Privacy Policy

Last Updated: October 23, 2024

This Privacy Policy outlines how Ninja Solutions, Inc. (“NinjaVA” or “the Company“), a Canadian-based organization, collects, uses, and protects the personal information of individuals in Canada, the United States, and under the jurisdiction of California. This policy is designed to comply with the applicable privacy laws and regulations, including the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the United States’ federal and state privacy laws, and the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). We may update and make changes to this policy, so we encourage you to review it periodically.

Key Terms

It would be helpful to start by explaining some key terms used in this policy:

We, us, our	Ninja Solutions, Inc.
Our representative	Brandon Lazar, hello@ninjava.com
Personal information	Any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a particular consumer or household.
Sensitive personal information	Personal information revealing a consumer’s social security number, driver’s license and passport numbers, account numbers and credentials, precise geolocation, racial or ethnic origin, religious beliefs, or union membership, personal information concerning a consumer’s health, sex life, or sexual orientation, contents of a consumer’s mail, email and text messages where the business is not the intended recipient, genetic data, biometric information, and citizenship or immigration status.
Biometric Information	An individual’s physiological, biological, or behavioral characteristics, including information about an individual’s deoxyribonucleic acid (DNA), that is used or is intended to be used singly or with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.

Personal Information We Collect About You

In the preceding 12 months, we have collected the following categories and specific types of consumer personal information:

Categories of Personal Information	Specific Types of Personal Information Collected
Identifiers (e.g., a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers)	Name, postal Address, IP Address
Characteristics of protected classifications under California or federal law
Commercial information (e.g., records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies)	VA seat purchase history
Internet or other electronic network activity information (e.g., browsing history, search history, and information regarding a consumer’s interaction with an Internet Website, application, or advertisement)	IP Address
Geolocation data	IP Address
Professional or employment-related information
Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (FERPA)
Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
Sensitive Personal Information

How Your Personal Information is Collected

In some instances, we collect most of this personal information directly from you—in person, by telephone, text or email and/or via our website and apps. However, we may also collect information from the following categories of sources:

Publicly accessible sources (e.g., property records);
Third party (e.g., sanctions screening providers, credit reporting agencies, customer due diligence providers, advertising networks, internet service providers, social networks, data analytics providers, government entities, and data brokers);
Third party with your consent (e.g., your bank);
Cookies on our website;
Automated information collection;

Consent Mechanisms

This section outlines the mechanisms by which NinjaVA obtains, manages, and documents consent for data processing activities, in compliance with the legal standards for consent as applicable in Canada, the United States, and the European Union (EU).

Obtaining Consent:
1. Canada: In accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA), the Company obtains express or implied consent from individuals prior to collecting, using, or disclosing their personal information. The form of consent sought by the Company is appropriate to the sensitivity of the information and the reasonable expectations of the individual.
2. United States: The Company complies with applicable federal and state privacy laws, obtaining consent where required, and ensuring that individuals are informed about the nature and extent of data collection, the precise information being collected, the purpose of the data collection, and how it will be used or disclosed.
3. European Union: For EU residents, in alignment with the General Data Protection Regulation (GDPR), consent is obtained through a clear affirmative action or statement indicating the data subject’s agreement to the processing of their personal data. The Company ensures that consent is freely given, specific, informed, and unambiguous for each of the purposes for which data is processed.
Managing Consent:
1. Documentation: The Company maintains comprehensive records of consent obtained, including the identity of the consenting individual, the date of consent, the method through which consent was obtained, and the specific purposes for which consent was given.
2. Withdrawal of Consent: Individuals have the right to withdraw their consent at any time. The Company provides easily accessible means by which individuals can withdraw consent, such as through a link on the Company’s website, via email, or through the Company’s customer service. Upon receipt of a withdrawal of consent, the Company will stop processing the individual’s personal data for the purposes for which consent was originally obtained, unless another legal basis for processing exists.
Adapting to Jurisdictional Differences:
1. The Company recognizes the variations in legal standards for consent across jurisdictions and adapts its consent mechanisms accordingly. In jurisdictions with stricter requirements (e.g., the GDPR in the EU), the Company implements additional measures to ensure compliance, such as enhanced transparency and the provision of detailed information regarding data processing activities.
2. In cases where the legal framework requires it, the Company will obtain explicit consent for the processing of sensitive personal information, ensuring that individuals are fully informed of the context and implications of the processing.
Updates and Amendments: The Company will review and update its consent mechanisms as necessary to remain compliant with evolving legal standards and best practices in data protection across all jurisdictions in which it operates. Any changes to the Company’s consent mechanisms will be communicated to individuals in a timely manner, ensuring that they are informed of their rights and the means by which they can exercise them.

