SEO-Safeharbour is committed to strong data governance, privacy by design, and compliance with Canadian privacy laws, including PIPEDA and Quebec Law 25.
SEO-Safeharbour operates under a “Privacy by Design” framework. Because we facilitate care for children, seniors, and vulnerable persons, we apply security standards typically reserved for financial or medical institutions.
This Master Privacy & Data Governance Policy (Document ID: GRC-PP-2025-003, Version 1.0) explains how we collect, use, protect, and retain personal information in a lawful, transparent, and secure manner.
We are committed to minimizing data collection, protecting personal information throughout its lifecycle, and ensuring accountability across all privacy-related processes. Privacy considerations are embedded into system design, vendor selection, and operational decision-making.
We collect only what is strictly necessary to fulfill the SEO-Safeharbour “TrustedCare” promise and to meet legal and regulatory obligations.
| User Type | Data Categories Collected | Legal Basis (Canada) |
|---|---|---|
| Clients (Families) | Name, physical address, care requirements (health or age-related), emergency contacts, and payment tokens. | Contractual necessity and consent. |
| Providers (Workers) | Government-issued identification, Social Insurance Number (for tax purposes), criminal record results, vulnerable sector screening, professional certifications, and optional geo-location data. | Legal obligation and explicit consent. |
| All Users | IP address, device identifiers, and in-platform communication logs. | Legitimate interest (fraud prevention and platform security). |
Background checks are conducted in compliance with Office of the Privacy Commissioner (OPC) guidelines.
Explicit Consent: Separate written or digital consent is obtained before initiating any background check via approved third-party partners (e.g., Sterling or Checkr).
Minimal Disclosure: Clients are shown only a “Verified” or “Cleared” status. Full criminal records are never disclosed.
Accuracy: Providers have the right to challenge and correct inaccuracies directly with the reporting agency.
We prioritize Canadian data residency wherever possible.
Where third-party services (such as AWS or Stripe) process data outside Canada, including in the United States, we ensure substantially similar protection through Standard Contractual Clauses (SCCs) and documented Privacy Impact Assessments (PIAs), in accordance with Quebec Law 25.
We do not retain personal information indefinitely.
Active Accounts: Data is retained for as long as the account remains active.
Inactive Accounts: Profiles are anonymized after 24 months of inactivity.
Deletion Requests: Upon verified request, personal information is deleted within 30 days unless retention is required by law, such as CRA financial record obligations (up to 7 years).
Technical Safeguards: AES-256 encryption at rest and TLS 1.3 encryption in transit.
Organizational Safeguards: Access is strictly limited to personnel with a legitimate need to know. Staff cannot access sensitive health notes unless required for a safety investigation.
Breach Notification: In the event of a Real Risk of Significant Harm (RROSH), affected individuals and the Privacy Commissioner will be notified within 72 hours, as required by PIPEDA and Quebec Law 25.
You have the right to access your personal information in a machine-readable format, request corrections, and withdraw consent at any time.
Quebec residents may also request de-indexing, which removes profiles from internal search results.
Our designated Privacy Officer oversees compliance with this policy.
Attn: Privacy Officer