Look, we get it - privacy policies can be a real snooze-fest. But when you're dealing with forensic accounting and fraud investigations, confidentiality isn't just some checkbox exercise. It's literally the foundation of everything we do here at GrimThornyx.

After spending over fifteen years digging through financial records and uncovering fraud schemes, I've seen firsthand how critical data protection really is. One mishandled document, one careless email, and an entire investigation can get compromised. So yeah, we take this stuff seriously - maybe more seriously than most firms out there.

This policy lays out how we handle your information when you work with us or even just browse our website. We've tried to keep the legalese to a minimum, but some parts have to be technical - especially since we're bound by Canadian privacy legislation including PIPEDA (Personal Information Protection and Electronic Documents Act).

Bottom line: Your data stays protected, we don't sell your info to anyone, and we only use what we need to do our job properly.

Alright, let's break down what we actually collect and why. Nothing here is collected just for kicks - everything serves a legitimate business purpose.

Personal Information You Provide Directly
  • Contact Details: Name, business name, phone numbers, email addresses, mailing addresses. Pretty standard stuff you'd give any professional firm.
  • Business Information: Company details, industry, size, structure. Helps us understand your specific needs and risks.
  • Financial Records: When you engage us for forensic work or audits, we'll need access to relevant financial documents, bank statements, transaction records, etc. This is where the heavy lifting happens.
  • Case-Specific Data: Details about suspected fraud, internal concerns, whistleblower information. This stuff gets locked down tight.

Information Collected Automatically
  • Website Analytics: IP addresses, browser types, pages visited, time spent on site. Standard web tracking to see how people use our site.
  • Device Information: Device type, operating system, screen resolution. Helps us make sure the site works properly for everyone.
  • Cookies & Similar Tech: We use these (more details in the Cookies section below).

Third-Party Information

Sometimes during investigations, we'll receive information about you from other sources - banks, legal counsel, regulatory bodies, etc. This only happens when it's necessary for our engagement and legally permissible.

Important Note: We never require more information than necessary. If something feels excessive or irrelevant, we won't ask for it. Period.

Here's the deal - we don't collect data just to hoard it. Everything we gather serves a specific purpose in delivering our services or improving how we operate.

Primary Service Delivery
  • Conducting forensic accounting investigations and fraud examinations
  • Performing financial risk assessments and audit procedures
  • Providing tax planning, compliance services, and business valuations
  • Delivering estate and trust accounting services
  • Preparing reports, findings, and expert testimony when needed

Communication & Client Support
  • Responding to inquiries and consultation requests
  • Sending updates about your case or engagement
  • Providing technical support or answering questions
  • Scheduling meetings and coordinating document exchanges

Legal & Regulatory Compliance
  • Meeting professional accounting standards and CPA requirements
  • Complying with anti-money laundering (AML) regulations
  • Responding to court orders, subpoenas, or regulatory requests
  • Maintaining required records per Canadian law

Business Operations & Improvement
  • Analyzing how our website gets used to make it better
  • Improving our service delivery and methodologies
  • Training staff (using anonymized case examples only)
  • Managing invoicing and payment processing

We do NOT: Sell your data, use it for marketing without consent, or share it with third parties for their own purposes. That's not how we roll.

This is where things get nuanced. We don't share your info willy-nilly, but there are legitimate situations where disclosure happens. Let's be crystal clear about when and why.

With Your Consent

If you explicitly authorize us to share information with specific parties - your legal counsel, insurance company, board members, etc. - we'll do exactly that and nothing more.

Service Providers & Professional Partners

Sometimes we work with trusted third parties who help us deliver services:

  • IT security firms managing our encrypted systems
  • Cloud storage providers (all Canadian-based and PIPEDA compliant)
  • Specialized forensic software vendors
  • Legal advisors when cases require their expertise

These folks are contractually bound to keep your data confidential and can't use it for anything else.

Legal Obligations

We'll disclose information when legally required:

  • Court orders or subpoenas
  • Regulatory investigations by CRA, securities commissions, etc.
  • Law enforcement requests with proper legal authority
  • Reporting suspicious transactions under AML regulations

Business Transfers

If GrimThornyx ever gets acquired or merges with another firm (not planning on it, but who knows), your information would transfer to the new entity under the same privacy protections.

