1. Purpose of Privacy Policy
CF&R Services Inc. promotes responsible and transparent practices in Data Privacy. CF&R Services Inc. supports and promotes electronic commerce by protecting personal information that is collected, used or disclosed. Technology increasingly facilitates the circulation and exchange of information, and there are rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information. At no time shall this information be knowingly disclosed or shared with individuals who are not entitled to the data. All transfer of personal data between systems must be protected with the appropriate level of security as outlined by the client. CF&R Services Inc. follows the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s Anti-Spam Law (CASL) and EU General Data Protection Regulations (GDPR) as the guiding principles in our collection and maintenance of personal information in our databases.
2. Purpose of Collecting Personal Information
CF&R Services Inc. collects personal information for statistical purposes on behalf of clients. CF&R Services Inc. collects personal information for order fulfillment purposes. CF&R Services Inc. also receives personal information in the form of databases from clients. CF&R Services Inc. is expected to use these databases to perform services, such as direct mail, order fulfilment, sending emails, etc., on behalf of the client.
3. Consent
It is CF&R Services Inc.’s policy to make all attempts to obtain Express Consent either in writing or through an opt-in mechanism where the end-user must take a positive action to indicate their consent. If oral consent is obtained, the conversation must either be recorded and logged with a supervisor, or a witness must attest to the consent given. An individual can choose not to provide CF&R Services Inc. some or all of the personal information at any time. Implied Consent is assumed for databases received from clients. CF&R Services Inc. assumes that databases sent from clients have been collected using PIPEDA as their guiding principle. Express Consent is required should the database received be used for emailing on behalf of the client. The client must fill out CF&R Services Inc.’s CASL Compliance Form, which confirms that all of the intended email recipients have provided express consent. This Privacy Policy does not cover statistical data from which the identity of individuals cannot be determined. CF&R Services Inc. retains the right to use and disclose statistical data as it determines appropriate.
4. Information Collection
Personal information may be collected through CF&R Services Inc. applications, and/or other forms. The Personal Information collected may include, but is not limited to:
  • E-mail address
  • First name and last name
  • Address, City, Province/State, Postal Code/Zip Code, Country
  • Telephone
  • Cookies and Usage Data
CF&R Services does not knowingly collect Personal Information from anyone under the age of 18 (“Children”). If we become aware that we have collected Personal Information from Children without verification of parental consent, we take steps to remove that information from our servers.
5. Limiting Use, Disclosure and Retention
5.1. Use of Personal Information
CF&R Services Inc. uses the collected data for various purposes:
  • for statistical purposes on behalf of clients.
  • for order fulfillment purposes.
  • to provide customer care and support.
  • to perform services, such as direct mail, order fulfilment, sending emails, etc., on behalf of the client.
CF&R Services will use personal information only for those purposes to which the individual has consented.
5.2. Transfer of Personal Information
CF&R Services will take all steps reasonably necessary to ensure that your personal information is treated securely and in accordance with this Privacy Policy. No transfer of personal information to a third party will take place unless there are adequate controls in place. CF&R Services Inc. will ensure, by contractual or other means, that the third party protects the information and uses it only for the purposes for which it was transferred.
5.3. Disclosure of Personal Information
Personal information will be disclosed to only those CF&R Employees that need to know the information for the purposes of their work. CF&R Services Inc. may employ third party companies and individuals to assist us in providing services to our clients. These third parties will be given access only to the information required to perform the tasks on our behalf and are obligated not to disclose or use it for any other purpose. CF&R Services may disclose your Personal Data in the good faith belief that such action is necessary as permitted under PIPEDA:
  • the organization has reasonable grounds to believe the information could be useful when investigating a contravention of a federal, provincial or foreign law and the information is used for that investigation;
  • an emergency exists that threatens an individual’s life, health or security;
  • the information is for statistical study or research;
  • the information is publicly available;
  • the use is clearly in the individual’s interest, and consent is not available in a timely way;
  • knowledge and consent would compromise the availability or accuracy of the information; and
  • collection is required to investigate a breach of an agreement.
5.4. Retention of Personal Information
Personal information will be retained as long as the project is active and for such periods of time as may be prescribed by applicable laws and regulations. Personal information in client-supplied databases, unless specified by the client, will be retained for a period of 12 months.
6. Accuracy
CF&R Services Inc. endeavors to ensure that any personal information provided by the individual in his or her active file(s) is accurate, current and complete as is necessary to fulfill the purposes for which the information has been collected, used, retained and disclosed. Individuals are requested to notify CF&R Services Inc. of any change in personal or business information. Information contained in inactive files is not updated.
7. Individual Access
An Individual who wishes to review or verify what personal information is held by CF&R Services Inc., or to whom the information has been disclosed (as permitted by the Act), may make any of the following requests:
7.1. Request Access
to their personal data (commonly known as a “data subject access request”). This enables them to receive a copy of the personal data we hold and to check that we are lawfully processing it.
7.2. Request Correction
of the personal data that we hold about them. This enables them to have any incomplete or inaccurate data we hold about them corrected, though we may need to verify the accuracy of the new data they provide to us.
7.3. Request Erasure
of their personal data. This enables them to ask us to delete or remove personal data where there is no good reason for us continuing to process it. They also have the right to ask us to delete or remove their personal data where they have successfully exercised their right to object to processing (see below), where we may have processed their information unlawfully or where we are required to erase their personal data to comply with local law. Note, however, that we may not always be able to comply with their request of erasure for specific legal reasons which will be notified to them, if applicable, at the time of their request.
7.4. Object to processing
of their personal data where we are relying on a legitimate interest (or those of a third party) and there is something about their particular situation which makes them want to object to processing on this ground as they feel it impacts on their fundamental rights and freedoms. They also have the right to object where we are processing their personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process their information which overrides their rights and freedoms.
7.5. Request Restriction of Processing
of their personal data. This enables them to ask us to suspend the processing of their personal data in the following scenarios:
  1. if they want us to establish the data’s accuracy;
  2. where our use of the data is unlawful but they do not want us to erase it;
  3. where they need us to hold the data even if we no longer require it as they need it to establish, exercise or defend legal claims; or
  4. they have objected to our use of their data but we need to verify whether we have overriding legitimate grounds to use it.
7.6. Request the Transfer
of their personal data to them or to a third party. We will provide to them, or a third party they have chosen, their personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which they initially provided consent for us to use or where we used the information to perform a contract with them.
7.7. Withdraw Consent at any time
where we are relying on consent to process their personal data. However, this will not affect the lawfulness of any processing carried out before they withdraw their consent. If they withdraw their consent, we may not be able to provide certain products or services to them. We will advise them if this is the case at the time they withdraw their consent.
Any of these requests can be made in writing to CF&R Services' Privacy Officer. CF&R Services may need to request specific information from the individual in order to help us confirm their identity and ensure their right to access personal data (or to exercise any other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact the individual to ask them for further information in relation to the request in order to speed up our response.
For CF&R owned databases, we try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if the request is particularly complex or the individual has made a number of requests. In this case, we will notify the individual and keep them updated.
For databases that CF&R maintains on behalf of a client, we will:
  • notify the client of the Individual’s Access Request with any information we may have received
  • reply to the individual with the client’s contact information for their privacy officer and advise the individual that their request has been transferred to the client.
8. Cookies
8.1. What are cookies and how and why we use them
CF&R Services Inc. may use cookies on any of our websites.
8.2.1. A cookie is a small piece of information that is placed on your computer when you visit certain websites.
When we refer to “cookies” we include other technologies with similar purposes, such as tags and identifiers. We use that information for customer analytics.
8.2.2. On websites where CF&R has implemented the use of cookies, CF&R will provide you with a cookies permission banner seeking your consent to the use of cookies when you first visit our site using a new browser.
8.2.3. We may use the following types of cookie.
  1. Analytics cookies that anonymously remember your computer or mobile device when you visit our website. They keep track of browsing patterns and help us to build up a profile of how our readers use the website.
  2. Service cookies that help us to make our website work as efficiently as possible; remember your registration and login details; remember your settings preferences; to detect what device you are using and adapt how we present our services according to the screen size of that device.
8.2. How to manage your cookies
Most browsers allow you to turn off cookies. To do this look at the “help” menu on your browser. Switching off cookies may restrict your use of the website and/or delay or affect the way in which it operates.
9. Safeguards
CF&R Services Inc. will use physical, organizational, and technological measures to safeguard personal information, limiting it to only those CF&R Services Inc. employees or third parties who need to know this information for the purposes set out in this Privacy Policy.
Organizational Safeguards: Access to personal information is limited to only the information that is required and only to the employees on a “need-to-know” basis in order to carry out the client’s specific needs. CF&R Services Inc. employees are required to sign a confidentiality agreement binding them to maintaining the confidentiality of all personal information to which they have access.
Physical Safeguards: Personal information that is no longer required is securely shredded to prevent inadvertent disclosure to unauthorized persons.
Technological Safeguards: Personal information contained in CF&R Services Inc. computers and electronic databases is password protected in accordance with CF&R Services Inc.'s Information Security Policy. Access to any of CF&R Services Inc.'s computers is also password protected. CF&R Services Inc.'s Internet router or server has firewall protection sufficient to protect personal and confidential business information against virus attacks and "sniffer" software arising from Internet activity.
10. Openness
CF&R Services Inc. will endeavor to make its privacy policies and procedures known to the individual via this Privacy Policy. CF&R Services Inc. reserves the right to update our Privacy Policy, and any of our related policies and procedures, without notice. Any changes to the Privacy Policy will become effective upon posting the revised Privacy Policy on the respective website.
11. Complaints / Recourse
For questions or concerns regarding our Privacy Policy, please contact CF&R Services' Privacy Officer:
privacy@cfrservices.com