1. What PIPEDA is
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the Canadian federal law that governs how private-sector organizations collect, use and disclose personal information in the course of commercial activity. It applies in every province and territory except British Columbia, Alberta and Quebec, which have their own substantially similar legislation.
2. PIPEDA's 10 fair-information principles — and how we map to them
Each principle in PIPEDA Schedule 1, mapped to a concrete control inside DealerMatrix:
1. Accountability
We have a designated Privacy Officer reachable at support@dealermatrix.ca. Our Data Processing Agreement (DPA) with each customer dealership names the dealership as data controller and us as data processor for end-shopper personal information.
2. Identifying purposes
Every form on every dealer site states the purpose of data collection in plain language before the submit button. We never re-purpose data without fresh consent.
3. Consent
Consent is opt-in — checkboxes are never pre-checked. Sensitive collection (credit checks, financial information) requires a separate explicit consent step with an audit trail.
4. Limiting collection
Forms collect the minimum required to deliver the requested service. The credit application asks only for the fields the lender will actually need.
5. Limiting use, disclosure & retention
Data is used only for the stated purpose. Default retention is 24 months for unsuccessful credit applications and 7 years for closed sales records (Canadian tax requirement). Customers can shorten retention windows from billing settings.
6. Accuracy
Shoppers can request correction of inaccurate data — both at the dealership directly, and via support@dealermatrix.ca.
7. Safeguards
- TLS 1.3 in transit, AES-256 at rest.
- Bcrypt password hashing with per-record salt.
- Row-level security on the multi-tenant database — one dealership cannot read another's data, period.
- Separate, encrypted backups with 35-day retention.
- Annual third-party penetration test.
- Mandatory MFA on all DealerMatrix employee accounts.
8. Openness
This page, our Privacy Policy and our Terms of Service are publicly accessible at any time.
9. Individual access
Any individual can request a copy of their personal information by writing to support@dealermatrix.ca. We respond within 30 days.
10. Challenging compliance
Complaints are first investigated by our Privacy Officer; unresolved matters can be escalated to the Office of the Privacy Commissioner of Canada.
3. Breach response
We follow PIPEDA's mandatory breach-notification rules: any "breach of security safeguards involving personal information that creates a real risk of significant harm" is reported to the Privacy Commissioner and to affected individuals as soon as feasible, and a record is kept for 24 months. Internal time-to-detect target is 4 hours; time-to-notify target is 72 hours from confirmation.
4. Cross-border transfers
Our primary infrastructure is in Canadian Supabase regions. Backups are in U.S. AWS regions, encrypted with keys we hold. Cross-border transfers are governed by Standard Contractual Clauses and PIPEDA-equivalent contractual terms with each sub-processor.
5. Sub-processors
- Supabase — primary database, file storage (Canada/US).
- Vercel — CDN + edge runtime for our marketing and dealer sites.
- Twilio — voice + SMS.
- SendGrid (Twilio) — transactional email.
- Stripe — billing.
- Equifax Canada, TransUnion Canada — soft-pull credit, only with shopper consent.
- Meta Marketing API, Google Ads — opt-in by the dealership.
6. Data Processing Agreement
Every customer dealership receives a Data Processing Agreement on signup that names DealerMatrix as data processor and the dealership as data controller for end-shopper personal information. A copy of the current DPA is available on request from your account manager or support@dealermatrix.ca.
7. Questions
DealerMatrix Privacy Officer
79 Bramsteele Rd, Unit #203, Brampton, ON L6W 3K6
support@dealermatrix.ca
