Privacy Policy

Last updated: 18 June 2025

This policy applies to BraveHeart First Aid Incorporated ("BraveHeart," "we," "us," "our") and all training courses and related services we deliver, whether certified through BraveHeart's proprietary programmes, the Canadian Red Cross, Rescue 7, or any future recognised certification body (collectively the "Certification Bodies").

1-Purpose & Scope

This policy explains what personal information we collect, why we collect it, how we protect it, and the rights of learners, clients, contractors and employees.

It satisfies:

the confidentiality & privacy obligations set out by the Certification Bodies;
Canada's federal Personal Information Protection and Electronic Documents Act ("PIPEDA"); and
any applicable provincial statutes (e.g., Nova Scotia's Personal Information International Disclosure Protection Act).

2-What We Collect

  
      Category
      Examples
      Source
    
      Identification
      Name, course-certificate number
      Course roster, enrolment form
    
      Contact details
      Email, phone, mailing address
      Booking form, customer-support interactions
    
      Training data
      Course type, completion status, assessment results, expiry/recertification dates
      Instructor uploads
    
      Payment info
      Card token or e-Transfer confirmation (processed by PCI-compliant gateway; we never store full card numbers)
      Secure checkout
    
      Accessibility / medical notes (optional)
      Information provided by the learner for accommodation
      Learner or parent/guardian
    
      Employment data (staff & contractors)
      Resume, credentials, police-records checks
      HR onboarding

Note: We do not intentionally collect information from children under 13 unless a parent or guardian provides consent.

3-Why We Use Personal Information

Deliver and administer courses – register learners, verify prerequisites, issue certificates, upload rosters, send recertification reminders.
Comply with law & Certification-Body standards – mandatory record-keeping, insurance audits, incident reporting.
Process payments and refunds through accredited processors.
Provide learner support – answer enquiries, send course materials, arrange accessibility accommodations.
Quality assurance & improvement – anonymised analytics and post-course surveys.
Marketing – only with express, revocable consent (opt-in during booking).

BraveHeart will never sell or trade personal information.

4-Sharing & Disclosure

We disclose data only on a need-to-know basis:

  
      Recipient
      Purpose
      Safeguard
    
      Canadian Red Cross, Rescue 7, or any other accredited Certification Body
      Course validation, certificate issuance, programme statistics
      Secure portals, contractual confidentiality
    
      Payment processor (e.g., Stripe, Moneris)
      Transaction completion
      PCI-DSS contracts
    
      Insurers / legal counsel
      Claims defence, compliance
      NDAs & confidentiality undertakings
    
      Government & regulators
      Occupational-health, tax or lawful compliance
      As required by law
    
      IT service providers (cloud hosting, CRM)
      Booking system, email delivery, secure data storage
      Data-processing agreements; servers located in Canada or jurisdictions with comparable protections

No cross-border transfer occurs unless the third-party provider offers PIPEDA equivalent safeguards and contractual Standard Contractual Clauses.

5-Retention & Destruction

  
      Record
      Minimum retention
      Rationale
    
      Course rosters & certification data
      7 years from course end
      Certification-Body audit & recertification cycles
    
      Payment records
      7 years
      CRA tax obligations
    
      Incident / insurance files
      10 years or until claim closed
      Limitation periods
    
      HR & instructor files
      Duration of engagement + 7 years
      Employment legislation

After expiry, records are securely destroyed: digital files are irretrievably erased; paper is cross-shredded and pulped.

6-Security Measures

Physical – locked filing cabinets; controlled office entry.
Administrative – role-based access; confidentiality agreements for staff & contractors.
Technical – AES-256-encrypted cloud storage; TLS 1.3 transport encryption; multi-factor authentication on admin accounts; daily off-site backups.
Incident response – breach-notification procedure within 72 hours to affected individuals and the Office of the Privacy Commissioner of Canada where required.

7-Individual Rights

Individuals may request access, correction or deletion of their personal information:

Submit a written request to the Privacy Officer (details below).
We respond within 30 days, verifying identity first.
Corrections are made promptly; deletions are honoured unless records must be retained by law or Certification-Body requirements.
Complaints can be directed to the Privacy Officer or escalated to the Office of the Privacy Commissioner of Canada.

8-Cookies & Online Tracking

Our website uses session cookies and privacy-respecting analytics to improve usability. Data are aggregated and de-identified; IP-anonymisation is enabled. You may disable cookies via your browser settings without affecting course registration.

9-Policy Governance

Accountability: Eli Castson (Owner/CEO) is designated Privacy Officer.
Review cycle: Annual review each June or sooner if Certification-Body requirements or legislation change.
Version control: Previous versions are archived for audit purposes.

Contact Information

Privacy Officer

BraveHeart First Aid Incorporated

Email: privacy@braveheartfirstaid.ca

Phone: 902-670-1383

Mail: 9049 Commercial Street, Suite 2000
New Minas, NS B4N 5A4