Northwen Privacy Policy

Effective Date: March 31, 2025

Introduction

Northwen (“we,” “us,” or “our”) is committed to protecting your privacy and safeguarding your personal information. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our website and services. It applies to all visitors, including vendors and government or business representatives, who interact with Northwen’s site. We comply with applicable privacy laws and regulations, including Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, the European Union’s General Data Protection Regulation (GDPR). By using our site or providing your information, you agree to the practices described in this Privacy Policy.

Information We Collect

We do not require user accounts for site access. However, we may collect personal information in the following ways:

  • Information You Provide Directly: When you fill out contact forms, newsletter sign-up forms, vendor application forms, or payment/application forms on our site, you may provide personal details. This can include your name, business name, email address, phone number, mailing address, job title, and any information you choose to include in messages or form fields. For example, vendors applying for subcontracting opportunities might provide information about their services, qualifications, or references.

  • Payment Information: If our site facilitates payments (e.g. for application fees or service fees), you might provide payment details. In such cases, payments are typically processed through a secure third-party payment processor. We generally do not store full credit card numbers on our servers; only necessary transaction information is retained for records (e.g. confirmation of payment, billing name, and contact).

  • Automatically Collected Information: When you visit our site, we and third-party tools may collect certain technical data automatically. This includes your IP address, browser type, device type, operating system, referring website, pages viewed, and the dates/times of access. We collect this through cookies and similar tracking technologies (described below) for analytics and security purposes. This usage data helps us understand how our site is used and improve its functionality.

  • Cookies and Tracking Technologies: We use cookies (small text files stored on your device) and similar technologies (like web beacons or pixels) to enhance user experience and analyze web traffic. For instance, cookies may remember your preferences (such as language selection) or collect aggregate information on how visitors navigate our site. You can control or disable cookies through your browser settings; however, note that some site features might not function properly without cookies. (See Cookies and Tracking below for more details.)

  • Information from Third Parties: In general, we collect data directly from you. We do not usually obtain personal information from third-party sources about you, except in specific contexts related to our services. For example, if you are a vendor applicant, we may receive references or verification information from third parties you have directed to share information (such as a reference you list on an application). Additionally, if you engage with us on social media or other platforms, we might receive your username or contact via those platforms under their privacy rules.

We limit our collection to information necessary for the purposes identified in this policy. You have choices about the information you provide, but not providing certain details (such as contact information) may limit your ability to use some services (for example, we cannot respond to a contact inquiry without an email address).

How We Use Your Information

Northwen uses the personal information we collect for legitimate business purposes and as otherwise permitted or required by law. These uses include:

  • Providing and Improving Services: We use contact information (like your name and email) to respond to inquiries you send through our contact form or email. For example, if you ask about our procurement brokering services, we will use your information to communicate with you and provide details. If you apply as a vendor or subcontractor, we use the information in your application to evaluate your qualifications, match you with suitable government procurement opportunities, and facilitate the subcontracting/brokering process.

  • Communication and Updates: With your consent, we use your email address to send newsletters or updates. For instance, if you sign up for our mailing list, we will send you periodic emails about Northwen’s services, relevant government contract opportunities, industry news, or events. You can opt out of these marketing communications at any time (see Your Rights and Choices below for how to unsubscribe). We may also send administrative or transaction-related communications (for example, confirmation of receiving your inquiry or changes to our policies), which are necessary for our interactions with you.

  • Facilitating Transactions: If payments are involved (such as paying a fee through our site), we use the provided financial or billing information to process those transactions and maintain proper records. This may include sending receipts or invoices and ensuring payments are securely handled.

  • Analytics and Site Improvement: We analyze usage data (e.g. site visitation patterns, page interactions, and referring sources) to understand how users engage with our website. This helps us troubleshoot issues, improve site design and content, and tailor our services to user needs. For example, understanding that many users visit a particular page can guide us to provide more information on that topic. We typically use Google Analytics and similar tools for this purpose (see Third-Party Tools below), which provide aggregated insights.

  • Cookies and Tracking Usage: Information collected through cookies and similar technologies is used to remember user preferences and provide a smoother browsing experience. For example, a cookie might save your form inputs temporarily so that if you navigate away and come back, you don’t have to re-enter data. Cookies also allow us to provide a more personalized experience (such as recognizing repeat visitors) and measure the effectiveness of our site content or campaigns (like tracking how many users read a particular article).

