Gannage Financial, doing business as Calculate and Quote (“we,” “us,” or “our”), is operated by Sean Gannage, a licensed life and accident & sickness insurance agent in the Province of Ontario (LLQP). This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information when you interact with calculateandquote.ca and our insurance advisory services. It is written to align with the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and the Ontario Insurance Act.
1. Introduction
This policy covers personal information we collect through calculateandquote.ca, through any quote or contact forms on the site, and through correspondence with us about our insurance services. It does not apply to the privacy practices of insurance carriers who issue a policy to you — those carriers are separate data controllers with their own privacy policies.
Effective date: April 24, 2026. Earlier versions of this policy are superseded by this version.
2. Information We Collect
We collect personal information in three ways: directly from you, automatically from your device when you visit the site, and from third parties.
a. Information you provide
When you request a quote, use a calculator, or contact us, you may voluntarily provide information such as:
- Identity and contact details: name, email address, phone number, and general mailing location.
- Date of birth and other demographic inputs needed to estimate insurance coverage or pricing.
- Coverage needs: family status, dependants, mortgage and debt figures, income, and savings goals — i.e. the values required for the calculator to produce a recommendation.
- Health indicators: high-level health information such as smoking status, general health rating, or pre-existing conditions that you choose to share.
- Financial information: information relevant to evaluating coverage recommendations, such as household income, assets, and debts.
- Communications: messages, questions, and feedback you send us.
b. Information collected automatically
When you visit the site, we automatically collect a limited amount of technical information to operate the site, understand traffic patterns, and improve the experience:
- IP address: used only to derive your approximate country, region, and city, and then discarded. The raw IP is not retained alongside your visit record.
- Device and browser information: browser name and version, operating system, viewport size, and user-agent string.
- Page views: the URLs you visit on the site, the referrer that brought you here, and UTM/campaign parameters.
- Session identifier: a random session ID stored in your browser's sessionStorage (not cookies) so we can group page views from the same visit. It is cleared when you close the tab.
- Session recordings (Microsoft Clarity): anonymized replays of clicks, scrolls, and navigation. Clarity is configured in strict masking mode, which means text you type into any input field — including calculator inputs, contact form fields, and anything containing health or financial information — is masked before it leaves your browser. Clarity does not see the values you enter.
c. Information from third parties
We do not currently receive personal information about you from third-party data brokers, lead lists, or any other external source. If that changes, we will update this policy and obtain the consent required under PIPEDA before relying on any such information.
3. How We Use Your Information
We use the personal information described above to:
- Produce the coverage estimates and quote comparisons you request.
- Follow up on quote inquiries, answer questions, and deliver the insurance advisory services you ask us to provide.
- Improve the site — identify broken pages, confusing layouts, and opportunities to make the calculators more useful.
- Comply with our regulatory obligations as an insurance agent in Ontario, including record-keeping, suitability analysis, and reporting requirements under the Ontario Insurance Act and related regulations.
- Send marketing or educational communications (for example, articles or coverage reminders) with your consent. You can withdraw this consent at any time — see section 9.
4. Legal Basis for Processing
Under PIPEDA, consent is the primary basis on which we handle your personal information. Consent may be either express (for example, checking a box to receive marketing emails) or implied (for example, submitting a quote form implies consent to use that information to prepare a quote).
- Express consent — used for marketing communications, any referral of your information to a third party, and any secondary use that a reasonable person would not expect from the original context.
- Implied consent — used for delivering the core service you have requested (e.g., preparing a quote, following up on your inquiry, providing ongoing advice on an active file).
- Legal or regulatory obligation — used where PIPEDA, the Ontario Insurance Act, or another applicable law requires us to collect, use, or retain information (for example, client file retention or responding to a regulator). Consent is not required for these limited purposes under PIPEDA s. 7.
