1. Introduction
Studio Orfolio Inc. is committed to operating in full compliance with all applicable Canadian federal and provincial laws, including privacy, consumer protection, electronic commerce, and data security regulations. This Legal & Compliance document outlines our adherence to these legal frameworks and our commitment to transparency and accountability.
2. Compliance with Quebec's Law 25 and PIPEDA
Orfolio is fully compliant with:
- Law 25 (Loi modernisant des dispositions législatives en matière de protection des renseignements personnels) — Quebec's modernized privacy law, which came into effect in September 2023.
- PIPEDA (Personal Information Protection and Electronic Documents Act) — Canada's federal privacy law governing the collection, use, and disclosure of personal information in commercial activities.
Our compliance measures include:
- Obtaining explicit, informed consent before collecting personal data.
- Providing clear information about how data is used, stored, and shared.
- Ensuring users have the right to access, correct, and delete their personal information.
- Implementing robust security measures to protect against unauthorized access or breaches.
- Designating a Responsible for Personal Data Protection (RPDP) to oversee compliance.
3. Data Hosting and Sovereignty
All personal and sensitive data collected by Orfolio is hosted exclusively in Canada, ensuring compliance with data sovereignty requirements under Law 25.
- Primary Hosting: Microsoft Azure Canada (Toronto Region).
- Secondary Infrastructure: Vultr (Toronto) for redundancy and specific workloads.
- Certifications: Azure complies with ISO 27001, SOC 2 Type II, and CSA STAR, ensuring world-class security and privacy standards.
By hosting data exclusively in Canada, we ensure that user information remains under Canadian legal jurisdiction and is not subject to foreign surveillance laws such as the U.S. CLOUD Act.
4. Data Security and Encryption
Orfolio employs industry-leading security practices to protect user data from unauthorized access, disclosure, or loss.
4.1 Password Security
- User passwords are hashed using bcrypt, a deliberately slow, salted password-hashing function designed to resist brute-force and dictionary attacks.
- Passwords are never stored in plaintext and cannot be recovered by Orfolio staff.
- Password reset functionality uses time-limited, cryptographically signed tokens sent via email.
4.2 Authentication and Session Management
- User sessions are secured using JSON Web Tokens (JWT) with expiration times and refresh token mechanisms.
- Tokens are transmitted exclusively over HTTPS to prevent interception.
- Session tokens are stored in cookies with the HttpOnly and Secure flags: HttpOnly blocks client-side script access to the token, limiting the impact of cross-site scripting (XSS), and Secure ensures the cookie is only sent over HTTPS.
- Two-factor authentication (2FA) is available to all users and mandatory for administrative accounts.
4.3 Data Encryption
- In Transit: All data transmitted between users and Orfolio servers is encrypted using TLS 1.3 (HTTPS).
- At Rest: Sensitive data stored in databases is encrypted using AES-256 encryption.
- Backup Encryption: Database backups are encrypted and stored in geographically redundant locations within Canada.
5. Explicit Consent and Data Collection
Orfolio adheres to the principle of informed consent as required by Law 25 and PIPEDA.
- Users are informed of what data is collected, why it is collected, and how it will be used before providing consent.
- Consent is obtained explicitly during account registration and when enabling optional features (e.g., analytics, AI processing).
- Users can withdraw consent at any time through account settings or by contacting rdpd@orfolio.com.
- No data is collected or processed for purposes beyond those disclosed and consented to by the user.
6. User Rights: Access, Portability, and Erasure
In accordance with Law 25 and PIPEDA, Orfolio guarantees the following rights to all users:
6.1 Right to Access
Users have the right to request a copy of all personal data Orfolio holds about them. Requests can be submitted via email to rdpd@orfolio.com and will be processed within 30 days.
6.2 Right to Portability
Users can export their data in structured, machine-readable formats (JSON, CSV) through the account dashboard or by contacting support. This includes:
- Account information and preferences.
- Website content, pages, and media assets.
- Subscription and billing history.
6.3 Right to Erasure ("Right to Be Forgotten")
Users can request permanent deletion of their account and all associated data. Once confirmed, data is deleted within 30 days and cannot be recovered. Exceptions apply for data that must be retained for legal, tax, or regulatory purposes (e.g., billing records).
7. Data Protection Officer and Accountability
Orfolio has designated a Responsible for Personal Data Protection (RPDP) as required by Law 25. The RPDP is responsible for:
- Ensuring compliance with privacy laws and regulations.
- Overseeing data governance policies and procedures.
- Handling user inquiries, complaints, and data access requests.
