Privacy Policy — Grandco

Section 1

Who We Are

Grandco Inc. is a corporation incorporated under the laws of Ontario, Canada. We provide a software-as-a-service platform combining payment processing, point-of-sale software, and a white-label marketing suite (powered by Grandco) to Canadian small and medium-sized businesses.

Grandco acts as the data controller for personal information collected from merchants, resellers, and visitors to our websites and marketing pages. Where Grandco processes personal information on behalf of merchants in connection with their customer relationship management (CRM) activities on our platform, Grandco acts as a data processor on the merchant's behalf.

Payment processing services are provided by Elavon Canada Inc., a separate legal entity. Elavon is the data controller for cardholder transaction data processed through its Converge gateway. See Section 11 for cardholder-specific privacy rights.

Section 2

Scope & Applicability

This Privacy Policy applies to personal information collected by Grandco Inc. through:

Our websites, including grandco.ca and all subdomains;
The Grandco SaaS platform accessed by merchants and resellers;
Merchant applications, onboarding forms, and account setup processes;
Marketing, sales, and support communications by email, SMS, or telephone;
Any other interaction between you and Grandco.

This Policy does not govern:

Personal information of cardholders or end-customers stored in a merchant's CRM on the Grandco platform — that data is controlled by the merchant, not Grandco. End-customers should consult the privacy policy of the business they transacted with.
Data processed by Elavon Canada Inc. in connection with payment processing — see Elavon's Privacy Policy.
Data processed by HighLevel Inc. — see HighLevel's Privacy Policy.

2.1 Applicable Laws

Grandco's privacy practices are governed by:

PIPEDA — the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), applicable to commercial activities in most Canadian provinces;
Quebec Law 25 — Act respecting the protection of personal information in the private sector (Bill 64, as amended), which applies to personal information of Quebec residents with enhanced rights including portability and profiling disclosure;
Alberta PIPA — Personal Information Protection Act, SA 2003 c P-6.5;
British Columbia PIPA — Personal Information Protection Act, SBC 2003, c 63;
CASL — Canada's Anti-Spam Legislation governing electronic commercial messages;
Applicable Card Scheme Rules regarding cardholder data protection and PCI DSS.

Section 3

Information We Collect

3.1 Account & Identity Information

When you apply for a Grandco account, onboard as a merchant or reseller, or contact us, we collect:

Information	Examples	Required?
Business identity	Legal business name, trading name, CRA Business Number, HST/GST number, incorporation details	Required
Owner / officer identity	Full legal name, date of birth, SIN (last 4 digits), government ID type and number for KYC/AML purposes	Required
Contact information	Business address, mailing address, email address, phone number	Required
Banking information	Bank institution number, transit number, account number, void cheque	Required
Business information	Industry type, MCC, years in business, annual revenue, website URL, business description	Required
Beneficial ownership	Names, ownership percentages, and ID for individuals owning 25%+ of the business (FINTRAC requirement)	Required
Profile preferences	Platform preferences, notification settings, branding settings, timezone	Optional

3.2 Payment & Transaction Data

In connection with payment processing through Elavon/Converge, Grandco receives and stores the following data for reporting, reconciliation, and chargeback management purposes:

Data Type	Details	Controller
Transaction records	Transaction amounts, dates, times, card type (not full PAN), merchant location, authorisation codes, transaction IDs	Grandco + Elavon
Settlement reports	Daily and monthly settlement summaries, net amounts, fee breakdowns, surcharge totals	Grandco + Elavon
Chargeback data	Chargeback reason codes, dispute documentation, resolution outcomes	Elavon (shared with Grandco)
Fee and billing data	Platform subscription charges, processing fee calculations, invoice history	Grandco

Note on Full Card Numbers Grandco does not store full card numbers (PANs), CVV codes, or magnetic stripe data at any time. These are processed exclusively by Elavon/Converge through PCI-DSS-certified infrastructure. Grandco's systems only receive masked card data (last 4 digits) and transaction metadata.

3.3 Platform Usage Data

When you use the Grandco platform, we automatically collect:

Log data — IP addresses, browser type and version, operating system, device identifiers, pages visited, time and duration of visits, clicks and interactions;
Feature usage — which platform features you use, campaign creation activity, automation triggers and actions, CRM pipeline activity (in aggregate, not contact-level content);
Performance data — page load times, error reports, API response times, used for platform improvement and support;
Session data — session tokens, login timestamps, last active time, for security and session management.

