Privacy Policy
Updated July 22, 2024
1. Introduction
As a purpose driven brand, our values are the foundation of Phil’s business choices and are reflected in everything we do. We recognise that our stakeholders trust us with their personal and organisational information including offline and/or online data that identifies them such as names, addresses, usernames and passwords, digital footprints, photographs, social security numbers, financial data etc.
As a marketing and communications firm, it’s important that we lead by example and educate our clients, suppliers and partners to help ensure they are also compliant with the most rigorous current rules and guidelines.
Phil’s Data Security & Protection Policy (herein referred to as the Policy) refers to our commitment to treat information of clients, staff, collaborators, suppliers and followers with the utmost care and confidentiality. To achieve this goal, we abide by Canadian and Quebec data legislation while aspiring to follow the General Data Protection Regulation (GDPR), the toughest privacy and security laws in the world.
With this policy, we ensure that we gather, store and handle data fairly, transparently and with respect towards individual rights.
To exercise data protection we’re committed to:
- Restrict and monitor access to sensitive data
- Develop transparent data collection procedures
- Train staff in online privacy and security measures
- Build secure networks to protect online data from cyberattacks
- Establish clear procedures for reporting privacy breaches or data misuse
- Include contract clauses or communicate statements on how we handle data
- Establish data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorization etc.)
All principles described in this policy must be strictly followed. A breach of data protection guidelines will invoke disciplinary and possibly legal action.
1.1 Purpose
Our data security and privacy policy governs Phil’s collection, use, maintenance, sharing and disclosure of information collected from data points through our work with clients and wider operations as a social enterprise.
Data is a valuable asset that any company generates, acquires, saves, and exchanges. Protecting it from internal or external corruption and illegal access protects a company from financial loss, reputational harm, consumer trust degradation, and brand erosion. Furthermore, regulations for securing data, imposed by the government and the industry, make it critical for a company to achieve and maintain compliance wherever it does business.
1.2 Definitions
Data Security safeguards digital data from unwanted access, corruption, or theft. It is a notion that imparts physical security to hardware and software devices and covers all aspects of information security. It also imparts administrative and access controls and logical security to software applications. It also covers policies and procedures to be followed by a company.
Privacy Policy refers to a document which outlines how our company processes and safeguards personal data.
Stakeholders refers to any individual or group that has an interest in any of Phil’s decisions or activities, including but not limited to staff, collaborators, partners, prospects, clients, and suppliers.
1.3 Scope
This Policy applies to all staff and third parties associated with Phil, or any of our collaborators, no matter where they are located. The Policy also applies to Officers, Trustees, Board and/or Committee members at any level. In the context of this Policy, third-party refers to any individual or organisation that Phil meets and works with including but not limited to suppliers, contractors, distributors, agents and clients.
1.4 Who it affects
Our Policy applies to both past and present stakeholders. Canadian private sector privacy laws generally require the knowledge and consent of the individual, except in certain circumstances where consent is not required. Phil must be open and transparent about our practices and inform individuals about the information collected, used, and disclosed, as well as the purposes for such activities, among other requirements. Our public-facing privacy policy is one way to ensure our stakeholders are aware.
1.4.1 Clients
Phil is responsible for a number of sensitive documents and data on organizations, their stakeholders (such as staff, volunteers and donors) as well as being responsible for clients’ usernames and passwords that we are trusted with. We also collect personal transactional information such as contact information, account transactions, and personal financial information including account balances and payment history.
1.4.2 Staff, collaborators & contractors
Personal data is collected on staff, collaborators and contractors in order to process their job applications, payments or payroll and other personal data for human resources purposes.
1.4.3 Suppliers & partners
The Policy also applies to suppliers, partners, service providers and vendors who conduct business with Phil. We collect bank information from suppliers so that we can pay them. Personal transactional information includes account transactions, personal financial information including account balances, account numbers, and payment history.
1.4.4 Followers
There are three ways that people follow us: by visiting Phil’s website, subscribing to our newsletter or following us on our social media. The Policy applies to all data gathered through each of these platforms.
