Privacy Governance
This page describes, in simple and clear terms, the governance policies and practices that PeasyBooking Technologies Inc. (“PeasyBooking”, “we”) applies to the personal information in its keeping. We publish it as part of our accountability obligations under Canadian privacy law, including Quebec’s Law 25. It summarizes — and does not replace — our Privacy Policy. Where a business uses PeasyBooking to manage its own clients and patients, we handle that information on the business’s behalf under our Data Processing Agreement.
Who is responsible
Our Privacy Officer is the person in charge of the protection of personal information at PeasyBooking (for Quebec’s Law 25, the “person in charge of the protection of personal information”). The Privacy Officer oversees this framework, approves how long each category of data is kept, and handles privacy questions, requests, and complaints. You can reach the Privacy Officer at:
PeasyBooking Technologies Inc.
Attn: Privacy Officer
150 Evergreen Mount SW, Calgary, AB T2Y 0L8, Canada
info@peasybooking.com
How long we keep personal information, and how it is destroyed
We keep personal information only as long as it is needed for the purposes it was collected for, or as the law requires, and then we destroy it. Each category of data has a defined retention period and a defined destruction process; when a retention period ends, the data is deleted from our active systems, and encrypted backups age out on a rolling schedule. Deletion may be paused in limited circumstances, such as a legal hold. The full framework — category by category — is set out in our Data Retention Schedule.
Who can access personal information, and how that is controlled
Responsibilities are assigned across the whole life cycle of personal information — collection, use, disclosure, retention, and destruction:
- Least-privilege access. Personnel can access personal information only when their role requires it, through role-based access controls, and they are bound by confidentiality obligations.
- Audit logging. Access to personal information and administrative actions are logged, so that access can be reviewed.
- Safeguards. Personal information is encrypted in transit and at rest, and sensitive client records are stored in an encrypted records vault, as described in our Privacy Policy.
- Service providers. We share personal information only with the vetted service providers listed in our Privacy Policy and Data Processing Agreement, under contracts that limit what they may do with it.
- Oversight. The Privacy Officer oversees these practices and is consulted on new features and projects that involve personal information.
Complaints: how to raise a concern, and what happens next
If you have a question, concern, or complaint about how we handle personal information, contact the Privacy Officer using the details above. We will acknowledge your complaint, look into it, and respond within the timeframes the law requires — within 30 days for matters under Quebec’s private-sector privacy law, generally within 45 days for access and correction requests under Alberta’s PIPA, and within the timeframes PIPEDA imposes for requests it governs.
If you are not satisfied with our response, you may escalate your complaint to the privacy regulator for your jurisdiction: the Commission d’accès à l’information du Québec (CAI) for Quebec, the Office of the Privacy Commissioner of Canada (OPC) for matters under PIPEDA, or your provincial Information and Privacy Commissioner (OIPC) — for example, the Office of the Information and Privacy Commissioner of Alberta.