Introduction
BoardSkillz (“BoardSkillz Inc.,” “we,” “our,” “us”) is a Canada-based subscription platform that equips corporate, nonprofit, and public-sector board members with curated courses, peer forums, and governance analytics. This Privacy Policy explains how personal information is collected, used, stored, and disclosed when directors, governance professionals, instructors, corporate administrators, or visitors engage with our website, mobile app, or customer-support channels.
Privacy Policy
• Information we collect
(a) Profile data — name, work email, province, organisation, role (director, committee chair, governance officer), preferred language, multi-factor authentication seed, sign-in IP history.
(b) Learning records — programme enrolments, quiz scores, case-study uploads, board-simulation feedback, certificate progress.
(c) Board-room artefacts — meeting packs you upload, annotated agendas, voting results, self-assessment surveys (handled under strict access controls).
(d) Payment data — tokenised card reference, billing postal code, GST/HST allocation, invoice status.
(e) Organisation data — corporate name, business number, licence inventory, participant roster, aggregate engagement metrics.
(f) Device telemetry — browser build, mobile OS, feature clicks, session duration, crash traces.
(g) Support artefacts — chat transcripts, call recordings, screen-share files.
• Purposes
– create and manage accounts, course paths, and board-simulation environments;
– personalise content recommendations and governance-risk dashboards;
– issue verifiable certificates that satisfy securities-market or nonprofit-regulator training requirements;
– process subscription fees and send CRA-compliant receipts;
– analyse de-identified aggregates to improve curriculum design and platform reliability;
– detect fraud, enforce the Code of Conduct, and comply with statutory record-keeping obligations.
• Retention
Learning transcripts and certificate logs persist for the life of the account plus seven years. Board-room artefacts are retained only for the term specified by the uploader (default 18 months) unless longer retention is required by law or the organisation’s bylaws. Financial and tax records are stored at least seven years under CRA rules. Encrypted backups purge on a 35-day rolling schedule.
• Access & Correction
Authorised users may review or update profile and learning data at any time via Settings → Profile or by emailing privacy@boardskillz.com.
• Consent
Express consent is obtained at registration and whenever you upload confidential board documents, connect a payment method, or join an organisation workspace. Implied consent applies to security logs essential for service integrity. Withdrawal requests are honoured unless overriding legal or contractual duties apply; we outline any impact before completing the request.
• Accountability
A designated Privacy Officer conducts annual compliance audits, trains staff, and responds to written privacy inquiries within 30 days.
GDPR
Although BoardSkillz focuses on Canada, some users may reside in the European Economic Area (EEA). Where the EU General Data Protection Regulation (GDPR) applies, BoardSkillz Inc. is controller for account profiles and billing data and processor for board documents you upload. Processing bases: performance of a contract (Art. 6 (1)(b)), legitimate interest in platform security and educational integrity (Art. 6 (1)(f)), and legal obligation (Art. 6 (1)(c)). EEA residents may request access, rectification, erasure, restriction, portability, or objection via dpo@boardskillz.com and may lodge complaints with their supervisory authority.
Cookie Policy
4.1. Types of Cookies
• Essential — session tokens, CSRF guards, load-balancer cookies required for secure login.
• Preference — stores language, dark-mode toggle, and dashboard layout.
• Analytics — first-party Matomo cookies with IP truncation that measure lesson-completion rates and latency.
• Marketing — optional cookies announcing new governance modules or partner conferences; never shared with ad networks.
4.2. How to Disable Cookies
Most browsers allow you to block or delete cookies. Essential cookies are mandatory for console access; disabling them prevents login. Preference and analytics cookies can be declined via our consent banner or by enabling “Do Not Track.” Marketing cookies load only after explicit opt-in and can be revoked under Account → Privacy.
Transfer to Third Parties
We do not sell personal information. Disclosures occur only to:
• Canadian cloud providers hosting encrypted data in Toronto and Montréal;
• PCI-DSS Level 1 payment processors;
• Accreditation partners that verify certificates (only when you request validation);
• Legal counsel, regulators, or courts when compelled by law or to defend claims;
• Law-enforcement agencies if disclosure is necessary to investigate fraud or protect public safety.
All vendors sign Data Processing Agreements mandating safeguards equivalent to PIPEDA and, where relevant, EU Standard Contractual Clauses.
Data-Security Measures
• AES-256-GCM encryption at rest with tenant-specific keys stored in FIPS 140-2 Level 3 Hardware Security Modules.
• TLS 1.3 with Perfect Forward Secrecy for all data in transit.
• Zero-trust segmentation isolating each organisation workspace.
• Role-based access control enforced by hardware-backed multi-factor authentication.
• Hourly incremental and nightly full backups replicated across two Canadian regions (RPO 15 min, RTO 4 h).
• Continuous vulnerability scanning, quarterly penetration tests, and annual SOC 2 Type II audit.
• Incident-response plan that notifies affected users within 72 hours of a confirmed breach and provides remediation updates.
Effective Date
This Privacy Policy is effective as of 19 June 2025 and supersedes all previous versions. Material updates will be announced by email and in-app notice at least 30 days before enforcement.