which it is used.
- Users may update their profile information at any time through Account Settings.
- RCICs are required to maintain current CICC license status; we conduct quarterly verification checks against the CICC public register.
- Inaccuracies may be reported to support@visanauta.com and will be corrected within 30 calendar days.
- User-uploaded documents reflect the content provided by the user; VisaNauta does not modify, alter, or verify the contents of uploaded files.
- If Personal Information is disclosed to a third party (e.g., an RCIC) and is subsequently corrected, we will make reasonable efforts to notify the third party of the correction where appropriate.
8. SAFEGUARDS (PRINCIPLE 7)
8.1 We protect Personal Information with security safeguards appropriate to the sensitivity of the information, guarding against loss, theft, unauthorized access, disclosure, copying, use, or modification.
8.2 Technical Safeguards
| Security Layer | Implementation Details |
|---|---|
| Data Storage | Wasabi Toronto (ca-tor-1) with AES-256 encryption at rest; all data physically in Canada |
| Data in Transit | TLS 1.3+ encryption enforced for all data transfers |
| Password Protection | All passwords hashed using bcrypt with per-user salts; plaintext passwords are never stored or logged |
| Access Control | Role-Based Access Control (RBAC) with least-privilege principle; MFA mandatory for all RCIC accounts |
| Network Security | AWS Canada Central firewalls, VPC isolation, DDoS protection, WAF |
| Audit Trail | Immutable, tamper-proof logs of all data access, download, and modification events |
| Application Security | Regular penetration testing, vulnerability scanning, SSDLC practices, dependency monitoring |
| Server Monitoring | 24/7 infrastructure monitoring, intrusion detection, and automated alerting |
8.3 Organizational Safeguards
- All employees and contractors are bound by confidentiality agreements covering Personal Information handling.
- Annual PIPEDA compliance training is mandatory for all staff with access to Personal Information.
- Strict "need-to-know" access policies limit Personal Information access to authorized personnel only.
- DPAs are in place with all third-party vendors (Wasabi, Stripe, AWS) containing PIPEDA-aligned data protection clauses.
- Documented incident response procedures are tested regularly to ensure timely breach notification.
- Access to Personal Information is logged and auditable; access logs are reviewed periodically.
8.4 Security Breach Notification
8.4.1 In the event of a breach of security safeguards involving Personal Information that creates a real risk of significant harm to individuals, VisaNauta will:
(a) Report the breach to the Office of the Privacy Commissioner of Canada as soon as feasible after determining the breach has occurred, as required by PIPEDA's mandatory breach notification provisions;
(b) Notify affected individuals as soon as feasible, and in any event within 72 hours of confirming the breach, providing all relevant details including the nature of the breach, the types of Personal Information involved, steps we are taking to mitigate harm, and actions individuals can take to protect themselves;
(c) Maintain a record of every breach of security safeguards for a minimum of 24 months, as required by PIPEDA.
8.4.2 VisaNauta will cooperate with affected individuals to identify affected Content, investigate the breach, and use commercially reasonable efforts to mitigate harmful effects and prevent recurrence.
While we take all reasonable precautions, no transmission of information via the internet is completely secure, and we cannot guarantee absolute security. Any transmission of Personal Information is at your own risk.
9. OPENNESS (PRINCIPLE 8)
9.1 We are committed to making our privacy practices readily available and easy to understand.
- This Privacy Policy is published at visanauta.ca/privacy and linked prominently in the website footer and all registration workflows.
- This policy is available in English, with a French translation available upon request.
- Material changes to this policy will be communicated with a minimum of 30 days' advance notice via email notification and Platform posting.
- A plain-language summary of our privacy practices is provided during the account registration process.
- A current list of authorized subprocessors is maintained at visanauta.ca/subprocessors.
- Information about our security practices is available upon reasonable request.
10. INDIVIDUAL ACCESS (PRINCIPLE 9)
10.1 You have the right to access the Personal Information we hold about you, to challenge its accuracy, and to request corrections where appropriate. In accordance with PIPEDA and applicable privacy law, you have the following specific rights:
10.1 Your Privacy Rights
- Right of Access: The right to obtain access to your Personal Information and to receive that information in a commonly used format.
