RoundAssist Privacy Policy & Procedure

1. Purpose

RoundAssist is committed to safeguarding the privacy and security of personal data. This policy outlines our procedures for compliance with the EU GDPR, Canada’s PIPEDA, and relevant U.S. state privacy laws (including the California Consumer Privacy Act as amended by the California Privacy Rights Act – CCPA/CPRA).

Our objective is to ensure that all data processing is lawful, transparent, secure, and respectful of the rights of individuals.


2. Scope

This procedure applies to all RoundAssist employees, contractors, systems, services, and vendors that process personal data belonging to customers, employees, partners, or end-users.


3. Definitions

  • Personal Data – Any information that identifies or could identify a person.
  • Processing – Any activity involving personal data (collecting, using, storing, deleting, etc.).
  • Controller – RoundAssist (decides how/why data is processed).
  • Processor – Third-party vendors processing data on our behalf.
  • DPIA – Data Protection Impact Assessment (risk analysis of processing).

4. Roles & Responsibilities

  • Executive Sponsor (CEO) — Approves privacy strategy and ensures resources.
  • Privacy Lead / Data Protection Officer (DPO) — Oversees compliance, manages rights requests, maintains data inventory.
  • CTO / Security Lead — Implements and monitors security controls.
  • Product Managers — Ensure “privacy by design” in product development.
  • All Employees — Follow privacy requirements and report incidents.

5. Data Inventory & Mapping

RoundAssist maintains a Data Inventory Register that documents:

  • Categories of personal data processed
  • Purposes of processing
  • Lawful basis/consent mechanism
  • Storage location & retention period
  • Access permissions
  • International transfers & vendor details

This register is updated whenever new systems, processes, or vendors are introduced.


6. Lawful Basis & Consent

  • EU (GDPR): Processing must have a lawful basis (consent, contract, legal obligation, legitimate interests, etc.).
  • Canada (PIPEDA): Knowledge and consent required for data collection, use, or disclosure, unless exceptions apply.
  • U.S. (CPRA/CCPA): Consumers may opt out of the “sale” or “sharing” of their personal information and may limit the use and disclosure of sensitive personal information.

RoundAssist ensures consent is informed, explicit where required, and easily withdrawable.


7. Transparency & Privacy Notices

RoundAssist publishes clear, accessible Privacy Notices:

  • Customer Privacy Policy – available on our website.
  • Employee Privacy Notice – provided to all staff.

Each notice outlines: what data we collect, how we use it, retention periods, security measures, rights available, and how to contact our DPO.


8. Data Subject Rights

RoundAssist provides mechanisms to exercise rights including:

  • Access and portability of data
  • Correction and deletion
  • Restriction or objection to processing
  • Opt-out of data sharing (CPRA)
  • Withdrawal of consent (GDPR & PIPEDA)

Requests can be submitted via [email protected]. All requests are logged and responded to within legal timelines.


9. DPIA (Data Protection Impact Assessments)

Before launching new high-risk projects, RoundAssist conducts DPIAs to evaluate privacy risks, document mitigations, and consult regulators where required.


10. Security Measures

  • Encryption of data in transit and at rest
  • Multi-factor authentication for admin access
  • Access restricted on a need-to-know basis
  • Logging, monitoring, and vulnerability management
  • Regular penetration testing and security audits

11. Vendor & Processor Management

  • Vendors must sign Data Processing Agreements (DPAs) including GDPR clauses or U.S./Canada equivalents.
  • Cross-border transfers from the EU use SCCs or recognized adequacy mechanisms.
  • RoundAssist maintains a Vendor Register with review dates and compliance status.

12. Data Retention & Deletion

Data is retained only as long as necessary for business/legal purposes. Deletion workflows include:

  • Regular purging of old records
  • Backup deletion policies
  • Documentation of retention justifications

13. Breach Notification & Incident Response

RoundAssist follows a structured Incident Response Plan:

  1. Contain and investigate suspected breach
  2. Notify Privacy Lead and Security Lead
  3. Report to the relevant authorities within the required timeframes (e.g., 72 hours of becoming aware of the breach under GDPR; as soon as feasible under PIPEDA)
  4. Notify affected individuals where the breach is likely to result in a high risk to them (GDPR) or a real risk of significant harm (PIPEDA), or where state breach-notification laws require it
  5. Maintain a Breach Register and lessons-learned log

14. Training & Awareness

  • All employees complete annual privacy and security training
  • Product and engineering staff receive role-specific privacy training
  • Training completion is tracked and reported

15. Monitoring & Review

RoundAssist conducts:

  • Annual privacy audits (internal and external as needed)
  • Regular reviews of the Data Inventory, Vendor Register, and Privacy Notices
  • Annual review of this Privacy Policy Procedure

16. Contact Information

For questions, rights requests, or complaints:

Data Protection Officer – RoundAssist
📧 [email protected]
📍100 Broadview Ave, unit 300
Toronto, ON, M4M 3H3,
Canada