5. Who We Share Your Information With
We do not sell your personal information. We share it only with the service providers and regulated partners listed below, and only to the extent needed for each purpose. Each processor has a Data Processing Addendum (DPA) or equivalent written agreement on file.
| Processor | Purpose | Location | Data processed |
|---|---|---|---|
| Vercel Inc. | Website hosting, CDN, and serverless functions | United States | Server logs, request metadata, anything submitted through forms in transit |
| Supabase Inc. | Database storage for quote inquiries, contact messages, and analytics records | Canada (ca-central-1) | Names, contact details, calculator inputs, and visit records |
| Resend | Transactional email delivery (quote acknowledgements, replies) | United States | Email addresses, name, message body |
| Google LLC | Google Analytics 4 (aggregate website analytics) and Search Console (SEO diagnostics) | United States | Device type, browser, approximate geographic location, pages visited, referrer |
| Microsoft Corporation | Microsoft Clarity — anonymized session replays and heatmaps for UX analysis | United States | Click, scroll, and navigation patterns. Text entered into form fields is masked before leaving your browser (strict masking) |
| IPInfo | IP-to-approximate-location lookup for first-party analytics (the raw IP is discarded after lookup) | United States | IP address (transient — not retained alongside the visit record) |
We may also disclose information where required by law, to regulators with jurisdiction over our licensing, or to professional advisors (lawyers, accountants, auditors) bound by confidentiality obligations.
6. Cross-Border Data Transfers
Several of the processors in the table above are located in the United States (Vercel, Resend, Google, Microsoft, IPInfo). When your information is processed by those providers, it is transferred outside Canada and may be accessed by U.S. government authorities under laws such as the CLOUD Act and the USA PATRIOT Act, subject to those laws' own safeguards and limitations.
We mitigate this by:
- Choosing providers that publish detailed privacy and security commitments and will sign a Data Processing Addendum.
- Minimizing what we send to U.S.-based processors in the first place (for example, the visitor analytics pipeline strips the raw IP after geolookup, and Clarity masks every form field).
- Storing the primary database of quote and client information in Supabase's Canadian region (ca-central-1), so information you submit through our forms is not routinely stored outside Canada.
Regardless of where data is processed, Canadian law — including PIPEDA and the Ontario Insurance Act — governs our collection, use, and disclosure of your personal information.
7. How Long We Retain Your Data
- Quote inquiries and calculator data: kept for up to two (2) years from your last interaction with us, then deleted or fully anonymized unless you have become an active client.
- Active client records: kept for the duration of your policy and for seven (7) years after the policy terminates, as required by record-keeping rules under the Ontario Insurance Act and related regulations.
- Marketing contacts: kept until you withdraw consent or unsubscribe, at which point we remove your information from the marketing list and retain only a minimal suppression record as required by Canada's Anti-Spam Legislation (CASL).
- Website analytics records: kept for up to 24 months, then deleted or fully anonymized.
- Microsoft Clarity session replays: retained by Microsoft for up to one year in accordance with its data retention policies.
Where a legal obligation requires a longer retention period, that obligation takes precedence over the periods above.
8. Cookies
We use a small number of cookie-like technologies:
- Essential / session cookies: required for core site functionality (e.g., remembering your position in a multi-step calculator, protecting forms against abuse). These cannot be turned off without breaking the site.
- Analytics cookies: set by Google Analytics 4 and Microsoft Clarity to understand how visitors use the site. These are loaded only when analytics is enabled in our configuration and are subject to the masking and retention rules described in section 2(b).
You can disable cookies entirely through your browser settings, use your browser's private/incognito mode, or install an opt-out extension. Disabling analytics cookies will not affect your ability to request a quote or contact us.
9. Your Rights Under PIPEDA
As an individual in Canada, you have the right to:
- Access the personal information we hold about you, subject to the limited exceptions set out in PIPEDA (for example, information that would reveal another individual's personal information).
- Correct information that is inaccurate or incomplete, and ask us to notify any processors that received the uncorrected information.
- Withdraw consent to any use or disclosure of your personal information, subject to legal or contractual restrictions and reasonable notice. If you withdraw consent to the uses that are necessary to deliver our service — for example, sharing your information with a carrier to issue a policy — we may no longer be able to provide that service, and we will explain what that means before you confirm the withdrawal.