By adhering to these principles, NinjaVA is committed to respecting individual privacy preferences and ensuring compliance with the diverse legal requirements governing consent for data processing activities in Canada, the United States, and the European Union.

Why We Use Your Personal Information

We collect and/or share consumer personal information for the following business purposes:

Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards;
Helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes;
Debugging to identify and repair errors that impair existing intended functionality;
Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a consumer’s current interaction with the business, provided the consumer’s personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business;
Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business or service provider;
Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer;
Undertaking internal research for technological development and demonstration;
Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business;
To comply with our legal and regulatory obligations;
For the performance of our contract with you or to take steps at your request before entering into a contract;
For our legitimate interests or those of a third party; or
Where you have given consent.

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

The table below explains what we use (process) your personal information for and our reasons for doing so:

What we use your personal information for	Our reasons
To provide products AND/OR services to you	For the performance of our contract with you or to take steps at your request before entering into a contract
To prevent and detect fraud against you or NinjaVA	For our legitimate interests or those of a third party, i.e., to minimize fraud that could be damaging for us and for you
Conducting checks to identify our customers and verify their identity	Screening for financial and other sanctions or embargoes
Other processing necessary to comply with professional, legal and regulatory obligations that apply to our business, e.g., under health and safety regulation or rules issued by our professional regulator	To comply with our legal and regulatory obligations
Gathering and providing information required by or relating to audits, enquiries, or investigations by regulatory bodies	To comply with our legal and regulatory obligations
Ensuring business policies are adhered to, e.g., policies covering security and internet use	For our legitimate interests or those of a third party, i.e., to make sure we are following our own internal procedures so we can deliver the best service to you
Operational reasons, such as improving efficiency, training, and quality control	For our legitimate interests or those of a third party, i.e., to be as efficient as we can so we can deliver the best service for you at the best price
Ensuring the confidentiality of commercially sensitive information	For our legitimate interests or those of a third party, i.e., to protect trade secrets and other commercially valuable information To comply with our legal and regulatory obligations
Statistical analysis to help us manage our business, e.g., in relation to our financial performance, customer base, product range or other efficiency measures	For our legitimate interests or those of a third party, i.e., to be as efficient as we can so we can deliver the best service for you at the best price
Preventing unauthorized access and modifications to systems	For our legitimate interests or those of a third party, i.e., to prevent and detect criminal activity that could be damaging for us and for you To comply with our legal and regulatory obligations
Updating and enhancing customer records	For the performance of our contract with you or to take steps at your request before entering into a contract To comply with our legal and regulatory obligations For our legitimate interests or those of a third party, e.g., making sure that we can keep in touch with our customers about existing orders and new products
Statutory returns	To comply with our legal and regulatory obligations
Ensuring safe working practices, staff administration and assessments	To comply with our legal and regulatory obligations For our legitimate interests or those of a third party, e.g., to make sure we are following our own internal procedures and working efficiently so we can deliver the best service to you
Marketing our services and those of selected third parties to: – existing and former customers; – third parties who have previously expressed an interest in our services; – third parties with whom we have had no previous dealings.	For our legitimate interests or those of a third party, i.e., to promote our business to existing and former customers
Credit reference checks via external credit reference agencies	For our legitimate interests or those of a third party, i.e., to ensure our customers are likely to be able to pay for our products and services
External audits and quality checks, e.g., for accreditations and the audit of our accounts	For our legitimate interests or a those of a third party, i.e., to maintain our accreditations so we can demonstrate we operate at the highest standards To comply with our legal and regulatory obligations

Who We Share Your Personal Information With

In the preceding 12 months, we have shared consumers’ personal information with:

Our affiliates, including companies within the NinjaVA group;
Service providers we use to help deliver our products and/or services to you, such as payment service providers and virtual assistant service providers;
Other third parties we use to help us run our business, such as marketing agencies or website hosts;
Third parties approved by you, including social media sites you choose to link your account to or third-party payment providers;
Credit reporting agencies;
Our insurers and brokers;
Our bank[s];
External auditors.

We only allow our service providers to handle your personal information if we are satisfied, they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers, contractors, and third parties to ensure they can only use your personal information to provide services to us and to you.

We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.

We may also need to share some personal information with other parties, such as potential buyers of some or all of our business or during a re-structuring. We will typically anonymize information, but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.

