How we protect your data.

ExpatReady Technologies Inc. ("ExpatReady," "we") provides software-as-a-service for Canadian immigration practitioners. This policy explains how we collect, use, and protect Personal Data.

In short: data stays in Canada (AWS ca-central-1). We process it only to provide the service. We don't sell data, don't advertise off it, don't train AI on it.

ExpatReady Technologies Inc., Ontario corporation, Toronto, Canada. Privacy Officer: privacy@expatready.com.

Customer (immigration firm): ExpatReady is the processor. Your firm is the controller of end-client data you upload.

End-client (immigration applicant): processed under your firm's retainer + consent terms. Reach out via your immigration practitioner first.

Account data (firm-side): name, email, phone, license number (RCIC R-XXXXXX), office address, billing info.

Client data uploaded by firm: passport info, family info, employment history, education, addresses, financial info, medical & police certificates, IRCC correspondence, case notes.

Operational: IP address, browser, log timestamps, audit log entries.

Operating the Service, billing, support, security incident response, compliance with law, product improvements (aggregated/de-identified only). We do not use Customer Data to train AI models.

Consent. For firm-side: express consent at sign-up. For end-client data: lawful basis flows through your firm's retainer agreement with the applicant.

We share data only with subprocessors listed publicly at /legal/subprocessors. Each is bound by data processing terms no less protective than this policy. We do not sell, rent, or trade Personal Data.

Primary storage: AWS Canada Central (ca-central-1). Some operational processing crosses into US infrastructure for Stripe (payments) and Postmark (transactional email). We rely on Standard Contractual Clauses (Module Two) equivalents where applicable. Privacy Impact Assessments available on request.

The Smart Questionnaire (SQR) uses a deterministic rules engine to recommend document checklists and IRCC form sets. This is automated processing - disclosed here for transparency.

The rules engine does NOT make legal decisions, predict eligibility for sponsorship, or generate facts for filings. All recommendations are reviewed by the firm's licensed practitioner before submission to IRCC.

Account data: while you're a customer + 24 months after termination. Client data: retained per CICC record-keeping requirements (typically 6 years from case closure) at your firm's direction. After authorized deletion, backups follow standard schedules with maximum 90 days lag.

Access · correction · deletion · portability · withdraw consent · complain to a regulator. Requests to privacy@expatready.com; responded within 30 days. Regulator: Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca/).

ExpatReady is not intended for direct use by individuals under 18. Where firms upload data about dependant children (e.g., family sponsorship), the firm holds consent from the parent/guardian.

Minimal cookies. Detail at /legal/cookies. No advertising trackers.

AES-256 at rest, TLS 1.3 in transit, bcrypt password hashing, refresh-token rotation, role-based access control, append-only audit log. Detail at /security.

If a breach poses real risk of significant harm, we notify the Privacy Commissioner and affected individuals as required by PIPEDA - typically within 72 hours of becoming aware.

We update this policy when material changes occur. We'll email customers and post an in-app banner for 30 days before material changes take effect.

privacy@expatready.com · Privacy Officer, ExpatReady Technologies Inc., Toronto, Canada.