COMP-04 v2.0CONFIDENTIAL

Privacy Policy

PIPEDA-Compliant Data Stewardship

Company: VisaNauta Technologies

Jurisdiction: Ontario, Canada

Applicable Law: PIPEDA, S.C. 2000, c. 5

Applies To: All users of visanauta.com and visanauta.ca

Effective Date: March 3, 2026

Last Updated: March 3, 2026

Document ID: COMP-04 v2.0

Your Trust, Our Commitment

This Privacy Policy explains how VisaNauta Technologies collects, uses, discloses, and protects your personal information in compliance with PIPEDA. We are committed to transparency and safeguarding your data throughout every interaction with our platform. Before accessing or using the Platform, please ensure that you have read and understood this policy. By accessing or using the Platform, you are accepting and consenting to the practices described herein.

1. DEFINITIONS

In this Privacy Policy, the following defined terms apply:

“Personal Information” means information about an identifiable individual, as defined by PIPEDA, including but not limited to name, email address, phone number, IP address, and any data that can directly or indirectly identify you.

“Aggregate Data” means information collected about a group or category of services or users from which individual identities have been removed. Aggregate Data is not Personal Information.

“Client” means an individual who uses the Platform to find, connect with, and engage an RCIC for immigration consulting services.

“Content” means any information, documents, files, messages, or materials uploaded, posted, or transmitted through the Platform by any user.

“Platform” means the VisaNauta website (visanauta.com and visanauta.ca), and all associated software, tools, features, and services operated by VisaNauta Technologies.

“Privacy Officer” means the individual(s) designated by VisaNauta Technologies as responsible for compliance with PIPEDA and this policy.

“RCIC” means a Regulated Canadian Immigration Consultant licensed by the College of Immigration and Citizenship Consultants (CICC).

“Services” means all features and functionality provided through the Platform, including consultant discovery, booking, secure messaging, document exchange, and workspace tools.

“Third-Party Services” means products, services, or content provided by third parties integrated with or accessible through the Platform, including Stripe (payment processing) and Wasabi (cloud storage).

“Usage Data” means anonymized, aggregated data generated from use of the Platform, such as technical logs, usage patterns, and feature interaction metrics, which does not personally identify any individual.

2. ACCOUNTABILITY (PIPEDA PRINCIPLE 1)

2.1 VisaNauta Technologies (“we,” “us,” “our”) is fully accountable for all Personal Information under our control, including information transferred to third-party service providers for processing on our behalf. We ensure that our service providers maintain equivalent safeguards through binding Data Processing Agreements (DPAs).

2.2 We have designated a Privacy Officer who is responsible for ensuring compliance with PIPEDA, administering this policy, receiving and responding to privacy-related inquiries and complaints, and ensuring staff training on privacy obligations.

Privacy Officer Contact

Email: support@visanauta.com
Address: Brampton, Ontario, Canada
Hours: 9:00 AM – 5:00 PM EST, Monday to Friday

3. IDENTIFYING PURPOSES (PRINCIPLE 2)

3.1 We collect Personal Information strictly for the following identified and documented purposes:

•Connecting Clients with licensed RCICs through our marketplace platform
•Facilitating secure messaging and encrypted document exchange between Clients and RCICs
•Processing bookings and payments through our integrated payment system (Stripe Connect)
•Verifying RCIC licensing status with the CICC
•Providing platform support, customer service, and service quality improvements
•Maintaining platform security, preventing fraud, and ensuring system integrity
•Conducting anonymized usage analytics to improve Platform features and performance
•Sending transactional communications (booking confirmations, security alerts, archival reminders)
•Sending marketing communications (only with express opt-in consent)
•Meeting legal and regulatory obligations under PIPEDA, CICC By-Laws, CRA requirements, and applicable Canadian law

3.2 We identify the purposes for which Personal Information is collected at or before the time of collection. We will not use or disclose your information for purposes other than those for which it was collected, except with your further consent or as required or permitted by law.