- Right to Rectification: The right to have inaccurate or incomplete Personal Information corrected without undue delay.
- Right to Erasure: The right to request deletion of your Personal Information where it is no longer necessary for the purposes for which it was collected, subject to our legal retention obligations (e.g., 7-year audit log retention).
- Right to Withdraw Consent: The right to withdraw consent at any time, as described in Section 4.3.
- Right to Non-Discrimination: The right to not be denied services, charged different prices, or receive different quality of service for exercising your privacy rights.
- Right to Complaint: The right to file a complaint with the OPC if you believe your privacy rights have been violated (see Section 11).
10.2 How to Submit an Access Request
Email: support@visanauta.com
Subject Line: “PIPEDA Access Request – [Your Full Name]”
Please include:
- Your full name and the email address associated with your VisaNauta account
- A specific description of the information requested (e.g., "All documents from Case #123")
- A copy of government-issued photo identification for identity verification
10.2.1 We may request identity verification before processing any access request. We will not process requests that cannot be verified.
10.3 Response Timeline
- Acknowledgement: Within 3 business days of receipt.
- Full Response: Within 30 calendar days, as required by PIPEDA.
- Complex Requests: If additional time is needed, we will notify you of the extension and reasons, with a maximum total processing time of 60 calendar days.
10.3.1 A minimal fee may be charged for excessive or repetitive requests, in accordance with PIPEDA guidelines. Any applicable fees will be communicated before processing.
10.3.2 In certain circumstances permitted by law, we may not disclose certain information. For example, we may not disclose information where other individuals are referenced, where there are legal or security restrictions, or where disclosure would reveal confidential commercial information. We will explain the reasons for any refusal.
10.4 Account Data Access
10.4.1 You may access, correct, or update most of your Personal Information directly by logging into your VisaNauta account via Account Settings. You may also download your Content through the Platform's export functionality.
11. CHALLENGING COMPLIANCE (PRINCIPLE 10)
11.1 If you believe VisaNauta has not handled your Personal Information in compliance with PIPEDA, you have the right to challenge our compliance.
11.1 Internal Complaint Process
11.1.1 As a first step, contact our Privacy Officer at support@visanauta.com. We will acknowledge your complaint within 5 business days and provide a substantive response within 30 calendar days. All complaints are investigated promptly, and documented resolutions are maintained for at least 24 months.
11.2 External Complaint Process
If your complaint is not resolved to your satisfaction through our internal process, you may file a complaint with:
Office of the Privacy Commissioner of Canada
Website: www.priv.gc.ca
Phone: 1-800-282-1376
Address: 30 Victoria Street, Gatineau, QC K1A 1H3
12. COOKIES AND SIMILAR TECHNOLOGIES
12.1 The Platform uses cookies and similar technologies (collectively “cookies”) to distinguish you from other users, maintain your session, and improve your experience. This section describes what cookies we use and how you can manage them.
12.2 Types of Cookies We Use
| Cookie Type | Purpose | Opt-Out Available |
|---|---|---|
| Strictly Necessary | Required for core Platform functionality: authentication, session management, security, CSRF protection. The Platform cannot function without these. | No |
| Functional | Remember your preferences (language, region, display settings) when you return to the Platform. | Yes |
| Analytical / Performance | Help us understand how the Platform is used by counting visitors, identifying popular features, and measuring page load times. All data is anonymized. | Yes |
VisaNauta does NOT use targeting or advertising cookies. We do not serve third-party advertisements on the Platform, and we do not use cookies to track you across other websites.
12.3 Managing Cookies
12.3.1 You can manage non-essential cookies through the cookie preferences banner displayed when you first visit the Platform, or through your browser settings at any time. If you disable strictly necessary cookies, you may not be able to access the Platform.
12.3.2 Browser-specific cookie management instructions are available at:
- Chrome: support.google.com/chrome/answer/95647
- Firefox: support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer
- Safari: support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471
- Microsoft Edge: support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge
12.4 Do Not Track
12.4.1 Some browsers offer a “Do Not Track” (DNT) signal. As there is currently no industry standard for recognizing or honoring DNT signals, the Platform does not currently respond to DNT signals. If a standard is established in the future, we will reassess this practice.