Protection of Rights

We may disclose information to protect our legal rights, prevent fraud against us, or protect someone's safety in emergency situations.

Transparency Commitment: Whenever possible and legally allowed, we'll notify you before disclosing your information to third parties.

This is where we geek out a bit. Security isn't an afterthought for us - it's baked into everything we do. When you're handling fraud investigations and sensitive financial data, you can't cut corners.

Technical Security Measures
  • Encryption Everywhere: All data gets encrypted both in transit (TLS 1.3) and at rest (AES-256). Your files are scrambled six ways from Sunday.
  • Secure Cloud Infrastructure: We use Canadian data centers with SOC 2 Type II certification. Your data never leaves Canadian borders.
  • Multi-Factor Authentication: Everyone on our team uses MFA. No exceptions.
  • Regular Security Audits: Third-party penetration testing twice a year, plus continuous vulnerability scanning.
  • Firewall & Intrusion Detection: Enterprise-grade network security with 24/7 monitoring.
  • Secure File Transfer: When you send us documents, they go through encrypted portals - never regular email attachments.

Physical Security
  • Our Vancouver office has controlled access with keycard entry
  • All paper files stored in locked cabinets within a secured area
  • Clean desk policy - nothing sensitive left out overnight
  • Secure document destruction for retired files

Administrative Controls
  • Background checks on all staff members
  • Signed confidentiality agreements with every employee and contractor
  • Need-to-know access principles - people only see what they need for their specific role
  • Regular privacy and security training
  • Incident response plan tested quarterly

What We Can't Guarantee

Look, I'll be straight with you - no system is 100% hack-proof. We've implemented industry-leading protections, but cybersecurity is an ongoing battle. What we CAN promise is that we're constantly updating our defenses, we take threats seriously, and if something ever did happen, we'd notify you immediately and handle it transparently.

Your Part: Security is a team effort. Use strong passwords, don't share login credentials, and if something looks fishy in an email claiming to be from us - call us directly at (604) 782-9340 to verify.

We don't keep your stuff forever. There's a method to what we retain and for how long, driven mostly by professional standards and legal requirements.

Active Client Files

While we're actively working on your case or engagement, we obviously keep everything. That's the easy part.

Closed Engagement Files

After an engagement wraps up, here's what happens:

  • Forensic Investigation Files: Retained for 10 years minimum (often longer if litigation is ongoing). These might be needed for legal proceedings years down the road.
  • Audit & Assurance Files: 7 years per CPA Canada standards
  • Tax Files: 6 years as required by CRA regulations
  • Business Valuation Files: 7 years typically
  • General Correspondence: 3 years unless part of a longer retention category

Website & Marketing Data
  • Analytics data - aggregated and anonymized after 26 months
  • Cookie data - see our Cookies section below
  • Inquiry forms from non-clients - 2 years then deleted

What Happens After Retention Periods

Once the required retention period expires, we don't just toss stuff in the regular trash. All data gets securely destroyed:

  • Electronic files - securely wiped using DoD 5220.22-M standards (basically makes recovery impossible)
  • Paper documents - cross-cut shredding through a certified destruction vendor
  • Hard drives being decommissioned - physically destroyed

Exceptions & Extensions

Sometimes we need to keep data longer:

  • Active litigation or regulatory investigations
  • Ongoing appeals or disputes
  • When you specifically request extended retention (like for historical reference)
  • Criminal cases where statute of limitations hasn't run out

If you want your data deleted before the standard retention period ends, we can discuss it - but we might not be able to comply if we're legally required to keep it or if deletion would harm ongoing work.

Under Canadian privacy law (specifically PIPEDA), you've got some solid rights when it comes to your personal information. Here's what you can do and how to actually exercise these rights.

Right to Access

You can request to see what personal information we hold about you. We'll provide it within 30 days, usually in an electronic format that's easy to review. There might be exceptions if disclosure would reveal confidential commercial info or interfere with legal proceedings.

Right to Correction

Spotted an error in your info? Let us know and we'll fix it. If it's something factual like a wrong address or phone number, that's straightforward. If it's about the content of our findings or opinions in a forensic report, we might annotate your objection rather than change the document itself (professional standards thing).

