PIPEDA Compliance
About This Document
Flowtriq is a brand of traztech, a Canadian company. As a Canadian organisation collecting and using personal information in the course of commercial activities, Flowtriq is directly subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA also applies to Flowtriq's handling of personal information about individuals in Canadian provinces that do not have substantially similar provincial privacy legislation. Alberta, British Columbia, and Quebec have their own provincial laws (PIPA, PIPA, Law 25 respectively); Flowtriq complies with those laws where they apply.
PIPEDA is built around ten fair information principles from the Canadian Standards Association Model Code for the Protection of Personal Information (CAN/CSA-Q830-96). This document maps each principle to Flowtriq's practices.
The 10 Fair Information Principles
| # | Principle | Flowtriq Practice | Status |
|---|---|---|---|
| 1 | Accountability | traztech is responsible for personal information under its control. Privacy inquiries are handled by the designated privacy contact: [email protected]. Sub-processors (Stripe, SendGrid, Cloudflare, etc.) are contractually bound to protect personal information transferred to them. | |
| 2 | Identifying Purposes | Purposes for collecting personal information are identified at or before the time of collection. Account registration collects email and name for service delivery and communication. Billing data is collected for payment processing. Server metrics are collected for DDoS detection and alerting on behalf of the customer. Purposes are disclosed in the Privacy Policy. | |
| 3 | Consent | Meaningful consent is obtained for the collection, use, or disclosure of personal information. Account creation constitutes consent for service delivery purposes. Marketing communications require separate opt-in. Website visitors may consent to analytics and tracking through the tools available on the platform. | |
| 4 | Limiting Collection | Personal information is collected only to the extent necessary to fulfill identified purposes. ftagent collects aggregate network statistics rather than individual connection records or payload data. User data fields are limited to what is required for account management and billing. | |
| 5 | Limiting Use, Disclosure, and Retention | Personal information is used and disclosed only for the purposes for which it was collected. Data is not sold or shared with third parties for their own marketing. Information is retained only as long as necessary for identified purposes. See the retention schedule on the Data Flow page. | Implemented |
| 6 | Accuracy | Personal information is as accurate, complete, and up-to-date as necessary. Users can update their account information (name, email, password) directly in the dashboard. Inaccurate information can be corrected by contacting [email protected]. | Implemented |
| 7 | Safeguards | Personal information is protected by security safeguards appropriate to its sensitivity. Technical measures include: TLS encryption in transit, bcrypt password hashing, RBAC with four permission levels, TOTP/email 2FA, HttpOnly and Secure cookies, tamper-evident audit logging, encrypted credential storage, and Cloudflare DDoS and bot protection. | Implemented |
| 8 | Openness | Policies and practices governing personal information management are made readily available. Flowtriq's Privacy Policy is publicly available at flowtriq.com/legal. This Compliance Center provides additional transparency. A sub-processor list is published on the Data Flow page. | Implemented |
| 9 | Individual Access | Individuals may request access to their personal information held by the organisation and challenge its accuracy. Account holders can export their data from the dashboard. Requests to access, correct, or delete personal information are handled within 30 days at [email protected]. | Implemented |
| 10 | Challenging Compliance | Individuals may challenge Flowtriq's compliance with these principles. Privacy complaints should be submitted to [email protected] and will be acknowledged within 5 business days. If not resolved satisfactorily, individuals may complain to the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca. | Implemented |
Breach of Security Safeguards (PIPEDA Part 1, Division 1.1)
PIPEDA requires organisations to notify affected individuals and report to the Office of the Privacy Commissioner when a security breach creates a real risk of significant harm.
| Obligation | Flowtriq Practice |
|---|---|
| Report to OPC | Flowtriq will report to the OPC as soon as feasible after determining that a breach creates a real risk of significant harm to an individual. |
| Notify affected individuals | Affected individuals will be notified directly (by email) as soon as feasible. Notification will include a description of the breach, the type of information involved, steps the individual can take, and contact information for [email protected]. |
| Notify organisations | Where another organisation may be able to reduce the risk of harm, Flowtriq will notify them where appropriate. |
| Maintain breach records | All breaches, regardless of whether they meet the reporting threshold, are recorded in an internal breach log for a minimum of 24 months. |
CASL — Canada's Anti-Spam Law
Canada's Anti-Spam Legislation (CASL, S.C. 2010, c. 23) governs the sending of commercial electronic messages (CEMs) to Canadian recipients.
| CASL Requirement | Flowtriq Practice |
|---|---|
| Express or implied consent before sending CEMs | Marketing emails (newsletter, product updates) are sent only to subscribers who have actively opted in, or to existing customers under implied consent provisions. Trial and account onboarding emails are transactional and exempt. |
| Sender identification in every CEM | All commercial emails identify Flowtriq (a brand of traztech) as the sender and include a reply email address ([email protected] or the relevant contact). |
| Unsubscribe mechanism in every CEM | Every marketing email contains a clearly visible unsubscribe link. Unsubscribe requests are processed immediately and honoured within 10 business days as required by CASL. |
| Consent records | Opt-in records (timestamp, source page, IP address) are retained for the duration of the subscription relationship plus 3 years to demonstrate compliance. |
Provincial Privacy Laws
| Province | Law | Notes |
|---|---|---|
| Quebec | Law 25 (Act respecting the protection of personal information in the private sector, as amended) | Quebec's Law 25 (fully in force since September 2023) has requirements beyond PIPEDA, including mandatory Privacy Impact Assessments (PIAs) for technology projects involving personal information, a 72-hour breach notification to the Commission d'accès à l'information (CAI), and enhanced consent requirements for cookies/tracking. Flowtriq is assessing Law 25 obligations given its Canadian operations. |
| British Columbia | BC PIPA (Personal Information Protection Act, S.B.C. 2003) | BC PIPA is substantially similar to PIPEDA and applies to private sector organisations operating in BC. Flowtriq's PIPEDA compliance substantially satisfies BC PIPA requirements. |
| Alberta | Alberta PIPA (Personal Information Protection Act, S.A. 2003) | Alberta PIPA is substantially similar to PIPEDA. Flowtriq's PIPEDA-compliant practices satisfy Alberta PIPA requirements in most respects. |
| Other provinces/territories | PIPEDA | PIPEDA applies directly in all other Canadian provinces and territories for commercial activities. |
Upcoming: Bill C-26 (CPPA)
Canada's proposed Consumer Privacy Protection Act (CPPA), introduced under Bill C-26, would replace PIPEDA with a modernised privacy framework that is more closely aligned with GDPR. As of April 2026, Bill C-26 has not yet received Royal Assent. Key changes to watch:
- Algorithmic transparency: The CPPA would require disclosure of automated decision-making systems that significantly affect individuals.
- Data mobility: Enhanced portability rights allowing individuals to transfer data between service providers.
- Consent enhancement: Stricter requirements for valid consent and expanded rights to withdraw.
- Enforcement: Significantly increased penalties (up to 5% of global revenue or C$25M, whichever is greater).
- Artificial Intelligence: Bill C-27 (packaged with C-26) includes the Artificial Intelligence and Data Act (AIDA), introducing requirements for high-impact AI systems.
Flowtriq will update its compliance documentation when Bill C-26/C-27 receives Royal Assent and its provisions enter into force.