3.4 Marketing & Sales Data

When you interact with Grandco's marketing activities, we may collect:

Email address and name provided through our website contact forms, demo booking forms, or lead magnets;
Information submitted through free trial sign-up or consultation requests;
Records of demo calls including notes taken by Grandco sales staff (not recordings, unless consent is obtained);
Communication preferences and topics of interest expressed during sales interactions;
Referral source (e.g. which reseller referred you) for commission tracking purposes.

3.5 Merchant Customer Data (CRM Data)

Merchants using the Grandco CRM on the Grandco platform may upload or collect personal information about their own customers and contacts ("Merchant Customer Data"), including names, phone numbers, email addresses, appointment history, and purchase history.

Merchants are the controllers of their customers' data. Grandco processes Merchant Customer Data as a data processor on the merchant's instructions. Grandco does not use, access, or analyse individual Merchant Customer Data except to provide the platform service. Merchants are solely responsible for obtaining valid consent from their customers under CASL and applicable privacy law before uploading customer data to the Grandco platform or sending marketing messages through it.

Section 4

How We Use Your Information

We use the personal information we collect for the following purposes. We will not use your information for purposes incompatible with those listed below without first notifying you and, where required, obtaining your consent.

Purpose	Types of Data Used	Legal Basis
Account setup and onboarding	Identity, banking, business information	Contract
Providing platform services (CRM, POS, SMS, email)	Account data, platform usage, Merchant Customer Data	Contract
Payment processing and settlement	Banking, transaction data	Contract
Billing and fee calculation	Transaction data, account data	Contract
KYC and AML compliance (FINTRAC)	Identity, beneficial ownership, ID documents	Legal Obligation
Fraud prevention and security monitoring	Transaction data, log data, device identifiers	Legitimate Interest
Chargeback management and dispute resolution	Transaction data, cardholder data (last 4)	Contract
Customer support and troubleshooting	Account data, platform usage, log data	Contract
Platform improvement and analytics	Usage data (aggregated and anonymised)	Legitimate Interest
Sending service notifications (billing, security, downtime)	Contact information	Contract
Sending marketing emails and product updates	Contact information, preferences	Consent (CASL)
Reseller commission calculation	Referral data, Sub-Merchant transaction volume	Contract
Legal compliance and regulatory reporting	As required by applicable law	Legal Obligation
Enforcing our Terms of Service	Account data, transaction data	Legitimate Interest

Section 5

Legal Bases for Processing

Under PIPEDA and applicable provincial privacy laws, Grandco processes personal information on the following legal bases:

5.1 Express Consent

We rely on your express consent for: sending commercial electronic messages (email newsletters, product updates, promotional offers) under CASL; placing non-essential cookies on your device; and any processing not covered by the bases below. You may withdraw consent at any time as described in Section 8 and Section 9. Withdrawing consent will not affect the lawfulness of processing before withdrawal.

5.2 Implied Consent

Under PIPEDA, we may rely on implied consent for: processing personal information provided as part of entering into a business relationship with Grandco; processing personal information that is reasonably required to fulfil the purposes for which a business relationship has been established; and sending service communications directly related to the account relationship. Implied consent exists where the purpose for collection is obvious given the context and a reasonable person would expect it.

5.3 Contractual Necessity

Processing your personal information is necessary to perform the services described in our Terms of Service — including account creation, payment processing, platform access, and customer support. Without this processing, we cannot provide the Grandco service.

5.4 Legal Obligation

We are required by law to collect and retain certain personal information, including: identity verification documents under FINTRAC (Proceeds of Crime (Money Laundering) and Terrorist Financing Act); tax records under the Income Tax Act; records for applicable provincial and federal regulatory purposes; and cardholder data records under Card Scheme Rules and PCI DSS requirements.

5.5 Legitimate Business Interests

We process some personal information based on our legitimate interests in: preventing fraud and financial crime; ensuring the security and integrity of our platform; conducting internal analytics to improve our services (using anonymised and aggregated data); and enforcing our legal rights under our Terms of Service. Where we rely on legitimate interests, we ensure that our interests are not overridden by the privacy rights of the individuals concerned.

Section 6

Who We Share Data With

We never sell personal data. Grandco does not sell, rent, or trade personal information to any third party for their own marketing, advertising, or commercial purposes. Data is shared only as described in this section and only to the minimum extent necessary.