1.5 Guiding principles
Phil is committed to maintaining the highest standards of data security and privacy on behalf of our stakeholders. To that end we are guided by the following:
1.5.1 GDPR – The EU general data protection regulation (GDPR) is the strongest privacy and security law in the world. This regulation updated and modernised the principles of the 1995 data protection directive.
1.5.2 OCAP – The First Nations principles of ownership, control, access, and possession – more commonly known as OCAP® – assert that First Nations have control over data collection processes, and that they own and control how this information can be used.
2. Governance
Compliance with this Policy extends to Phil’s staff, collaborators and Advisory Circle.
The leadership team (Directors), led by the Chief Executive Officer, has the ultimate responsibility and accountability for ensuring compliance with this Policy. The Directors will be consulted where any key decision points arise or in case of any breach of this Policy.
All staff, collaborators and third parties who have any responsibility for the activities which this Policy relates to, will be required to understand and agree to this Policy.
Any violation of this Policy will result in disciplinary action.
Phil will not work with any partner unwilling to comply with this Policy.
Phil will ensure that its advisory circle or a third party expert reviews this Policy at least once every three years as part of its strategic planning.
2.1 Training & Communication
All team members have access to this Policy via a shared online portal (Phil’s wiki).
Phil will provide regular Data Security & Privacy training to all staff, collaborators and the Advisory Circle. The HR Director must ensure all staff have attended training and agreed to this Policy.
Phil will communicate this Policy to all third parties at the outset of any business relationship.
2.2 How to communicate with Phil
Anyone who wishes to raise any issues with Phil’s privacy policy or data collection can contact our Administrative and IT support via email: [email protected]
3. Phil’s processes and practices
3.1 First & foremost, how do we control your data?
3.1.1 Subject to any exemptions provided by law, you may have the right to request access to your information, as well as to seek to update, delete or correct this information.
3.1.2 To the extent that Phil’s processing of your data is subject to Protection Regulation or other applicable laws requiring a legal basis for processing data, Phil primarily relies on its legitimate interests, described above, to process your data. Where we rely on legitimate interests to process your data, you can object to that processing by contacting us as described in the ‘How to contact us’ section below. In response to your objection, we will stop processing your information for the relevant purposes unless we have compelling grounds in the circumstances or the processing is necessary in the context of legal claims. Phil may also process other information that constitutes your data for marketing purposes, and you have a right to object to Phil’s use of your data for this purpose at any time.
3.1.3 We provide choices about how you control your account information:
- You can request access, correction or deletion of the data Phil holds by contacting [email protected]; and
- You can opt out of receiving marketing messages in the “Message Preferences” section of Your Account settings here or by clicking on the “unsubscribe link” provided in such communications. However, you may not opt out of service-related communications (e.g., account verification, purchase and billing confirmations and reminders, technical and security notices, and other related communications)
3.2 How do we collect your data & what does this mean for you?
When we decide to work together, we will need certain information in order to meet our contractual commitments. These include:
3.2.1 Information you provide us directly
We may ask for certain information when you decide to work with Phil or correspond with us (such as your first and last names, organisation, phone number, profession, physical and e-mail address).
We also collect any messages you send us, and may collect information you provide in those messages (such as text, documents and photos uploaded). We use this information to operate, maintain, and provide services to you, to correspond with you, and to address any issues you raise about our services.
3.2.2 Information needed to work together
We collect information provided by you when using our services. Without it, we may not be able to provide all services requested. This information includes but is not limited to:
- Payment transaction information. Such as payment instrument used, date and time, payment amount, payment instrument expiration date and billing postcode, billing address, and other related transaction details.
- Project-specific information. Such as databases, reports, financial statements, and other related project-specific documents and information.
- Information about others. Such as information about donors, new contact information for suppliers, and other related information. By providing us with personal information about others, you certify that you have permission to provide that information to Phil for the purposes described in this Privacy Policy.
- Other information. Such as when you fill in a form, respond to surveys, communicate with Phil Support and other Members, or share your experience with us.
3.2.3 Additional information provided to us
We will directly collect analytics data, or use third-party analytics tools, to help us measure traffic and usage trends for our services. These tools collect information sent by your browser or mobile device, including the pages you visit and other information that assists us in improving our services.
