What Is PIPEDA?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal privacy law for private-sector organizations. It establishes the rules that businesses must follow when they collect, use, or disclose personal information in the course of commercial activities. PIPEDA applies to most businesses that operate in Canada or handle the personal information of Canadians, unless a substantially similar provincial law has been enacted.
PIPEDA is built on ten fair information principles that together define what responsible data handling looks like. Below, we explain each principle and describe how Surveh puts it into practice.
The Ten Fair Information Principles
1. Accountability
An organization is responsible for the personal information under its control and must designate an individual to be accountable for compliance. Surveh has appointed a Privacy Officer who oversees our privacy program, responds to inquiries, and ensures that our policies and practices remain current. You can reach the Privacy Officer at privacy@surveh.ca.
2. Identifying Purposes
The purposes for which personal information is collected must be identified before or at the time of collection. When you create an account, subscribe to a plan, or submit a support request, we tell you why we need the information and how it will be used. Our Privacy Policy provides a complete overview of the purposes for which we collect information.
3. Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate (for example, where collection is clearly in the individual's interest and consent cannot be obtained in a timely way). Surveh obtains consent through clear, affirmative actions: you agree to our Terms and Privacy Policy when you register, and we ask for separate, granular consent for non-essential analytics and advertising cookies through our cookie-preferences panel.
4. Limiting Collection
The collection of personal information must be limited to what is necessary for the identified purposes. We collect only the data we need to provide the Services—your name and email for authentication, payment details for billing, and survey responses on behalf of our customers. Technical metadata such as IP addresses is truncated and retained only for a limited period.
5. Limiting Use, Disclosure, and Retention
Personal information must not be used or disclosed for purposes other than those for which it was collected, except with consent or as required by law. We do not sell personal information. We share data with our subprocessors only to the extent necessary to operate the Services, and we retain information only as long as required to fulfil the purposes identified in our Privacy Policy. Specific retention periods—for example, 90 days for response metadata and up to seven years for consent records—are published in our Privacy Policy.
6. Accuracy
Personal information must be as accurate, complete, and up to date as necessary for the purposes for which it is used. You can update your account information at any time through the dashboard settings. If you believe that information we hold about you is inaccurate, you may request a correction by contacting us.
7. Safeguards
Personal information must be protected by security safeguards appropriate to the sensitivity of the information. Surveh encrypts data in transit using TLS and at rest using AES-256 encryption. We enforce role-based access controls with the principle of least privilege, monitor access logs, and perform regular dependency reviews. Our primary database is hosted in Canada (AWS Canada Central, Montreal). A full description of our security measures is available in the Security section of our Privacy Policy.
8. Openness
An organization must make detailed information about its policies and practices readily available. This page, together with our Privacy Policy, Terms of Service, and Cookie Policy, constitutes our public documentation of how we handle personal information. We also publish our subprocessor list, data-retention periods, and cross-border transfer details so that you and your respondents can make informed decisions.
9. Individual Access
Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and must be given access to it. You may request a copy of the personal information we hold about you by emailing privacy@surveh.ca. We also provide an in-app data-export feature that lets you download your account data and survey responses in a machine-readable format. We aim to respond to access requests within 30 days.
10. Challenging Compliance
An individual must be able to challenge an organization's compliance with these principles. If you believe Surveh has not handled your personal information in accordance with PIPEDA, you may contact our Privacy Officer at privacy@surveh.ca. We will investigate your concern and respond within 30 days. If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada.
How Surveh Supports Your Compliance
If you use Surveh to collect personal information from your own customers, employees, or research participants, you are the “organization” under PIPEDA and bear primary responsibility for compliance. Surveh acts as a service provider (processor) on your behalf. Here is how our platform is designed to help:
Canadian-first data residency
Survey responses and core account data are stored in Canada. This simplifies your compliance obligations, because you can assure respondents that their data remains within Canadian jurisdiction. We do rely on a small number of subprocessors that operate outside Canada (detailed in our Privacy Policy), and we apply contractual safeguards and data-minimization practices to each transfer.
Consent-aware workflows
The Surveh platform includes a cookie-preferences panel that lets visitors opt in or out of analytics and advertising cookies. For your own surveys, we recommend including a clear consent statement at the beginning of any form that collects personal information. Our form builder supports introductory text blocks where you can provide this context to respondents.
Data minimization by design
Surveh does not force you to collect any particular data field. You choose which questions to ask and what information to gather. We encourage you to collect only what you need, in line with PIPEDA's limiting-collection principle.
Security infrastructure
All connections to and from Surveh are encrypted with TLS. Data at rest is encrypted using AES-256. Access to production systems is restricted to authorized personnel and protected by multi-factor authentication. We monitor for vulnerabilities and apply security patches promptly.
Transparency and access
You can export your survey data at any time through the dashboard. If a respondent asks you for access to the information they submitted, you can retrieve it from your response records and provide it directly. Surveh also supports account-level data exports and deletion requests to help you fulfil your own obligations under PIPEDA.
Questions?
If you have questions about PIPEDA compliance or how Surveh handles personal information, our team is happy to help.
Email: privacy@surveh.ca