MinuteKeep ("we," "our," or "us") is operated by Robert Onley, Barrister & Solicitor, practising as Onley Law, with offices at 2 Simcoe Street South, Oshawa, Ontario, L1H 8C1, Canada. We are committed to protecting your privacy and handling your personal information in compliance with Canadian privacy legislation.
This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, who we share it with, and your rights under applicable law. This policy is designed to meet the requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5), Canada's Anti-Spam Legislation (CASL, S.C. 2010, c. 23), and applicable provincial privacy legislation, including British Columbia's Personal Information Protection Act (PIPA), Alberta's Personal Information Protection Act (PIPA), and Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25).
By creating an account or using MinuteKeep, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy. If you do not agree with this policy, you must not use the Service. If you have questions, email us at support@minutekeep.ca.
1. Definitions
In this Privacy Policy:
- "Personal Information" means information about an identifiable individual, as defined under PIPEDA, but does not include the name, title, business address, or business telephone number of an employee of an organization.
- "Corporate Data" means information about a corporation that you enter into the Service, including corporate details, director and officer information, shareholder records, and financial details.
- "Service" means the MinuteKeep web application and all related services.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Your full name
- Your email address
- A password (stored only as a cryptographic hash using industry-standard algorithms — we never store or have access to your plaintext password)
- If you authenticate via Google or Microsoft SSO, we receive your name and email address from the identity provider. We do not receive or store your Google or Microsoft password.
2.2 Corporate Data You Enter
To generate your corporate documents, you provide us with information about your corporation(s), which may include:
- Corporation name, corporation number, jurisdiction of incorporation, and incorporation date
- Registered office and records office addresses
- Director and officer names, residential addresses, and dates of appointment or resignation
- Shareholder names, addresses, share classes, and share ownership details
- Financial year-end information
- Banking and financial institution details
- Corporate bylaws and special provisions in articles of incorporation
- Any other information you choose to enter for the purpose of generating corporate documents
Important: Some of this Corporate Data constitutes Personal Information about individuals (such as directors, officers, and shareholders). We treat all such information with the care required by PIPEDA and applicable provincial privacy legislation.
This Corporate Data is used solely to generate your corporate documents and provide the Service. We do not sell, rent, or share your Corporate Data with any third party for marketing or any purpose unrelated to providing the Service.
2.3 Payment Information
Payments are processed by Stripe, Inc., a PCI-DSS Level 1 certified third-party payment processor. When you subscribe to the Professional tier:
- Your credit card number, expiration date, and CVC are collected and processed directly by Stripe. This payment card information is never transmitted to or stored on our servers.
- We receive and store only: the last four digits of your card number, the card brand (e.g., Visa, Mastercard), the card expiry date, your billing postal code, and a Stripe customer identifier.
- We store transaction records including the amount, date, currency, and subscription status for our billing and accounting purposes.
2.4 Usage and Technical Information
We automatically collect certain technical and usage information when you access the Service, including:
- IP address
- Browser type and version
- Operating system and device type
- Pages visited and features used within the application
- Date and time of access
- Referring URL
- Error logs and performance data
This information is used to operate, maintain, and improve the Service, diagnose technical issues, and analyze aggregate usage patterns.
2.5 Information from Third-Party Sources
When you use the ISED federal registry lookup feature, we retrieve publicly available corporate information from Innovation, Science and Economic Development Canada (ISED) on your behalf. This information is provided by the Government of Canada and is publicly available. We use it solely to pre-populate corporate details in your account for your convenience.
3. Cookies and Tracking Technologies
3.1 Cookies We Use
We use cookies and similar technologies for the following purposes:
- Essential / Authentication: We store an authentication token in your browser's local storage to keep you signed in. This is necessary for the Service to function. Without it, you would need to sign in on every page load.
- Preferences: We may use cookies to remember your settings and preferences within the application.
- Analytics (Google Analytics): We use Google Analytics to understand how users navigate the Service, which features are most used, and to identify areas for improvement. Google Analytics uses cookies to collect anonymized and aggregated usage data. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
- Advertising (Facebook Pixel): We use the Facebook (Meta) Pixel to measure the effectiveness of our advertising campaigns and to serve relevant advertisements. The Facebook Pixel may collect information about your browsing activity. You can manage your Facebook ad preferences at facebook.com/adpreferences, or opt out of interest-based advertising through the Digital Advertising Alliance of Canada.