We also receive Other Information when submitted to our Websites or in other ways, such as responses or opinions that you provide if you participate in a focus group, activity or event, feedback that you provide about our products or services, information that you provide if you apply for a job with Phil, enrol in a workshop or other educational programme hosted by Phil or a vendor, request support, interact with our social media accounts or otherwise communicate with Phil.
3.3 How do we use your information once we have it?
We use the information we collect about you for the purposes set out below:
3.3.1 Providing you with our services. We use the information that you directly give us to provide our services to you. This includes developing final deliverables, operating and maintaining our services, giving you access to your final deliverables (such as reports, designs, documents, videos, and other related deliverables) and billing you for transactions that you. We also use information we collect about you automatically to remember information about you so that you will not have to re-enter it the next time you use our services.
3.3.2 For data analytics. We use information about you to help us improve Phil’s services and stakeholder experience, including monitoring aggregate metrics such as total number of visitors, traffic, and demographic patterns on our website.
3.3.3 Customising our services for you. We use and combine the information you provide us and information about you that we collect automatically and receive from other sources to make sure that your use of our services is customised to your needs.
3.3.4 To communicate with you about our service. We use your contact information to get in touch with you and to send communications about critical elements of our service. For example, we may send you emails about technical issues, security alerts or administrative matters.
3.3.5 To promote and drive engagement with Phil. We use your contact information to get in touch with you about taking part in our surveys or about features and offers relating to our services that we think you would be interested in. You can opt-out of these communications as described in the “How you control your information” section.
3.3.6 To improve our services. We analyse information about your use of our services and your content to better understand how others are engaging with our services and measure the effectiveness of our services so we can make improvements and develop our services for others.
3.3.7 For matters that you have specifically consented to. From time to time Phil may seek your consent to use your information for a particular purpose. Where you consent to our doing so, we will use it for that purpose. Where you no longer want us to use your information for that purpose you may withdraw your consent to this use.
3.3.8 For troubleshooting, error resolution and service improvement. We may need to review your deliverables to support your request for help, correct general errors or improve our services.
3.3.9 For matters that we are required to use your information by law. Phil will use or disclose your information where we reasonably believe that such action is necessary to (a) comply with the law and the reasonable requests of law enforcement; (b) to enforce our Terms and Conditions or to protect the security or integrity of our services; and/or (c) to exercise or protect the rights, property, or personal safety of Phil, our stakeholders or others.
3.3.10 Provide payment services. Personal information is used to enable, or authorise third parties to use, payment services, such as to enforce the payment terms and other payment policies, and provide and improve payment services.
3.4 For how long do we keep your information?
Following termination or deactivation of your account at Phil, we will retain your information and content for a commercially reasonable time, and for as long as we have a valid purpose to do so. In particular, Phil will retain your information for the purpose of complying with its legal and audit obligations, for backup and archival purposes, and for promotional purposes, such as our case studies and website portfolio.
3.5 How and with whom do we share your data?
3.5.1 With your consent
Phil may share and disclose information in accordance with your instructions and with appropriate consent, including any applicable terms in our agreement and your use of our services functionality and in compliance with applicable law and legal process.
3.5.2 Professional advisers
We may share your information with professional advisers acting as service providers, processors, controllers or joint controllers who provide consultancy, banking, legal, insurance and accounting services, and to the extent we are legally obliged to share or have a legitimate interest in sharing your information containing personal data.
3.5.3 Third-party service providers
We share your information with third-party service providers for the purpose of providing our services to you and to facilitate Phil’s legitimate interests. Those service providers will only be provided with access to your information as is reasonably necessary for the purpose that Phil has engaged the service provider, and we will require that such third parties comply with this Privacy Policy, appropriate data processing terms, our non-disclosure agreement and any applicable laws.
Some of the third parties with whom Phil may share your personal information are service providers who assist Phil with functions such as:
- Billing
- Email services
- Hosting and storage
- Data analytics and predictive analytics;
- Security
- Domain name registration
- Delivery of physical products; and
- Other service providers.
