Privacy Policy

Privacy Policy

Effective date: 2026-05-23 · Last updated: 2026-05-23 · Version française

ValveAtlas Industrial Solutions Inc. (“ValveAtlas”, “we”, “our”, “us”) respects your privacy and is committed to protecting personal information that we collect, use, and disclose. This Privacy Policy explains our practices when you interact with valve-atlas.com, communicate with us, or deal with us as a customer, supplier, or business partner.

Privacy Officer
Burak Padır, Owner — designated Privacy Officer pursuant to PIPEDA Schedule 1, Principle 4.1 and Quebec Act respecting the protection of personal information in the private sector, s. 3.1
ValveAtlas Industrial Solutions Inc.
27 Bathurst St, Suite 416W, Toronto, ON M5V 0R1, Canada
Telephone: +1 (647) 553-7109
Email: info@valve-atlas.com (subject line “Privacy”)

1. Scope and Application

This Policy applies to personal information that ValveAtlas collects in the course of its commercial activities as a Canadian B2B wholesale distributor of industrial valves, fire-protection equipment, HVAC components, and piping serving Canada, the United States, and the United Kingdom.

1.1 Business contact information exemption. Pursuant to PIPEDA s. 4.01, this Policy does not apply to business contact information (name, position, employer, work address, work telephone, work email) that we collect, use, or disclose solely for the purpose of communicating with you in relation to your employment, business, or profession. Most of the information we handle in our wholesale operations falls within this exemption.

1.2 Out of scope. This Policy does not cover third-party websites linked from our site (the privacy practices of those sites are governed by their own policies), nor does it apply to information collected for journalistic, artistic, or literary purposes (PIPEDA s. 4(2)(c)).

2. Information We Collect

  • Business contact information (PIPEDA s. 4.01): name, job title, employer, work address, work email, work telephone — collected when you submit a quote request, place an order, or sign up for our newsletter.
  • Account and transaction information: order history, quotes, invoices, payment method on file (we do not store full payment-card numbers — these are tokenized by our payment processor), credit terms and account balance.
  • Technical and usage information: IP address, device type, browser, pages viewed, time on site, referring sources, cookies (see our Cookie Policy). We use Google Analytics 4 with IP anonymization, Microsoft Clarity for session recording, and HubSpot for marketing automation. Use of these tools is described in §3 below.
  • Communications: emails, web-form inquiries, call notes where lawfully recorded, support tickets.
  • Information from third parties: business directories, credit-bureau commercial credit reports (with your written consent on credit application), publicly available registries — used for credit evaluation and fraud prevention.

2.1 What we do not collect: we do not knowingly collect biometric data, genetic data, religious beliefs, political opinions, union membership, sexual orientation, criminal-history information beyond what is volunteered in customer credit applications, or personal information of minors. We do not store full payment-card numbers on our servers (PCI-DSS scope is limited to our payment processor).

3. Purposes and Legal Basis for Processing

  • Performance of contract (PIPEDA Schedule 1 Principle 4.3 / GDPR Art. 6(1)(b)): processing orders, issuing quotes and invoices, delivering products, providing post-sale support, handling RMAs.
  • Legal obligations (PIPEDA Principle 4.3.4 / GDPR Art. 6(1)(c)): tax recordkeeping (six years per Income Tax Act R.S.C. 1985, c. 1 (5th Supp.) s. 230), customs and trade-compliance records, breach-record retention (PIPEDA s. 10.3 — minimum 24 months).
  • Legitimate business interests (GDPR Art. 6(1)(f)): site improvement, fraud prevention, system security, B2B contact with existing customers within the meaning of CASL s. 10(9) (existing business relationship — purchase within the prior 24 months).
  • Consent (PIPEDA Schedule 1 Principle 4.3 / GDPR Art. 6(1)(a) / CASL s. 6): express opt-in for commercial electronic messages outside an existing business relationship; consent for non-essential cookies as recorded by our cookie banner.

3.1 Use of analytics processors. Google Analytics 4 (Google LLC, USA — IP anonymization enabled), Microsoft Clarity (Microsoft Corporation, USA — session recording with masking of input fields), and HubSpot (HubSpot Inc., USA — marketing automation and CRM). These processors act on our instructions under their published privacy terms. We do not combine their outputs with on-site identifiers in a way that profiles individuals for automated decision-making (Quebec Law 25 s. 12.1).

4. CASL — Commercial Electronic Messages

If you receive marketing emails from us, you have either (a) given express consent through our newsletter signup or quote-request form (CASL s. 10), or (b) we are relying on implied consent arising from an existing business relationship as defined in CASL s. 10(9) — typically a purchase, lease, or contract within the previous 24 months, or an inquiry within the previous 6 months. Every commercial electronic message we send includes a clearly-displayed unsubscribe mechanism. To unsubscribe immediately, click the link at the bottom of any email or contact us at info@valve-atlas.com. We honour unsubscribe requests within ten (10) business days as required by CASL s. 11(3).