  • Safety and Security: We may use information (like IP addresses or user activity logs) to protect the security of our website, our company, and our users. This includes detecting and preventing fraudulent activity, spam, or unauthorized access to our systems. For example, if we detect repeated suspicious attempts to access non-public parts of the site, we may use the logged IP information to block those attempts and investigate potential threats.

  • Legal Compliance and Enforcement: We may process and retain personal information to comply with our legal obligations and to enforce our agreements. For example, we could use or disclose information as necessary to meet record-keeping requirements, tax and financial reporting obligations, or lawful requests by public authorities. If required, we may also use information to enforce our Terms of Use, to investigate or respond to potential violations of law or contracts, or to protect our rights, property, or safety (or that of our users or others). This can include using personal data to address disputes or legal claims involving Northwen.

We will only use your personal information for the purposes for which we collected it, or for compatible purposes such as internal record-keeping or audits. If we need to use your data for an unrelated new purpose, we will notify you and, if required, seek your consent.

Legal Bases for Processing (GDPR Notice)

For individuals in the European Union/European Economic Area, we process personal data under the following legal bases, as allowed by the GDPR:

  • Consent: In certain cases, we rely on your consent to process your personal information. For example, we will obtain your consent before sending you marketing emails (such as our newsletter) or placing non-essential cookies on your device. You have the right to withdraw consent at any time, as described in Your Rights and Choices. Withdrawal of consent will not affect the lawfulness of processing that occurred before you withdrew consent.

  • Performance of a Contract: When we need to process your information to fulfill a contract with you or to take steps at your request before entering a contract. For instance, if you are a vendor providing information to become a subcontractor through our platform, we process that data as part of offering our brokering services to you (a contractual arrangement). Similarly, if you pay for a service, we process payment and contact details to complete the transaction.

  • Legitimate Interests: We may process your data when it is in our legitimate interests to do so, and those interests are not overridden by your data protection rights. Our legitimate interests include maintaining and improving our website, responding to your inquiries, ensuring IT security, and carrying out our business operations (for example, using analytics to understand usage patterns or using contact information to communicate with you about your inquiry). When relying on legitimate interests, we carefully consider and balance any potential impact on you (both positive and negative) and your rights under privacy laws. You have the right to object to processing based on our legitimate interests (see Your Rights and Choices).

  • Legal Obligation: In some situations, we must process personal data to comply with a legal or regulatory obligation. For example, Canadian privacy law may require us to retain certain transaction records for a minimum period, or we might have to disclose information in response to a court order or government regulation. In these cases, the law constitutes the basis for processing and we will limit the information handled to what is necessary for compliance.

If you have questions about the legal basis of how we process your data, feel free to contact us (see Contact Us at the end of this policy). We will provide additional information or clarification as needed.

Cookies and Tracking

Our website uses cookies and similar tracking technologies to distinguish you from other users and to improve your experience. This section describes how we use these technologies and your choices:

  • Types of Cookies We Use:

    • Essential Cookies: These are necessary for the basic functioning of our website. For example, if we have a multi-step form or a secure area (even without user accounts, perhaps a protected form), essential cookies might maintain the state of your session. Without these cookies, certain features may not work correctly.

    • Analytics and Performance Cookies: We use these to collect information about how visitors use our site. For example, Google Analytics cookies help us count visitors, see which pages are most popular, or understand how users move through our site. This data is aggregated and does not directly identify individuals; it helps us improve site performance and design.

    • Functional Cookies: These cookies remember choices you make to personalize your experience (such as your language preference or any customization on the site). They ensure that when you return to the site, we can offer you the same settings you previously selected.

    • Third-Party Cookies: Some third-party services we use (described below under Third-Party Tools) may set their own cookies when you visit our site. For instance, if we embed a Typeform on our site to collect your response, Typeform might use cookies to enable that form to function properly. Similarly, our analytics provider sets cookies to track usage. We do not use third-party advertising networks that set targeting cookies, and we do not serve targeted advertising on our site.

  • Cookie Consent: When you first visit our site, you may see a notification about our use of cookies. By continuing to use the site, you consent to the placement of cookies as described (where required by law, we will explicitly request your consent for non-essential cookies). You can manage or delete cookies at any time through your browser settings. Most browsers allow you to block cookies or alert you when cookies are being sent. However, please note that if you disable all cookies, some parts of our site may not function optimally. For example, disabling cookies might prevent certain forms from remembering your input or could disable analytics (which is fine for you as a user, but it limits the data we gather for improvements).

