PIPEDA Compliance
How Cram upholds Canada's federal privacy law
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal private-sector privacy law. As a Canadian company handling sensitive financial data on behalf of accounting firms and their clients, PIPEDA compliance is foundational to how we build Cram — not an afterthought.
PIPEDA is built around ten Fair Information Principles, which set out the obligations of organizations that collect, use, or disclose personal information in the course of commercial activities. Below, we explain how each principle applies to Cram.
Last updated: March 22, 2026 — Cram Inc., Ontario, Canada
The 10 PIPEDA Fair Information Principles
Accountability
Cram Inc. is accountable for all personal information in its control. We have designated a Privacy Officer who is responsible for our compliance with PIPEDA. Our Privacy Officer can be reached at privacy@clientbook.ca.
Identifying Purposes
We identify the purposes for collecting personal information before or at the time of collection. We only collect what is necessary to provide the Service — for example, account registration details, client contact information, and files uploaded to the platform.
Consent
We obtain meaningful consent from individuals for the collection, use, or disclosure of their personal information. Consent may be withdrawn at any time by contacting privacy@clientbook.ca, subject to legal and contractual restrictions.
Limiting Collection
We collect only the information necessary to fulfill the identified purposes. We do not collect information indiscriminately. If we wish to use personal information for a new purpose, we obtain fresh consent before doing so.
Limiting Use, Disclosure, and Retention
Personal information is used only for the purposes for which it was collected. We do not sell your data. We retain data only as long as necessary to fulfill those purposes, and delete it securely upon account closure within 90 days.
Accuracy
We keep personal information as accurate, complete, and up-to-date as necessary for the purposes for which it is to be used. You can review and update your account information at any time from your Settings page.
Safeguards
We protect personal information with security safeguards appropriate to the sensitivity of the information — including 256-bit AES encryption at rest, TLS 1.3 in transit, role-based access controls, and annual independent security reviews.
Openness
Our privacy practices are documented and available to anyone. We are transparent about how we handle your data, who we share it with, and how long we keep it. Our Privacy Policy is available at clientbook.ca/privacy.
Individual Access
Upon written request, we will provide individuals with access to the personal information we hold about them within 30 days. We will also explain how the information is being used and to whom it has been disclosed. Contact privacy@clientbook.ca to make a request.
Challenging Compliance
Individuals can challenge our compliance with PIPEDA by contacting our Privacy Officer at privacy@clientbook.ca. We will investigate all complaints and respond promptly. If a complaint is found to be justified, we will take appropriate corrective measures. If unresolved, you may contact the Office of the Privacy Commissioner of Canada.
Data Residency
All data processed by Cram is stored in data centres located in Canada or the United States with appropriate data transfer agreements in place, including standard contractual clauses where required. We ensure that any cross-border transfer of personal information is subject to comparable privacy protections.
We are actively working toward 100% Canadian data residency for the core Cram platform. If data residency is a specific requirement for your firm, please contact us at privacy@clientbook.ca to discuss your options.
Contact & Resources
For questions about our privacy practices or to exercise your rights under PIPEDA, please contact our Privacy Officer:
- Privacy Officer, Cram Inc. — privacy@clientbook.ca
- Office of the Privacy Commissioner of Canada — priv.gc.ca
You may also review our full Privacy Policy and our Security overview.