Legal

Privacy Policy

BraveHeart First Aid Incorporated

1. Purpose and Scope

This policy applies to BraveHeart First Aid Incorporated and all training and services delivered by us. It explains how we collect, protect, and use personal information for learners, clients, contractors, and employees in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial statutes.

Our designated Privacy Officer is the Owner/CEO, Eli Castson, who oversees an annual review of these practices every June, or sooner if required by legislation or certification-body requirements.

2. Personal Information We Collect

We collect several categories of personal information:

  • Identification — Names, course-certificate numbers, course rosters, and enrollment forms.
  • Contact Details — Email addresses, phone numbers, and mailing addresses.
  • Training Data — Course types, completion status, assessment results, and expiry/recertification dates.
  • Payment Information — Payment processing is handled by a PCI-compliant gateway. We do not store full credit card numbers.
  • Accessibility/Medical Notes — Optional information provided by learners for accommodation purposes.
  • Employment Data — Information related to staff and contractors, such as resumes and police-records checks.

We do not intentionally collect information from children under 13 without parental or guardian consent.

3. How We Use Your Information

  • Deliver Services — Registering learners, verifying prerequisites, issuing certificates, and sending recertification reminders.
  • Legal and Compliance — Meeting requirements for certification bodies, insurance audits, incident reporting, and mandatory record-keeping.
  • Operations — Processing payments and refunds.

4. Consent

We obtain meaningful consent before collecting, using, or disclosing personal information. By registering for a course or service, you consent to the collection and use of your information as described in this policy. You may withdraw your consent at any time by contacting the Privacy Officer, subject to legal or contractual obligations.

5. Third-Party Sharing

We use third-party providers for services such as booking systems and email delivery. We maintain data-processing agreements with these providers to ensure they store data securely.

No cross-border transfer of data occurs unless the third-party provider offers safeguards equivalent to PIPEDA and adheres to Standard Contractual Clauses.

6. Data Retention

We follow a specific retention schedule based on the type of record:

Record Type | Retention Period
Course Rosters & Certification Data | 7 years from course end date
Payment Records | 7 years (CRA tax obligations)
Incident/Insurance Files | 10 years or until claim is closed
HR & Instructor Files | Duration of engagement + 7 years

Once the retention period expires, digital files are irretrievably erased and paper records are cross-shredded and pulped.

7. Security Safeguards

We employ physical, administrative, and technical measures to protect your data:

  • Physical — Locked filing cabinets and controlled office entry.
  • Administrative — Role-based access and confidentiality agreements for staff and contractors.
  • Technical — AES-256-encrypted cloud storage, TLS 1.3 transport encryption, multi-factor authentication on admin accounts, and daily off-site backups.

8. Breach Notification

Our incident response plan includes a procedure to provide breach notification within 72 hours to affected individuals and the Office of the Privacy Commissioner of Canada where required.

9. Cookies and Website Analytics

This website uses session cookies and privacy-respecting analytics to improve usability. All data is aggregated and de-identified, and IP-anonymization is enabled. You can disable cookies via your browser settings without impacting course registration.

10. Your Rights

You have the right to request access to, correction of, or deletion of your personal information.

  • Submit a written request to our Privacy Officer.
  • We will verify your identity and respond within 30 days.
  • Corrections are made promptly. Deletion requests are honored, except where records must be retained by law or certification-body requirements.

Contact

If you have questions about this policy or wish to exercise your rights, please contact:

BraveHeart First Aid Incorporated

Privacy Officer: Eli Castson

28 Aberdeen Street, Suite 3, Kentville, NS B4N 2E4

team@braveheartfirstaid.com

(902) 670-1383