Categories of Personal Information We Sold or Shared

In the preceding 12 months, we have shared the following categories of personal information:

Identifiers (e.g., a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers);
Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, their name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information;
Characteristics of protected classifications under California or federal law;
Commercial information (e.g., records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies);
Internet or other electronic network activity information (e.g., browsing history, search history, and information regarding a consumer’s interaction with an Internet Website, application, or advertisement);
Geolocation data;
Professional or employment-related information;
Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes; and
Sensitive personal information

Categories of Personal Information We Disclosed for a Business Purpose

In the preceding 12 months, we have disclosed the following categories of personal information for a business purpose:

Identifiers (e.g., a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers);
Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, their name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information;
Characteristics of protected classifications under California or federal law;
Commercial information (e.g., records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies);
Internet or other electronic network activity information (e.g., browsing history, search history, and information regarding a consumer’s interaction with an Internet Website, application, or advertisement);
Geolocation data;
Professional or employment-related information;
Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes;
Sensitive personal information.

How Long Your Personal Information Will Be Kept

We will keep your personal information while you have an account with us or while we are providing products AND/OR services to you. Thereafter, we will keep your personal information for as long as is necessary:

To respond to any questions, complaints or claims made by you or on your behalf;
To show that we treated you fairly; or
To keep records required by law.

We will not retain your personal information for longer than necessary for the purposes set out in this policy. Different retention periods apply for different types of personal information.

When it is no longer necessary to retain your personal information, we will delete or anonymize it.

Your Rights Under the CCPA/CPRA

You have the right under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), and certain other privacy and data protection laws, as applicable, to exercise free of charge:

Disclosure of Personal Information We Collect About You	You have the right to know, and request disclosure of: • The categories of personal information we have collected about you, including sensitive personal information; • The categories of sources from which the personal information is collected; • Our business or commercial purpose for collecting, selling, or sharing personal information; • The categories of third parties to whom we disclose personal information, if any; and • The specific pieces of personal information we have collected about you.Please note that we are not required to: • Retain any personal information about you that was collected for a single one-time transaction if, in the ordinary course of business, that information about you is not retained; • Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information; or • Provide the personal information to you more than twice in a 12-month period.
Disclosure of Personal Information Sold, Shared, or Disclosed for a Business Purpose	In connection with any personal information we may sell, share, or disclose to a third party for a business purpose, you have the right to know: • The categories of personal information about you that we sold or shared and the categories of third parties to whom the personal information was sold or shared; and • The categories of personal information that we disclosed about you for a business purpose and the categories of persons to whom the personal information was disclosed for a business purpose. You have the right to opt-out of the sale of your personal information or sharing of your personal information for targeted behavioral advertising. If you exercise your right to opt-out of the sale or sharing of your personal information, we will refrain from selling or sharing your personal information, unless you subsequently provide express authorization for the sale or sharing of your personal information. To opt-out of the sale or sharing of your personal information, visit our homepage and click on the Do Not Sell or Share My Personal Information link here: [URL].
Right to Limit Use of Sensitive Personal Information	You have the right to limit the use and disclosure of your sensitive personal information to the use which is necessary to: • Perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services; • To perform the following services: (1) Helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes; (2) Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a consumer’s current interaction with the business, if the consumer’s personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business; (3) Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business; and (4) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business; and • As authorized by further regulations. You have a right to know if your sensitive personal information may be used, or disclosed to a service provider or contractor, for additional, specified purposes. To limit the use of your sensitive personal information, visit our homepage and click on the “Limit the Use of My Sensitive Personal Information” link here: [url]
Right to Deletion	Subject to certain exceptions set out below, on receipt of a verifiable request from you, we will: • Delete your personal information from our records; and • Direct any service providers or contractors to delete your personal information from their records. • Direct third parties to whom the business has sold or shared your personal information to delete your personal information unless this proves impossible or involves disproportionate effort. Please note that we may not delete your personal information if it is reasonably necessary to: • Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between you and us; • Help to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for those purposes; • Debug to identify and repair errors that impair existing intended functionality; • Exercise free speech, ensure the right of another consumer to exercise their right of free speech, or exercise another right provided for by law; • Comply with the California Electronic Communications Privacy Act; • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, provided we have obtained your informed consent; • Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us; • Comply with an existing legal obligation; or • Otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information.
Right of Correction	If we maintain inaccurate personal information about you, you have the right to request us to correct that inaccurate personal information. Upon receipt of a verifiable request from you, we will use commercially reasonable efforts to correct the inaccurate personal information.
Protection Against Retaliation	You have the right to not be retaliated against by us because you exercised any of your rights under the CCPA/CPRA. This means we cannot, among other things: • Deny goods or services to you; • Charge different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; • Provide a different level or quality of goods or services to you; or • Suggest that you will receive a different price or rate for goods or services or a different level or quality of goods or services. Please note that we may charge a different price or rate or provide a different level or quality of goods and/or services to you, if that difference is reasonably related to the value provided to our business by your personal information. We may also offer loyalty, rewards, premium features, discounts, or club card programs consistent with these rights or payments as compensation, for the collection of personal information, the sale of personal information, or the retention of personal information.

