Legal Policies & Disclosures

LEAFVA is an Ontario-registered information technology services business providing managed IT support, system administration, networking, application development, and AI-powered automation. Our registered address and business details are available at leafva.ca.

Privacy Officer: Sunday Ayodele · privacy@leafva.ca

We collect personal information only for identified, lawful purposes:

• Contact details: name, email address, phone number, company name
• Account credentials: hashed passwords and authentication tokens (via Supabase)
• Communication content: support ticket descriptions, message threads, notes
• Billing information: invoice amounts, payment status (we do not store full card numbers — payment processing is handled by PayPal and Stripe under their own PCI-DSS compliance)
• Technical data: IP addresses, browser type, device information collected in logs for security purposes
• Usage data: pages visited, actions taken within the platform (staff-side only)

We rely on the following legal bases for processing personal information:

• Express consent: when you create an account, submit a support ticket, or sign up to receive communications
• Implied consent: for operational purposes directly related to delivering our IT services to you
• Legitimate interests: security monitoring, fraud prevention, and platform integrity
• Legal obligation: where required by Canadian federal or Ontario provincial law

You may withdraw consent at any time by contacting our Privacy Officer. Withdrawal may affect our ability to provide services.

• Delivering IT services, projects, and managed support as contracted
• Sending transactional emails: ticket confirmations, invoice receipts, renewal reminders
• Sending commercial communications (with your express or implied CASL-compliant consent)
• Improving platform features and troubleshooting technical issues
• Complying with legal and regulatory obligations
• Preventing fraud and maintaining platform security

We share personal data only with trusted processors to operate our platform:

• Supabase Inc. — database hosting and authentication (servers in US; appropriate data transfer safeguards apply)
• Postmark (ActiveCampaign) — transactional email delivery
• PayPal Inc. — payment processing (subject to PayPal's Privacy Policy)
• Stripe Inc. — payment processing (subject to Stripe's Privacy Policy)
• Cloudflare Inc. — DNS, CDN, and Workers runtime hosting
• Groq Inc. — AI inference (only non-personal operational queries sent)

We do not sell your personal information to any third party.

We retain personal information only as long as necessary for the purposes identified or as required by law:

• Active client records: retained for the duration of the service relationship plus 7 years (CRA tax record-keeping requirement)
• Support tickets: retained for 3 years after closure
• Authentication logs: retained for 90 days
• Email communications: retained for 2 years

You may request deletion of your personal information subject to any overriding legal obligations.

As a Canadian resident, you have the right to:

• Know what personal information we hold about you (right of access)
• Request correction of inaccurate information
• Withdraw consent for non-essential processing
• Request deletion subject to legal retention requirements
• File a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca

To exercise any of these rights, contact: privacy@leafva.ca

All commercial email messages sent by LEAFVA comply with Canada's Anti-Spam Legislation (CASL, S.C. 2010, c. 23):

• We send commercial messages only with your express or implied consent as defined by CASL
• Every commercial message clearly identifies LEAFVA as the sender
• Every commercial message includes a working unsubscribe mechanism
• Unsubscribe requests are honoured within 10 business days
• Implied consent based on an existing business relationship expires after 2 years

We protect personal information using administrative, technical, and physical safeguards appropriate to the sensitivity of the data, including:

• TLS 1.2+ encryption in transit for all data
• AES-256 encryption at rest via Supabase
• Row-level security policies limiting data access by role
• Supabase authentication with session token expiry
• Audit logging for all administrative actions

We use only essential session cookies required for platform authentication. We do not use third-party tracking cookies, advertising pixels, or cross-site analytics on the authenticated platform. The public landing page (leafva.ca) does not use advertising or tracking cookies.

To raise a privacy concern, contact our Privacy Officer at privacy@leafva.ca.

If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada: priv.gc.ca · 1-800-282-1376.