Legal Document

Canadian Clients

PIPEDA Compliance Statement

How MARKSMAN handles personal information belonging to Canadian residents and businesses under the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5

Last Updated: April 3, 2026 Effective: April 3, 2026 Governing Statute: PIPEDA, S.C. 2000, c. 5

Canadian Clients Only This Statement applies specifically to personal information belonging to individuals located in Canada that is collected and processed by MARKSMAN. It supplements the Privacy Policy and Terms of Service. If you are not a Canadian resident or business, refer to the Privacy Policy for applicable terms.

Scope and Application

1.1 PIPEDA Coverage. The Personal Information Protection and Electronic Documents Act S.C. 2000, c. 5 ("PIPEDA") governs the collection, use, and disclosure of personal information in the course of commercial activities in Canada. PIPEDA applies to MachenTagar Research Institute LLC's handling of personal information belonging to Canadian residents and businesses in the context of our commercial operations.

1.2 What Constitutes Personal Information. Under PIPEDA, "personal information" means information about an identifiable individual. In the context of MARKSMAN, this includes:

account holder names, email addresses, phone numbers, and mailing addresses;
billing and payment information associated with a Canadian subscriber;
any personal information about the subscriber's own customers that the subscriber submits to the Platform (in encrypted form).

1.3 Business Contact Information. PIPEDA does not cover business contact information used solely to communicate in a business-to-business context (e.g., a business name, business telephone number, or business title). Such information falls outside PIPEDA's personal information definition.

1.4 Dual Role. In relation to subscriber-facing personal information (account and billing data), MARKSMAN acts as a data controller. In relation to subscriber customers' personal information stored in the Platform, MARKSMAN acts as a data processor on the subscriber's behalf.

Our Accountability

2.1 Designated Privacy Officer. MachenTagar Research Institute LLC has designated a Privacy Officer responsible for the Company's compliance with PIPEDA. The Privacy Officer oversees the implementation of this Statement, responds to access and correction requests, investigates complaints, and conducts periodic reviews of privacy practices.

2.2 Contact. The Privacy Officer can be reached at: [email protected]

2.3 Third-Party Accountability. Where we transfer personal information to third-party service providers (such as Stripe and Cloudflare) for processing on our behalf, we hold those providers accountable through contractual data processing agreements that require privacy protections at least equivalent to our own.

The Ten PIPEDA Principles

Schedule 1 of PIPEDA sets out ten fair information principles. The following explains how MARKSMAN implements each principle:

Principle 1

Accountability

We are responsible for all personal information under our custody or control, including information shared with our third-party processors. Our designated Privacy Officer is accountable for PIPEDA compliance. Contractual obligations flow down to processors (Stripe, Cloudflare).

Principle 2

Identifying Purposes

We identify the purposes for collecting personal information before or at the time of collection. Purposes are documented in our Privacy Policy (Section 4) and this Statement. We do not collect personal information for undisclosed purposes.

Principle 3

Consent

We obtain meaningful consent — express or implied — for the collection, use, and disclosure of personal information. By creating a MARKSMAN account and accepting our Terms of Service and Privacy Policy, you provide express consent to collection and use as described therein. You may withdraw consent subject to legal and contractual restrictions, which may result in termination of your Subscription.

Principle 4

Limiting Collection

We collect only the personal information necessary for the identified purposes. We do not collect personal information indiscriminately. Account information, billing data, and usage metadata are collected because they are operationally necessary. We do not read the contents of your encrypted Client Content — collection at the content level is technically impossible under our zero-knowledge architecture.

Principle 5

Limiting Use, Disclosure, and Retention

Personal information is used only for the purposes identified at collection, unless you consent to a new purpose or the new use is required by law. We do not disclose personal information to third parties except as described in the Privacy Policy (Section 6). We retain personal information only as long as necessary to fulfill identified purposes or as required by law. Our retention schedule is set out in Privacy Policy Section 9.

Principle 6

Accuracy

We maintain personal information in as accurate, complete, and up-to-date a form as necessary for the purposes for which it is used. You may update your account information at any time through your account settings. We do not independently verify the accuracy of information you provide; it is your responsibility to keep your account details current.

