Document IIS-GOV-PRV-001 • Version 1.0 • Effective 01 May 2026
Integrated IT Support Inc. (the “Company”, “we”, “our”) respects the privacy of every individual whose personal information we collect, use, or disclose in the course of our commercial activities. This Privacy Policy describes the principles and practices we apply, consistent with the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA), and other applicable Canadian privacy law.
Where the Company offers services internationally, additional or overriding requirements of other privacy regimes (such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)) may apply. In such cases the Company commits to the higher standard.
This Policy applies to personal information about identifiable individuals — including clients, prospective clients, end-users, employees, contractors, suppliers, website visitors, and third parties — that is collected, used, or disclosed by or on behalf of the Company in the course of its commercial activities, whether held in electronic or paper form.
Personal Information: information about an identifiable individual, excluding the name, title, business address, or business telephone number of an employee of an organisation when used in a business context.
Sensitive Personal Information: personal information whose unauthorised disclosure could create a heightened risk of significant harm, including health information, financial information, government identifiers, biometric information, and information concerning protected characteristics.
Processing: any operation or set of operations performed upon personal information, whether automated or not, including collection, use, organisation, storage, retrieval, disclosure, and destruction.
The Company has built its privacy program around the ten fair information principles set out in Schedule 1 of PIPEDA.
Principle 1 — Accountability
The Company is responsible for the personal information under its control and has designated a Privacy Officer who is accountable for compliance with this Policy. The Privacy Officer can be reached at ahmad.wasee@iisupp.net. The Company is responsible for personal information transferred to a third party for processing, and uses contractual or other means to provide comparable protection.
Principle 2 — Identifying Purposes
The Company identifies the purposes for which personal information is collected at or before the time of collection. Typical purposes include:
Establishing and managing client relationships and service delivery (IT support, managed services, AI automation, helpdesk, infrastructure, consulting).
Billing, invoicing, and managing payments.
Employee and contractor recruitment, on-boarding, and human-resources administration.
Compliance with legal and regulatory obligations, including tax, employment, and corporate-records law.
Security operations, fraud prevention, and protection of the Company's, clients', and third parties' rights and assets.
Communications about the Company's services, where consent has been given (CASL-compliant).
Principle 3 — Consent
The knowledge and consent of the individual is required for the collection, use, or disclosure of personal information, except where inappropriate (e.g., for legitimate investigation, legal process, or where the law otherwise permits). Consent may be express or implied, depending on the sensitivity of the information and the circumstances. Individuals may withdraw consent at any time, subject to legal and contractual limits and on reasonable notice, by contacting the Privacy Officer.
Commercial electronic communications are sent only with express or implied consent in accordance with Canada's Anti-Spam Legislation (CASL); all such communications include an unsubscribe mechanism.
Principle 4 — Limiting Collection
The Company collects only personal information that is necessary for the identified purposes, by fair and lawful means.
Principle 5 — Limiting Use, Disclosure, and Retention
Personal information is used or disclosed only for the purposes for which it was collected, except with the consent of the individual or as required by law. Personal information is retained only as long as necessary for the fulfilment of those purposes, after which it is destroyed, erased, or anonymised in accordance with the Company's Data Retention Schedule.
Principle 6 — Accuracy
Personal information is maintained as accurate, complete, and up-to-date as is necessary for the purposes for which it is used. Individuals may request correction of their personal information by contacting the Privacy Officer.
Principle 7 — Safeguards
Personal information is protected by physical, organisational, and technical safeguards appropriate to its sensitivity. These safeguards are operated under the Company's Information Security Policy (IIS-GOV-SEC-001) and supporting standards. They include access controls, multi-factor authentication, encryption in transit and at rest for Restricted information, secure development practices, vendor due diligence, and personnel training. Safeguards apply throughout the information lifecycle, including secure disposal.
Principle 8 — Openness
This Policy is made publicly available on the Company's website at iisupp.net/privacy. Additional information about the Company's privacy practices is available from the Privacy Officer on request.
Principle 9 — Individual Access
Upon written request and reasonable verification of identity, individuals may obtain confirmation of the existence, use, and disclosure of their personal information and may access that information. The Company will respond no later than thirty (30) days after receipt of the request, in accordance with PIPEDA. Where access is denied (e.g., to protect the privacy of others or under solicitor-client privilege), the Company will explain the reason and the recourse available.
Principle 10 — Challenging Compliance
Individuals may address any challenge concerning compliance with this Policy or with PIPEDA to the Privacy Officer at ahmad.wasee@iisupp.net. The Privacy Officer will acknowledge any complaint within ten (10) business days and respond substantively within thirty (30) days. Individuals also retain the right to bring concerns to the Office of the Privacy Commissioner of Canada (priv.gc.ca).
The Company may transfer personal information across provincial or national borders — for example to cloud-service providers or sub-processors — for processing on its behalf. Where this occurs, the Company:
Selects providers with credible security and privacy controls (typically evidenced by SOC 2 Type II or ISO 27001 / ISO 27018 reports).
Executes Data Processing Agreements that include data-protection commitments comparable to PIPEDA.
Notifies clients in client-facing engagements where personal information they entrust to the Company will be processed outside Canada, where this is contractually required.
Acknowledges that information processed outside Canada may be subject to lawful access by foreign authorities.
The Company's website and digital properties use cookies and similar technologies for purposes of authentication, security, analytics, and service performance. Where required by law, the Company obtains consent for non-essential cookies and provides cookie preference controls. Details are set out in the Cookie Notice on iisupp.net.
In the event of a breach of security safeguards involving personal information that poses a real risk of significant harm, the Company will, in accordance with PIPEDA's Breach of Security Safeguards Regulations:
Report the breach to the Office of the Privacy Commissioner of Canada as soon as feasible.
Notify affected individuals as soon as feasible, with sufficient information to enable them to take protective steps.
Notify any other organisation, government institution, or part of a government institution that may be able to reduce or mitigate harm.
Keep a written record of every breach involving personal information for at least 24 months, regardless of whether it triggered a notification obligation.
The Company does not knowingly direct services at children under the age of 13. Where the Company learns it has collected personal information from a child without verifiable parental consent, the information will be deleted unless legally required to be retained.
Personal information about employees and contractors is collected, used, and disclosed for purposes related to recruitment, on-boarding, compensation, benefits, performance management, training, security, and compliance, in accordance with applicable Ontario employment-standards and human-rights law. Workplace monitoring activities, where conducted, follow proportionality and transparency principles consistent with applicable law.
The Company applies enhanced safeguards to sensitive personal information, including stricter access controls, additional encryption requirements, dedicated retention rules, and explicit consent or legal basis for use. Examples include health information, financial information, biometric identifiers, and government-issued identifiers.
All inquiries, access requests, and complaints related to this Policy or the Company's privacy practices may be directed to:
Privacy Officer, Integrated IT Support Inc. — ahmad.wasee@iisupp.net — Postal address provided on request.
Approval and Authority
This document has been reviewed and approved by the Executive Leadership of Integrated IT Support Inc. and is issued under the authority of the Office of the Chief Executive Officer. The document is subject to periodic review and may be amended by the Approving Authority. Material amendments are communicated to all employees and key suppliers within thirty (30) days of issuance.
Signed for and on behalf of Integrated IT Support Inc.
Ahmad
Ahmad — Chief Executive Officer
Integrated IT Support Inc.
Date: 11 May 2026
Approved electronically by Ahmad, Chief Executive Officer, on 11 May 2026. This electronic signature is applied with the authority of the named signatory and is valid under the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Ontario Electronic Commerce Act, 2000.