3.2 Managing Cookies
You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. However, if you disable essential cookies or clear your local storage, you will need to sign in again each time you visit the Service. Disabling analytics or advertising cookies will not affect the core functionality of the Service.
4. How We Use Your Information
We use the personal information we collect for the following purposes:
- Providing the Service: To operate MinuteKeep, generate your corporate documents, store your corporate records, and provide related functionality
- Account management: To create and manage your account, authenticate your identity, and provide customer support
- Payment processing: To process subscription payments, issue receipts, and manage billing
- Transactional communications: To send you document delivery emails, billing receipts, subscription confirmations, account notifications, and security alerts
- Service improvement: To analyze usage patterns, diagnose bugs, improve features, and develop new functionality
- Security: To detect, prevent, and respond to fraud, abuse, security incidents, and technical issues
- Legal compliance: To comply with applicable laws, regulations, court orders, and legal processes
- Commercial communications: With your express consent (as required by CASL), to send you product updates, new feature announcements, and promotional offers. You may withdraw this consent at any time.
We do not sell, rent, or trade your personal information to any third party for their own marketing purposes.
5. Legal Basis for Processing Under PIPEDA
Under PIPEDA, we collect, use, and disclose your personal information based on the following legal grounds:
- Consent: You provide consent when you create an account, enter Corporate Data, subscribe to the Service, and agree to this Privacy Policy. For commercial electronic messages, we obtain your express consent as required by CASL.
- Contractual necessity: Processing your personal information is necessary to perform our contract with you (the Terms of Service) and to provide the Service you have requested.
- Legitimate purposes: Under PIPEDA Principle 4.3, we collect personal information only for purposes that a reasonable person would consider appropriate in the circumstances, including operating and improving the Service, and ensuring its security.
- Legal obligations: We may process personal information where required by law, including tax and financial reporting obligations, court orders, and regulatory requirements.
You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawal of consent may limit our ability to provide certain features of the Service. To withdraw consent, contact us at support@minutekeep.ca.
6. Third-Party Services and Data Sharing
We use a limited number of third-party service providers to operate MinuteKeep. We share only the minimum personal information necessary for each provider to perform its function. Each provider is bound by contractual obligations to protect your data and to use it only for the purposes specified.
6.1 Service Providers
- Stripe, Inc. (San Francisco, CA, USA) — Payment processing. Stripe receives your payment card details, billing address, email, and transaction amounts. Stripe Privacy Policy
- Cloudflare, Inc. (R2 Storage) (San Francisco, CA, USA) — File storage. Your generated documents (PDFs, DOCX files) and uploaded files are stored on Cloudflare R2 infrastructure. Cloudflare Privacy Policy
- Render Services, Inc. (San Francisco, CA, USA) — Application hosting. Our application servers run on Render's infrastructure. Your data passes through and is processed on Render's servers. Render Privacy Policy
- Resend, Inc. (San Francisco, CA, USA) — Transactional email delivery. Resend processes your email address and name to deliver document emails, billing notifications, and account communications. Resend Privacy Policy
- Google LLC (Mountain View, CA, USA) — SSO authentication (for users who choose Google sign-in) and Google Analytics for website usage analytics. Google Privacy Policy
- Microsoft Corporation (Redmond, WA, USA) — SSO authentication for users who choose Microsoft sign-in. Microsoft Privacy Statement
- Meta Platforms, Inc. (Menlo Park, CA, USA) — Facebook Pixel for advertising measurement and conversion tracking. Meta Privacy Policy
- Innovation, Science and Economic Development Canada (ISED) (Ottawa, ON, Canada) — Federal corporate registry API. We query ISED's publicly accessible database to retrieve corporate information for federally incorporated corporations. Only the corporation number or name is transmitted in the query. ISED is a Government of Canada institution subject to the Privacy Act (R.S.C., 1985, c. P-21).