Principle 7

Safeguards

We protect personal information with security safeguards appropriate to the sensitivity of the information, including: AES-256-GCM zero-knowledge encryption for Client Content; TLS/HTTPS for all data in transit; per-user data isolation; access controls; Cloudflare security infrastructure; and periodic security assessments. See Privacy Policy Section 14 for full details.

Principle 8

Openness

We make our privacy policies and practices readily available. This PIPEDA Compliance Statement, our Privacy Policy, and our Terms of Service are all publicly accessible at getmarksman.ca. Our Privacy Officer is accessible at [email protected]. We describe our information management practices in plain language.

Principle 9

Individual Access

Upon written request, we will tell you what personal information we hold about you, how it is being used, and to whom it has been disclosed. We will respond within thirty (30) calendar days or provide a written explanation of any extension or refusal, as required by PIPEDA. We may require identity verification before fulfilling an access request. See Section 6 of this Statement for how to submit a request.

Principle 10

Challenging Compliance

You may challenge our compliance with PIPEDA by filing a complaint with our Privacy Officer. If the matter is not resolved to your satisfaction, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada. See Section 9 of this Statement for the complaint process.

Cross-Border Transfers to the United States

US Storage — PIPEDA Notice Personal information you provide to MARKSMAN is transferred to and stored in the United States, where it may be subject to access by US law enforcement and regulatory authorities under US law. By subscribing to MARKSMAN, you consent to this transfer.

4.1 Transfer Circumstances. MachenTagar Research Institute LLC is incorporated in Wyoming, USA. Platform infrastructure, account information, billing records, and usage metadata are stored in the United States. This constitutes a cross-border transfer of personal information within the meaning of PIPEDA.

4.2 Accountability Upon Transfer. PIPEDA requires that we remain accountable for personal information transferred to third parties for processing, including those located outside Canada. We maintain this accountability by:

entering into contractual data processing agreements with all processors that impose privacy obligations at least equivalent to our own;
selecting processors with established privacy programs and security certifications (e.g., Stripe's SOC 2 compliance; Cloudflare's global security infrastructure); and
monitoring our processors' compliance on an ongoing basis.

4.3 US Law Enforcement Access. Canadian subscribers should be aware that personal information stored in the United States may be subject to lawful access by US federal agencies under the USA PATRIOT Act, FISA orders, and other US national security legislation, without notice to you or to us. This is beyond our control.

4.4 Zero-Knowledge Mitigation. The Client Content you store on the Platform is protected by zero-knowledge AES-256-GCM encryption. Even if US authorities compel us to produce encrypted data, we cannot provide decrypted content because we do not hold your encryption keys. This architecture provides meaningful protection for the substantive content of your business records, though it does not protect metadata (account details, billing records, usage logs).

Breach Notification

5.1 Applicable Standard. PIPEDA's breach notification provisions PIPEDA, Part 1, Div. 1.1 require organizations to notify the Office of the Privacy Commissioner of Canada (OPC) and affected individuals of any breach of security safeguards involving personal information that creates a "real risk of significant harm" to affected individuals.

5.2 Our Notification Commitment. If we determine that a security breach involving your personal information creates a real risk of significant harm, we will:

notify the OPC as soon as feasible after determining that a reportable breach has occurred;
notify you directly as soon as feasible, by email to your registered address, with a description of the breach, the personal information involved, the steps we have taken or plan to take to address the breach, and recommendations for steps you may take to reduce your risk of harm; and
maintain a record of all breaches involving personal information for a minimum of twenty-four (24) months, as required by the Breach of Security Safeguards Regulations.

5.3 Zero-Knowledge Limitation. In the event of a breach of our encrypted storage infrastructure, the Company cannot read the contents of encrypted Client Content. Any breach of encrypted storage would expose only ciphertext. We will nonetheless assess the risk presented by any ciphertext exposure and notify as required.

Your Rights Under PIPEDA

As a Canadian resident whose personal information we hold, PIPEDA gives you the following rights:

6.1 Right of Access. You have the right to request access to personal information we hold about you and information about how we have used and disclosed it. We will respond within thirty (30) calendar days. We may charge a minimal fee for providing access in certain circumstances, of which we will give you advance notice.

6.2 Right to Challenge Accuracy. If you believe that personal information we hold about you is inaccurate, incomplete, or out of date, you have the right to request correction. We will amend the information as required, or note your requested amendment and our reasons for not making it.