  • Do-Not-Track Signals: Some browsers offer a “Do Not Track” (DNT) feature that, when enabled, sends a signal to websites indicating you do not wish to be tracked. Currently, there is no standard interpretation or practice for responding to DNT signals. As such, our site does not respond differently to a browser’s DNT signal. We continue to honor any cookie preferences you have set (for instance, if you have blocked third-party cookies, those will be blocked), and you can always opt out of analytics as described.

  • Analytics Opt-Out: If you wish to opt out of Google Analytics tracking, Google provides an Analytics Opt-out Browser Add-on that you can install in your browser. This add-on prevents Google Analytics from collecting information on visits to sites that use GA. Additionally, some privacy browser settings or extensions can automatically block analytics scripts. Keep in mind that our analytics data is not used to identify you personally; it is primarily used to improve our service and your experience.

For more detailed information about the cookies and similar technologies we use, or to change your preferences, you can contact us or refer to any Cookie Notice on our site (if available). By using our site without disabling cookies, you indicate your consent to our use of cookies as described in this Privacy Policy.

Third-Party Tools and Service Providers

Northwen uses trusted third-party service providers to operate our website and deliver certain functionalities. We ensure that any third parties who process personal information on our behalf are bound by appropriate confidentiality and data protection obligations. The key third-party tools and services we use include:

  • Google Analytics: We utilize Google Analytics to gather information about website usage and visitor interactions. Google Analytics uses cookies and similar technologies to collect data such as your IP address, browser type, pages visited, and time spent on pages. This information is transmitted to Google’s servers (which may be located outside of Canada, including in the United States or other countries) and aggregated for us. Google provides reports that help us understand website traffic and webpage usage. We use these reports to improve content and navigation on our site. Importantly, we do not allow Google to use or share our analytics data for its own purposes (such as advertising). Google may truncate or anonymize IP addresses when stored. For more details on how Google Analytics works, you can refer to Google’s own Privacy Policy. If you prefer to opt-out of Google Analytics, please see the Cookies and Tracking section above for options.

  • Typeform: We may use Typeform (an online form service) to create and process certain forms on our site, such as detailed contact questionnaires or vendor application forms. When you fill out a Typeform embedded on our website (or accessed via a link we provide), the information you enter is transmitted to Typeform’s servers, where it is stored on our behalf. Typeform’s infrastructure is hosted on Amazon Web Services; according to Typeform, primary data storage is in the United States (with possible backups in other regions). This means that the personal data you submit via a Typeform may be transferred to and processed in the U.S. Typeform, as our data processor, is contractually obligated to protect your information and only process it according to our instructions. We have ensured our use of Typeform is GDPR-compliant by executing a Data Processing Agreement with them. If you prefer not to use the Typeform, you may contact us through alternative means (e.g., directly via email or phone as listed on our site).

  • Email Newsletter Provider: To manage our newsletter and mass email communications, we use a third-party email marketing service (e.g., Mailchimp, SendinBlue, or a similar provider). When you subscribe to our newsletter, your name and email address are stored by this provider on our behalf. They facilitate the sending of our newsletters and allow us to manage subscription lists and compliance with email regulations (such as unsubscribe functions). These email services typically store data on servers in the United States or other jurisdictions. We ensure any such provider we use has strong privacy and security practices and, if applicable, has GDPR-compliant measures (like EU Standard Contractual Clauses or participation in recognized transfer frameworks) in place for international data transfers. Each newsletter we send will include an easy way to opt out or unsubscribe, as required by Canada’s Anti-Spam Legislation (CASL) and other laws.

  • Hosting and IT Service Providers: Our website may be hosted by a third-party hosting company. That means all data transmitted to our site (including any personal information you submit) passes through and may be stored on servers operated by that hosting provider. We choose reputable hosting services with data centers that implement strong security measures. These providers may also store backup copies of our website data for reliability. Additionally, we may use IT consultants or cloud service providers for maintenance, backup, or additional functionality of the site. All such providers are contractually required to keep any personal data confidential and secure.

  • Other Plugins or Tools: From time to time, we might incorporate other third-party plugins or services to enhance user experience (for example, an embedded map from Google Maps to show our office location, or a social media “share” button). These features might collect your IP address or set a cookie in order to function. We will endeavor to list any significant data-collecting plugins here in our Privacy Policy. If you have specific questions about a particular feature on our site, please contact us for details on any third-party data processing it may involve.

Third-Party Privacy Practices: While we carefully select our service providers, this Privacy Policy does not cover the practices of third parties we don’t own or control. For example, if you navigate to a third-party website from our site (such as a government portal or a vendor’s site via a link), their privacy policies and practices will govern any data you provide there. We encourage you to review the privacy policies of any third-party websites or services before providing your personal information to them. Northwen is not responsible for the privacy practices of external sites or services that are not acting under our direction.