6.2 Other Disclosures
We may also disclose your personal information in the following limited circumstances:
- Legal requirements: Where required by law, regulation, court order, subpoena, or other legal process
- Protection of rights: Where necessary to protect our rights, property, or safety, or the rights, property, or safety of our users or the public
- Business transfers: In connection with a merger, acquisition, reorganization, or sale of assets, in which case the acquiring entity would be bound by this Privacy Policy with respect to your personal information. We will notify you before your personal information is transferred and becomes subject to a different privacy policy.
- With your consent: Where you have provided your express consent to a specific disclosure
7. Cross-Border Data Transfers
Important: Several of our third-party service providers are located in the United States. As a result, your personal information and Corporate Data may be transferred to, stored in, and processed in the United States. Specifically:
- Application hosting (Render) — United States
- File storage (Cloudflare R2) — United States
- Payment processing (Stripe) — United States
- Email delivery (Resend) — United States
- Authentication providers (Google, Microsoft) — United States
- Analytics and advertising (Google Analytics, Facebook Pixel) — United States
Under PIPEDA, an organization may transfer personal information to a third party in a foreign jurisdiction for processing, provided that the organization uses contractual or other means to ensure a comparable level of protection while the information is being processed by the third party (PIPEDA Principle 4.1.3). We have taken the following measures:
- We have entered into data processing agreements with our service providers that require them to protect your personal information to a standard comparable to Canadian law
- We conduct due diligence on our service providers' privacy and security practices
- We limit the personal information shared with each provider to the minimum necessary for their function
Please be aware that when your information is in the United States, it may be accessible to U.S. law enforcement and national security authorities under U.S. law (including the USA PATRIOT Act and the CLOUD Act). By using the Service, you acknowledge and consent to the transfer of your personal information to the United States for processing as described in this policy.
Quebec residents: Pursuant to Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25), we confirm that a privacy impact assessment has been conducted regarding the transfer of personal information outside Quebec, and that we have taken contractual measures to ensure adequate protection of your personal information in the receiving jurisdiction.
8. Data Retention
We retain your personal information and Corporate Data in accordance with the following retention periods:
- Active accounts: Your personal information and Corporate Data are retained for the duration of your active account.
- Generated documents: Your generated documents (PDFs and DOCX files) are stored on Cloudflare R2 for the duration of your subscription and for 90 days following account closure, after which they are permanently deleted.
- Account closure — personal information: Upon account closure, your personal information (name, email, preferences) is deleted within 30 days, except where retention is required by law.
- Billing records: Transaction records, invoices, and related financial data are retained for seven (7) years following the transaction date, as required by the Income Tax Act (R.S.C., 1985, c. 1 (5th Supp.)) and applicable tax regulations.
- Server logs: Technical server logs containing IP addresses and usage data are retained for 90 days and then automatically purged.
- Analytics data: Aggregated, anonymized analytics data may be retained indefinitely as it does not constitute personal information.
- Support correspondence: Emails and support requests are retained for two (2) years following resolution, unless a longer retention period is required for legal purposes.
When personal information is no longer required for the purposes for which it was collected, or when the applicable retention period has expired, we will securely destroy, erase, or anonymize the information in accordance with PIPEDA Principle 4.5.
9. Data Security
We take the security of your personal information seriously and employ industry-standard technical and organizational measures to protect it, including:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (256-bit encryption)
- Encryption at rest: Sensitive data stored in our databases and file storage is encrypted at rest
- Password security: User passwords are hashed using industry-standard cryptographic algorithms. We never store plaintext passwords.
- Access controls: Access to production data and systems is restricted to authorized personnel on a need-to-know basis
- Infrastructure security: Our hosting provider (Render) maintains physical and network security controls, including firewalls, intrusion detection, and regular security audits
- Secure authentication: We support SSO via Google and Microsoft, which provide their own robust security controls. Session tokens are managed securely.
- Regular updates: We regularly update our software dependencies and apply security patches
No method of electronic transmission or storage is 100% secure. While we take these precautions seriously, we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials and for any activity that occurs under your account.
10. Data Breach Notification
In the event of a breach of security safeguards involving personal information that creates a real risk of significant harm to individuals, we will:
- Notify affected individuals as soon as feasible after determining that a breach has occurred, in accordance with PIPEDA's breach notification requirements (Division 1.1, sections 10.1-10.3)
- Report the breach to the Office of the Privacy Commissioner of Canada as required by PIPEDA
- Notify any other organizations or government institutions that may be able to reduce the risk of harm to affected individuals
- Maintain records of every breach of security safeguards for at least 24 months, as required by PIPEDA
Breach notifications will include a description of the circumstances of the breach, the date or period of the breach, a description of the personal information involved, the steps we have taken to reduce the risk of harm, and contact information for further inquiries.
Quebec residents: Under Law 25, we will also notify the Commission d'accès à l'information du Québec (CAI) of any confidentiality incident involving personal information that presents a risk of serious injury.
11. Your Privacy Rights
11.1 Rights Under PIPEDA
Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the following rights regarding your personal information:
- Right of access: You may request a copy of the personal information we hold about you. We will provide this information within 30 days of receiving your request, at minimal or no cost.
- Right of correction: You may request that we correct any personal information that is inaccurate or incomplete. You may also correct most of your information directly through the Service.
- Right to deletion: You may request that we delete your personal information, subject to legal retention requirements (such as tax records). We will delete your information within 30 days of your request, except where we are legally required to retain it.
- Right to withdraw consent: You may withdraw your consent to the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawal of consent may affect our ability to provide the Service to you.
- Right to complain: If you are not satisfied with how we handle your personal information, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada.
11.2 Additional Rights for Quebec Residents
If you are a resident of Quebec, you have the following additional rights under Law 25:
- The right to data portability — to receive your personal information in a structured, commonly used technological format
- The right to be informed of automated decision-making processes that produce legal or similarly significant effects
- The right to de-indexation (right to be forgotten) in certain circumstances
11.3 Additional Rights for BC and Alberta Residents
If you are a resident of British Columbia or Alberta, your personal information is also protected under the applicable provincial Personal Information Protection Act (PIPA), which provides substantially similar rights to those described above under PIPEDA.
11.4 Exercising Your Rights
To exercise any of your privacy rights, contact us at support@minutekeep.ca. Please include sufficient information to verify your identity. We will respond to your request within 30 days. If we require additional time, we will notify you of the extension and the reasons for it.
12. Children's Privacy
MinuteKeep is a business service designed for adults managing corporate records. The Service is not intended for or directed at individuals under 18 years of age. We do not knowingly collect personal information from anyone under the age of 18.
If we become aware that we have collected personal information from an individual under 18, we will take steps to delete that information as quickly as possible. If you believe that we have inadvertently collected personal information from a minor, please contact us immediately at support@minutekeep.ca.
13. Do Not Track Signals
Some web browsers transmit "Do Not Track" (DNT) signals. There is currently no universally accepted standard for how websites should respond to DNT signals. At this time, we do not alter our data collection and use practices in response to DNT signals. If a standard is established in the future, we will review and update our practices accordingly.
14. Links to Third-Party Websites
The Service may contain links to third-party websites or services that are not owned or controlled by us. This Privacy Policy applies only to MinuteKeep. We are not responsible for the privacy practices of any third-party websites. We encourage you to review the privacy policies of any third-party sites you visit.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:
- Update the "Effective date" at the top of this page
- Notify you by email to the address associated with your account at least 30 days before the changes take effect
- Where required by PIPEDA or applicable provincial legislation, obtain your renewed consent for any new uses of your personal information
Your continued use of the Service after the updated Privacy Policy becomes effective constitutes your acceptance of the revised policy. If you do not agree with the changes, you must stop using the Service and close your account.
We encourage you to review this Privacy Policy periodically. Previous versions of this policy are available upon request.
16. Privacy Officer
In accordance with PIPEDA Principle 4.1, we have designated the following individual as responsible for our compliance with this Privacy Policy and applicable privacy legislation:
- Privacy Officer: Robert Onley
- Email: support@minutekeep.ca
- Mailing address: MinuteKeep, c/o Onley Law, 2 Simcoe Street South, Oshawa, Ontario, L1H 8C1, Canada
17. Complaints and Regulatory Contacts
If you have a privacy concern or complaint, please contact us first at support@minutekeep.ca. We will investigate and respond within 30 days.
If you are not satisfied with our response, you may contact the appropriate regulatory authority: