Biz-Dash Privacy Policy

Effective Date: Jan 1, 2026
Last Updated: Jan 4, 2026

1. Overview

This Privacy Policy details how Biz‑Dash (“Biz‑Dash,” “we,” “us,” or “our”), located in Québec, Canada, collects, uses, discloses, and protects personal and business information in compliance with PIPEDA, the Québec Privacy Act (Bill 25), GDPR (for EU users), and CCPA/CPRA (for California residents). It forms part of the EULA and Data Processing Addendum (DPA).

By using the Service, you provide explicit, informed consent to these practices as the data controller for your financial data, with Biz‑Dash acting as data processor per applicable laws.

2. Information We Collect

a. Account Information (Controller Data)

Name, email, business details, billing info—collected directly from you.

b. Connected Account Data (Processor Data)

Financial/transaction data from QuickBooks Online, Shopify, etc., via OAuth APIs—only as authorized.

3. Legal Basis and Use

We process data on these bases:

Contract/Consent (PIPEDA/GDPR Art. 6): Service delivery, API connections.

Legitimate Interests (GDPR): Security, analytics improvements.

Compliance (Bill 25/CCPA): Audits, legal obligations.

Uses: Analytics, AI insights, support—never for external training/sales.

4. Data Sharing and Subprocessors

No sales/sharing. Disclosures limited to:

Service Providers (e.g., AWS Canada, listed in DPA): Bound by contracts mirroring these protections.

Third-Party APIs: Your authorization only.

Legal: Court orders (with notice where possible).

DPA governs subprocessors, audits, and transfers.

5. International Transfers

Data stored in Canada (PIPEDA/Bill 25 compliant). EU transfers use Standard Contractual Clauses (SCCs) per DPA. You consent to Québec/Canadian processing.

6. Data Security and Privacy Impact Assessments

Safeguards: AES-256 encryption, TLS 1.3, RBAC, annual pentests.

PIAs/DPIAs: Conducted for AI/high-risk processing (Bill 25/GDPR required).
No system is 100% secure—report issues to [email protected].

7. Data Retention and Deletion

Active accounts: As needed for Service.

Termination: Deletion within 30 days (PIPEDA/Bill 25) or 90 days max (legal holds).
Anonymized data retained indefinitely for benchmarking.

8. AI and Anonymization

Identifiable data stripped (e.g., hashed IDs, aggregated metrics) before AI—exempt from "personal data" rules. Numbers are changed slightly (<1%) to ensure anonymity. PIAs confirm no re-identification risk. Outputs informational only.

9. Your Rights Under Privacy Laws

Submit requests to [email protected] :

10. Breach Notification

Notified within:

PIPEDA: Prompt ("real risk of harm").

Bill 25: 30 days to CAI/users.

GDPR: 72 hours to supervisors.

CCPA: 45-90 days to AG/users.

11. Children’s Privacy

Not for under-18s. Data deleted if discovered.

12. Changes

Material updates: 30-day email/in-app notice. Continued use = acceptance.

13. Contact and Complaints
[email protected]

Authorities:

PIPEDA: privacycommissioner.gc.ca

Bill 25: cai.gouv.qc.ca

GDPR: Local DPA

CCPA: oag.ca.gov/privacy
