PIPEDA Compliance Statement
Last updated: April 17, 2026
About This Document
This statement describes how LocusBIM Inc. complies with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private-sector privacy law. It is intended for Canadian Architecture and Engineering firms evaluating LocusBIM for use on government, healthcare, or other PIPEDA-regulated projects.
PIPEDA is built on ten Fair Information Principles. This document maps each principle to our practices.
Principle 1 — Accountability
LocusBIM Inc. is accountable for personal information under its control. Our designated Privacy Officer can be reached at privacy@locusbim.com.
Third-party service providers we use (AWS, Square) are bound by contractual privacy obligations consistent with PIPEDA. All cloud infrastructure is hosted in Canada (AWS ca-central-1, Montreal).
Principle 2 — Identifying Purposes
We identify the purposes for which personal information is collected before or at the time of collection:
- License activation: To validate entitlement and prevent unauthorized use
- Support communications: To respond to technical and billing inquiries
- Purchase records: To fulfill license orders and maintain financial records as required by law
We do not collect personal information for undisclosed secondary purposes.
Principle 3 — Consent
We obtain consent for the collection, use, or disclosure of personal information, except where the law permits or requires otherwise. Consent is obtained:
- At the time of software download (acceptance of Terms of Service)
- At the time of purchase (payment processor consent)
- Implicitly when you contact us for support (use of provided contact information)
You may withdraw consent at any time by contacting our Privacy Officer, subject to legal or contractual restrictions.
Principle 4 — Limiting Collection
We collect only the personal information necessary for the identified purposes. We do not collect:
- Project data (PDFs, models, markups, issues) — this stays on your device
- Biometric data
- Location data
- Browsing history or behavioural profiles
License validation collects a machine UUID and license key only. The UUID is a random identifier and cannot be linked back to a natural person without additional information we do not hold.
Principle 5 — Limiting Use, Disclosure, and Retention
Personal information is used only for the purposes identified at collection. We do not sell, trade, or otherwise share personal information with third parties for their own purposes.
Retention periods
| Data type | Retention period |
| --- | --- |
| License activation logs | 90 days, then automatically deleted |
| Purchase records | 7 years (required by CRA for financial records) |
| Support correspondence | Duration of the support relationship, then deleted |
| Website access logs | 30 days |
Principle 6 — Accuracy
We take reasonable steps to ensure that personal information is accurate, complete, and up-to-date. If you believe information we hold about you is inaccurate, contact privacy@locusbim.com and we will correct it promptly.
Principle 7 — Safeguards
We protect personal information with security measures appropriate to the sensitivity of the information:
- In transit: TLS 1.3 for all data transmitted between the application and our servers
- License keys: Validated via HMAC-SHA256; no plaintext keys stored on our servers
- Infrastructure: AWS security groups restricting admin access by IP allowlist
- Access control: Principle of least privilege; production database accessible only through the application service account
- Dependency management: Regular automated scanning for known vulnerabilities
To report a security vulnerability: security@locusbim.com.
Principle 8 — Openness
Our privacy practices are documented in this statement and in our Privacy Policy. Both are publicly accessible without registration. We will notify customers of material changes to our privacy practices at least 30 days before they take effect.
Principle 9 — Individual Access
Upon written request, we will tell you what personal information we hold about you, how it has been used, and to whom it has been disclosed. We will respond within 30 calendar days.
We may deny access only in limited circumstances permitted by PIPEDA (e.g., where disclosure would reveal information about a third party, or where legal privilege applies).
To submit an access request: privacy@locusbim.com — subject line "PIPEDA Access Request".
Principle 10 — Challenging Compliance
If you believe we are not complying with PIPEDA, you may:
- Contact our Privacy Officer at privacy@locusbim.com
- File a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca
We will investigate all complaints and respond in writing within 30 days.
Data Residency Summary
For firms subject to provincial, federal, or sector-specific data residency requirements, here is a complete inventory of where LocusBIM data flows:
| Data type | Where it is stored or processed |
| --- | --- |
| Project files (PDFs, models) | Your device only — never transmitted |
| Markups, issues, annotations | Your device only — SQLite database on local disk |
| Signatures and stamps | Your device only |
| License validation | AWS ca-central-1 (Montreal, Canada) |
| Payment processing | Square Inc. (Canadian merchant account) |
| LocusSync sync (Phase 6) | AWS ca-central-1 (Montreal, Canada) — encrypted in transit and at rest |
| Website hosting | AWS ca-central-1 (Montreal, Canada) |
No project data is ever transmitted to US-hosted infrastructure. This satisfies the data residency requirements of most Canadian federal, provincial, healthcare, and municipal procurement policies.
Contact
Privacy Officer: privacy@locusbim.com
LocusBIM Inc., Canada