Privacy Policy

Last updated: 2026-05-01.

Northhaven Immigration ("Northhaven", "we", "us", or "our") respects the privacy of clients, prospective clients, and visitors to our website. This Privacy Policy explains what personal information we collect, how we use it, the lawful basis for processing, how long we retain it, who we share it with, and the rights you have under Canadian privacy law.

Information We Collect

We collect personal information in three contexts.

Information you provide directly

• Identifying information: name, date of birth, citizenship, immigration history.
• Contact information: email, phone number, postal address.
• Eligibility information: education, work experience, language test results, family composition.
• Documentary information: passport, certificates, references, financial records, where required for an immigration file.
• Engagement information: signed retainer agreements, fee payments, communications with our team.

Information you provide through the Eligibility Quiz

• Answers to the quiz questions you choose to submit.
• Your email address only if you choose to receive your result by email or forward it to us.

Information we collect automatically

• Standard server logs from our hosting provider (IP address, browser type, request timestamps).
• Privacy-respecting analytics that record which pages are visited but do not identify you personally.

How We Use Personal Information

• To provide immigration consulting services pursuant to a signed engagement letter.
• To respond to inquiries and schedule discovery calls.
• To deliver the result of the Eligibility Quiz.
• To meet our regulatory obligations to the College of Immigration and Citizenship Consultants.
• To comply with legal and tax obligations.
• To improve the website and service experience.

Lawful Basis

We process personal information on one or more of the following bases:

• Performance of a contract (the engagement letter).
• Consent (you have asked us to send you something or to assess your eligibility).
• Legal obligation (CICC regulatory requirements, tax, anti-money-laundering).
• Legitimate interest (operational security, anti-fraud, service improvement) where it does not override your rights.

Retention

• Active client files: retained for the duration of the engagement plus seven years following file closure, in line with CICC record-keeping requirements.
• Prospective client information (Eligibility Quiz responses, discovery call notes for cases that did not engage): retained for 24 months and then deleted, unless you request earlier deletion.
• General website inquiries: retained for 24 months.
• Financial records: retained for the period required by Canadian tax law (typically six years).

Third-Party Processors

We use a small set of vetted third-party services to operate our business. We share only the minimum data necessary and only for the purposes below.

• Hosting: Vercel (United States) — hosts the public website.
• Email delivery: Resend — delivers transactional emails (quiz results, scheduling confirmations, engagement-related correspondence).
• AI image generation (branding only): kie.ai — used exclusively to generate generic brand illustrations and headshots. No client data is ever sent to kie.ai.
• Case management and document storage: secure cloud storage with encryption at rest and in transit. Specific provider disclosed in the engagement letter.

We do not sell personal information. We do not share personal information with third parties for marketing purposes.

Your Rights

Under PIPEDA you have the right to:

• Access the personal information we hold about you.
• Correct inaccurate or incomplete information.
• Delete information that we no longer need to retain (subject to regulatory and legal retention requirements).
• Portability — receive a copy of your information in a structured format.
• Withdraw consent for processing where consent is the basis (subject to existing engagement obligations).
• Complain to the Office of the Privacy Commissioner of Canada if you believe we have not handled your information properly.

To exercise any of these rights, contact our privacy officer using the details below.

Security

We use industry-standard technical and organizational measures to protect personal information: encryption in transit (TLS) and at rest, role-based access controls, multi-factor authentication for staff accounts, and a principle of least privilege for case access. Despite these measures, no system is perfectly secure. We will notify affected individuals and the OPC promptly in the event of a material breach involving personal information.

International Transfers

Our hosting and some processors operate in jurisdictions outside Canada (primarily the United States). When data is transferred internationally, we rely on contractual safeguards with our processors to ensure protections substantially equivalent to those required under PIPEDA.

Cookies

The website uses essential cookies for session continuity and analytics cookies in privacy-respecting mode. We do not use third-party advertising trackers.

Updates to This Policy

We may update this policy from time to time. The "last updated" date at the top of this page indicates the most recent revision. Material changes will be communicated to active clients directly.

Contact — Privacy Officer

To exercise rights, ask questions, or raise concerns about how Northhaven handles personal information, contact our privacy officer through the contact details on the Contact page. We respond to all privacy inquiries within 30 days.