Privacy Policy
Introduction
CultureIQ Labs ("CultureIQ Labs," "we," "us," or "our") is a workplace culture consulting practice operated by Meagan Victoria Angelucci, registered in Ontario and Quebec, Canada. We are committed to protecting the privacy of individuals whose personal information we collect and process.
This Privacy Policy explains how we collect, use, disclose, and safeguard personal information in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's Law 25 (Act respecting the protection of personal information in the private sector) for Quebec-based operations.
Scope
This Policy applies to:
- Visitors to our website (cultureiqlabs.com)
- Employees of client organizations who participate in our assessments, training, or programs
- Managers and supervisors enrolled in our training programs
- Individuals involved in return-to-work (RTW) processes
- Our business contacts and prospective clients
Privacy Officer
You may contact our Privacy Officer for any privacy-related inquiries, to exercise your rights, or to file a complaint. We respond to all privacy inquiries within 30 days.
Personal Information We Collect
1.1 From Website Visitors
We collect information you voluntarily submit through our contact form (name, email, message) and through Microsoft 365 Bookings when booking a discovery call (name, email, and any information you provide). We use Plausible Analytics for website analytics — a privacy-first tool that does not collect personal data and uses no cookies.
1.2 From Client Organizations (B2B)
We collect business contact information (name, title, email, phone) for client relationship management, and billing information (company name, billing address, payment details) for invoicing and payment processing.
1.3 From Assessment Participants
- Identifiers: name, employee ID, email, team assignment
- Survey responses: psychological safety ratings and workplace perception scores (Sensitive)
- A.R.T. Assessment data: Acknowledge, Reclaim, and Thrive dimension scores (Sensitive)
- Open-text feedback: written comments about workplace culture (Sensitive)
1.4 From Training Participants
We collect identifiers (name, email, role, organization), training progress data (module completion, quiz scores, certification status), and learning analytics (time spent on modules, interaction patterns).
1.5 From Return-to-Work (RTW) Programs
We collect anonymous case identifiers, team assignment, RTW status (days absent, return date, accommodation status), and team readiness scores.
How We Collect Personal Information
- Direct collection: information you provide through our website contact form or when booking a consultation
- Assessment platforms: responses submitted through our assessment tools
- Training platforms: data generated through our learning management system
- Client organizations: information provided by employer clients under a Data Processing Agreement
Purposes for Collection, Use, and Disclosure
We collect and use personal information to:
- Respond to inquiries and book discovery calls
- Deliver assessment and consulting services
- Provide training programs and issue certifications
- Generate aggregated organizational reports for client organizations
- Support return-to-work culture initiatives
- Improve our services using anonymized analytics only
- Comply with legal obligations
We will not use personal information for any purpose other than those identified above without obtaining your consent.
Consent
For standard personal information (such as contact form submissions), implied consent is acceptable where the purpose is obvious and reasonable. For sensitive personal information (assessment responses, RTW data), we obtain express, informed consent that is freely given, specific to the identified purposes, clear and unambiguous, and separate from other terms and conditions.
You may withdraw your consent at any time by contacting our Privacy Officer at privacy@cultureiqlabs.com. Withdrawal of consent may affect your ability to participate in certain programs. We will explain the consequences of withdrawal upon request.
Disclosure of Personal Information
- Your employer: aggregated team reports only. We never share individual-level responses. A minimum of 5 respondents is required before any data is reported.
- Service providers: for hosting, analytics, and payment processing, under Data Processing Agreements with Canadian data residency where possible.
- Legal authorities: only when required by law, and only to the minimum extent required.
We do not sell personal information.
Some of our service providers are based outside Canada. Our primary data (assessments, personal information) is stored exclusively in Canada (Supabase, ca-central-1, Montreal). US-based providers — Vercel (hosting), Stripe (payments), Resend (transactional email), and Microsoft 365 Bookings (appointment scheduling) — are subject to contractual data processing terms that ensure protections equivalent to Canadian privacy law.
Data Residency
Our primary data storage is in Canada — Supabase PostgreSQL (ca-central-1, Montreal, Quebec). We are committed to keeping your personal information in Canada wherever feasible. Where sub-processors operate outside Canada, contractual safeguards are in place.
Security Safeguards
Technical
AES-256 encryption at rest, TLS 1.3 encryption in transit, multi-factor authentication for administrative access, role-based access controls, and regular security assessments.
Administrative
Confidentiality agreements with any contractors or service providers with data access, access limited to need-to-know basis, and annual policy reviews.
Physical
Secure, SOC 2 certified data center facilities. No local storage of personal information on portable devices.
Your Privacy Rights
Under PIPEDA and Law 25 (for Quebec operations), you have the following rights:
| Right | Description | Response Time |
|---|---|---|
| Access | Request a copy of your personal information | 30 days |
| Rectification | Correct inaccurate or incomplete information | 30 days |
| Erasure | Request deletion of your personal information (subject to legal retention requirements) | 30 days |
| Data Portability | Receive your data in a structured, commonly used format | 30 days |
| Withdrawal of Consent | Withdraw consent for future collection and use | Immediate |
| Information | Know what information we hold and how it is used | 30 days |
| Object to Automated Decisions | Challenge decisions made solely by automated processing | 30 days |
To exercise any of these rights, contact our Privacy Officer at privacy@cultureiqlabs.com. We will verify your identity before processing.
Retention
We retain personal information only as long as necessary to fulfil the purposes for which it was collected:
| Data Type | Retention Period |
|---|---|
| Contact form and inquiry records | 2 years from last contact |
| Assessment responses | Duration of client contract + 2 years |
| Training records | Duration of client contract + 3 years |
| Certification records | Duration of client contract + 5 years |
| Business contact information | Duration of relationship + 2 years |
| Consent records | Duration of data retention period + 2 years |
| Confidentiality incident records | Minimum 5 years |
After the retention period, personal information is securely destroyed using cryptographic erasure or secure overwrite.
Breach Notification
In the event of a confidentiality incident that presents a risk of serious harm, we will notify the appropriate privacy regulator as soon as feasible, notify affected individuals as soon as feasible, take measures to reduce risk and prevent future incidents, and record the incident in our confidentiality incident register.
Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated through our website and, where appropriate, by direct notification. The "Last Updated" date at the top of this page indicates when this Policy was most recently revised.
Complaints
If you have concerns about our privacy practices, please contact our Privacy Officer first at privacy@cultureiqlabs.com.
If you are not satisfied with our response, you may file a complaint with the appropriate regulator: