Privacy Policy

Last Updated: March 15, 2026

1. Introduction

Bastion Assessments Inc. ("we," "our," or "us") is committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services.

We comply with applicable Canadian privacy legislation, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial privacy laws such as the Personal Information Protection Act (PIPA). For clients in the United States, we adhere to applicable state privacy laws.

2. Information We Collect

2.1 Information You Provide Directly

When you use our services, we collect information you voluntarily provide, including:

  • Contact information (name, email address, phone number, practice name)
  • Practice details (location, size, software systems used)
  • Business information submitted through our intake forms
  • Files and documents you upload (policies, procedures, organizational charts)
  • Communications with us (emails, support requests)

2.2 Information We Do NOT Collect

We never collect, access, store, or process Protected Health Information (PHI) or patient data. Our entire service model is designed to assess your HIPAA readiness without ever touching patient information.

2.3 Automatically Collected Information

When you visit our website, we automatically collect certain technical information, including:

  • IP address and general location (city/region level)
  • Browser type and version
  • Device information (type, operating system)
  • Pages visited and time spent on our site
  • Referring website or source

3. How We Use Your Information

We use your personal information only for the following purposes:

  • Service Delivery: To conduct your HIPAA Security Rule Risk Assessment, provide your remediation roadmap, and deliver policy templates
  • Communication: To respond to your inquiries, schedule debrief calls, and provide email support
  • Improvement: To improve our services, website functionality, and user experience
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes
  • Business Operations: To manage our business operations, including billing and record-keeping

We will never sell, rent, or trade your personal information to third parties for marketing purposes.

4. How We Share Your Information

We may share your personal information only in the following limited circumstances:

  • Service Providers: With trusted third-party service providers who assist us in operating our website, conducting our business, or servicing you. Our current service providers are:
    • OpenAI: AI-powered risk analysis engine (via API) — United States
    • Google Workspace: Business email, document storage, calendar scheduling — United States
    • Stripe: Payment processing — United States
    • Resend: Transactional email delivery (e.g., confirmations, notifications) — United States
    • Manus: Website hosting and AI-assisted operational workflows — United States
    • DocuSign: Electronic signature for service agreements — United States
    These providers are contractually obligated to protect your information and use it only for the purposes we specify.
  • Legal Requirements: When required by law, court order, or government regulation, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business Transfers: In connection with a merger, acquisition, or sale of all or a portion of our business, provided the receiving party agrees to treat your information in accordance with this Privacy Policy.

We do not share your information with third parties for their own marketing purposes.

4A. Payment Processing

All payment transactions are processed securely by Stripe, Inc. Bastion Assessments Inc. does not store, process, or have access to your full credit card information. Payment data is transmitted directly to Stripe via encrypted connection and is subject to Stripe’s Privacy Policy and PCI-DSS compliance standards.

5. Data Security

We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (HTTPS/TLS)
  • Encryption of data at rest
  • Access controls and authentication
  • Regular security assessments and updates
  • Secure file storage and transmission protocols
  • Client documents processed locally on encrypted systems (not stored in third-party cloud services)

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

6. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Specifically:

  • Active Client Data: Retained for the duration of our service relationship and for 30 days of email support thereafter
  • Business Records: Retained for 7 years in accordance with Canadian business record-keeping requirements
  • Marketing Communications: Retained until you unsubscribe or request deletion

When personal information is no longer needed, we securely delete or anonymize it.

7. Your Rights

Under PIPEDA, PIPA, and applicable US state laws, you have the following rights regarding your personal information:

  • Access: You have the right to request access to the personal information we hold about you
  • Correction: You have the right to request correction of inaccurate or incomplete personal information
  • Deletion: You have the right to request deletion of your personal information, subject to legal retention requirements
  • Withdrawal of Consent: You have the right to withdraw your consent to our use of your personal information at any time (though this may affect our ability to provide services)
  • Portability: You have the right to request a copy of your personal information in a structured, commonly used format
  • Complaint: You have the right to file a complaint with the Office of the Privacy Commissioner of Canada or your local privacy authority

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.

8. Cookies and Tracking Technologies

Our website uses minimal tracking technologies to improve user experience and analyze website traffic:

  • Essential Cookies: Required for website functionality (e.g., session management)
  • Analytics: We use Manus built-in analytics to understand how visitors use our site (aggregated data only, no personal identification). We do not use Google Analytics or other third-party tracking services.

We do not use third-party advertising cookies or tracking pixels. We honor Global Privacy Control (GPC) signals. You can control cookies through your browser settings.

9. International Data Transfers

Bastion Assessments Inc. is based in Alberta, Canada. Our third-party service providers, including OpenAI, Google, and Stripe, process data on servers located in the United States. As our services are provided exclusively to clients in the United States, your information is processed in the same jurisdiction. We ensure all third-party providers maintain appropriate security measures to protect your information.

10. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information promptly.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the updated policy on our website with a new "Last Updated" date. Your continued use of our services after such changes constitutes your acceptance of the updated Privacy Policy.

12. Automated Decision-Making and AI

We use artificial intelligence (AI) technology provided by OpenAI to assist in analyzing public websites and redacted documents you provide as part of our HIPAA readiness assessment services. This AI analysis helps us identify potential compliance gaps and generate recommendations more efficiently.

Important clarifications:

  • AI is used only to analyze publicly available information and documents you provide that have been redacted of all PHI and sensitive personal information
  • No automated decisions are made about you, your practice, or your compliance status without human review
  • All final assessments, recommendations, and deliverables are reviewed and approved by qualified human consultants
  • You have the right to request human review of any AI-generated analysis

13. California and Multi-State Privacy Rights

If you are a resident of California, Colorado, Connecticut, Virginia, Utah, Montana, Oregon, Texas, Nevada, Indiana, Kentucky, Rhode Island, or another state with comprehensive privacy legislation, you have additional rights under your state's privacy law.

California Residents (CCPA/CPRA)

Categories of Personal Information We Collect:

  • Identifiers: Name, email address, phone number, IP address
  • Commercial Information: Practice details, service inquiries, transaction history
  • Internet Activity: Website browsing behavior, pages visited
  • Professional Information: Practice name, location, role, business details

We do NOT collect sensitive personal information as defined by the CCPA, including Social Security numbers, driver's license numbers, financial account information, precise geolocation, health information, or biometric data.

Sale or Sharing of Personal Information: We do NOT sell or share your personal information for cross-context behavioral advertising or any other purpose. We do not sell or share personal information of minors under 16 years of age.

Your California Rights:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we collect
  • Right to Delete: Request deletion of your personal information (subject to legal exceptions)
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt-out of the sale or sharing of your personal information (not applicable as we don't sell/share)
  • Right to Limit: Limit the use of sensitive personal information (not applicable as we don't collect it)
  • Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your privacy rights

To exercise these rights, contact us at [email protected]. We will verify your identity and respond within 45 days.

Other State Residents

If you reside in another state with comprehensive privacy legislation, you may have similar rights to access, correct, delete, and port your personal information. Contact us using the information in Section 14 below to exercise your rights under your state's law.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact our Privacy Officer:

Privacy Officer: Justin Crossman, Principal

Email: [email protected]

Mailing Address: 6497 King Wynd SW, Edmonton, AB T6W 3Z9

For privacy-specific inquiries or to exercise your rights under applicable privacy legislation, please email [email protected] with the subject line “Privacy Inquiry.”

Consent

By using our website and services, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our website or services.