5. How We Share Information

We share personal information only with the following categories of recipient, and only to the extent necessary for the stated purpose:

  • Service providers bound by contract to confidentiality and security obligations: web hosting (Canada / US), payment processors, shipping carriers, accounting and legal advisors, analytics processors (see §3.1).
  • Manufacturers when necessary to process a warranty claim, technical inquiry, or product registration.
  • Public authorities when required by law (e.g., subpoenas under Canada Evidence Act, customs inquiries, court orders) — disclosure without consent under PIPEDA s. 7(3)(c).
  • Successors in the event of merger, acquisition, or sale of all or part of our business, subject to PIPEDA s. 7.2 and Quebec Law 25 s. 18.4 confidentiality undertakings.
  • With your consent for any other purpose.

5.1 No sale of personal information. We do not “sell” personal information within the meaning of the California Consumer Privacy Act (Cal. Civ. Code §1798.140(t)), nor do we “share” personal information for cross-context behavioral advertising within the meaning of the California Privacy Rights Act (Cal. Civ. Code §1798.140(ah)).

6. International Data Transfers

Some of our processors are located outside Canada, principally in the United States and the European Union. When personal information is transferred outside Canada it may be subject to the laws of the receiving jurisdiction, including lawful access by foreign public authorities. We rely on contractual safeguards (data processing addenda and Standard Contractual Clauses where applicable) and technical controls to maintain a level of protection comparable to that required by Canadian law (PIPEDA Schedule 1 Principle 4.1.3 — accountability for transferred information).

7. Data Retention

We retain personal information only as long as necessary for the purposes set out in this Policy, and to comply with our legal obligations:

  • Customer-account and transaction records: six (6) years from the end of the fiscal year in which the transaction occurred (Income Tax Act s. 230 and Excise Tax Act s. 286).
  • Inactive prospect / newsletter contact records: up to five (5) years without interaction, then deleted or anonymized.
  • Privacy breach records: minimum twenty-four (24) months (PIPEDA s. 10.3 / Breach of Security Safeguards Regulations SOR/2018-64 s. 6).
  • Web server logs: typically ninety (90) days.

8. Your Rights

Subject to applicable law and reasonable identity verification, you may exercise the following rights:

  • Access (PIPEDA Schedule 1 Principle 4.9 / Law 25 s. 27 / GDPR Art. 15 / CCPA §1798.100): a copy of the personal information we hold about you.
  • Correction (PIPEDA Principle 4.9.5 / Law 25 s. 28 / GDPR Art. 16 / CPRA §1798.106): correction of inaccurate or incomplete information.
  • Deletion (Law 25 s. 28.1 — “right to be de-indexed” / GDPR Art. 17 / CCPA §1798.105): subject to our legal-retention obligations under §7.
  • Withdrawal of consent (PIPEDA Principle 4.3.8): for any processing where we rely on consent, including marketing.
  • Portability (Law 25 s. 27 / GDPR Art. 20): receive your data in a structured commonly-used format where technically feasible.
  • Objection (GDPR Art. 21): to processing based on legitimate interests.
  • No automated decision-making with significant effects (Law 25 s. 12.1 / GDPR Art. 22): we confirm that we do not make decisions based solely on automated processing that produce legal or similarly significant effects on individuals. Credit decisions are made by our Owner with input from human-reviewed credit-bureau reports.
  • Complaint: file a complaint with the regulator listed in §10–§11.

8.1 How to exercise. Contact the Privacy Officer at info@valve-atlas.com (subject line “Privacy”). We will respond within thirty (30) days of receiving a complete request, as required by Quebec Law 25 s. 32 and PIPEDA Principle 4.9.4. We may request government-issued ID or another reasonable form of identity verification to prevent unauthorized disclosure. There is no fee for the first request in a 12-month period; subsequent requests within that window may attract a reasonable cost-recovery fee (PIPEDA Principle 4.9.4).

9. Security and Breach Notification

9.1 Safeguards. We maintain administrative, technical, and physical safeguards proportionate to the sensitivity of the information, as required by PIPEDA Schedule 1 Principle 4.7 and Quebec Law 25 s. 10. These include role-based access controls; TLS encryption in transit; encrypted storage of customer-account data at rest; vendor due-diligence on processors; periodic credential rotation; written confidentiality undertakings from employees; and a written incident-response procedure.

9.2 Limitations. No method of internet transmission or electronic storage is fully secure. Users are responsible for safeguarding their own credentials and for notifying us promptly of any suspected compromise.

9.3 Incident response. If we become aware of a confirmed or reasonably-suspected privacy breach affecting personal information under our control, we will contain, investigate, and remediate the incident as soon as commercially practicable. Where required by applicable law we will notify affected individuals and the appropriate regulator(s) without unreasonable delay.