6.1 Elavon Canada Inc. / Converge

We share merchant identity, banking, and transaction data with Elavon Canada Inc. as necessary to provide payment processing services. Elavon is an independent data controller for the data it receives and processes it under its own privacy policy and the Elavon Merchant Agreement. Elavon is a US Bancorp company operating in Canada and may transfer data to its US affiliates for fraud prevention and compliance purposes, subject to contractual data protection safeguards.

6.2 HighLevel Inc.

Merchant Customer Data stored in the CRM is hosted on Grandco platform. Grandco processes this data as a sub-processor under our data processing agreement. Grandco's servers are primarily located in the United States. We have contractual data protection obligations in place with Grandco. Merchants should review Grandco's sub-processor list if they require full visibility of onward data transfers.

6.3 Card Schemes (Visa, Mastercard, Interac)

Elavon is required to share transaction-level data with Visa, Mastercard, and Interac as part of the card payment processing network. This may include merchant identity, transaction amounts and dates, and Card Scheme network data. This sharing is governed by Card Scheme Rules and is necessary to operate the payment network.

6.4 Service Providers & Sub-Processors

We use carefully selected third-party service providers who process personal data on our behalf under strict data processing agreements. These providers are listed in Section 7. We do not allow our service providers to use your personal information for their own purposes and require them to process it only for the purposes we specify.

6.5 Resellers

If your Grandco account was established through a Grandco-approved Reseller, we may share account status, subscription information, and billing summaries with that Reseller for the purpose of calculating commissions and providing account support. We do not share payment processing rates or detailed transaction data with Resellers beyond what is required for residual calculations. Resellers are contractually prohibited from using your information for any other purpose.

6.6 Law Enforcement & Regulatory Authorities

We may disclose personal information to law enforcement agencies, regulatory authorities, or other government bodies where required or permitted by applicable Canadian law, including: in response to a valid court order, subpoena, or search warrant; to FINTRAC for anti-money laundering reporting; to the Canada Revenue Agency as required; or where we have reasonable grounds to believe the information is necessary to prevent or investigate fraud, a serious threat to safety, or a criminal offence.

6.7 Business Transfers

If Grandco is involved in a merger, acquisition, sale of assets, or other corporate restructuring, personal information may be transferred as part of that transaction. We will notify affected customers prior to any such transfer and, where required by law, obtain consent. Any successor organisation will be bound by privacy obligations at least as protective as those in this Policy.

Section 7

Third-Party Processors

Grandco uses the following categories of third-party processors that may handle personal information in connection with the Grandco platform:

💳

Elavon Canada Inc. / Converge

Payment Processor & Acquirer

Processes all card transaction data, performs merchant underwriting, manages settlement and chargebacks. Independent data controller for transaction data. Servers in Canada and US.

↗ Elavon Privacy Policy

📣

HighLevel Inc. (GoHighLevel)

CRM, SMS & Email Marketing Platform

Hosts the white-label marketing suite powering CRM contacts, pipelines, SMS, email campaigns, automations, funnels, and appointment booking. Processes Merchant Customer Data as a sub-processor. Servers primarily in the United States.

↗ HighLevel Privacy Policy

☁️

Cloud Infrastructure Provider

Hosting & Data Storage

Grandco's platform backend, databases, and file storage are hosted in Canadian data centres. Servers are located in Canada (Toronto / Montreal regions). The provider processes data on Grandco's instructions under a data processing agreement with equivalent privacy protections.

📧

Transactional Email Provider

Platform Notification Emails

Sends automated platform emails including welcome emails, billing notifications, security alerts, and password resets. Processes email addresses and email delivery metadata. Data is retained for delivery tracking purposes only and not used for marketing by the provider.

📞

Twilio Inc. (via HighLevel)

SMS Delivery Infrastructure

SMS messages sent through the Grandco platform are delivered through Twilio's infrastructure via Grandco. Twilio processes phone numbers and message content for delivery. Merchants are responsible for CASL compliance for all SMS campaigns initiated through the platform.

↗ Twilio Privacy Policy

📊

Analytics & Monitoring Tools

Platform Performance & Error Tracking

We use analytics tools to monitor platform performance, track errors, and understand usage patterns. These tools process anonymised or pseudonymised usage data. We do not use third-party behavioural advertising trackers on merchant-facing platform pages.

Our full sub-processor list is available on request by emailing [email protected]. We will notify affected merchants at least thirty (30) days before adding any new sub-processor that processes personal information.