How to Exercise Your Rights

If you would like to exercise any of your rights as described in this Privacy Policy, you can do so here: https://ninjava.com. You may also call us at 778-471-2828, or email/write to us at hello@ninjava.com.

Please note that you may only make a CCPA/CPRA-related data access or data portability disclosure request twice within a 12-month period.

If you choose to contact us directly by website/email/phone/in writing, you will need to provide us with:

Enough information to identify you (e.g., your full name, address and customer or matter reference number);
Proof of your identity and address (e.g., a copy of your driving license or passport and a recent utility or credit card bill); and
A description of what right you want to exercise and the information to which your request relates.

We are not obligated to make a data access or data portability disclosure if we cannot verify that the person making the request is the person about whom we collected information, or is someone authorized to act on such person’s behalf.

Any personal information we collect from you to verify your identity in connection with you request will be used solely for the purposes of verification.

GDPR Compliance

Notwithstanding our primary operations within Canada and the United States, NinjaVA acknowledges the importance of compliance with the General Data Protection Regulation (GDPR) due to our interactions with residents of the European Union (EU). This section of our Privacy Policy is dedicated to addressing our practices concerning the collection, use, and protection of personal data from EU residents, in accordance with GDPR requirements.

Legal Basis for Processing Personal Data: NinjaVA processes personal data of EU residents based on the following legal grounds:

Consent: We may process personal data when we have obtained explicit consent from the data subject for one or more specific purposes.
Contractual Necessity: Processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract.
Legal Obligation: Processing is necessary for compliance with a legal obligation to which we are subject.
Vital Interests: Processing is necessary to protect the vital interests of the data subject or of another natural person.
Public Interest: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
Legitimate Interests: Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Data Subject Rights: Under the GDPR, EU residents have the following rights concerning their personal data:

The right to be informed about the collection and use of their personal data.
The right of access to their personal data and how it is processed.
The right to rectification of inaccurate personal data.
The right to erasure (to be forgotten) under certain circumstances.
The right to restrict processing under certain conditions.
The right to data portability, allowing data subjects to obtain and reuse their personal data across different services.
The right to object to processing based on legitimate interests, direct marketing, and processing for scientific or historical research and statistics.
Rights related to automated decision making, including profiling.

Data Protection Officer (DPO): NinjaVA has appointed a Data Protection Officer responsible for overseeing our data protection strategy and its implementation to ensure compliance with GDPR requirements. Data subjects may contact our DPO for any concerns or inquiries regarding the processing of their personal data or to exercise their rights under the GDPR at the following contact details: Brandon Lazar hello@ninjava.com.

Transfers of Personal Data: NinjaVA ensures that any transfer of personal data outside the EU is undertaken in compliance with GDPR, utilizing appropriate safeguards such as Standard Contractual Clauses or adherence to an adequacy decision by the European Commission.

For further information on our data protection practices or to exercise your rights under the GDPR, please contact our Data Protection Officer at the provided contact details.

Your Rights Under PIPEDA

If you are a resident of Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws grant you certain rights regarding the collection, use, and disclosure of your personal information by us. These rights include:

The right to be informed of the existence, use, and disclosure of your personal information and to be given access to it. You are entitled to question the accuracy and completeness of the information and have it amended as appropriate.
The right to know why we collect, use, or disclose your personal information.
The right to expect us to collect, use, or disclose your personal information reasonably and for purposes that are clear to you.
The right to expect us to protect your personal information by using appropriate security safeguards.
The right to complain to the Privacy Commissioner of Canada if you believe your rights have been violated.

If you wish to inquire about your personal information held by NinjaVA, or if you wish to exercise any of your rights under PIPEDA, please contact our Privacy Officer at the contact details provided in this policy. We will take steps to verify your identity before granting access or making corrections to ensure the protection and privacy of your information.