4. CONSENT (PRINCIPLE 3)

4.1 We obtain meaningful consent for the collection, use, and disclosure of Personal Information. The form of consent varies depending on the sensitivity of the information and the reasonable expectations of the individual.

4.1 Express Consent (Required)

•Account Registration: During sign-up, users must actively acknowledge: "I consent to VisaNauta storing my personal information in Canadian data centres for platform operations."
•Document Upload: Before each document upload, users must confirm: "I consent to storing this document in VisaNauta's Secure Workspace for the designated retention period."
•Payment Processing: Explicit authorization is obtained before processing any payment via Stripe Connect.
•Marketing Communications: Opt-in consent is required for promotional or marketing communications. You may opt out at any time via the unsubscribe link in any marketing email or by updating preferences in Account Settings.

4.2 Implied Consent (Limited)

•Strictly necessary cookies required for session management and platform functionality (no opt-out available)
•Transactional service emails, including booking confirmations, security alerts, archival reminders, and account notifications

4.3 Withdrawal of Consent

4.3.1 You may withdraw your consent at any time by contacting support@visanauta.com or by deleting your account through Account Settings. Withdrawal of consent may limit your ability to use certain Platform features or may result in the termination of services, in accordance with our Terms of Service.

4.3.2 Withdrawal of consent does not affect the lawfulness of processing based on consent obtained before withdrawal, and does not affect our right to retain certain information where required by law (e.g., audit logs retained for 7 years).

5. LIMITING COLLECTION (PRINCIPLE 4)

5.1 We limit the collection of Personal Information to that which is necessary for the identified purposes. Information is collected by fair and lawful means.

5.2 If you choose not to provide certain Personal Information, we may not be able to provide the Platform Services to you or respond to your requests.

5.3 Information You Provide Directly

User Type	Information Collected	Purpose
Clients	Full name, email address, phone number, case documents, secure messages	Connect with RCIC, case management, service delivery
RCICs	Full name, CICC license number, email, firm details, professional documents, messages, billing information	License verification, service delivery, compliance, subscription management
All Users	Account credentials (hashed password), profile information, communication preferences	Account authentication, personalization, service delivery

5.4 Information Collected Automatically

Category	Details	Purpose
Device and Usage Data	IP address, browser type, device type, operating system, referring pages, time spent on pages, clickstream data	Platform security, performance optimization, analytics
Session Data	Login timestamps, session duration, feature interaction logs	Security monitoring, fraud prevention, service improvement
Cookies and Similar Technologies	Session cookies, authentication tokens (see Section 12 for full Cookie Policy)	Session management, authentication, analytics

5.5 Information We Receive from Third Parties

5.5.1 We may receive Personal Information from RCICs when they designate you as a client on the Platform. We may also receive limited information from Stripe in connection with payment processing (e.g., payment confirmation, card last-four digits).

5.5.2 We do not purchase or obtain Personal Information from data brokers, advertising networks, or social media platforms.

5.6 Information We Do NOT Collect

•Biometric data (fingerprints, facial recognition, voice prints)
•Social Insurance Numbers (SIN) or government-issued identification numbers
•Health or medical records (unless voluntarily uploaded by a Client specifically for their immigration case)
•Precise geolocation tracking beyond IP address-based approximate location
•Financial information beyond what is processed through Stripe Connect (we never store full credit card numbers or CVV codes)
•Information from children under the age of 16 (see Section 14)

6. LIMITING USE, DISCLOSURE AND RETENTION (PRINCIPLE 5)

6.1 Personal Information is used and disclosed only for the purposes for which it was collected, and is retained only as long as necessary to fulfill those purposes or as required by law.

6.2 Retention Schedule

Data Category	Retention Period	Deletion Method
Case documents	30 days (Essentials) / 180 days (Professional/Enterprise)	Automated deletion via Wasabi lifecycle policies
Audit and access logs	7 years	Immutable storage (AWS Glacier Deep Archive)
Account profile data	Until account deletion + 30 days grace period	Secure cryptographic wipe
Payment and transaction records	7 years (CRA legal requirement)	Encrypted archival storage
Secure messages	Co-terminus with case document retention	Automated deletion with associated case
Marketing consent records	Duration of account + 3 years	Secure deletion
Cookie data	Session cookies: deleted on browser close; Analytics: up to 13 months	Automated expiry

6.2.1 To determine appropriate retention periods, we consider the amount, nature, and sensitivity of the Personal Information, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the information, and applicable legal requirements.

