1. Introduction
Studio Orfolio is committed to operating in full compliance with all applicable Canadian federal and provincial laws, including privacy, consumer protection, electronic commerce, and data security regulations. This document outlines our adherence to these legal frameworks and our commitment to transparency and accountability.
2. Compliance with Quebec's Law 25 and PIPEDA
Orfolio is fully compliant with:
- Law 25 (Act to modernize legislative provisions as regards the protection of personal information) — Quebec's modernized privacy law, in effect since September 2023.
- PIPEDA (Personal Information Protection and Electronic Documents Act) — Canada's federal privacy law governing the collection, use, and disclosure of personal information in commercial activities.
Our compliance measures include:
- Obtaining explicit, informed consent before collecting personal data.
- Providing clear information about how data is used, stored, and shared.
- Ensuring users have the right to access, correct, and delete their personal information.
- Implementing robust security measures to protect against unauthorized access or breaches.
- Designating a Person Responsible for Personal Data Protection (RPDP) to oversee compliance.
3. Data hosting and sovereignty
All personal and sensitive data collected by Orfolio is hosted exclusively in Canada, ensuring compliance with data sovereignty requirements under Law 25.
- Primary hosting: Microsoft Azure Canada (Toronto region).
- Media storage: Azure Blob Storage for user images and files.
- Certifications: Azure complies with ISO 27001, SOC 2 Type II, and CSA STAR, ensuring world-class security and privacy standards.
By hosting data exclusively in Canada, we ensure that user information remains under Canadian legal jurisdiction and is not subject to foreign surveillance laws.
4. Data security and encryption
Orfolio employs industry-leading security practices to protect user data from unauthorized access, disclosure, or loss.
4.1 Password security
- User passwords are hashed using bcrypt, a salted, adaptive password-hashing algorithm designed to make brute-force attacks expensive.
- Passwords are never stored in plaintext and cannot be recovered by Orfolio staff.
- Password reset functionality uses time-limited, cryptographically signed tokens sent via email.
4.2 Authentication and session management
- User sessions are secured using JSON Web Tokens (JWT) with expiration and refresh token mechanisms.
- Tokens are transmitted exclusively over HTTPS to prevent interception.
- Session cookies use the HttpOnly attribute (blocking access from client-side scripts, which limits cookie theft through XSS) and the Secure attribute (sent only over HTTPS).
- Two-factor authentication (2FA) is available to all users and mandatory for administrative accounts.
4.3 Data encryption
- In transit: all data is encrypted via TLS 1.3 (HTTPS).
- At rest: sensitive data is encrypted using AES-256.
- Backups: encrypted and stored in geographically redundant locations within Canada.
5. Explicit consent and data collection
Orfolio adheres to the principle of informed consent as required by Law 25 and PIPEDA.
- Users are informed of what data is collected, why it is collected, and how it will be used before providing consent.
- Consent is obtained explicitly during account registration and when enabling optional features (e.g., analytics, AI processing).
- Users can withdraw consent at any time through account settings or by contacting rgpd@orfolio.ca.
- No data is collected or processed for purposes beyond those disclosed and consented to by the user.
6. User rights: access, portability, and erasure
In accordance with Law 25 and PIPEDA, Orfolio guarantees the following rights to all users:
6.1 Right to access
Users have the right to request a copy of all personal data Orfolio holds about them. Requests can be submitted via email to rgpd@orfolio.ca and will be processed within 30 days.
6.2 Right to portability
Users can request that their data be exported in structured, machine-readable formats (JSON, CSV) by contacting support@orfolio.ca. This includes:
- Account information and preferences.
- Website content, pages, and media assets.
- Subscription and billing history.
6.3 Right to erasure ("right to be forgotten")
Users can request permanent deletion of their account and all associated data. Once confirmed, data is deleted within 30 days and cannot be recovered. Exceptions apply for data that must be retained for legal, tax, or regulatory purposes (e.g., billing records).
7. Data Protection Officer and accountability
Orfolio has designated a Person Responsible for Personal Data Protection (RPDP) as required by Law 25. The RPDP is responsible for:
- Ensuring compliance with privacy laws and regulations.
- Overseeing data governance policies and procedures.
- Handling user inquiries, complaints, and data access requests.
- Coordinating incident response and breach notification procedures.
