GDPR Compliance
Information for European Union clients and visitors
Our Commitment to GDPR Compliance
Nova Fabric recognizes the importance of the General Data Protection Regulation and is committed to protecting the privacy rights of individuals in the European Union. While we're based in Canada, we work with clients worldwide, including entrepreneurs from EU member states who are establishing businesses in Canada.
This page explains how we comply with GDPR requirements and what rights you have regarding your personal data when you interact with our services.
Legal Basis for Processing
We process personal data only when we have a valid legal basis under GDPR. The specific basis depends on the nature of our relationship with you:
Contract Performance
When you engage our services for business incorporation or ongoing compliance support, we process your personal information to fulfill our contractual obligations. This includes preparing incorporation documents, filing registrations, maintaining corporate records, and providing advisory services you've requested.
Legal Obligations
Certain data processing is required to meet Canadian legal and regulatory requirements. For example, we must collect and verify identity information under anti-money laundering legislation, and we must maintain corporate records as required by business corporation statutes.
Legitimate Interests
We process some information based on legitimate business interests, such as improving our services, preventing fraud, and maintaining secure systems. We balance these interests against your privacy rights and only process data when our interests don't override your fundamental rights.
Consent
For certain processing activities, particularly marketing communications, we rely on your explicit consent. You can withdraw consent at any time, and we make it easy to do so.
Your Rights Under GDPR
If you're located in the European Union, you have specific rights regarding your personal data. We respect these rights and have established procedures to honor them:
Right to Access
You can request confirmation of whether we process your personal data and obtain a copy of that data. We'll provide this information in a clear, accessible format along with details about how we use it.
Right to Rectification
If personal information we hold about you is inaccurate or incomplete, you have the right to have it corrected. This is particularly important for corporate filing information, where accuracy is essential.
Right to Erasure
In certain circumstances, you can request deletion of your personal data. We'll honor these requests unless we have a legitimate reason to retain the information, such as legal obligations under Canadian business law or ongoing service delivery.
Right to Restrict Processing
You can ask us to limit how we use your personal data in specific situations, such as when you're disputing the accuracy of information or while we assess whether we have legitimate grounds to continue processing.
Right to Data Portability
You can obtain your personal data in a structured, machine-readable format and request that we transfer it directly to another service provider where technically feasible.
Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes. We'll stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision-Making
We don't make significant decisions about you based solely on automated processing. Our services involve human judgment and personalized consultation at every stage.
How to Exercise Your Rights
To exercise any of these rights, send a detailed request to [email protected]. Include your full name, contact information, and specific details about what you're requesting.
We'll verify your identity before processing requests to protect against unauthorized access to your information. This may involve requesting additional identification or confirmation details.
We aim to respond to all requests within 30 days. If your request is complex or we receive multiple requests, we may extend this period by an additional 60 days and will explain the reason for the delay.
Data Transfers Outside the EU
When you use our services, your personal data will be transferred to Canada, where our operations are based. Canada has been recognized by the European Commission as providing adequate protection for personal data, which facilitates these transfers.
We store client information on secure servers located in Canada. Any third-party service providers we work with are carefully vetted and contractually required to maintain GDPR-compliant data protection standards.
Data Protection Officer
While Nova Fabric is not required to appoint a Data Protection Officer under GDPR, we've designated a privacy coordinator responsible for overseeing compliance with data protection obligations.
For questions about how we handle your data or to exercise your GDPR rights, contact our privacy coordinator at [email protected].
Information We Collect
The personal data we collect from EU clients typically includes:
- Contact information including name, email address, and physical address
- Identification documents required for corporate registration and regulatory compliance
- Business information such as proposed company names and business activities
- Director and shareholder details needed for incorporation filings
- Payment information for processing service fees
- Communications you send us regarding services or support
When you visit our website, we collect technical information such as IP address, browser type, and pages viewed. This helps us understand user behavior and improve the website experience.
How Long We Retain Data
We retain personal data only as long as necessary for the purposes we collected it, subject to legal and professional obligations that may require longer retention.
For active clients, we maintain complete records throughout our service relationship. Corporate documents and government filings are retained for seven years after a client relationship ends, consistent with Canadian business record-keeping requirements.
Website visitor data is retained for 24 months unless you consent to longer retention for analytics purposes. General inquiry information that doesn't lead to a service engagement is deleted after two years.
Cookies and Tracking Technologies
Our website uses cookies to enhance functionality and analyze usage patterns. When you first visit from the EU, you'll see a cookie consent banner allowing you to accept, decline, or customize your cookie preferences.
Essential cookies required for website operation are used based on legitimate interest. All other cookies require your consent. You can modify your preferences at any time through the cookie settings available in our website footer.
For detailed information about specific cookies we use, see our Cookies Policy.
Security Measures
We implement technical and organizational measures to protect personal data against unauthorized access, accidental loss, or destruction:
- Encryption of data in transit using SSL/TLS protocols
- Secure storage systems with access controls and authentication
- Regular security assessments and vulnerability testing
- Employee training on data protection obligations
- Incident response procedures for potential data breaches
Data Breach Notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we'll notify you within 72 hours of becoming aware of the breach. The notification will explain the nature of the breach, likely consequences, and measures we're taking to address it.
We maintain detailed incident response procedures and work with cybersecurity professionals to minimize risks and respond quickly to any security incidents.
Third-Party Service Providers
We work with carefully selected service providers who assist with specific business functions. These providers may process personal data on our behalf as data processors.
All third-party processors are bound by contracts that require GDPR compliance, including appropriate security measures and restrictions on how they can use your data. We conduct due diligence on providers before engagement and monitor their compliance on an ongoing basis.
Marketing Communications
We send marketing communications only to individuals who have provided explicit consent or who have an existing relationship with us and haven't opted out.
Every marketing email includes a clear unsubscribe option. You can also opt out by contacting [email protected]. We'll process opt-out requests within 5 business days.
Even if you opt out of marketing communications, we'll still send essential service-related messages about your account or services you're using.
Children's Data
Our services are not directed at children, and we don't knowingly collect personal data from individuals under 16 years of age. If we discover we've inadvertently collected such information, we'll delete it immediately.
Supervisory Authority
You have the right to lodge a complaint with a supervisory authority if you believe we're not complying with GDPR. While we encourage you to contact us first so we can address your concerns directly, you can reach out to your local data protection authority in the EU.
For matters involving both Canadian and EU privacy law, you may also contact the Office of the Privacy Commissioner of Canada.
Updates to This Information
We may update this GDPR compliance information to reflect changes in our practices or legal requirements. Significant updates will be communicated to EU clients via email, and we'll post the revised version on our website with a clear indication of what has changed.
Contact Information
For questions about GDPR compliance, to exercise your rights, or to raise privacy concerns:
Nova Fabric Business Services
Privacy Coordinator
1250 Bay Street, Suite 400
Toronto, ON M5R 2A5
Canada
Email: [email protected]