6.3 Disclosure to Third Parties

6.3.1 We disclose Personal Information only in the following circumstances:

•To RCICs: Client information is shared with the selected RCIC only after a booking is confirmed, strictly to facilitate the immigration consulting service.
•To Stripe (Payment Processor): Payment details are processed via Stripe Connect, where the RCIC acts as the merchant of record. VisaNauta does not store credit card numbers or CVV codes.
•To Wasabi Cloud Storage: Documents are stored in Wasabi's Toronto data centre (ca-tor-1) under a strict Data Processing Agreement (DPA).
•To Service Providers: We engage a limited number of service providers (e.g., email delivery, analytics) who process Personal Information on our behalf under binding DPAs and only as necessary to provide services to us.
•Legal Requirements: We may disclose information pursuant to a court order, subpoena, or investigation by the Office of the Privacy Commissioner (OPC), law enforcement, or other government authority. We will notify affected individuals where permitted by law.
•Business Transactions: Personal Information may be disclosed in connection with a merger, acquisition, reorganization, or sale of assets. We will notify affected users by email and/or prominent notice on the Platform of any change in ownership that impacts the use of Personal Information.

6.3.2 We never sell, rent, or trade Personal Information to advertisers, data brokers, or any third party for marketing purposes. VisaNauta has not sold Personal Information in the 12 months preceding the effective date of this policy.

6.4 Subprocessors

6.4.1 We maintain a list of authorized subprocessors who process Personal Information on our behalf. Current subprocessors include:

Subprocessor	Service	Data Location	Safeguards
Stripe, Inc.	Payment processing	Canada / US (PCI DSS compliant)	DPA, PCI DSS Level 1
Wasabi Technologies	Document storage	Toronto, Canada (ca-tor-1)	DPA, SOC 2 Type II, AES-256
Amazon Web Services (AWS)	Infrastructure, audit log archival	Canada Central region	DPA, SOC 2, ISO 27001
Email Provider (Resend)	Transactional email delivery	US (TLS encrypted)	DPA, TLS encryption

6.4.2 All subprocessors are bound by DPAs containing PIPEDA-aligned data protection clauses. We conduct due diligence on subprocessors before engagement and periodically review their compliance.

6.4.3 We will provide 30 days' advance notice before adding a new subprocessor that processes Personal Information, posted at visanauta.ca/subprocessors.

Cross-Border Data Notice

Wasabi, Inc. and Stripe, Inc. are United States-based companies. While your data resides physically in Toronto, Canada (ca-tor-1 region for Wasabi), these companies may be subject to US laws, including the CLOUD Act and Patriot Act. By using VisaNauta, you expressly consent to this arrangement. We have verified that all subprocessors maintain appropriate certifications (SOC 2 Type II, PCI DSS) and that data is subject to Canadian data residency controls and AES-256 encryption at rest.

6.6 Anonymization and Aggregation

6.6.1 We may anonymize and aggregate Personal Information so that it does not identify any individual. We may use Aggregate Data for Platform improvement, analytics, research, testing, and developing new features. We may share Aggregate Data with third parties for lawful business purposes, provided that Aggregate Data never identifies you or any individual.

6.6.2 Once Personal Information has been anonymized, it is no longer considered Personal Information under PIPEDA and is not subject to the restrictions of this policy.

7. ACCURACY (PRINCIPLE 6)

7.1 We take reasonable steps to ensure that Personal Information is accurate, complete, and up-to-date as necessary for the purposes for which it is used.