Phil will also share your information with third parties in certain circumstances, such as where you consent to sharing it with a third party for a particular purpose. You or your account administrator may also choose to work with third party applications so that you can provide or share elements to enhance your experience (e.g., Google, YouTube, LinkedIn, Facebook, etc.). For example, you may install a third-party document sharing app in order to store, share and edit content through our services. Integrating with third party applications could involve importing data from that third party and/or exporting data to that third party. These third-party apps are not controlled by us, and this privacy policy does not cover how third-party apps use your information. You should review the terms and conditions of any third party apps before connecting to them. If you object to information about you being shared with these third parties, do not install the app.
3.5.4 Your organisation
If you contact Phil with an email address issued to you by your organisation (either a business, non-profit or educational institution), and your organisation has established an account with Phil (or is considering doing so), you acknowledge that Phil may share your name, email, and the existence of your Phil account with your organisation.
3.5.5 Sharing with authorities
We access, preserve and share your information with regulators, law enforcement, police, intelligence sharing and take down services and others where we have a good-faith belief that it is necessary to detect, prevent or address fraud, breaches of our Terms and Conditions, harmful or illegal activity, to protect Phil (our rights, property or intellectual property), you or others, including as part of investigations or regulatory enquiries or to prevent death or imminent bodily harm.
3.6 With all of this in mind, how do we transfer, store and protect your data?
Your information collected through our services will be stored and processed in Canada, India and any other country in which Phil or its subsidiaries, affiliates or service providers maintain facilities, employ staff or contractors. Phil transfers information that we collect about you, including personal information, to affiliated entities, and to other third parties across borders and from your country or jurisdiction to other countries or jurisdictions around the world. As a result, we may transfer information, including personal information, to a country and jurisdiction that does not have the same data protection laws as your jurisdiction. However, we always take steps to ensure that your information remains protected wherever it is stored and processed in accordance with applicable laws. Where required under applicable laws, you consent to the transfer of information to Canada or any other country in which Phil or its affiliates or service providers maintain facilities and the use and disclosure of information about you as described in this Privacy Policy.
Given the nature of communications and information processing technology, Phil cannot guarantee that information during transmission through the Internet or while stored on our systems or otherwise in our care will be absolutely safe from intrusion by others.
While no organisation can guarantee perfect security, we are continuously implementing and updating administrative and technical security measures to help protect your information against unlawful or unauthorised access, loss, destruction, or alteration.
3.7 Artificial Intelligence
There are growing linkages between data collection upstream, and data access and data analytics downstream.
3.7.1 We are using Artificial Intelligence (abbreviated as “AI” from this point forward) for some editing, translating and creating content and to support brainstorming and research, data analysis, and to automate lead generation through our CRM and chatbot.
3.7.2 For advertising, Phil and clients, AI may be used for monitoring and analyzing campaign data, adjusting ad placements, targeting, and messaging in real-time to optimize performance.
3.8 Data residency
3.8.1 As we reside in Quebec, any of our clients’ data is resident in this jurisdiction. As such, the data becomes subject to the laws, regulations, standards, rules and practices of Quebec, which influences our operations, legal accountabilities and reporting requirements.
3.9 Privacy
3.9.1 We adhere to the Quebec privacy regulations under the Act respecting the protection of personal information in the private sector, and ensure our adherence through a yearly audit of our privacy parameters, including provisions for the handling of complaints from clients.
3.9.2 As we reside in Quebec, we solely use the Quebec privacy regulations, even when we work with clients of different jurisdictions.
3.10 Ethics
AI presents three major areas of ethical concern for our company: privacy and surveillance, bias, and discrimination. Phil will endeavour to ensure that the AI technologies we use have measures in place to handle these three areas of concern.
Phil as a professional services organisation will never rely on AI in place of human judgment.
4. Provisions relating to specific processing situations
4.1 Employment
Phil may provide more specific rules to ensure the protection of the rights and freedoms in respect to the processing of employees’ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer’s or client’s property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
4.2 OCAP®
We recognize the importance of properly handling the data of First Nations peoples and we strive to respect the principles of OCAP®. Data in this context encompasses data from First Nations, including languages, cultures, knowledge, stories, songs, and ceremonies, data about First Nations such as demographics, housing, health, economies, labor, education, and data on or about First Nations lands and resources, which includes waters, medicines, and animals. When working with First Nations data, we follow the same principles as with all our other data processes and include the principles of OCAP®.
5. Final provisions
This Policy shall enter into force on the 23rd day of September, 2023.