- Request deletion of your personal information, subject to the legal retention obligations described in section 7.
- File a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated: priv.gc.ca or 1-800-282-1376.
10. How to Exercise Your Rights
To exercise any of the rights in section 9, please send us a message through our contact form with a clear description of your request.
- Identity verification: we will confirm your identity before acting on access, correction, or deletion requests — typically by replying to the email address you submit with the form or asking you to confirm one or two data points we already hold. This protects you from someone else impersonating you.
- Response timeline: we aim to respond within 30 calendar days of receiving a complete, verified request, as required by PIPEDA s. 8(3). If we need more time in a particular case, we will tell you in writing within the 30-day window and explain why.
- Cost: there is no fee to make a request. If a request is unusually broad and would require significant effort to fulfill, we will tell you before doing the work and give you the option to narrow the request.
11. Security Measures
We protect personal information with administrative, technical, and physical safeguards appropriate to its sensitivity, including:
- Encryption in transit — all site traffic is served over HTTPS (TLS).
- Encryption at rest — databases and backups are encrypted by our hosting providers.
- Access controls — administrative access to systems that contain personal information requires two-factor authentication (2FA) and is limited to personnel who need the access to do their job.
- Database-level authorization — row-level security (RLS) policies are enforced on our Supabase database so that user-facing components cannot read or modify records outside of defined, audited pathways.
- Vendor Data Processing Addendums — each third-party processor in section 5 operates under a signed DPA or equivalent contract addressing security and confidentiality.
- Incident response plan — we have a documented process for detecting, containing, and assessing suspected privacy incidents, including the steps described in section 12.
No system is perfectly secure, and we cannot guarantee that security controls will never fail. If a failure does occur, we will handle it as described in section 12.
12. Data Breach Notification
PIPEDA s. 10.1 requires that, where a breach of security safeguards creates a real risk of significant harm to an affected individual, an organization must (a) report the breach to the Office of the Privacy Commissioner of Canada, (b) notify the affected individual, and (c) keep a record of the breach — all as soon as feasible after determining that the breach has occurred.
Our internal target is to complete the assessment and initial notification within 72 hours of confirming that a reportable breach has occurred. This is an internal commitment, stricter than the PIPEDA baseline, and subject to the realities of a given investigation — the statutory standard remains “as soon as feasible.”
In any breach notification we send, we will describe: what happened, what information was involved, the steps we are taking to contain and remediate the breach, and the steps you can take to protect yourself. We will also keep a record of every reported breach for at least 24 months, in accordance with the Breach of Security Safeguards Regulations.
13. Children's Privacy
The site is intended for adults researching insurance and related financial products. We do not knowingly collect personal information from anyone under the age of 18 without the consent of a parent or legal guardian. If you believe a minor has submitted information to us, please contact us using the email in section 10 and we will delete the information.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the processors we use, or applicable law. The updated policy will be posted on this page with a revised “Last Updated” date at the top.
- Minor changes (for example, wording clarifications, or adding a new sub-processor that fits within an existing category) take effect when posted.
- Material changes (for example, new categories of information collected, new purposes of use, or new recipients of your information) will be communicated to affected individuals before they take effect, either by email where we have one on file, or through a prominent notice on the site.
If you continue to use the site after a change takes effect, you are acknowledging the updated policy. If you disagree with any change, please contact us so we can discuss your options, including withdrawing consent under section 9.
15. Contact
Questions, concerns, access requests, or complaints about this Privacy Policy or our handling of your personal information can be directed to:
- Privacy contact: Sean Gannage, Gannage Financial
- Online: Use our contact form
- Mail: Gannage Financial, Newmarket, Ontario, Canada
For written correspondence, please reach out through the contact form first so we can confirm a current mailing address for formal delivery.
If we have not resolved your concern to your satisfaction, you may also contact the Office of the Privacy Commissioner of Canada: priv.gc.ca or 1-800-282-1376.
This policy is provided for information only and is not legal advice. For questions that require legal advice, please consult a qualified lawyer. To reach us about this policy directly, use our contact form. See our Terms of Use for information about using the site itself.