How We Share Your Information

Northwen respects the confidentiality of your personal information. We do not sell or rent your personal data to third-party marketers. However, in the normal course of business, we may share information with others in the following circumstances:

  • With Service Providers and Partners: As described above, we share personal information with third-party service providers who need access to such information to perform services on our behalf. For example, we share data with our email service provider to send you newsletters, or with our form processing provider (Typeform) to collect your application responses. We only share the information that is necessary for these providers to carry out their functions, and they are contractually bound to use it solely for that purpose and to protect it.

  • Within Northwen (Affiliates and Personnel): Personal information may be accessed by authorized Northwen personnel or affiliated entities who require it to perform their duties (for instance, our team members who respond to inquiries or who assess vendor applications). All staff and contractors with access to personal data are subject to strict confidentiality obligations. If Northwen operates through multiple corporate entities (e.g., a parent or subsidiary company in another province), we may share data internally between those entities, but always under the same privacy standards described here.

  • With Government Agencies or Procurement Partners: A core part of Northwen’s business is brokering government procurement contracts, which means connecting vendors with government entities or prime contractors. If you are a vendor applicant or subcontractor, we may share some of the information you provide with relevant third parties strictly as necessary to fulfill our role. For example, if you submit a profile or proposal to be considered for a federal, provincial, or municipal contract, we might share your application details with the government department managing that contract or with a prime contractor who is seeking subcontractors. This sharing is done to advance the procurement opportunity you are pursuing and only with parties involved in that process. We will not share vendor application information with unrelated third parties outside of a procurement context without your consent. Furthermore, any sensitive information (like proprietary business data in your proposal) will be handled with due confidentiality and only disclosed to those who have a need to know for evaluation purposes, subject to any confidentiality agreements or procurement rules in place.

  • For Legal Requirements: We may disclose personal information if required to do so by law or in response to valid requests by public authorities. For instance, if a court order, subpoena, or government regulation compels us to disclose certain data, we will comply with that legal obligation. Additionally, we may disclose information to regulatory or enforcement authorities if necessary to report a lawful activity, respond to claims, or protect the rights, property, or safety of Northwen, our users, or the public. Where appropriate and legally permissible, we will inform you if we are required to provide your personal information in this manner.

  • Business Transactions: If Northwen undergoes a business transaction such as a merger, acquisition by another company, corporate reorganization, or sale of all or part of its assets, personal information in our possession may be transferred as part of that transaction. We would ensure that any successor entity continues to handle your personal information in accordance with this Privacy Policy or provides notice of changes. Similarly, if we engage in a partnership or joint venture that affects how your data is used, we will communicate the relevant details to you and ensure your privacy rights are maintained.

  • With Your Consent: In any situations other than those above, if we intend to share your personal information with third parties, we will inform you and obtain your consent as required. For example, if we ever want to use a testimonial you provided along with your name or if we consider sharing your contact with a specific partner not covered by the scenarios above, we would only do so if you agree.

We remain responsible for personal information that we share with third-party agents or service providers as per our obligations under applicable law. If any third-party misuse of personal data occurs, we will take appropriate action to address it.

International Data Transfers

Northwen is based in Canada, and the personal information we collect is primarily stored and processed in Canada. However, some of the third-party service providers we use (such as those in Third-Party Tools above) are located in other countries (including the United States and possibly countries in the European Union). This means your personal information may be transferred to, stored in, or accessed from jurisdictions outside of your home province, state, or country.

  • Data Transfers from the EU/EEA: The European Commission has recognized Canada’s private-sector privacy laws (under PIPEDA) as providing an adequate level of data protection for personal data transferred from the EU to Canadian organizations. This “adequacy” decision allows for the free flow of personal data from the EU/EEA to Canada without additional safeguards. However, when we transfer EU personal data to third parties in countries not covered by an adequacy decision (for example, to the United States for services like Google Analytics or Typeform), we rely on appropriate safeguards as required by GDPR. Typically, these safeguards include Standard Contractual Clauses (SCCs) or equivalent data transfer agreements with our service providers, which contractually ensure that your personal information receives a level of protection equivalent to that in the EU. We will also seek your explicit consent for transfers in special cases where required by GDPR.

  • Data Transfers from Other Jurisdictions: If you are located in a country with data protection laws that require certain protections for cross-border transfers (such as the UK or other countries with similar laws), we will similarly ensure compliance. This may include implementing contractual safeguards or obtaining consent, in line with those legal requirements.

  • Your Consent to Transfer: By providing information to Northwen or using our site, you acknowledge and consent that your personal information may be transferred across national borders to countries where our third-party service providers are located. We understand that different countries may have different data protection standards. Rest assured, we take steps to ensure that any party handling your data, regardless of location, abides by stringent privacy protection obligations.

  • Storage Location: To be transparent, here is an overview of where key data is typically stored:

    • Contact form inquiries and vendor applications submitted through our site are stored on our secure servers in Canada, or forwarded to our business email (which is hosted in a secure cloud service possibly in the U.S. or Canada).

    • Newsletter subscription information is stored by our email service provider’s servers (commonly in the United States, unless our provider offers a Canadian or EU data center and we use it).

    • Analytics data collected by Google may be processed on Google’s global infrastructure (with main analytics servers in the United States and backups elsewhere). We have enabled data privacy features where possible (like IP anonymization) to limit personal data in these analytics.

    • Any data processed via Typeform will reside on Typeform/AWS servers in the United States (with potential backups in the EU).

    • Backup copies of our website data (including form submissions) may be stored in secure cloud storage which could be in Canada or the United States, but protected via encryption and access controls.

If you have questions about international data transfers or want more information about our safeguards for cross-border data, please contact us. We can provide additional details such as copies of relevant contractual clauses upon request (subject to any confidentiality requirements).

Data Retention

Northwen will retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, or to meet legal and contractual obligations. In practice, this means:

  • General Inquiries: If you contact us with a question but do not engage our services further, we may retain your inquiry and our response for a certain period (for example, 1–2 years) in case you follow up or to improve our customer service. This also allows us to reference past communications if you reach out again. We regularly review stored inquiries and securely delete information that is no longer needed.

  • Newsletter Subscription: We retain your email and related profile information on our mailing list until you unsubscribe or until we determine that our emails are consistently bouncing (indicating the address is no longer active). If you unsubscribe from the newsletter, we will stop sending you emails immediately. We may, however, keep your email on a suppression list (to ensure we honor your opt-out) or in our archives for record-keeping, unless you request complete erasure (in which case, we will remove it to the extent feasible).

  • Vendor Applications and Business Records: If you submit a vendor application or otherwise participate in a procurement opportunity through Northwen, we will retain the information you provided for the duration of the evaluation process and, if you are selected or engaged, for the duration of your relationship with us or the relevant project. Even if you are not immediately selected for a contract, we may keep your application on file for a period (e.g., a few years) in case future opportunities arise or for audit and compliance purposes related to the procurement. We understand that vendor information can be sensitive, so we store it securely and limit retention to what is necessary. If you wish to have your vendor application removed sooner, you can contact us (unless we are required by law or legitimate business needs to retain it).

  • Payment and Transaction Data: Any billing records, invoices, or payment transaction details will be kept as long as required by financial reporting and tax laws. For example, Canadian law may require us to maintain financial records for a minimum of 6–7 years. During this retention, your payment information is protected and only accessible to authorized personnel or as needed for accounting.

  • Analytics Data: Data collected via Google Analytics is aggregated and anonymized; Google provides options to control how long user-level and event-level data is stored (commonly options are 14 months, 26 months, etc.). We have configured our analytics to retain data only as long as necessary (typically 26 months or less), after which it is deleted automatically on a rolling basis. We do not store raw analytics logs indefinitely.

  • Backup Retention: Our systems may create periodic backups of data (including personal information contained in our site database or email systems). These backups are for recovery in case of system failure. Backup files are retained for a limited time and are securely stored. When backups expire, they are deleted or overwritten. In cases where we delete specific data from our live systems at your request, it’s possible that the data could remain in encrypted backups for a short period until those backups are cycled out. We have procedures to ensure that if we restore from a backup, any deleted data is re-deleted or anonymized in accordance with your requests.

  • Legal Holds and Disputes: On occasion, we may need to retain information for longer than our standard periods if it is subject to a legal hold. For instance, if we are involved in a legal dispute or investigation that requires certain data to be preserved as evidence, we will retain that data until the issue is resolved and we are legally permitted to delete it.

Once personal information is no longer necessary for the purposes for which it was collected or any legal requirement, we will either irreversibly anonymize it (so that it can no longer be associated with an identifiable individual) or securely destroy/delete it. We use secure methods to dispose of both electronic and physical records containing personal information.

Data Security

We take the security of your personal information very seriously. Northwen has implemented a variety of administrative, physical, and technical security measures to protect your data from unauthorized access, use, alteration, and disclosure. These measures include:

  • Encryption: Our website is secured via industry-standard encryption protocols (SSL/TLS). This means that when you submit information through our site (for example, by filling out a form), the data is encrypted in transit between your browser and our server. For sensitive data stored in our systems, we employ encryption at rest where appropriate, or secure hashing for things like passwords (though we do not have user accounts requiring passwords at this time).

  • Access Controls: We restrict access to personal information to employees and contractors who need that information to operate, develop, or improve our services. Access is granted on a least-privilege basis — only personnel who have job responsibilities requiring access to certain data (e.g., our business development team reviewing vendor applications, or IT staff maintaining the database) are able to view it. Those personnel are trained on confidentiality obligations and are subject to strict contractual confidentiality commitments.

  • Secure Hosting: Our website and databases are hosted on secure servers that are protected by firewalls and monitoring systems. We use reputable hosting providers with robust security certifications and protocols. Regular security audits and vulnerability scans are conducted to detect and address potential weaknesses.

  • Third-Party Security: When we use third-party processors (such as Typeform or email services), we review their security practices to ensure they meet high standards. We also include data protection clauses in our agreements with them. For example, Typeform and major email providers have security measures like encryption, access control, and regular testing in place. We stay updated on our providers’ security and privacy certifications (like SOC 2, ISO 27001, or others) to ensure your data remains safe.

  • Breach Prevention and Response: We maintain an incident response plan for handling potential data breaches or security incidents. This plan includes steps for containment, investigation, notification, and remediation. In the unlikely event of a data breach that poses a real risk of significant harm to you, we will notify you and relevant authorities as required by law (for instance, PIPEDA and some provincial laws in Canada mandate breach notification in certain circumstances, as does the GDPR for EU residents). Our goal is to react swiftly to security alerts or suspicious activity. We also perform regular data backups so that we can restore information in case of an accidental loss or corruption.

  • Employee Training: All Northwen team members are trained to follow best practices in security and privacy. This includes using strong passwords and two-factor authentication for accessing systems, recognizing and avoiding phishing attempts, and handling personal data in accordance with this Privacy Policy and our internal guidelines. We treat personal information with the same care we would treat our own sensitive information.

Despite all these precautions, it’s important to note that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security. You play a role in security as well: for example, when communicating with us via email or forms, ensure you’re on our legitimate site and be cautious about the information you share, especially if it’s highly sensitive. If you have reason to believe that your interaction with us or your data might not be secure (for instance, if you suspect a vulnerability or if you receive suspicious communications purporting to be from Northwen), please notify us immediately so we can investigate.

Your Rights and Choices

We respect your rights to your personal information. Depending on your jurisdiction (e.g., Canada, the EU/EEA, or otherwise), you may have some or all of the following rights regarding the personal data we hold about you:

  • Access and Correction (Rectification): You have the right to request access to the personal information we hold about you and to receive an explanation of how we use it and who we share it with. You also have the right to request that we correct or update any inaccurate or incomplete personal information. For example, if you find that we have misspelled your name or have an outdated email address on file, you can ask us to fix it. Under PIPEDA in Canada, and similarly under GDPR, we will provide access to the information we have about you within a reasonable time frame, except in certain circumstances (for instance, if providing access would reveal personal information about another individual or if it’s subject to legal privilege).

  • Data Portability: If you are an EU/EEA resident, you have the right (in certain situations) to obtain the personal data you provided to us in a structured, commonly used, and machine-readable format, and to request that we transfer that data to another organization where technically feasible. Data portability rights generally apply when processing is based on consent or contract and carried out by automated means. If you require direct transfer to another service, we will try to accommodate if possible.

  • Withdrawal of Consent: Where we rely on your consent to process information (for example, for sending marketing emails or certain cookies), you have the right to withdraw that consent at any time. You can unsubscribe from our newsletter using the “unsubscribe” link in any marketing email, or adjust your cookie preferences through your browser or any provided consent tools on our site. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, and it may not affect processing that is not based on consent (for example, processing under another legal basis).

  • Object to Processing: In certain cases, you have the right to object to our processing of your personal information. EU individuals have the right to object to processing based on our legitimate interests or for direct marketing purposes. For example, if we process your data for our legitimate interest in improving services, and you feel this has a significant impact on your rights, you can object, and we will consider your request. If you object to direct marketing, we will honor that absolutely (we will stop using your data for that purpose). For Canadian users, while there isn’t an identical “object” right in PIPEDA, you always have the ability to opt out of marketing and to request we not use information for non-essential purposes.

