Privacy Policy

Last updated: 2026 · Effective: 2026 · Governing law: Canada (PIPEDA)

// 01

Communications data stays in Canada

Messaging, encryption keys, and channel content are held in Ontario, Canada infrastructure — not subject to US CLOUD Act jurisdiction. Billing data is handled separately; see Section 03.

// 02

We cannot read your messages

End-to-end encryption. Canium staff have zero technical access to communications.

// 03

Your data, your rights

Export or delete at any time. No advertising. No selling. PIPEDA compliant.


01 — Who We Are

Canium Inc. is a Canadian company incorporated under the Canada Business Corporations Act. Our registered address and our communications infrastructure are located in Canada. Canium Inc. is the organization responsible for the personal information you provide when using our platform.

Privacy Officer: privacy@canium.ca

02 — What Personal Information We Collect and Why

We collect only what is necessary to provide the service.

InformationPurposeRetained until
Email addressAccount authentication and transactional notificationsAccount deleted
Display nameIdentity within channels and messagingAccount deleted
OPAQUE authentication recordAuthentication — the server never receives your password or any derivative of itAccount deleted
TOTP secret (encrypted)Multi-factor authentication, if enrolledMFA disabled or account deleted
Channel attendance metadataCompliance audit trail, abuse prevention2 years, then anonymised
Device fingerprint (hash only)Trusted-device recognitionDevice revoked or account deleted

We do not collect:

See Section 12 — zero cookies, privacy-first website analytics.

03 — Data Residency

All communications data — messages, encryption keys, and channel content — is stored exclusively in Ontario, Canada and is not transferred to, processed in, or subject to the laws of any foreign jurisdiction. Our communications infrastructure is not subject to US CLOUD Act compelled disclosure; our hosting providers are contractually bound to keep this data within Canada.

Billing and account administration information (name, email, billing address, and payment card details) is processed by a third-party payment processor, currently US-based and subject to the US CLOUD Act and its own jurisdictional terms. This processor does not have access to your communications content. We are evaluating a migration to a Canadian payment processor for enterprise and government clients who require full billing-data residency. The identity of our current payment processor is available on request to privacy@canium.ca.

04 — Confidentiality of Communications

Canium uses end-to-end encryption (MLS, RFC 9420) for all channels and direct messages. We do not have the technical ability to access the content of your communications.

Metadata (who participated in a channel, when) is retained for audit purposes as described in Section 02, but the substance of what was said or written is not stored on our servers in any form accessible to Canium staff.

05 — How We Use Your Information

We use your personal information solely to:

We do not sell, rent, or share your personal information with third parties for commercial purposes.

06 — Your Rights Under PIPEDA

As a Canadian resident you have the right to:

RightDescription
AccessRequest a copy of all personal information we hold about you
CorrectionRequest correction of inaccurate information
DeletionRequest permanent deletion of your account and all associated personal data, completed within 30 days
Withdraw consentYou may withdraw consent at any time by deleting your account

To exercise any of these rights: privacy@canium.ca

07 — Data Retention

Account data is retained until you delete your account. Audit log entries are anonymised after 2 years (user identifier replaced with a one-way hash). Backup copies are purged within 90 days of account deletion.

08 — Security Safeguards

SafeguardDetail
Data in transitTLS 1.3 for all connections. Messages are additionally protected by end-to-end encryption (MLS, RFC 9420) — encrypted on the sender's device and decryptable only by recipients. The server handles ciphertext only and has no access to message content.
Data at restAES-256-GCM
Password authenticationOPAQUE (RFC 9807) — server never receives your password
System access controlsMFA required for all staff access + full audit log

09 — Breach Notification

In the event of a breach affecting your personal information, we will notify you and the Privacy Commissioner of Canada within 72 hours of becoming aware, as required under PIPEDA.

10 — Changes to This Policy

We will notify you of material changes by email and in-app notice at least 14 days before the change takes effect. Continued use of the platform after the notice period constitutes acceptance of the updated policy.

11 — Contact and Complaints

Privacy Officer: privacy@canium.ca

If you are not satisfied with our response to a privacy inquiry, you may file a complaint with the Office of the Privacy Commissioner of Canada: www.priv.gc.ca

12 — Cookies and Analytics

Zero cookies. canium.ca uses a self-hosted, in-house web analytics service, run on Canium's own infrastructure, to understand aggregate site traffic — page views by section and referring site. This service sets no cookies, uses no persistent identifiers, and cannot identify, profile, or track an individual visitor across sites or sessions.

No consent is required to enable this service, since it collects no personal information, but we disclose it here for transparency. It is distinct from the behavioural or advertising data described in Section 02 — no third party, advertiser, or data broker has access to it, and no data leaves Canium's own infrastructure.

We do not use advertising cookies, tracking pixels, third-party analytics providers, or cross-site tracking technology of any kind on this site.