Section 8

Marketing Communications

8.1 CASL Compliance

Grandco complies with Canada's Anti-Spam Legislation (CASL). We will not send commercial electronic messages (CEMs) — including marketing emails, promotional SMS, or commercial push notifications — without your express or implied consent, as defined under CASL.

8.2 Basis for Marketing Messages

We may send marketing messages to you based on:

Express consent — where you have explicitly opted in to receive marketing messages from Grandco, typically through a sign-up form, checkbox, or verbal confirmation during onboarding;
Existing business relationship (implied consent) — under CASL, we may send CEMs for up to two (2) years following the date you entered into a commercial relationship with Grandco (e.g. when your account was activated), unless you opt out sooner.

8.3 Types of Marketing Messages We Send

Product updates and new feature announcements for the Grandco platform;
Educational content about payment processing, surcharging, and Canadian small business tips;
Promotional offers and pricing updates;
Reseller programme updates and residual payment notifications;
Invitations to webinars, demos, or educational events.

We do not send marketing messages on behalf of third parties or share your contact information with third parties for their own marketing purposes.

8.4 Service vs. Marketing Communications

The following types of messages are sent based on contractual necessity and do not require marketing consent. You cannot opt out of these while your account is active:

Account activation, password reset, and security alerts;
Billing notifications, invoices, and payment confirmations;
Chargeback notifications and retrieval requests requiring action;
Platform maintenance and outage notifications;
Regulatory or legal notices required by applicable law;
Changes to Terms of Service or Privacy Policy.

8.5 How to Unsubscribe

You may withdraw marketing consent and unsubscribe from marketing messages at any time by:

Clicking the "Unsubscribe" link in any marketing email (we process unsubscribe requests within 10 business days as required by CASL);
Replying STOP to any marketing SMS;
Updating your communication preferences in the Grandco platform settings;
Emailing [email protected] with your unsubscribe request.

Unsubscribing from marketing communications will not affect your receipt of service communications or your ability to use the platform.

Section 9

Cookies & Tracking Technologies

Grandco's websites and platform use cookies and similar technologies (including local storage, session tokens, and web beacons) to operate the platform, improve your experience, and understand how our services are used.

9.1 Types of Cookies We Use

9.2 Managing Cookies

You can manage cookie preferences at any time through:

The cookie preferences centre accessible from the footer of our website;
Your browser settings — most browsers allow you to refuse cookies, delete existing cookies, or be notified when cookies are set;
Opt-out tools provided by analytics providers (e.g. Google Analytics opt-out browser add-on).

Note: Blocking all cookies may prevent some features of the Grandco platform from functioning correctly.

9.3 Do Not Track

Our website currently does not respond to "Do Not Track" (DNT) browser signals, as there is no universally accepted standard for DNT. However, you can control tracking through the cookie preference centre described above.

Section 10

Your Privacy Rights

Under PIPEDA and applicable provincial privacy laws, you have the following rights with respect to your personal information held by Grandco. To exercise any of these rights, contact our Privacy Officer at [email protected].

🔍

Right to Access

Request a copy of the personal information we hold about you, the purposes for which it is used, and the third parties to whom it has been disclosed. We will respond within 30 days of receiving your request (extendable by an additional 30 days with notice).

✏️

Right to Correction

Request correction of any personal information that is inaccurate, incomplete, or outdated. Once corrected, we will notify any third parties to whom we have disclosed the incorrect information where feasible.

🚫

Right to Withdraw Consent

Withdraw consent for any processing based on consent (including marketing communications) at any time. Note that some processing is required to provide the service — withdrawing consent for required processing may result in account termination.

📋

Right to Know

Know what personal information we hold about you, why we hold it, and who we have shared it with. This right can be exercised through an access request.

🗑️

Right to Deletion (Quebec / PIPA)

Quebec residents and BC/Alberta residents under applicable PIPA may request deletion of personal information that is no longer necessary for the purposes for which it was collected, subject to legal retention requirements. We cannot delete information required by law or needed to resolve disputes.

📤

Right to Portability (Quebec Law 25)

Quebec residents may request that we provide their personal information in a structured, commonly used, and machine-readable format, or that we transmit it directly to another organisation where technically feasible.

🛑

Right to Object to Automated Decision-Making

Where automated decision-making (including profiling) is used to make decisions that significantly affect you — such as account approval or fraud detection — you have the right to request human review of such decisions.

📣

Right to Lodge a Complaint

If you believe your privacy rights have been violated, you may contact the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca, or your provincial privacy commissioner where applicable.