13. RCIC OBLIGATIONS REGARDING CLIENT DATA
13.1 RCICs who use the Platform to store, process, or transmit Client Personal Information acknowledge and agree that:
(a) They have obtained all necessary consents from their Clients to upload and process Client data on the Platform, in accordance with PIPEDA, CICC By-Laws, and the Code of Professional Conduct;
(b) They are independently responsible for PIPEDA compliance in their handling of Client data obtained through or processed on the Platform;
(c) They will provide all necessary privacy notices to their Clients regarding the use of the Platform;
(d) They will comply with their professional confidentiality obligations under the CICC Code of Professional Conduct;
(e) They will not use Client data obtained through the Platform for any purpose other than the contracted immigration consulting service.
13.2 VisaNauta acts as a processor of Client data on behalf of the RCIC (the controller). We process Client data only as directed by the RCIC and in accordance with this Privacy Policy and our DPA.
14. CHILDREN'S PRIVACY
14.1 The Platform is not directed at persons under the age of 16, and we do not knowingly collect Personal Information from children under 16. If you become aware that a child under 16 has provided us with Personal Information without appropriate parental or guardian consent, please contact us at support@visanauta.com so that we can take appropriate steps to delete such information.
14.2 If we discover that we have inadvertently collected Personal Information from a child under 16 without verified parental consent, we will delete that information as soon as reasonably possible.
15. THIRD-PARTY LINKS AND SERVICES
15.1 The Platform may contain links to third-party websites or services that are not owned or controlled by VisaNauta. These links are provided for your convenience only. We do not accept responsibility or liability for the privacy practices of third-party websites. Please review the privacy policies of any third-party sites before submitting Personal Information.
15.2 Third-Party Services integrated with the Platform (such as Stripe for payment processing) are subject to their own privacy policies and terms. By using such Third-Party Services through the Platform, you acknowledge that those third parties' privacy practices govern their use of your data.
15.3 The Platform may include social media features (e.g., share buttons, links to social media profiles). Interactions with these features are governed by the privacy policies of the respective social media companies, not this policy.
16. TESTIMONIALS AND REVIEWS
16.1 With your express consent, we may display testimonials, reviews, or endorsements on the Platform or our marketing materials. If you wish to update or delete your testimonial or review, contact support@visanauta.com.
16.2 Reviews posted on the Platform may include your first name, location (city), and the content of your review. Information posted in public reviews is visible to other users and may be indexed by search engines.
17. LEGAL COMPLIANCE AND LAW ENFORCEMENT
17.1 VisaNauta's primary duty is to protect Personal Information to the extent the law allows. We may disclose Personal Information where required and permitted by law, including in response to a court order, subpoena, warrant, regulatory investigation, or lawful request by a government authority (including the OPC, CICC, RCMP, or CBSA).
17.2 Where VisaNauta is required by law to disclose Personal Information, we will provide you with prompt written notice (to the extent permitted by law) prior to such disclosure so that you may seek a protective order or other appropriate relief. We will disclose only the portion of Personal Information legally required.
17.3 We will only accept legal requests for production of Personal Information or Content through formal legal process directed to support@visanauta.com.
18. POLICY UPDATES
18.1 We may update this Privacy Policy from time to time to reflect changes in legal requirements, technology, or our business practices. When material changes are made:
- The revised policy will be posted at visanauta.ca/privacy with an updated "Last Updated" date.
- Active users will receive an email notification describing the nature of the changes at least 30 days before the changes take effect.
- Users will be required to re-accept the updated policy during their next login session.
18.2 Non-material changes (such as typographical corrections, clarifications, or formatting updates) may be made without advance notice.
18.3 Your continued use of the Platform after the effective date of any updated policy constitutes your acceptance of the revised Privacy Policy. If you do not agree with any changes, you must discontinue use of the Platform and delete your account.
19. CONTACT INFORMATION
If you have any questions, comments, concerns, or requests regarding this Privacy Policy or our handling of your Personal Information:
VisaNauta Technologies
General Support: support@visanauta.com
Location: Brampton, Ontario, Canada
This Privacy Policy complies with the Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5, and aligns with the guidelines published by the Office of the Privacy Commissioner of Canada (OPC).
© 2026 VisaNauta Technologies. All rights reserved.