  • Erasure (Right to be Forgotten): You may request that we delete your personal information in certain circumstances. For EU residents, this right is available when the data is no longer needed for the purposes it was collected, or if you withdraw consent and no other legal basis for processing applies, or if you object to processing and we have no overriding legitimate grounds to continue, or if we unlawfully processed your data, or if required to erase to comply with a legal obligation. If you are not an EU resident, we will still consider requests for deletion. For example, a Canadian individual can ask that we delete personal data we hold about them; while PIPEDA doesn’t guarantee a right to erasure, we will accommodate such requests to the extent we are not required to retain the data for legal or business reasons. Keep in mind, some information we may anonymize rather than delete if deletion is not feasible or if the data is needed in aggregate form. If we have shared your information with third-party processors, we will convey deletion requests to them as well, where required.

  • Restriction of Processing: You have the right to ask us to limit the processing of your personal data in certain cases. For instance, if you contest the accuracy of the data, you can request we refrain from processing it (aside from just storing it) until we verify its accuracy. Similarly, if you have objected to processing (pending our verification of overriding interests) or if processing is unlawful but you prefer restriction over deletion, or if we no longer need the data but you need it for a legal claim – these are scenarios where restriction could apply. During a period of restriction, the data will be marked and only processed for certain purposes (e.g., legal compliance or with your consent).

  • Automated Decision-Making: Northwen does not make any decisions about you that have legal or similarly significant effects based solely on automated processing of personal data (no profiling or automated eligibility decisions without human involvement). If this changes in the future, and you are subject to such decisions, you would have the right to know and to request human intervention or to contest the decision.

  • Complaints to Authorities: If you believe your data protection rights have been violated, you have the right to lodge a complaint with the appropriate supervisory authority. For Canadian individuals, this might be the Office of the Privacy Commissioner of Canada (for PIPEDA issues) or a provincial privacy commissioner if applicable (e.g., in Quebec, British Columbia, or Alberta which have their own private-sector privacy laws). For EU individuals, you can contact the data protection authority in the country of your residence or work, or where the alleged infringement occurred. Of course, we encourage you to contact us first so we can address your concerns directly – your satisfaction and trust are extremely important to us.

Exercising Your Rights: To exercise any of the above rights, please contact us using the information in the Contact Us section. We may need to verify your identity before fulfilling certain requests (to ensure we don’t disclose data to the wrong person). Verification might involve confirming ownership of the email used to contact us or asking for additional information to confirm your identity. We will respond to requests within a reasonable timeframe and in accordance with applicable law (GDPR requires us to respond within one month, PIPEDA recommends we respond within 30 days, etc., which we strive to meet). If we need more time or if we cannot fulfill your request, we will inform you of the reason (for example, if an exception applies, such as we cannot delete data that we must keep for legal tax filings).

Please note that certain rights may not apply universally. For example, if you are in a jurisdiction that does not provide a specific right (such as data portability), our granting of that right will be at our discretion. However, we aim to honor the spirit of privacy and transparency for all our users, regardless of location. We will not discriminate against any individual for exercising their privacy rights (for instance, we won’t deny you service just because you made a data request).

Vendor Applications & Procurement Information

Because Northwen’s business involves facilitating government procurement contracts, we want to address how we handle information specifically related to vendors and procurement processes:

  • Vendor Application Data: If you are a vendor (contractor, supplier, consultant, or other service provider) submitting information to Northwen to be considered for government contracts or subcontracts, you may provide detailed business and personal information. This can include company profiles, resumes or CVs of key personnel, references, certifications (e.g., security clearances, professional licenses), financial information (for qualification), and past project experience. We treat this information with a high degree of confidentiality. Northwen will use vendor application data solely for evaluation and matching with procurement opportunities, as well as for communicating with you regarding those opportunities. We will share your application details only with relevant parties as needed (for example, with a government contracting officer or prime contractor looking for a subcontractor in your field, as noted in the How We Share Your Information section). We will not disclose your sensitive business information to any competitor or unrelated party. All Northwen staff handling vendor data are aware of the sensitivity and are bound by confidentiality agreements.

  • Confidentiality and Procurement Rules: We recognize that government procurement often involves strict rules around confidentiality and fairness. If as part of a procurement process you provide us with information that is labeled or intended to be confidential (like a bid proposal or proprietary solution), we will adhere to any confidentiality agreements or procurement guidelines associated with that process. For federal procurements in Canada, for example, there may be federal confidentiality provisions that we, as a broker or subcontractor, must follow. We will ensure that any evaluation teams or decision-makers only receive the necessary information and that it remains protected. Also, we commit to transparency and fairness: we won’t give any vendor an unfair advantage by disclosing insider information, and we won’t disclose one vendor’s proprietary information to another.