International Data Transfers

In the course of our operations, NinjaVA may transfer personal information across geographical borders to other countries or regions in connection with storage, processing, or fulfilling our business obligations and operational requirements. To ensure the protection and lawful transfer of your personal information, we adhere to various mechanisms and safeguards as outlined below:

Standard Contractual Clauses (SCCs): For the transfer of personal information to countries outside of Canada, the United States, and the European Economic Area (EEA), NinjaVA relies on Standard Contractual Clauses approved by the European Commission. These clauses provide specific data protection standards and obligations on both the data exporter and the data importer, ensuring the protection of your personal information.
Binding Corporate Rules (BCRs): NinjaVA has implemented Binding Corporate Rules that have been approved by relevant data protection authorities. BCRs are internal rules that define the global policy with regard to international transfers of personal information within the same corporate group, ensuring that all data transfers within NinjaVA adhere to the highest standard of data protection, regardless of where the information is transferred.
Adequacy Decisions: Where applicable, NinjaVA may rely on adequacy decisions made by the European Union, which determine that certain countries outside of the EEA offer an adequate level of data protection. In such cases, personal information can be transferred without the need for additional safeguards.
Additional Safeguards: Recognizing that some countries may not have equivalent data protection laws, NinjaVA implements additional safeguards to protect your personal information. These may include enhanced encryption methods, anonymization of data prior to transfer, and stringent contractual obligations imposed on recipients of personal information to ensure that all data is processed in accordance with the high standards set forth in this Privacy Policy and applicable law.
By employing these mechanisms and safeguards, NinjaVA is committed to ensuring the secure and lawful transfer of personal information across borders, upholding our dedication to protecting your privacy and complying with international data protection standards.

Cross-Border Data Transfer Impact Assessments

NinjaVA acknowledges the importance of privacy and data protection, especially in the context of cross-border data transfers. In line with this commitment, the Company conducts Data Protection Impact Assessments (DPIAs) for all cross-border data transfers. These assessments are meticulously designed to identify and mitigate risks associated with the transfer of personal information across international borders. The DPIA process evaluates the necessity and proportionality of the data transfer, taking into consideration the nature of the data, the purpose of the transfer, and the country’s data protection laws to which the data is being transferred. Through the implementation of DPIAs, NinjaVA ensures that all cross-border data transfers adhere to the highest standards of privacy and data protection, thereby safeguarding the personal information of our clients against unauthorized access, use, or disclosure.

Third-Party Data Processors

In order to facilitate our international operations and to provide you with the highest quality of service, NinjaVA engages a variety of third-party data processors and sub-processors, including international partners and affiliates, to process personal information on our behalf. These third-party processors are carefully selected and vetted to ensure they meet our strict privacy, security, and data protection standards.
Our engagement with third-party data processors covers a range of activities necessary for the delivery of our services, including but not limited to data storage, analytics, customer support, and payment processing. These processors may be located outside of Canada, the United States, and the European Economic Area (EEA), in countries with different data protection laws.

When we transfer personal information to third-party processors in other countries, we do so in compliance with applicable data protection laws. This includes the use of Standard Contractual Clauses (SCCs) approved by the European Commission, Binding Corporate Rules (BCRs) for transfers within our corporate group, or relying on an adequacy decision by the European Commission, where applicable.

We maintain a list of our third-party processors and sub-processors, including the names, locations, and roles of such processors in handling personal information. This list is reviewed and updated regularly to reflect any changes in our operational needs or the engagement of new processors. We impose strict contractual obligations on all our third-party processors to ensure they can only process personal information according to our instructions and for the specified purposes, providing the same level of protection as set out in this Privacy Policy.

By engaging these third-party data processors, NinjaVA demonstrates its commitment to safeguarding personal information, regardless of where it is processed. We remain responsible for your personal information when it is transferred to our third-party processors and take all reasonable measures to protect it against unauthorized access, use, or disclosure.

Data Localization Requirements

To comply with data localization requirements mandated by specific jurisdictions, NinjaVA acknowledges and adheres to regulations that require the storage and processing of personal information within certain geographic boundaries. Where applicable, personal information collected from residents of such jurisdictions will be stored and processed exclusively within the territorial limits of the respective jurisdiction, in accordance with its data protection laws and regulations.
This adherence to data localization requirements is designed to ensure that all personal information under our control is managed in a way that respects local laws and regulations concerning data storage and processing. NinjaVA has implemented appropriate technical and organizational measures to guarantee that data localization requirements are met, including but not limited to, deploying servers within the required jurisdictions, engaging local data processors compliant with local laws, and restricting data transfer across borders unless stringent compliance measures are in place.