•Users may update their profile information at any time through Account Settings.
•RCICs are required to maintain current CICC license status; we conduct quarterly verification checks against the CICC public register.
•Inaccuracies may be reported to support@visanauta.com and will be corrected within 30 calendar days.
•User-uploaded documents reflect the content provided by the user; VisaNauta does not modify, alter, or verify the contents of uploaded files.
•If Personal Information is disclosed to a third party (e.g., an RCIC) and is subsequently corrected, we will make reasonable efforts to notify the third party of the correction where appropriate.

8. SAFEGUARDS (PRINCIPLE 7)

8.1 We protect Personal Information with security safeguards appropriate to the sensitivity of the information, guarding against loss, theft, unauthorized access, disclosure, copying, use, or modification.

8.2 Technical Safeguards

Security Layer	Implementation Details
Data Storage	Wasabi Toronto (ca-tor-1) with AES-256 encryption at rest; all data physically in Canada
Data in Transit	TLS 1.3+ encryption enforced for all data transfers
Password Protection	All passwords hashed using bcrypt with per-user salts; plaintext passwords are never stored or logged
Access Control	Role-Based Access Control (RBAC) with least-privilege principle; MFA mandatory for all RCIC accounts
Network Security	AWS Canada Central firewalls, VPC isolation, DDoS protection, WAF
Audit Trail	Immutable, tamper-proof logs of all data access, download, and modification events
Application Security	Regular penetration testing, vulnerability scanning, SSDLC practices, dependency monitoring
Server Monitoring	24/7 infrastructure monitoring, intrusion detection, and automated alerting

8.3 Organizational Safeguards

•All employees and contractors are bound by confidentiality agreements covering Personal Information handling.
•Annual PIPEDA compliance training is mandatory for all staff with access to Personal Information.
•Strict "need-to-know" access policies limit Personal Information access to authorized personnel only.
•DPAs are in place with all third-party vendors (Wasabi, Stripe, AWS) containing PIPEDA-aligned data protection clauses.
•Documented incident response procedures are tested regularly to ensure timely breach notification.
•Access to Personal Information is logged and auditable; access logs are reviewed periodically.

8.4 Security Breach Notification

8.4.1 In the event of a breach of security safeguards involving Personal Information that creates a real risk of significant harm to individuals, VisaNauta will:

(a) Report the breach to the Office of the Privacy Commissioner of Canada as soon as feasible after determining the breach has occurred, as required by PIPEDA's mandatory breach notification provisions;

(b) Notify affected individuals as soon as feasible, and in any event within 72 hours of confirming the breach, providing all relevant details including the nature of the breach, the types of Personal Information involved, steps we are taking to mitigate harm, and actions individuals can take to protect themselves;

8.4.2 VisaNauta will cooperate with affected individuals to identify affected Content, investigate the breach, and use commercially reasonable efforts to mitigate harmful effects and prevent recurrence.

While we take all reasonable precautions, no transmission of information via the internet is completely secure, and we cannot guarantee absolute security. Any transmission of Personal Information is at your own risk.

9. OPENNESS (PRINCIPLE 8)

9.1 We are committed to making our privacy practices readily available and easy to understand.

•This Privacy Policy is published at visanauta.ca/privacy and linked prominently in the website footer and all registration workflows.
•This policy is available in English, with a French translation available upon request.
•Material changes to this policy will be communicated with a minimum of 30 days' advance notice via email notification and Platform posting.
•A plain-language summary of our privacy practices is provided during the account registration process.
•A current list of authorized subprocessors is maintained at visanauta.ca/subprocessors.
•Information about our security practices is available upon reasonable request.

10. INDIVIDUAL ACCESS (PRINCIPLE 9)

10.1 You have the right to access the Personal Information we hold about you, to challenge its accuracy, and to request corrections where appropriate. In accordance with PIPEDA and applicable privacy law, you have the following specific rights:

10.1 Your Privacy Rights

•Right of Access: The right to obtain access to your Personal Information and to receive that information in a commonly used format.
•Right to Rectification: The right to have inaccurate or incomplete Personal Information corrected without undue delay.
•Right to Erasure: The right to request deletion of your Personal Information where it is no longer necessary for the purposes for which it was collected, subject to our legal retention obligations (e.g., 7-year audit log retention).
•Right to Withdraw Consent: The right to withdraw consent at any time, as described in Section 4.3.
•Right to Non-Discrimination: The right to not be denied services, charged different prices, or receive different quality of service for exercising your privacy rights.
•Right to Complaint: The right to file a complaint with the OPC if you believe your privacy rights have been violated (see Section 11).

