Legal
Privacy Policy
Last updated: March 2026
CultureIQ Labs Corp. (“CultureIQ Labs,” “we,” “us,” or “our”) is committed to protecting the privacy of individuals who use our platform and website. This Privacy Policy describes how we collect, use, disclose, and protect personal information, including health information, in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA), the Personal Health Information Protection Act (PHIPA) (Ontario), Canada’s Anti-Spam Legislation (CASL), and applicable provincial privacy law.
1. Who We Are
CultureIQ Labs is a corporation incorporated under the laws of Ontario, Canada. We provide a software-as-a-service platform that helps Canadian organizations measure psychological safety and manage return-to-work (RTW) cases.
Our designated Privacy Officer is responsible for overseeing compliance with this policy and applicable privacy legislation.
Contact: privacy@cultureiqlabs.ca
2. Scope of This Policy
This Privacy Policy applies to:
- Visitors to our website at cultureiqlabs.ca
- Account administrators and authorized users of the CultureIQ Labs platform
- Employees of customer organizations whose information is entered into the platform by authorized HR personnel
This policy does not apply to third-party websites or services linked from our platform.
3. Information We Collect
3.1 Information you provide directly
When you create an account or use our platform, we collect: your name, work email address, job title, department, and organization name. Account administrators may also provide billing contact information.
3.2 Organizational and platform data
Authorized users of the platform may enter organizational information including team structures, department configurations, compliance scores, and workforce data. This information is governed by the agreement between CultureIQ Labs and your organization.
3.3 Psychological safety assessment data
The platform administers psychological safety assessments to employees. Responses are collected at the individual level but reported in aggregate to protect individual confidentiality.
3.4 Return-to-work case data
Where your organization uses our RTW case management module, authorized HR personnel may enter information about individual employees’ return-to-work plans, including:
- Dates and duration of absence
- Functional limitations and work restrictions provided by healthcare providers
- Accommodation requirements
- Supervisor notes
- RTW plan milestones and progress
This category of information is treated as health information under PHIPA and subject to heightened protections described in Section 5.
3.5 Training and certification data
When you use our A.R.T. Leadership Certification or RTW Supervisor Training programs, we collect lesson progress, quiz scores, scenario simulation responses, workbook entries (including values sort, action plans, and self-assessments), and certification completion status.
3.6 Technical and usage data
We automatically collect certain technical information when you access our platform: IP address, browser type and version, operating system, pages visited, time spent on pages, session duration, referring URL, and error logs.
3.7 AI assistant interactions
When you interact with Eunosa by CultureIQ Labs, our AI assistant, we send contextual platform data (such as assessment scores, training progress, and anonymized team metrics) to Anthropic’s Claude API to generate personalized coaching and recommendations. No personally identifiable information, health information, or employee names are sent to the AI provider. All AI interactions are logged within the platform for audit purposes.
3.8 Payment information
Payment processing is handled by Stripe. CultureIQ Labs does not store credit card numbers, bank account details, or other financial account information.
3.9 Communications
If you contact us by email or through our platform, we retain records of those communications to respond to your inquiry and improve our customer support.
4. How We Use Your Information
To provide the platform and services: Operating, maintaining, and improving the CultureIQ Labs platform; processing transactions; providing customer support; sending account and billing notifications.
To improve our platform: Analyzing anonymized and aggregated usage patterns to understand how the platform is used and to develop new features. We do not use identifiable personal information for product development purposes.
To communicate with you: Sending transactional communications related to your account, platform updates, security alerts, and—with your express consent—product news and research insights.
To comply with legal obligations: Responding to lawful requests from regulators, courts, and law enforcement; fulfilling our obligations under PIPEDA, PHIPA, and applicable law.
To protect our platform and users: Detecting and preventing fraud, security incidents, and unauthorized access; enforcing our Terms of Service.
We do not sell personal information to third parties. We do not use personal information for advertising or marketing purposes unrelated to CultureIQ Labs services.
5. Health Information
Information relating to the physical or mental health of an identifiable individual is treated as personal health information under PHIPA and handled with heightened protection.
Collection and consent: Health information is collected and entered into the platform by authorized HR personnel at your organization. Your organization is responsible for obtaining valid employee consent.
Purpose limitation: Health information is used only to support occupational health and return-to-work case management as directed by your organization.
Access controls: Health information is accessible only to authorized users within your organization. CultureIQ Labs personnel do not access health information except as required for technical support.
Audit logging: All access to health information within the platform is logged. Audit logs are retained for 24 months.