  • Transparency and Legal Disclosure: Vendors should be aware that certain information might become public as required by government transparency rules. For instance, if you are awarded a government contract (even facilitated by Northwen), the basic details of that contract (such as the contract award amount, the winning vendor’s name, and a description of the work) might be published by the government entity as part of proactive disclosure or could be obtainable by the public under freedom of information laws. Northwen is not typically subject to Freedom of Information or Access to Information legislation (since we are a private company), but the government clients are. This means that if your information is included in a submission to a government body (like as part of a proposal or bid), that body might later be required to disclose some information if requested under applicable laws. We will not voluntarily publish or reveal details of your proposals or applications, but we also have no authority to prevent a government agency from fulfilling its legal obligations. We advise vendors to avoid including unnecessary personal information in proposals (stick to business data) and to clearly mark any proprietary information so that all parties are aware of its sensitive nature.

  • Vendor Consent and Responsibility: By submitting any personal information or business data to Northwen as part of a vendor application or procurement process, you consent to our handling of that information as described in this Privacy Policy. This includes sharing with relevant government agencies or partners to further your business opportunity. If you provide personal information about third parties (for example, you list an employee’s name and credentials in your application, or give a reference contact), you should have the authority or permission to share that information with us. We will treat such third-party personal data in accordance with this Privacy Policy as well. It is your responsibility to ensure that any individuals whose personal data you include (like team members in your proposal or references) are aware their information may be shared with us and potentially with clients, and to direct them to this Privacy Policy if they want to learn how we handle data.

  • Retention of Procurement Data: As noted in Data Retention, we keep vendor application data for a period of time to facilitate current and future opportunities. If you want us to delete or return certain proprietary materials (like detailed proposals) after a procurement process is completed, please let us know. In some cases, we might be required to keep certain records by law or for audit purposes (e.g., government procurement integrity audits). We will securely store any retained data and purge it when it is no longer needed.

In summary, Northwen aims to balance confidentiality and transparency in line with government procurement expectations. We strive to protect sensitive vendor information while also complying with any requirements for openness and fairness in public sector contracting.

Children’s Privacy

Our website and services are not directed to individuals under the age of 13 (and in some jurisdictions, under 16). Northwen does not knowingly collect personal information from children. Given the nature of our services (government procurement brokering), it is very unlikely that children would be engaging with our site. If you are under 13, please do not submit any personal information through our contact forms or other features. If we become aware that we have inadvertently collected personal information from someone under the applicable age without proper consent, we will take steps to delete it as soon as possible.

Parents or guardians: if you believe that your child has provided personal information to us without your consent, please contact us immediately (see Contact Us below). We will then work to promptly investigate and remove the information.

Updates to This Privacy Policy

We may update or revise this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we do so, we will post the updated Privacy Policy on our website with a new effective date. If the changes are significant, we may also provide a more prominent notice (such as a banner on our site or an email notification, if appropriate).

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of our website or services after any changes to this Policy constitutes your acceptance of the updated terms (to the extent permitted by law). If you do not agree with any changes, you should stop using the site and can contact us if you have concerns.

For historical reference or upon request, we can provide prior versions of this Privacy Policy. If required by applicable law, we will also keep an archive of past privacy policies.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or Northwen’s privacy practices, please contact us. We are here to address your inquiries and support you in exercising your rights.

Privacy Officer – Northwen
Email: privacy@northwen.com
Mailing Address: Northwen Inc., 1117 Cooke Boulevard, Burlington, Ontario, Canada, L7T0C6

Telephone (289) 635-4238

Please include your name and contact information and clearly describe your question or request. For security and privacy, we may need to verify your identity before fulfilling certain requests (as noted above). We will respond as promptly as possible, generally within 30 days.

Thank you for trusting Northwen with your personal information. We value your engagement and are committed to safeguarding your privacy while providing high-quality procurement brokering services

Northwen

Streamlining public-sector procurement for Canadian agencies.

Connect

Support

info@northwen.com

© 2025. All rights reserved.

Privacy Policy

Terms and Conditions

Northwen is a registered business in Ontario, Canada

By submitting your email, you agree to receive occasional updates from us.

Accessibility Statement

Data Processing Addendum (DPA)