10.2 How to Submit an Access Request

Email: support@visanauta.com

Subject Line: “PIPEDA Access Request – [Your Full Name]”

Please include:

•Your full name and the email address associated with your VisaNauta account
•A specific description of the information requested (e.g., "All documents from Case #123")
•A copy of government-issued photo identification for identity verification

10.2.1 We may request identity verification before processing any access request. We will not process requests that cannot be verified.

10.3 Response Timeline

•Acknowledgement: Within 3 business days of receipt.
•Full Response: Within 30 calendar days, as required by PIPEDA.
•Complex Requests: If additional time is needed, we will notify you of the extension and reasons, with a maximum total processing time of 60 calendar days.

10.3.1 A minimal fee may be charged for excessive or repetitive requests, in accordance with PIPEDA guidelines. Any applicable fees will be communicated before processing.

10.3.2 In certain circumstances permitted by law, we may not disclose certain information. For example, we may not disclose information where other individuals are referenced, where there are legal or security restrictions, or where disclosure would reveal confidential commercial information. We will explain the reasons for any refusal.

10.4 Account Data Access

10.4.1 You may access, correct, or update most of your Personal Information directly by logging into your VisaNauta account via Account Settings. You may also download your Content through the Platform's export functionality.

11. CHALLENGING COMPLIANCE (PRINCIPLE 10)

11.1 If you believe VisaNauta has not handled your Personal Information in compliance with PIPEDA, you have the right to challenge our compliance.

11.1 Internal Complaint Process

11.1.1 As a first step, contact our Privacy Officer at support@visanauta.com. We will acknowledge your complaint within 5 business days and provide a substantive response within 30 calendar days. All complaints are investigated promptly, and documented resolutions are maintained for at least 24 months.

11.2 External Complaint Process

If your complaint is not resolved to your satisfaction through our internal process, you may file a complaint with:

Office of the Privacy Commissioner of Canada

Website: www.priv.gc.ca

Phone: 1-800-282-1376

Address: 30 Victoria Street, Gatineau, QC K1A 1H3

12. COOKIES AND SIMILAR TECHNOLOGIES

12.1 The Platform uses cookies and similar technologies (collectively “cookies”) to distinguish you from other users, maintain your session, and improve your experience. This section describes what cookies we use and how you can manage them.

12.2 Types of Cookies We Use

Cookie Type	Purpose	Opt-Out Available
Strictly Necessary	Required for core Platform functionality: authentication, session management, security, CSRF protection. The Platform cannot function without these.	No
Functional	Remember your preferences (language, region, display settings) when you return to the Platform.	Yes
Analytical / Performance	Help us understand how the Platform is used by counting visitors, identifying popular features, and measuring page load times. All data is anonymized.	Yes

VisaNauta does NOT use targeting or advertising cookies. We do not serve third-party advertisements on the Platform, and we do not use cookies to track you across other websites.

12.3 Managing Cookies

12.3.1 You can manage non-essential cookies through the cookie preferences banner displayed when you first visit the Platform, or through your browser settings at any time. If you disable strictly necessary cookies, you may not be able to access the Platform.

12.3.2 Browser-specific cookie management instructions are available at:

•Chrome: support.google.com/chrome/answer/95647
•Firefox: support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer
•Safari: support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471
•Microsoft Edge: support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge

12.4 Do Not Track

12.4.1 Some browsers offer a “Do Not Track” (DNT) signal. As there is currently no industry-standard for recognizing or honoring DNT signals, the Platform does not currently respond to DNT signals. If a standard is established in the future, we will reassess this practice.