10.1 How to Submit a Privacy Request

Privacy requests must be submitted in writing to:

Preferred Method

Email

[email protected]

Response within 30 days

Mail

Privacy Officer
Grandco Inc.
Ontario, Canada

To verify your identity, we may ask you to confirm your name, business name, email address, and account details. We will not charge a fee for access requests unless they are manifestly unfounded or excessive.

Section 11

Cardholder Privacy Rights

If you are a cardholder whose card was used to make a payment at a business using the Grandco platform — rather than the business owner themselves — please note the following:

11.1 Grandco's Limited Role

Grandco does not directly collect or store your full card number, CVV, or card expiry date. These are processed exclusively by Elavon Canada Inc. through its Converge payment gateway. Grandco's systems only receive anonymised transaction metadata (amount, date, masked card number, and authorisation code) for reporting and reconciliation purposes.

11.2 Cardholder Data Held by Elavon

For questions about how your payment card data was processed in a transaction, please contact Elavon Canada Inc. directly:

Elavon Privacy Policy: elavon.com/privacy-promise.html
Elavon Canada customer service: elavon.com/canada

11.3 Merchant CRM Data

If a business has stored your contact details or purchase history in their CRM on the Grandco platform, that data is under the control of the merchant (the business owner), not Grandco. To request access, correction, or deletion of data held by a specific merchant, please contact that merchant directly. The merchant is the data controller and is responsible for responding to your request under applicable privacy law.

11.4 Surcharge Disclosures

If you paid a credit card surcharge at a business using the Grandco platform, the surcharge was collected by the merchant and passed through to offset their card processing costs. The surcharge is disclosed on your transaction receipt. Surcharge complaints should be directed to the merchant. For questions about the legality or rate of surcharging in Canada, see the October 2022 Visa/Mastercard class action settlement or contact the Financial Consumer Agency of Canada (FCAC) at canada.ca/fcac.

Section 12

Data Security

12.1 Security Measures

Grandco implements appropriate technical and organisational security measures to protect personal information against unauthorised access, disclosure, alteration, and destruction. Our security measures include:

Encryption in transit — all data transmitted between your browser and Grandco's servers is encrypted using TLS 1.2 or higher;
Encryption at rest — sensitive personal information stored in Grandco's databases is encrypted at rest using AES-256 or equivalent;
Access controls — role-based access control limits which Grandco employees can access personal information; access is granted on a need-to-know basis and is logged and audited;
Multi-factor authentication — required for all Grandco staff accessing production systems and strongly recommended for all merchant accounts;
PCI DSS compliance — our payment gateway integration is certified PCI DSS Level 1 through Elavon/Converge. Grandco does not handle raw card data and is therefore not a primary PCI data environment;
Penetration testing — we conduct regular third-party penetration tests and vulnerability scans of our platform;
Incident response — we maintain a documented security incident response plan and conduct regular drills.

12.2 Breach Notification

In the event of a breach of security safeguards involving personal information under Grandco's control that creates a real risk of significant harm to affected individuals, Grandco will:

Notify the Office of the Privacy Commissioner of Canada (OPC) as soon as feasible after we become aware of the breach;
Notify all affected individuals as soon as feasible, in accordance with PIPEDA's mandatory breach notification requirements;
Maintain a record of all breaches for a minimum of 24 months, regardless of whether notification was required.

Quebec residents will be notified in accordance with the additional requirements of Law 25 (Bill 64), including reporting to the Commission d'accès à l'information (CAI) where required.

12.3 Your Responsibility

While we take extensive measures to protect your information, you are also responsible for maintaining the security of your Grandco account. We recommend: using a strong, unique password; enabling multi-factor authentication; not sharing your login credentials with others; and logging out of the platform when using shared devices. Notify us immediately at [email protected] if you suspect unauthorised access to your account.

Section 13

Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our retention schedules are as follows:

Data Type	Retention Period	Reason
Merchant account information (identity, banking)	7 years after account closure	FINTRAC / CRA / tax compliance
Payment transaction records	7 years after transaction date	Tax law, Card Scheme Rules, chargeback risk (13 months minimum under Elavon agreement)
Chargeback documentation	5 years from final resolution	Legal limitation periods, Card Scheme requirements
Merchant KYC / identity documents	7 years after account closure	FINTRAC obligations
Platform CRM data (Merchant Customer Data)	For the account lifetime; exportable within 30 days of closure; deleted 60 days post-closure	Contract (platform service provision)
SMS & email marketing consent records	3 years from withdrawal of consent	CASL compliance — proof of consent must be retained
Platform usage logs (anonymised)	24 months rolling	Security monitoring, fraud prevention
Support and communication records	3 years from last interaction	Legitimate business interests, dispute resolution
Cookies (session)	Duration of browser session	Platform operation
Cookies (persistent analytics)	Up to 24 months	Platform analytics (where consent is given)

After the applicable retention period expires, personal information is securely deleted or anonymised so that it can no longer be associated with an individual. Physical records are cross-cut shredded; electronic records are securely overwritten or cryptographically erased.

