Privacy Policy

01 Who this applies to

This Privacy Policy explains how Governance 360 ("we," "our," "us") handles personal information when you visit thegovernance360.ca, complete our Governance Health Check, subscribe to our newsletter, book a discovery call, or otherwise engage with our practice.

Governance 360 is a boutique governance advisory practice incorporated in Canada and headquartered in London, Ontario. We serve clients across Canada, the United Kingdom, and Asia. Where applicable, this policy is intended to comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), the UK Data Protection Act 2018 and UK GDPR, and equivalent privacy frameworks in the jurisdictions where our clients operate.

02 What we collect

We collect only what we need to deliver our services, respond to enquiries, and run our practice. Specifically:

Information you give us directly

• Health Check submissions — your name, email address, organisation type (where provided), and your responses to the ten diagnostic questions, so we can send your personalised report.
• Discovery call bookings — your name, email address, organisation, and any context you share when booking through our scheduling tool.
• Newsletter subscriptions — your email address (and first name, if provided).
• Direct correspondence — anything you send us by email, including attachments, signatures, and metadata in those messages.
• Engagement information — if we work together, this includes information necessary for the engagement, such as governance documents, board materials, and contact details for those involved.

Information collected automatically

• Basic technical data — IP address, browser type, device type, referring page, and pages visited. This is logged by our hosting provider for security and operational reasons.
• Cookies set by embedded services — see section 10 for details.

We do not use marketing analytics, advertising trackers, behavioural profiling tools, or third-party retargeting pixels on this website.

03 How we use it

Personal information is used for the specific purpose for which it was collected, including to:

• Score and return your Governance Health Check report.
• Schedule and conduct discovery calls and client meetings.
• Send you our newsletter or podcast updates if you have subscribed.
• Respond to enquiries and provide governance advisory services to clients.
• Maintain accurate engagement records for legal, regulatory, and professional standards purposes.
• Protect the security and integrity of our website and email systems.

We do not sell personal information. We do not rent or trade contact lists. We do not use personal information to train AI models.

04 Legal basis for processing

Where applicable law requires a legal basis for processing personal information, we rely on:

• Consent — for newsletter subscriptions and the optional information you submit through the Health Check email gate.
• Contract — to deliver services to clients we are formally engaged with.
• Legitimate interests — to operate our website securely, respond to enquiries, and develop our practice. Where we rely on this basis, we have considered whether our interests are overridden by your rights or expectations.
• Legal obligation — where retention or disclosure is required by Canadian law or the law of another jurisdiction in which we operate.

You can withdraw consent at any time by contacting us using the details in section 13.

05 Who we share it with

We do not sell personal information, rent contact lists, or share personal information with third parties for their own marketing purposes.

We use trusted service providers only where needed to operate the website, receive form submissions, schedule calls, deliver email, host embedded media, and provide our services. These providers process information for those limited purposes under their own privacy and security commitments.

We may also disclose personal information where required by law, by court order, or to protect our legal rights or those of others.

06 International transfers

Because we work across Canada, the UK, and Asia, and because some of the services we use operate internationally, personal information may be transferred to and processed in countries with different privacy frameworks than your own, including the United States and the European Union.

Where we transfer personal information internationally, we take reasonable steps to ensure it remains protected through appropriate contractual and security commitments.

07 How long we keep it

• Health Check submissions — retained for up to 24 months from submission, unless the contact converts into a client engagement, in which case engagement retention rules apply.
• Newsletter subscriptions — retained until you unsubscribe, plus a short suppression record afterward to honour the unsubscribe.
• Discovery call records — retained for up to 24 months unless engagement begins.
• Client engagement records — retained for the duration of the engagement plus seven years, in line with professional and tax record-keeping standards in Canada.
• Email correspondence — retained for as long as reasonably necessary, generally not exceeding seven years.

We delete or anonymise personal information once it is no longer needed for the purpose it was collected.

08 How we protect it

We use reasonable technical and organisational measures to protect personal information, including:

• HTTPS encryption across the entire website.
• Access controls on email and engagement records.
• Use of established service providers with their own published security commitments.
• A practice of collecting only the personal information genuinely needed for each purpose.

No system can be guaranteed completely secure. If a breach affects your personal information, we will notify you and the appropriate regulators where required by law.

09 Your rights

Subject to the law of your jurisdiction, you have rights in relation to your personal information, which may include:

• Access — to ask what personal information we hold about you.
• Correction — to ask us to correct information that is inaccurate or incomplete.
• Deletion — to ask us to delete personal information where there is no overriding legal or professional reason to retain it.
• Withdraw consent — to withdraw consent for processing that relies on consent (such as newsletter subscriptions).
• Object or restrict — to object to or restrict certain processing where law gives you that right.
• Portability — to receive certain information in a portable format, where applicable.
• Complain — to complain to a regulator. In Canada, that is the Office of the Privacy Commissioner of Canada (priv.gc.ca). In the UK, the Information Commissioner's Office (ico.org.uk).

To exercise any of these rights, contact us using the details in section 13. We will respond within 30 days, or sooner where the law requires.

10 Cookies and embedded services

This website does not run its own analytics, advertising, or behavioural tracking. It does, however, embed services that may set their own cookies in order to function, including scheduling, podcast, video, form, hosting, and font services.

For full detail on what these embedded services do, what cookies they set, and how to manage them, see our Cookie Notice.

11 Children's privacy

Our services are designed for boards, executives, and governance professionals. The website and our services are not directed at children, and we do not knowingly collect personal information from anyone under the age of 16. If you believe a child has provided us personal information, please contact us and we will delete it.

12 Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of the page reflects the most recent change. Material changes will be communicated by updating the date and, where appropriate, by a notice on our website or to subscribers.

13 How to contact us

For privacy questions, requests, or complaints, contact us directly. We aim to respond within five business days and resolve substantive requests within 30 days.