- Conducting regular privacy impact assessments and audits.
For questions or to exercise your privacy rights, contact:
Data Protection Officer — Studio Orfolio
Montreal, QC, Canada
Email: rgpd@orfolio.ca
8. Security incidents and breach notification
In the event of a data breach or security incident involving personal information, Orfolio will:
- Notify affected users within 72 hours of discovering the breach, as required by Law 25.
- Report the incident to the Commission d'accès à l'information du Québec (CAI) and other relevant authorities.
- Provide clear information about the nature of the breach, the data affected, and steps taken to mitigate harm.
- Offer guidance on protective measures users can take (e.g., password resets, monitoring for fraud).
Incident notifications will be sent via email and posted on our official status page and communication channels.
9. Compliance with Canadian e-commerce laws
Orfolio complies with Canadian laws governing electronic commerce, including:
- Canada's Anti-Spam Legislation (CASL) — We only send commercial electronic messages to users who have provided express or implied consent. All marketing emails include clear unsubscribe options.
- Consumer protection laws — We provide transparent pricing, clear terms of service, and fair refund policies in accordance with Quebec's Consumer Protection Act.
- Accessibility standards — We strive to ensure Orfolio meets WCAG 2.1 accessibility guidelines (international standards for making websites accessible to everyone, including people with disabilities).
10. AI algorithm transparency and processing
Orfolio uses artificial intelligence to assist users in website creation, content generation, and design recommendations. We are committed to transparency in how AI is used and the data it processes.
10.1 AI models used
Orfolio integrates the following third-party AI models based on user selection:
- OpenAI (GPT) — For AI-powered website generation in HTML/Tailwind.
- Anthropic (Claude AI) — For AI-powered website generation in HTML/Tailwind.
- Google (Gemini) — For AI-powered website generation in HTML/Tailwind.
- DeepSeek — For AI-powered website generation in HTML/Tailwind.
10.2 User consent and data processing
- Users must explicitly consent to AI processing before using AI-powered features.
- User prompts and inputs may be sent to third-party AI providers to generate responses.
- AI providers are bound by Data Processing Agreements (DPAs) ensuring compliance with Law 25 and PIPEDA.
- AI-generated content is reviewed and validated by users before publication; Orfolio is not responsible for inaccuracies or legal issues arising from AI output.
10.3 Transparency and explainability
- Users are informed when content is AI-generated and can opt out of AI features at any time.
- AI models do not make automated decisions affecting user rights, subscriptions, or account status without human oversight.
- Users can request information about how AI processing affects their data by contacting rgpd@orfolio.ca.
11. Annual policy review and updates
Orfolio conducts an annual review of all compliance policies to ensure alignment with:
- Changes in Canadian and Quebec privacy legislation.
- Updates to third-party services and integrations.
- Emerging best practices in data security and governance.
- User feedback and regulatory guidance.
Users will be notified of significant policy changes via email or in-platform notifications. The "Last updated" date at the bottom of each policy reflects the most recent revision.
12. Third-party audits and certifications
Orfolio's infrastructure and security practices are regularly audited by independent third parties to ensure compliance and identify areas for improvement.
- Security audits: annual penetration testing and vulnerability assessments by certified professionals.
- Infrastructure compliance: hosting on Azure Canada ensures compliance with ISO 27001, SOC 2 Type II, and CSA STAR certifications.
- Payment security: Stripe, our payment processor, is PCI-DSS Level 1 compliant, the highest standard for payment security.
13. Regulatory authorities and complaints
Users have the right to file complaints with regulatory authorities if they believe their privacy rights have been violated.
13.1 Commission d'accès à l'information du Québec (CAI)
Quebec residents can contact the CAI for privacy-related complaints:
Commission d'accès à l'information du Québec
Website: www.cai.gouv.qc.ca
Phone: 1-888-528-7741
13.2 Office of the Privacy Commissioner of Canada (OPC)
For federal privacy matters under PIPEDA:
Office of the Privacy Commissioner of Canada
Website: www.priv.gc.ca
Phone: 1-800-282-1376
14. Contact information
For legal inquiries, compliance questions, or to exercise your privacy rights, please contact:
Studio Orfolio — Legal Department
Montreal, QC, Canada
Email: rgpd@orfolio.ca
General inquiries: support@orfolio.ca