Grant & Funding Trust Center
Privacy Policy
Last updated: February 15, 2026
1. Information We Collect
We collect information that you provide directly to us, including:
- Account Information: Name, email address, company name, and business details.
- Business Profile: Province, city, industry sector, headcount, revenue, and incorporation details used for eligibility matching.
- Application Documents: Financial statements, project descriptions, and other evidence files uploaded to our Evidence Lockers.
- Consent Data: We record the IP address, timestamp, and source of your marketing consent to comply with CASL.
2. Compliance with Canadian Laws
Our data practices are designed to comply with the federal PIPEDA and provincial laws including Quebec's Law 25.
- Meaningful Consent: We only process your data based on your explicit consent for specific funding discovery purposes.
- Privacy Impact Assessments (PIA): We conduct formal PIAs for all AI-driven components, including our 2026 Transformation Engine, to ensure algorithmic fairness and data protection.
- Data Portability: You have the right to export your business profile and case data in a structured JSON format via your dashboard.
3. Data Storage and Security
Your data is stored within SOC 2 Type II compliant environments with specific hardening for Canadian standards:
- Immutable Audit Logging: All access to sensitive funding data is recorded in an immutable audit trail for forensic transparency.
- Encryption at Rest: Sensitive OAuth tokens and API keys are encrypted at the application level using AES-256-GCM.
- Request Correlation: We use unique request tracing to monitor and protect data flows across our systems.
4. CASL Compliance
In accordance with Canada's Anti-Spam Legislation (CASL):
- We only send commercial electronic messages (CEMs) with your express consent or where an existing business relationship exists.
- Every automated email includes a functional one-click unsubscribe mechanism.
- Unsubscribe requests are processed immediately and enforced across all system-generated alerts and newsletters.
5. Data Retention & Erasure
As per our Data Minimization policy:
- Audit logs are retained for 2 years to satisfy compliance obligations.
- Account deletion requests (Right to Erasure) are processed automatically within 30 days of submission.
- Temporary session data and OAuth states are purged within 24 hours of expiry.
6. Contact Us
For privacy inquiries or to contact our Data Protection Officer (DPO), please reach out to:
Email: [email protected]
Address: Digid Inc. Compliance Department, Toronto, ON, Canada.
