LAST UPDATED ON: January 14, 2019
4. PRIVACY RIGHTS. All businesses in Canada engaged in commercial activities, including Concept, are required to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA, or the “Act”) and the Canadian Standards Association Model Code for the Protection of Personal Information, which it incorporates. The Act gives all individuals, including Service Users, rights concerning the privacy of their personal information.
Personal information is any information that personally identifies an individual or from which an individual could be identified. This may include the individual’s name, address, telephone number, email address, profession or occupation, or other personally identifiable information.
(c) where Concept’s Services involve cross-border products, processes, structures and systems and personal information of Service Users is transmitted across international borders. The Customer is responsible for advising its Service Users accordingly.
6. PURPOSES FOR COLLECTION OF PERSONAL INFORMATION. Concept collects personal information only by lawful means and not in an intrusive way, primarily directly from the Service User through the Service User’s access and use of the Services, including Concept’s products, services, websites, platforms, portals, communication services, mobile services, databases and applications, but also through submission of online data and conversations or communications between the Customer or a Service User with a Concept representative. Concept collects, holds, stores, uses and manages personal information for the following purposes:
(a) to manage the relationship of the Customer with Concept and the interaction of the Customer and Service Users with Concept;
(b) to better serve the Customer and Service Users in their use of the Services;
(c) to provide products, services and maintenance and support to the Customer and Service Users;
(d) to inform the Customer and Service Users of new products and services;
(e) to prevent and detect security threats, fraud or other malicious activity;
(f) to improve and develop products, services and support including through quality control, research and data analysis activities;
(g) to assess and improve the performance and operation of Concept websites, platforms and portals;
(h) to process and respond to information requests or complaints made by the Customer or Service Users;
(i) to respond to product or service orders, activations, and registrations by the Customer or Service Users;
(j) to permit profile creation and user verification for online services for the Customer and Service Users; and
(k) to manage visits or browsing by the Customer or Service Users on Concept’s websites, platforms, or portals.
7. TYPES OF PERSONAL INFORMATION COLLECTED. Concept may collect, hold, store, use and manage the following types of personal information about Service Users:
(a) personal and business contact information, such as name, address, telephone number(s), email address(es), profession or occupation;
(b) in some cases, a Service User’s business contact information may be provided to Concept by a designated entity within the Service User’s business or enterprise (such as a member of the IT department) or by the Customer under which the Service User has obtained or gained access to or use of the Services;
(c) financial information, such as a Service User’s credit card or debit card details or other billing information;
(d) other unique information such as user IDs and passwords of a Service User, product functionality, product and service preferences, contact preferences, educational and employment background, and job interest data;
(e) geo-location data such as a Service User’s IP address or physical location when location based services are requested;
(f) details of the products and Services a Service User has used or enquired about, together with any additional information necessary to deliver those products and Services and to respond to enquiries; and
(g) any additional information relating to a Service User that a Service User from time to time provides directly to Concept through its websites, service centre or representatives, or indirectly through use of Concept’s Services, websites or online presence or otherwise.
The Customer is responsible for cautioning its Service Users that in addition to the information a Service User provides to Concept, Concept may also collect personal information during a Service User’s visit to a Concept website, platform or portal, or to a web-based application, or a website “powered by” another company on behalf of Concept, through automatic data collection tools, which may include web beacons, cookies, and embedded web links. These tools collect certain traffic information that a Service User’s browser sends to a website, such as the browser type and language, access times, and the address of the website from which the Service User arrived. Concept may also collect information about a Service User’s Internet Protocol (IP) address, unique device identifier, clickstream behavior (i.e., the pages viewed, the links accessed, and other actions taken in connection with Concept websites or “powered by” websites) and product information. Concept may also use automatic data collection tools in connection with certain emails and communications sent from Concept and therefore may collect information using these tools when a Service User opens the email or clicks on a link contained in the email.
The Customer is responsible for also cautioning its Service Users that Concept may also collect information from publicly or commercially available sources that it deems credible. Such information may include a Service User’s name, address, email address, preferences, interests, and demographic/profile data. The information Concept collects from such public or commercial sources may be used along with the information Concept collects when a Service User visits Concept’s websites, platforms, or portals. For example, Concept may compare the geographic information acquired from commercial sources with the IP address collected by automatic data collection tools to derive a Service User’s general geographic area.
Where Concept deems it necessary, Concept may also use information provided by a Service User or their employer, together with information from publicly available and other online and offline sources, to conduct due diligence checks on business contacts as part of Concept’s anti-corruption program.
Concept may also collect information that is not personal information because it does not identify a particular individual. For example, this may include anonymous answers to surveys or aggregated information about how Service Users use Concept’s websites, platforms, portals or Services.
8. SHARING OF PERSONAL INFORMATION. Concept will not share, sell, rent or lease a Service User’s personal information to other non-Concept parties without such Service User’s permission or the Customer’s permission, as the case may be, which may be in writing, oral or in some cases implied through the Service User’s conduct with Concept, except as follows:
(a) to comply with any law, regulation, subpoena, or court order;
(b) to respond to duly authorized information requests of police and governmental authorities;
(c) to report any activity that it suspects violates any applicable laws to appropriate law enforcement agencies, regulators, or other appropriate third parties;
(e) to enforce and/or protect the rights and properties of Concept, its subsidiaries and affiliates;
(f) to protect the rights or personal safety of Concept, its employees, and third parties on or using Concept property when allowed and in line with the requirements of applicable law;
(g) where Concept deems it necessary in relation to providing the Services to or for the Service User; and
(h) to service providers and suppliers retained by Concept to manage or support its business operations, provide professional services, deliver complete products, services and customer solutions and to assist Concept with marketing and communication initiatives. These providers and suppliers may be located anywhere in the world and may include, for example, providers of customer support and live-help, marketing and communications, hosting and IT service providers, email service providers, automated data processors, shipping agents, management and support of Concept websites, platforms or portals, and order fulfillment and delivery. Such service providers and suppliers are required by contract to keep confidential and secure the information received on behalf of Concept and may not use it for any purpose other than to carry out the services they are performing for Concept.
Concept may for strategic or other business reasons decide to sell, buy, merge or otherwise reorganize some or all of its business. Such transactions may necessarily involve the disclosure of personal information to prospective or actual purchasers, or the receipt of personal information from sellers. Concept will seek appropriate protection for personal information in these types of transactions.
9. ACCESS TO AND ACCURACY OF PERSONAL INFORMATION. Concept strives to keep a Service User’s personal information accurately recorded. Concept has implemented technology, management processes and policies to help maintain data accuracy. Concept provides Service Users with reasonable access and ability to review personal information provided to Concept. To protect a Service User’s privacy and security, Concept will also take reasonable steps to verify identity, such as requiring a password and user ID, before granting access to such Service User’s data. To view and change the personal information provided to Concept in relation to a Service User, the Service User must deal directly with the Customer through whom the personal information was provided. Where such personal information has been archived because it is no longer current, or where such personal information has already been deleted by Concept, Concept may refuse to take any further steps in relation to such personal information. Access to such information may also be denied where denial of access is required or authorized by applicable law, where the granting of access may have an unreasonable impact on the privacy of others, where Concept deems the request frivolous or vexatious, or where Concept is protecting its own rights and property.
10. KEEPING SERVICE USER’S PERSONAL INFORMATION SECURE. Concept takes seriously the trust the Customer places in Concept. To prevent unauthorized access or disclosure, to maintain data accuracy, and to ensure the appropriate use of personal information, Concept utilizes reasonable and appropriate physical, technical, and administrative procedures to safeguard the personal information collected and processed. Concept retains personal information only as required or permitted by Canadian law and while Concept has a legitimate business purpose.
When collecting or transferring sensitive personal information of Service Users, such as credit card information, Concept uses a variety of additional security technologies and procedures to help protect such personal information from unauthorized access, use, or disclosure. The personal information provided to Concept is stored on computer systems located in controlled Microsoft facilities to which there is limited access, but over which Concept has no control. Such facilities may or may not be in Canada. When Concept transmits highly confidential information (such as credit card numbers or passwords) over the internet, such information is protected through the use of encryption, such as the Secure Socket Layer (SSL) protocol.