Last Updated: April 9, 2026
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal privacy law. Enacted in 2000, PIPEDA sets the rules for how private-sector organizations collect, use, and disclose personal information in the course of commercial activities.
The law applies to organizations operating in Canada that handle personal information as part of for-profit business activities. It covers federally regulated businesses (banks, airlines, telecommunications companies), organizations that transfer personal information across provincial or national borders, and businesses in provinces that have not enacted their own substantially similar privacy legislation.
Quebec, British Columbia, and Alberta have their own provincial privacy laws that the federal government has deemed substantially similar to PIPEDA. Businesses operating solely within those provinces are generally governed by their provincial legislation instead.
PIPEDA is built on ten fair information principles outlined in Schedule 1 of the Act. These principles form the backbone of Canadian privacy law and guide how organizations should handle personal information.
Organizations are responsible for the personal information they hold and must designate an individual to oversee compliance. This includes maintaining policies, training staff, and implementing a privacy management program.
The purposes for collecting personal information must be identified before or at the time of collection. Organizations must clearly communicate why they are collecting information and how it will be used.
An individual's knowledge and consent are required for the collection, use, or disclosure of personal information. Consent must be meaningful — individuals need clear, timely information about how their data will be used.
Collection must be limited to what is necessary for the identified purposes. Organizations should only collect information that is directly relevant to their business needs, using fair and lawful means.
Personal information may only be used or disclosed for the purposes for which it was collected, unless the individual consents otherwise or the law requires it. Organizations must establish data retention schedules and dispose of information that is no longer needed.
Personal information must be accurate, complete, and up to date for the purposes for which it is used. Organizations must have processes in place to correct inaccurate data when notified.
Personal information must be protected by security safeguards appropriate to the sensitivity of the information. This includes physical measures, organizational controls, and technological protections against loss, theft, unauthorized access, modification, or destruction.
Organizations must make their privacy policies and practices readily available to the public. Transparency about how personal information is managed builds trust and ensures individuals can make informed decisions.
Upon request, individuals must be informed of what personal information an organization holds about them, how it is being used, and to whom it has been disclosed. Individuals have the right to access their data and request corrections to inaccurate information.
Individuals must be able to challenge an organization's compliance with these principles. Organizations are required to have a process for addressing complaints, typically through a designated privacy officer.
Vocatively was built with Canadian privacy law in mind from day one. Here is how we uphold each of the ten fair information principles:
All customer data is stored in Canada. Our database infrastructure is hosted in Canadian data centres, ensuring your information never leaves the country. This is a foundational commitment — not an afterthought.
We only collect information that is directly necessary to provide our AI call answering service. When our AI handles a call, it captures the caller's name, reason for calling, and contact information — nothing more. We do not collect or store information beyond what is needed to deliver your call summaries and manage your account.
Every call handled by Vocatively begins with a clear disclosure. Callers are informed that they are speaking with an AI assistant and that the call is being recorded. If a caller objects to recording, the AI offers to take a message instead. This ensures callers give informed, meaningful consent — exactly as PIPEDA requires.
All data transmitted to and from Vocatively is encrypted using industry-standard protocols. Data stored in our Canadian database is encrypted at rest. Sensitive fields such as caller phone numbers receive additional encryption. Email notifications containing call summaries can be sent via encrypted email for clients who require an extra layer of protection.
We do not keep personal information indefinitely. Detailed call records — including caller names, phone numbers, and call summaries — are automatically purged after 90 days. After purging, only anonymized, aggregate-level analytics remain. This three-tier retention model (detailed records, account analytics, anonymized aggregates) ensures we retain data only as long as it serves a legitimate purpose.
You can view, export, or request deletion of your data at any time by contacting us at support@vocatively.app. We respond to all access and correction requests within 30 days, as required by PIPEDA.
Our five-layer spam detection system screens calls before they reach the AI. Spam and telemarketing calls are blocked automatically, which means fewer unwanted callers have their information processed in the first place. This aligns with PIPEDA's principle of limiting collection to what is necessary.
In the unlikely event of a data breach involving a real risk of significant harm, we will notify affected individuals and the Office of the Privacy Commissioner of Canada promptly, as required by PIPEDA's breach notification provisions. We maintain records of all security incidents and our responses.
Vocatively has a designated compliance lead responsible for overseeing our privacy practices. We regularly review our policies, train our team on privacy obligations, and conduct assessments to ensure ongoing compliance with PIPEDA and applicable provincial privacy laws.
Vocatively serves businesses across North America. If you are based in the United States, here is what you should know about how your data is handled.
Your data is stored in Canada, protected by PIPEDA — one of the world's strongest national privacy frameworks. The European Union recognizes Canadian privacy law as meeting its own high standard under GDPR, a distinction the United States has not received.
No US federal law requires general business data to remain within the United States. By storing your data in Canada, Vocatively provides you with privacy protections that go beyond what most US-based services offer.
Vocatively's practices are designed to meet the requirements of US state privacy laws, including the California Consumer Privacy Act (CCPA/CPRA). You have the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information. Vocatively does not sell personal information. To exercise any of these rights, contact us at support@vocatively.app.
Some US states — including California, Illinois, and Florida — require all parties to consent to a call being recorded. Vocatively's AI assistant discloses at the start of every call that it is an AI and that the call is being recorded. This upfront disclosure satisfies two-party consent requirements across all US jurisdictions.
If you have questions about how Vocatively handles your personal information, or if you would like to make an access or correction request, please contact us:
Email: compliance@vocatively.app
We are committed to resolving any privacy concerns promptly and transparently.
For more information about PIPEDA, visit the Office of the Privacy Commissioner of Canada.