13. RCIC OBLIGATIONS REGARDING CLIENT DATA

13.1 RCICs who use the Platform to store, process, or transmit Client Personal Information acknowledge and agree that:

(a) They have obtained all necessary consents from their Clients to upload and process Client data on the Platform, in accordance with PIPEDA, CICC By-Laws, and the Code of Professional Conduct;

(b) They are independently responsible for PIPEDA compliance in their handling of Client data obtained through or processed on the Platform;

(d) They will comply with their professional confidentiality obligations under the CICC Code of Professional Conduct;

(e) They will not use Client data obtained through the Platform for any purpose other than the contracted immigration consulting service.

13.2 VisaNauta acts as a processor of Client data on behalf of the RCIC (the controller). We process Client data only as directed by the RCIC and in accordance with this Privacy Policy and our DPA.

14. CHILDREN'S PRIVACY

14.1 The Platform is not directed at persons under the age of 16, and we do not knowingly collect Personal Information from children under 16. If you become aware that a child under 16 has provided us with Personal Information without appropriate parental or guardian consent, please contact us at support@visanauta.com so that we can take appropriate steps to delete such information.

14.2 If we discover that we have inadvertently collected Personal Information from a child under 16 without verified parental consent, we will delete that information as soon as reasonably possible.

15. THIRD-PARTY LINKS AND SERVICES

15.1 The Platform may contain links to third-party websites or services that are not owned or controlled by VisaNauta. These links are provided for your convenience only. We do not accept responsibility or liability for the privacy practices of third-party websites. Please review the privacy policies of any third-party sites before submitting Personal Information.

15.2 Third-Party Services integrated with the Platform (such as Stripe for payment processing) are subject to their own privacy policies and terms. By using such Third-Party Services through the Platform, you acknowledge that those third parties' privacy practices govern their use of your data.

15.3 The Platform may include social media features (e.g., share buttons, links to social media profiles). Interactions with these features are governed by the privacy policies of the respective social media companies, not this policy.

16. TESTIMONIALS AND REVIEWS

16.1 With your express consent, we may display testimonials, reviews, or endorsements on the Platform or our marketing materials. If you wish to update or delete your testimonial or review, contact support@visanauta.com.

16.2 Reviews posted on the Platform may include your first name, location (city), and the content of your review. Information posted in public reviews is visible to other users and may be indexed by search engines.

17. LEGAL COMPLIANCE AND LAW ENFORCEMENT

17.1 VisaNauta's primary duty is to protect Personal Information to the extent the law allows. We may disclose Personal Information where required and permitted by law, including in response to a court order, subpoena, warrant, regulatory investigation, or lawful request by a government authority (including the OPC, CICC, RCMP, or CBSA).

17.2 Where VisaNauta is required by law to disclose Personal Information, we will provide you with prompt written notice (to the extent permitted by law) prior to such disclosure so that you may seek a protective order or other appropriate relief. We will disclose only the portion of Personal Information legally required.

17.3 We will only accept legal requests for production of Personal Information or Content through formal legal process directed to support@visanauta.com.

18. POLICY UPDATES

18.1 We may update this Privacy Policy from time to time to reflect changes in legal requirements, technology, or our business practices. When material changes are made:

•The revised policy will be posted at visanauta.ca/privacy with an updated "Last Updated" date.
•Active users will receive an email notification describing the nature of the changes at least 30 days before the changes take effect.
•Users will be required to re-accept the updated policy during their next login session.

18.2 Non-material changes (such as typographical corrections, clarifications, or formatting updates) may be made without advance notice.

18.3 Your continued use of the Platform after the effective date of any updated policy constitutes your acceptance of the revised Privacy Policy. If you do not agree with any changes, you must discontinue use of the Platform and delete your account.

19. CONTACT INFORMATION

If you have any questions, comments, concerns, or requests regarding this Privacy Policy or our handling of your Personal Information:

VisaNauta Technologies

General Support: support@visanauta.com

Location: Brampton, Ontario, Canada

This Privacy Policy complies with the Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5, and aligns with the guidelines published by the Office of the Privacy Commissioner of Canada (OPC).