6.3 Limitations. We may decline to provide access to personal information if doing so would reveal confidential commercial information about our systems or other clients, or where access is restricted by law. We will inform you of any refusal and provide a brief explanation as required by PIPEDA s. 9.

6.4 How to Submit a Request. All access, correction, and rights requests must be submitted in writing to:

Privacy Officer, MachenTagar Research Institute LLC
Email: [email protected]

Please include your full name, email address registered to your MARKSMAN account, and a description of the information requested or the correction sought. We may require identity verification before processing your request.

Zero-Knowledge Architecture and PIPEDA

Important Interaction Between Encryption and Your PIPEDA Rights Our zero-knowledge encryption architecture affects how we can respond to certain PIPEDA requests. We can respond to requests about account and billing information. We cannot respond to requests about the contents of your encrypted Client Content — because we cannot read it.

7.1 What We Can Access. For PIPEDA access request purposes, we can provide you with:

your account registration information (name, email, business name, billing address);
your subscription and billing history;
usage metadata logs associated with your account;
records of any communications with our support team; and
records of disclosures we have made of your personal information to third parties.

7.2 What We Cannot Access. We cannot access, retrieve, or provide the contents of your encrypted Client Content (invoices, financial records, documents, client records, etc.) because we do not hold decryption keys. This is not a refusal — it is a technical impossibility. The zero-knowledge architecture that protects your business data also means that we cannot produce that data in response to PIPEDA requests.

7.3 PIPEDA Principle 4 Interaction. The zero-knowledge architecture directly implements PIPEDA Principle 4 (Limiting Collection). Because we have designed the system so that we technically cannot access Client Content, we have not collected personal information at the content level. Only metadata is available to us and therefore subject to PIPEDA obligations.

MARKSMAN Clients as Data Controllers for Their Customers

8.1 Your Obligations. If you are a MARKSMAN subscriber who uses the Platform's CRM, invoicing, or client management features to store personal information about your own customers, you are the data controller for that personal information under PIPEDA. You are responsible for:

obtaining all necessary consents from your customers for the collection and use of their personal information;
ensuring your own privacy policy accurately describes how you handle your customers' personal information;
responding to your customers' PIPEDA access, correction, and deletion requests;
complying with PIPEDA's breach notification obligations with respect to breaches affecting your customers' data; and
not submitting personal information to the Platform that you are not legally authorized to process.

8.2 Our Role as Data Processor. In relation to your customers' personal information stored on the Platform, we act as a data processor — we process it only at your direction and for the purpose of providing the Platform's services to you. We do not use your customers' personal information for our own purposes (and cannot access it in any event due to zero-knowledge encryption).

8.3 Data Processing Agreement. These Terms of Service and Privacy Policy together constitute the data processing agreement between you (as data controller) and MARKSMAN (as data processor) for the purposes of your customers' personal information. If your business requires a separate formal Data Processing Agreement (DPA) for compliance purposes, contact [email protected].

Filing a Complaint

9.1 Internal Complaint Process. If you believe MARKSMAN has violated your rights under PIPEDA, we encourage you to first contact our Privacy Officer so we can attempt to resolve the matter directly:

Privacy Officer
MachenTagar Research Institute LLC
Email: [email protected]

We will acknowledge receipt of your complaint within five (5) business days and provide a substantive response within thirty (30) calendar days. If additional time is required, we will notify you in writing with an estimated response timeline.

9.2 Office of the Privacy Commissioner of Canada. If you are not satisfied with our response, or if we fail to respond within the required timeline, you have the right under PIPEDA s. 11 to file a complaint with the Office of the Privacy Commissioner of Canada (OPC):

Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec K1A 1H3
Toll-free: 1-800-282-1376
TTY: 1-613-947-1185
Website: www.priv.gc.ca
Online complaints: www.priv.gc.ca/en/report-a-concern/

9.3 Federal Court. Following an OPC investigation, if you are not satisfied with the outcome, you may apply to the Federal Court of Canada for a hearing under PIPEDA s. 14.

Contact Us

For all PIPEDA-related inquiries — access requests, corrections, complaints, or questions about this Statement:

MachenTagar Research Institute LLC
Attn: Privacy Officer
Email: [email protected]
Platform: getmarksman.ca

This Statement is reviewed annually and updated as required to reflect changes in our practices or legal requirements. The most current version will always be available at getmarksman.ca/pipeda.