Should the laws of any jurisdiction change to include data localization requirements, NinjaVA commits to promptly adjusting its data storage and processing practices to remain in compliance with such legal obligations. Moreover, NinjaVA will conduct regular reviews of its data storage and processing practices to ensure ongoing compliance with all applicable data localization laws and regulations.

For jurisdictions without explicit data localization laws, NinjaVA will continue to protect personal information by applying the principles outlined in this Privacy Policy, ensuring the secure and lawful transfer and processing of personal information across borders, in line with our commitment to upholding the highest standards of privacy and data protection.

Data Breach Notification

In the event of a data breach that is reasonably believed to involve unauthorized access to, disclosure of, or use of personal information that compromises the security, confidentiality, or integrity of such information under our control, NinjaVA commits to the following notification procedures:

Immediate Assessment and Containment: Upon discovery of a suspected or actual data breach, we will promptly assess the situation to verify the breach and take immediate steps to contain and limit any potential impact.
Notification to Authorities: Consistent with our obligations under applicable laws and regulations, including but not limited to PIPEDA, CCPA/CPRA, and GDPR, we will notify the relevant data protection authorities without undue delay and, where feasible, not later than 72 hours after having become aware of the data breach. If the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Notification to Affected Individuals: If the data breach is likely to result in a high risk to the rights and freedoms of individuals, NinjaVA will communicate the breach to the affected individuals without undue delay. This communication will clearly describe the nature of the data breach, the likely consequences of the data breach, the measures taken or proposed to be taken to address the data breach, and recommendations for individuals concerned to mitigate potential adverse effects.
Content of Notifications: Notifications to both authorities and affected individuals will include, where possible, the categories and approximate number of data subjects and personal data records concerned, the name and contact details of our data protection officer or another contact point, a description of the likely consequences of the data breach, and a description of the measures taken or proposed to be taken to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Documentation: All data breaches and the actions taken in response will be documented in accordance with our data protection policies and applicable legal requirements. This documentation may be used to inform further protective measures or to provide evidence of compliance with data protection laws.
Cross-Border Considerations: In the case of a data breach affecting individuals in multiple jurisdictions, NinjaVA will ensure that notifications are made in accordance with the legal requirements specific to each jurisdiction, taking into account cross-border data transfer rules and regulations.

By implementing these procedures, NinjaVA aims to address data breaches effectively and in compliance with applicable laws, minimizing potential harm to individuals and upholding our commitment to data protection and privacy.

Governing Law and Venue

This Privacy Policy shall be governed by and construed in accordance with the laws of the Province of British Columbia, Canada, without regard to its conflict of law principles. Any legal suit, action, or proceeding arising out of, or related to, this Privacy Policy or the transactions contemplated hereby shall be instituted exclusively in the federal courts of Canada or the courts of the Province of British Columbia. Each party irrevocably submits to the exclusive jurisdiction of such courts in any such suit, action, or proceeding.

Arbitration

For any dispute, claim, question, or disagreement arising from or relating to this Privacy Policy or the breach thereof, the parties hereto shall use their best efforts to settle the dispute, claim, question, or disagreement. To this effect, they shall consult and negotiate with each other in good faith and, recognizing their mutual interests, attempt to reach a just and equitable solution satisfactory to both parties. If they do not reach such solution within a period of 60 days, then, upon notice by either party to the other, all disputes, claims, questions, or disagreements shall be finally settled by arbitration administered by the American Arbitration Association in accordance with the provisions of its Commercial Arbitration Rules and, in the case of cross-border disputes or claims involving parties in Canada, the International Centre for Dispute Resolution Canada rules.
The number of arbitrators shall be one unless the claim exceeds $1,000,000, in which case the number of arbitrators shall be three. The place of arbitration shall be Toronto, Ontario, Canada, unless otherwise agreed by the parties. The arbitration proceedings shall be conducted in English.

The arbitral award shall be final and binding upon the parties without appeal or review except as permitted by Canada or United States law for arbitration decisions and may be entered in any court having jurisdiction thereof.

This arbitration clause shall survive the termination of this Privacy Policy. Notwithstanding the foregoing, the parties may seek preliminary injunctive relief from a court of competent jurisdiction while arbitration under this clause is pending, if necessary to protect the rights or property of the party seeking relief.