Section 14

International Data Transfers

14.1 Data Residency in Canada

Grandco's own servers and databases are hosted in Canadian data centres (Toronto and/or Montreal regions). We have designed our architecture to keep merchant personal information within Canada to the maximum extent possible.

14.2 Transfers to the United States

Some personal information may be transferred to, or accessed from, the United States in the following circumstances:

Elavon / Converge — Elavon Canada Inc. shares data with its US parent company, Elavon Financial Services DAC and US Bancorp, for fraud prevention, compliance monitoring, and technical operations. This is governed by Elavon's intra-group data transfer agreements.
HighLevel Inc. — HighLevel's platform servers are primarily located in the United States. Merchant Customer Data stored in the CRM is therefore subject to HighLevel's US data handling practices. We have a Data Processing Agreement with HighLevel requiring compliance with applicable Canadian privacy standards.
Twilio Inc. — SMS delivery infrastructure operated by Twilio processes message data through US infrastructure.

You acknowledge that personal information transferred outside Canada may be subject to foreign laws, including US national security laws, that may permit access by US government authorities. Grandco mitigates this risk through contractual safeguards with all US-based processors.

14.3 No Other International Transfers

Other than as described in Section 14.2, Grandco does not transfer personal information outside of Canada or the United States. We will notify you if this changes and will take appropriate steps to ensure adequate protection is in place.

Section 15

Children's Privacy

The Grandco platform is intended for use by businesses and adults aged 18 years and older. We do not knowingly collect personal information from individuals under the age of 18.

If you are a parent or guardian and believe that a minor has provided personal information to Grandco without your consent, please contact us immediately at [email protected]. We will promptly delete any personal information relating to a child upon notification.

Section 16

Changes to This Policy

Grandco may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. When we make material changes, we will:

Update the "Last Updated" date at the top of this page;
Notify active merchants by email to their registered account address at least thirty (30) days before the changes take effect;
Post a prominent notice on the Grandco platform dashboard for thirty (30) days following the update;
Where required by applicable law, seek fresh consent for materially new uses of personal information.

Continued use of the Grandco platform after the effective date of any policy change constitutes acceptance of the updated policy. We recommend reviewing this policy periodically.

Previous versions of this policy are available upon written request to [email protected].

Section 17

Contact & Complaints

17.1 Privacy Officer

Grandco has designated a Privacy Officer who is responsible for overseeing compliance with this Privacy Policy and applicable privacy laws. Our Privacy Officer can be reached at:

Privacy Officer Contact

Grandco Inc.

Email: [email protected]
Subject line: "Privacy Request" or "Privacy Complaint"
Response time: within 30 days

General Information

General support: [email protected]
Security incidents: [email protected]
Legal matters: [email protected]

17.2 Our Complaint Process

If you have a complaint about how Grandco has handled your personal information:

Submit your complaint in writing to [email protected] with as much detail as possible about the issue;
Our Privacy Officer will acknowledge your complaint within five (5) business days;
We will investigate and provide a written response within thirty (30) days of receiving the complaint;
If we require additional time (up to a maximum of an additional thirty (30) days), we will notify you in writing with an explanation and the expected resolution date;
If you are not satisfied with our response, you have the right to escalate your complaint to the relevant regulator.

17.3 Regulatory Authorities

If you are unsatisfied with Grandco's response to your privacy complaint, or if you wish to make a complaint directly to a regulator, the following authorities have jurisdiction:

Jurisdiction	Authority	Contact
Federal (all provinces)	Office of the Privacy Commissioner of Canada (OPC)	priv.gc.ca
Quebec	Commission d'accès à l'information (CAI)	cai.gouv.qc.ca
Alberta	Office of the Information and Privacy Commissioner of Alberta	oipc.ab.ca
British Columbia	Office of the Information and Privacy Commissioner for BC	oipc.bc.ca