Breach notification: In the event of a security breach involving health information, we will notify your organization within 24 hours of discovery and report to the Ontario Information and Privacy Commissioner as required under PHIPA.
6. Data Residency and Storage
All customer data is stored in Supabase Canada Central (Toronto, Ontario). Your data does not leave Canada.
The CultureIQ Labs application layer is hosted on Vercel’s global content delivery network. Vercel processes application requests but does not persistently store health data or personal information.
7. Disclosure of Personal Information
We share personal information only in the following circumstances:
Service providers: We engage the following third-party service providers who process data on our behalf under written data protection agreements:
| Service Provider | Purpose | Data Location |
|---|---|---|
| Supabase, Inc. | Database hosting and authentication | Canada (Central) |
| Vercel, Inc. | Application hosting and CDN | United States (application logs only) |
| Stripe, Inc. | Payment processing | United States (payment data only) |
| Microsoft Clarity | Anonymized analytics and session recording | United States (anonymized only) |
| Anthropic, PBC | AI assistant (Eunosa by CultureIQ Labs) — contextual coaching and recommendations | United States (anonymized platform context only; no health information or personally identifiable data is sent) |
| HubSpot, Inc. | Meeting scheduling and marketing forms | United States (contact information only) |
Legal requirements: We may disclose personal information if required to do so by law, court order, or lawful request from a regulatory authority.
Business transfers: In the event of a merger, acquisition, or sale of substantially all of our assets, personal information may be transferred to the acquiring entity, subject to equivalent privacy protections.
8. Data Retention
We retain personal information only as long as necessary for the purposes identified in this policy or as required by law.
| Data Category | Retention Period |
|---|---|
| Account and profile data | Duration of subscription + 30 days |
| Assessment responses (individual) | Duration of subscription + 30 days |
| RTW case and health information | Duration of active case + 30 days, or end of subscription + 30 days |
| Audit logs | 24 months from creation |
| Anonymized analytics | Up to 24 months |
| Payment records | 7 years (Canadian tax law requirement) |
| Support communications | 3 years from last contact |
9. Security
CultureIQ Labs implements administrative, physical, and technical security measures appropriate to the sensitivity of the information we hold.
Technical measures include: TLS 1.2+ encryption for all data in transit; AES-256 encryption for data at rest; role-based access controls; multi-factor authentication; session timeout enforcement; continuous infrastructure monitoring; and automated daily backups.
Organizational measures include: Confidentiality obligations for all personnel; vendor assessment before third-party data access; and annual review of security practices.
If you have reason to believe your data has been compromised, please contact us at security@cultureiqlabs.ca.
10. Data Breach Notification
In the event of a breach creating a real risk of significant harm, we will:
- Investigate and contain the breach as quickly as possible
- Notify affected customers within 72 hours of determining a breach has occurred
- Notify affected individuals as required by applicable law
- Report to the Office of the Privacy Commissioner of Canada as required under PIPEDA
- Report to the Ontario Information and Privacy Commissioner as required under PHIPA for health information breaches
11. Your Rights
Under PIPEDA and applicable provincial privacy law, you have the following rights:
Right of access: You may request a copy of the personal information we hold about you. We will respond within 30 days.
Right of correction: You may request that we correct inaccurate or incomplete personal information.
Right to withdraw consent: Where we process your personal information based on your consent, you may withdraw that consent at any time.
Right to deletion: You may request the deletion of your personal information, subject to our legal obligations.
Right to complain: You have the right to file a complaint with the Office of the Privacy Commissioner of Canada or the Ontario Information and Privacy Commissioner.
To exercise any of these rights, contact: privacy@cultureiqlabs.ca.
12. Children’s Privacy
Our platform is designed for use by organizations and their HR personnel. We do not knowingly collect personal information from individuals under the age of 16.
13. Email Communications and CASL
We comply with Canada’s Anti-Spam Legislation (CASL). We will only send you commercial electronic messages with your express or implied consent, and every commercial message will include a functioning unsubscribe mechanism.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to account administrators by email at least 30 days before taking effect.
15. Contact Us
For questions, concerns, or requests related to this Privacy Policy:
Privacy Officer, CultureIQ Labs Corp.
Office 656, 145 1/2 Church Street, Unit 5, Toronto, ON M5B 1Y4, Canada
Email: meagan.angelucci@cultureiqlabs.ca
Privacy inquiries: privacy@cultureiqlabs.ca
Security concerns: security@cultureiqlabs.ca