- Coordinating incident response and breach notification procedures.
- Conducting regular privacy impact assessments and audits.
For questions or to exercise your privacy rights, contact:
Data Protection Officer – Studio Orfolio Inc.
Montréal, QC, Canada
Email: rdpd@orfolio.com
8. Security Incident and Breach Notification
In the event of a data breach or security incident involving personal information, Orfolio will:
- Notify affected users within 72 hours of discovering the breach, as required by Law 25.
- Report the incident to the Commission d'accès à l'information du Québec (CAI) and other relevant authorities.
- Provide clear information about the nature of the breach, the data affected, and steps taken to mitigate harm.
- Offer guidance on protective measures users can take (e.g., password resets, monitoring for fraud).
Incident notifications will be sent via email and posted on our official status page and communication channels.
9. Compliance with Canadian E-Commerce Laws
Orfolio complies with Canadian laws governing electronic commerce, including:
- Canada's Anti-Spam Legislation (CASL) — We only send commercial electronic messages to users who have provided express or implied consent. All marketing emails include clear unsubscribe options.
- Consumer Protection Laws — We provide transparent pricing, clear terms of service, and fair refund policies in accordance with Quebec's Consumer Protection Act.
- Accessibility Standards — We strive to ensure Orfolio meets accessibility standards under the Accessible Canada Act (ACA) and WCAG 2.1 guidelines.
10. Transparency of AI Algorithms and Processing
Orfolio uses artificial intelligence to assist users in website creation, content generation, and design recommendations. We are committed to transparency in how AI is used and the data it processes.
10.1 AI Models Used
Orfolio integrates the following third-party AI models based on user selection:
- OpenAI (GPT-4 and GPT-4 Turbo) — For advanced text generation and conversational AI.
- Anthropic (Claude AI) — For context-aware content creation and structured output.
- DeepSeek — For specialized AI-powered design and optimization tasks.
10.2 User Consent and Data Processing
- Users must explicitly consent to AI processing before using AI-powered features.
- User prompts and inputs may be sent to third-party AI providers to generate responses.
- AI providers are bound by Data Processing Agreements (DPAs) ensuring compliance with Law 25 and PIPEDA.
- AI-generated content is reviewed and validated by users before publication; Orfolio is not responsible for inaccuracies or legal issues arising from AI output.
10.3 Transparency and Explainability
- Users are informed when content is AI-generated and can opt out of AI features at any time.
- AI models do not make automated decisions affecting user rights, subscriptions, or account status without human oversight.
- Users can request information about how AI processing affects their data by contacting rdpd@orfolio.com.
11. Annual Policy Review and Updates
Orfolio conducts an annual review of all compliance policies, including:
- Privacy Policy
- Terms and Conditions
- Cookie Policy
- Data Governance
- Refund Policy
- Legal & Compliance
This review ensures our policies remain aligned with:
- Changes in Canadian and Quebec privacy legislation.
- Updates to third-party services and integrations.
- Emerging best practices in data security and governance.
- User feedback and regulatory guidance.
Users will be notified of significant policy changes via email or in-platform notifications. The "Last updated" date at the bottom of each policy reflects the most recent revision.
12. Third-Party Audits and Certifications
Orfolio's infrastructure and security practices are regularly audited by independent third parties to ensure compliance and identify areas for improvement.
- Security Audits: Annual penetration testing and vulnerability assessments conducted by certified security professionals.
- Infrastructure Compliance: Hosting on Azure Canada ensures compliance with ISO 27001, SOC 2 Type II, and CSA STAR certifications.
- Payment Security: Stripe, our payment processor, is PCI-DSS Level 1 compliant, the highest standard for payment security.
13. Regulatory Authorities and Complaints
Users have the right to file complaints with regulatory authorities if they believe their privacy rights have been violated.
13.1 Commission d'accès à l'information du Québec (CAI)
Quebec residents can contact the CAI for privacy-related complaints:
Commission d'accès à l'information du Québec
Website: www.cai.gouv.qc.ca
Phone: 1-888-528-7741
13.2 Office of the Privacy Commissioner of Canada (OPC)
For federal privacy matters under PIPEDA:
Office of the Privacy Commissioner of Canada
Website: www.priv.gc.ca
Phone: 1-800-282-1376
14. Contact Information
For legal inquiries, compliance questions, or to exercise your privacy rights, please contact:
Studio Orfolio Inc. – Legal Department
Montréal, QC, Canada
Email: rdpd@orfolio.com
General Inquiries: contact@orfolio.com