Right to Deletion

You can request deletion of your data, but there are legit reasons we might say no:

  • We're legally required to keep it (like tax records or audit files)
  • It's needed for an ongoing investigation or litigation
  • Deletion would prevent us from defending legal claims
  • Professional standards require retention

Even if we can't delete everything, we'll delete what we legally can and explain why the rest stays.

Right to Withdraw Consent

If we're processing your data based on consent (rather than legal obligation), you can withdraw that consent anytime. Might affect our ability to provide certain services, but it's your call.

Right to Object

You can object to how we're using your information. We'll stop unless we've got compelling legitimate grounds to continue or need it for legal claims.

Right to Data Portability

Want your data transferred to another accounting firm? We can provide it in a structured, commonly used format. Note that this doesn't include our proprietary analysis or work product - just your underlying information.

How to Exercise These Rights

Email us at inquiries@grimthornyx.info with "Privacy Rights Request" in the subject line, or call (604) 782-9340 and ask for our Privacy Officer. We'll need to verify your identity (can't just hand over data to anyone claiming to be you), so be ready to provide some identifying information.

We'll respond within 30 days. If your request is complex or we've got a ton of requests at once, we might need an extra 30 days - but we'll let you know if that's the case.

Not Happy With Our Response?

You've got the right to file a complaint with the Office of the Privacy Commissioner of Canada. We'd rather work it out directly, but that option is always there if you feel we've mishandled your data.

Yeah, we use cookies. Not the chocolate chip kind (though I wish). Let's break down what these digital trackers do and why we use them.

What Are Cookies Anyway?

Small text files that websites drop on your device to remember stuff about you. Some are essential for making the site work, others help us understand how people use the site so we can make it better.

Types of Cookies We Use

Essential Cookies (The Non-Negotiables)

  • Session management - keeps you logged into our secure client portal
  • Security tokens - prevents nasty stuff like cross-site request forgery
  • Load balancing - distributes traffic so the site doesn't crash

These cookies are necessary for the site to function. You can't really opt out without breaking everything.

Analytics Cookies (The Data Nerds)

  • Google Analytics - tells us which pages people visit, how long they stay, etc.
  • Heatmap tracking - shows us where people click and scroll
  • Traffic source tracking - helps us know if people found us through search, social media, or direct visits

This data is anonymized and aggregated. We're not tracking individual users - just patterns.

Functionality Cookies (The Convenience Makers)

  • Language preferences
  • Font size adjustments
  • Chat widget settings

Makes the site remember your preferences so you don't have to set them every time.

Third-Party Cookies

We try to minimize these, but a few sneak in:

  • Google Analytics (already mentioned)
  • LinkedIn Insight Tag (only on certain pages, helps us understand professional audience)

How Long Do Cookies Last?
  • Session cookies - disappear when you close your browser
  • Persistent cookies - stick around for 1-24 months depending on type
  • Analytics cookies - typically 2 years, then they expire

Managing Your Cookie Preferences

You've got options:

  • Most browsers let you block or delete cookies (check Settings or Preferences)
  • Opt out of Google Analytics specifically at https://tools.google.com/dlpage/gaoptout
  • Use browser extensions like Privacy Badger or uBlock Origin

Fair Warning: If you block all cookies, some parts of the site might not work properly. The secure client portal especially needs cookies to function.

Do Not Track Signals

Browsers can send "Do Not Track" signals, but there's no industry standard for how websites should respond. Currently, our site doesn't change behavior based on DNT signals, but you can use the cookie controls above to achieve similar results.

Our website connects to various third-party services, and we need to be upfront about what that means for your privacy.

Services We Integrate

Cloud Storage & File Sharing

We use Canadian-based encrypted cloud storage for client files. These providers have their own privacy policies, but we've vetted them thoroughly and have data processing agreements in place requiring PIPEDA compliance.

Payment Processing

When you pay invoices online, the transaction goes through a PCI-DSS compliant payment processor. We never see or store your full credit card details - just confirmation that payment was processed.

Video Conferencing

For virtual meetings, we typically use Zoom or Microsoft Teams. Both have robust security, but be aware they collect usage data. You can review their privacy policies if you want the details.

Email Services

Our email is hosted through Microsoft 365 with Canadian data residency. Emails are encrypted in transit and at rest.

External Links

Our website might link to external resources - regulatory bodies, industry publications, news articles, etc. Once you click those links, you're leaving our site and entering their privacy jurisdiction. We're not responsible for how they handle your data.

We try to only link to reputable sources, but do your due diligence - especially if a site asks you to enter personal information.

Social Media

We've got LinkedIn and possibly other social media profiles. If you interact with us there, those platforms' privacy policies apply. They're notorious data collectors, so read their policies if privacy is a concern.

Our Vendor Standards

Any third party we work with has to meet certain criteria:

  • Canadian data storage or explicit PIPEDA compliance
  • Strong security certifications (SOC 2, ISO 27001, etc.)
  • Written data processing agreements
  • Regular security audits
  • Incident response capabilities

We regularly review our vendors and drop anyone who doesn't maintain standards.

Questions About a Specific Third Party? Ask us. We'll tell you who they are, what they do with your data, and why we chose them.

Privacy laws evolve, our business practices change, and technology advances. So yeah, this policy will get updated from time to time. Here's how we handle that.

When We'll Update This Policy
  • Changes in Canadian privacy legislation (PIPEDA updates, new provincial laws, etc.)
  • Introduction of new services or technology platforms
  • Changes in how we process or store data
  • Feedback from privacy audits or assessments
  • Clarifications based on client questions

How You'll Know About Changes

Minor Updates: For small clarifications or non-material changes, we'll update the "Last Updated" date at the top and post the revised policy. You can check back periodically if you're curious.

Major Changes: If we make significant changes that affect how we handle your data - especially anything that expands our use of information - we'll notify you directly via:

  • Email to your address on file
  • Prominent notice on our website homepage
  • Notice in our secure client portal

You'll have at least 30 days before major changes take effect, giving you time to review and decide if you're comfortable continuing.

Version History

We maintain previous versions of this policy for reference. Current version is 3.2 (updated November 18, 2025). If you want to see what changed between versions, just ask - we'll walk you through it.

Your Options After Changes

If you don't like the updated policy:

  • For website visitors - you can stop using the site (though we'd miss you)
  • For active clients - we can discuss your concerns and potentially accommodate different handling of your data within professional standards
  • You can formally object to specific changes through our Privacy Officer

Continued use of our services after changes take effect means you accept the updated policy. But again, for major stuff, we'll give you plenty of heads up and options.

Got questions, concerns, or complaints about how we handle your personal information? Here's how to reach us. We actually respond to these - promise.

Privacy Officer

We've designated a specific person to handle privacy matters. Not just some random admin - someone who actually understands this stuff and has the authority to make decisions.

GrimThornyx Privacy Officer

Address:
1450 Creekside Drive, Suite 320
Vancouver, BC V6J 4S7
Canada

Phone: (604) 782-9340
Email: inquiries@grimthornyx.info
Subject Line: Privacy Inquiry / Privacy Rights Request / Privacy Complaint

What to Include in Your Message

To help us respond quickly and accurately:

  • Your full name and contact information
  • Nature of your inquiry/request/complaint
  • Any relevant case or file numbers
  • Specific information or documents you're asking about
  • Your preferred method of response

Response Timeline

We'll acknowledge receipt within 3 business days and provide a substantive response within 30 days. Complex requests might need the full 30 days (or occasionally up to 60 for really involved situations), but we'll keep you updated.

If You're Not Satisfied

We aim to resolve privacy concerns directly, but if you feel we haven't adequately addressed your issue, you can escalate to:

Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec K1A 1H3
Phone: 1-800-282-1376
Website: www.priv.gc.ca

General Inquiries

For non-privacy-specific questions about our services, you can reach us at:

  • Phone: (604) 782-9340
  • Email: inquiries@grimthornyx.info
  • Visit: Our Vancouver office (appointments preferred)

We're here Monday through Friday, 8:30 AM to 5:00 PM Pacific Time. Outside those hours, leave a message and we'll get back to you next business day.

Bottom Line on Privacy

Your trust is everything in this business. We've built our reputation on discretion and integrity, and that extends to how we handle your personal information. If something doesn't feel right or you've got questions, speak up. We'd rather address concerns head-on than have you wondering what's happening with your data.

This privacy policy was last updated on November 18, 2025 and is governed by Canadian privacy laws including PIPEDA.