ÓRIVON — Privacy-led GRC consulting

Legal

Privacy notice

Last updated: June 18, 2026 · Maintained by ÓRIVON Consulting Inc.

1. Who we are and scope

ÓRIVON Consulting Inc. ("ÓRIVON", "we", "us") is a privacy, governance, risk and compliance consultancy based in Vancouver, British Columbia, Canada. We are accountable for personal information under our control.

This notice applies to personal information we collect through orivon.com and related forms (contact, the free privacy maturity assessment, and email correspondence). It is written to comply with the federal Personal Information Protection and Electronic Documents Act (PIPEDA), the British Columbia Personal Information Protection Act (BC PIPA) and the Alberta Personal Information Protection Act (Alberta PIPA), as applicable.

Personal information we handle on behalf of clients under a consulting engagement is governed by that engagement's contract and data-processing terms — not by this notice.

2. Our commitments

We operate on the ten fair-information principles set out in Schedule 1 of PIPEDA, which are mirrored in BC PIPA and Alberta PIPA: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and a clear path to challenge our compliance.

3. Personal information we collect

  • Contact form: full name, work email, company (optional), phone (optional), subject and the contents of your message.
  • Privacy maturity assessment: full name, work email, company, role (optional), phone (optional), the Canadian privacy regime you selected, and your answers to the ten assessment questions.
  • Server logs: standard request metadata (IP address, user-agent, timestamp, requested URL) kept short-term by our hosting provider for security, abuse prevention and debugging.

We do not knowingly collect personal information from children. We do not request, and ask that you do not send, sensitive information (health, financial account details, government IDs, etc.) through our website forms.

4. Purposes and legal basis

We use your personal information to:

  • respond to your enquiry and deliver the materials you request;
  • score and email your privacy maturity assessment result and, with your consent, follow up about how we can help close the identified gaps;
  • maintain the security, integrity and availability of the site;
  • meet legal, regulatory and professional record-keeping obligations.

Under Canadian privacy law our handling is based on your knowledge and consent (express where you submit a form and tick the consent box; implied where reasonably necessary to provide a service you asked for, such as replying to your email).

You can withdraw consent for marketing follow-up at any time by emailing privacy@orivongrc.com or by replying "unsubscribe" to any message we send you. Withdrawing consent does not affect processing already carried out, and may mean we can no longer provide certain services (for example, we cannot email you assessment results if you withdraw the email contact).

6. Disclosure and service providers

We do not sell, rent or trade personal information. We disclose personal information only:

  • to vetted service providers acting on our behalf under written confidentiality and security obligations (currently: our hosting and database provider, and our transactional email provider);
  • where required or permitted by Canadian law (e.g. lawful request from a regulator or court);
  • to protect our rights, safety or property, or those of others.

7. Cross-border storage and access

Our hosting and email providers operate globally and may store or process personal information outside Canada (including in the United States and the European Union). While outside Canada, that information may be subject to the laws of those jurisdictions, including lawful access by foreign authorities. We use providers with comparable protection and contractual safeguards. If you would like additional information about our cross-border practices, please contact our Privacy Officer.

8. Retention and deletion

  • Contact messages: kept for up to 24 months after our last meaningful exchange, then deleted or anonymised.
  • Assessment submissions: kept for up to 24 months to enable follow-up and benchmarking in aggregate form, then deleted or anonymised.
  • Server logs: typically retained for up to 30 days by our hosting provider.
  • Engagement records: kept for the period required by our professional and tax obligations (generally up to 7 years).

You can ask us to delete your information sooner — see "Your rights" below.

9. Safeguards

We apply administrative, technical and physical safeguards proportionate to the sensitivity of the information, including access controls, encryption in transit (TLS), encryption at rest in our database, least-privilege access, audit logging, and contractual security obligations on our service providers. No method of transmission or storage is perfectly secure; if we ever become aware of a breach that creates a real risk of significant harm, we will notify you and the appropriate regulator as required by law.

10. Cookies and tracking

This site uses only strictly necessary first-party storage — for example, to keep a signed-in administrator's session. We do not use advertising cookies, cross-site trackers, or third-party analytics scripts. Web fonts are loaded from Google Fonts, which may log standard request metadata as part of serving the font files. If we ever introduce non-essential analytics or marketing cookies, we will update this notice and ask for your consent first.

11. Your rights and how to exercise them

Under PIPEDA, BC PIPA and Alberta PIPA you have the right to:

  • be told what personal information of yours we hold and how it has been used and disclosed;
  • access that information and request a copy;
  • request correction of inaccurate or incomplete information;
  • withdraw consent (subject to legal or contractual restrictions);
  • ask us to delete information we no longer need.

To exercise any of these rights, email privacy@orivongrc.com. We respond within 30 days, as required by Canadian law, and may need to verify your identity before disclosing or changing information.

12. Complaints to a regulator

If you are not satisfied with how we have handled your personal information, you may complain to the appropriate Canadian regulator:

  • Office of the Privacy Commissioner of Canada (PIPEDA): priv.gc.ca
  • Office of the Information and Privacy Commissioner for British Columbia (BC PIPA): oipc.bc.ca
  • Office of the Information and Privacy Commissioner of Alberta (Alberta PIPA): oipc.ab.ca

13. Contacting our Privacy Officer

ÓRIVON Consulting Inc.
Attention: Privacy Officer
Vancouver, British Columbia, Canada
Email: privacy@orivongrc.com

14. Changes to this notice

We may update this notice to reflect changes in our practices or in the law. We will revise the "Last updated" date at the top, and for material changes we will provide a more prominent notice (for example, an in-page banner) before the change takes effect.