  • Canada (PIPEDA s. 10.1). Where a breach creates a “real risk of significant harm” (RROSH) under PIPEDA s. 10.1(7) — assessed by the sensitivity of the information and the probability of misuse — we will notify the Office of the Privacy Commissioner of Canada (OPC) and affected individuals as soon as feasible. Notice will be given directly (mail, email, telephone, or in person — Breach of Security Safeguards Regulations s. 4(1)) and will include: a description of the circumstances, the date or period of the breach, a description of the personal information affected, the steps we have taken to mitigate, the steps the individual can take to protect themselves, and contact information. Indirect notification (public announcement) is used only where direct notification would cause further harm or undue hardship, or where contact information is unavailable (Regulations s. 4(2)). We retain a breach record for a minimum of twenty-four (24) months (PIPEDA s. 10.3).
  • Quebec (Law 25 s. 3.5). Where an incident presents a “risk of serious injury” we will notify the Commission d’accès à l’information (CAI) and affected Quebec residents promptly, maintain an internal incident register containing the date, description, information categories, harm assessment, and mitigation steps (Law 25 s. 3.8 — Regulation respecting confidentiality incidents, CQLR c. P-39.1, r. 2), and take reasonable measures to reduce the risk of injury and prevent recurrence.
  • EEA / UK (GDPR / UK GDPR Art. 33–34). Where the breach is likely to result in a risk to the rights and freedoms of EEA or UK data subjects, we will notify the competent supervisory authority within seventy-two (72) hours of becoming aware where feasible, and will notify affected data subjects without undue delay where the risk is high.
  • United States. We will provide notice in accordance with applicable state breach-notification statutes (e.g., California Civ. Code §1798.82, New York Gen. Bus. Law §899-aa, Massachusetts 201 CMR 17.00), in the timing, content, and method required by the applicable statute.

9.4 Reporting a suspected incident. If you believe your personal information may have been compromised, contact the Privacy Officer immediately at info@valve-atlas.com or +1 (647) 553-7109 with the subject “Privacy Incident”.

10. Quebec Residents — Law 25 Notice

Pursuant to the Quebec Act respecting the protection of personal information in the private sector, CQLR c. P-39.1:

  • Privacy Officer (s. 3.1): Burak Padır, Owner. Contact details published above and at the top of this Policy.
  • Confidentiality incidents (s. 3.5–3.8): as set out in §9.3 above.
  • Privacy impact assessment (s. 3.3): we conduct a privacy impact assessment before any acquisition, development, or major overhaul of an information system that involves the processing of personal information.
  • No automated profiling for decisions (s. 12.1): we do not use personal information to render a decision based exclusively on automated processing.
  • Cross-border transfers (s. 17): personal information transferred outside Quebec is subject to a privacy impact assessment and adequate contractual protections.
  • Right to complain: Commission d’accès à l’information du Québec, 525, boul. René-Lévesque Est, bureau 2.36, Québec (Québec) G1R 5S9, www.cai.gouv.qc.ca.

11. California Residents — CCPA / CPRA Notice

Pursuant to the California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.) as amended by the California Privacy Rights Act, California residents have the right to know, access, delete, correct, limit the use of sensitive personal information, opt out of the sale or sharing of personal information for cross-context behavioral advertising, and be free from retaliation. As stated in §5.1, ValveAtlas does not sell personal information and does not share personal information for cross-context behavioral advertising. To exercise any CCPA/CPRA right, contact us at info@valve-atlas.com. We will respond within forty-five (45) days as required by §1798.130(a)(2).

12. UK and EEA Residents — UK GDPR / GDPR Notice

Where we process personal information of UK or EEA residents we act as a “controller” within the meaning of Article 4(7) of the UK GDPR / GDPR. The legal bases on which we rely are set out in §3. UK and EEA data subjects have the rights set out in §8 and may complain to the UK Information Commissioner’s Office (ico.org.uk) or their national supervisory authority (edpb.europa.eu). We have no establishment in the UK or EEA and have not, to date, met the Article 27 threshold requiring designation of a UK/EU representative; we will reassess this requirement annually.

13. Children’s Privacy

Our site and services are directed at businesses, not children. We do not knowingly collect personal information from individuals under the age of sixteen (16). If you believe a minor has submitted information to us, please contact the Privacy Officer and we will delete the information.

14. Changes to This Policy

We may amend this Policy to reflect changes in our practices, applicable law, or our services. The “Effective date” and “Last updated” fields at the top will be revised accordingly. Material changes will be announced by a prominent notice on our website and, where appropriate, by direct email to active customers.

15. Severability and Contact

If any provision of this Policy is held invalid or unenforceable, the remaining provisions remain in force.

For any question, complaint, or to exercise a right under this Policy, contact:

Burak Padır — Privacy Officer
ValveAtlas Industrial Solutions Inc.
27 Bathurst St, Suite 416W, Toronto, ON M5V 0R1, Canada
Email: info@valve-atlas.com (subject line “Privacy”)
Telephone: +1 (647) 553-7109