Canadian Privacy

PIPEDA (Federal — Private Sector Privacy Act)

The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to federally regulated organizations and to provincial organizations that collect, use, or disclose personal information in the course of commercial activity.

Pulse is designed around the 10 fair information principles in PIPEDA Schedule 1:

1. Accountability — Pulse designates a Privacy Officer responsible for compliance.
2. Identifying Purposes — We collect data only for stated, specific purposes.
3. Consent — We obtain and record express or implied consent before collecting personal information.
4. Limiting Collection — We collect only what is necessary for the purpose.
5. Limiting Use, Disclosure, and Retention — Data is not sold. Retention periods are documented.
6. Accuracy — Businesses and clients can correct their information at any time.
7. Safeguards — Encryption, access controls, audit logs, and breach monitoring. See our Security page.
8. Openness — Our policies are publicly available.
9. Individual Access — Users can access, correct, or request deletion of their data.
10. Challenging Compliance — Contact us at privacy@pulseappointments.com with any concerns.

Alberta PIPA

The Personal Information Protection Act(PIPA) applies to private-sector organizations operating in Alberta. Alberta's PIPA is substantially similar to PIPEDA. Pulse complies with PIPA obligations for Alberta-based businesses using our platform, including the requirement to notify the Office of the Information and Privacy Commissioner of Alberta of breaches involving significant harm.

CASL (Canada's Anti-Spam Legislation)

CASL requires express or implied consent before sending commercial electronic messages (CEM). Pulse supports CASL compliance in the following ways:

• Marketing emails and SMS require client consent. Pulse records whether a client has opted in to marketing messages.
• Every marketing message includes a one-click unsubscribe link. Unsubscribe requests are processed immediately.
• Transactional messages (booking confirmations, reminders, receipts) are CASL-exempt as they directly relate to an existing commercial relationship.
• Consent records include the date, method, and IP address of consent — available in your dashboard for audit purposes.
• Implied consent applies for existing clients for 2 years after their last transaction (CASL Section 10(9)(a)).

Businesses are responsible for ensuring their own marketing campaigns sent through Pulse comply with CASL.

Data residency and cross-border transfers

Pulse's servers are hosted on Railway's infrastructure, which may be located in the United States. Cross-border data transfers are permitted under PIPEDA Schedule 1 Principle 7 when equivalent protections are in place. Railway is a SOC 2 Type II certified provider.

If your business requires Canadian data residency (e.g., for regulated health professions), please contact us at privacy@pulseappointments.com to discuss your requirements.

Health information (massage therapists, estheticians, and health-adjacent professionals)

PIPEDA applies to health information collected by private-sector organizations in provinces without substantially similar legislation. If your business collects health information (e.g., skin conditions, medical history, allergy information) via intake forms or client notes, you have additional obligations:

• Obtain informed consent before collecting health information.
• Use health information only for the stated purpose (e.g., service delivery).
• Do not use client health information for marketing without separate, express consent.
• Health information must be retained only as long as necessary and securely deleted when no longer needed.

Note for regulated health professionals: If your practice is regulated under provincial health legislation (e.g., regulated massage therapists in Ontario under RHPA), sector-specific legislation may apply in addition to PIPEDA. Pulse does not constitute an Electronic Health Records (EHR) system and is not intended for use in highly regulated clinical settings.

Your rights as a Canadian individual

Under PIPEDA, individuals have the right to:

• Know that an organization holds information about them and how it is used.
• Access their personal information (within 30 days of a written request).
• Correct inaccurate information.
• Withdraw consent for use of their information (subject to legal and business obligations).
• Complain to the Office of the Privacy Commissioner of Canada (OPC) if they believe their rights have been violated.

To exercise any of these rights, email privacy@pulseappointments.com. Client accounts can also submit a data deletion request from the client portal under Settings.