Privacy Policy

Introduction

This notice tells you what personal information we collect, why we collect it, what we do with it, and what choices you have.


We are a Canadian law and consulting practice. We operate from Ontario, and we are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), to Canada’s Anti-Spam Legislation (CASL) for our marketing communications, and — when we provide legal services — to the Law Society of Ontario’s Rules of Professional Conduct. Information you give us in connection with a legal retainer is also protected by solicitor-client privilege.


If you are looking for the short answer, we collect very little. We use what we collect to deliver our services, to run a mailing list, and to operate this website. We do not sell personal information. We do not share email addresses for marketing without consent. We do not run third-party advertising on this site.

1. Who we are and how to contact us

Constantine Karbaliotis, Barrister & Solicitor, Professional Corporation, operating as Privacy Legal™.


11–285 Taunton Road East, Oshawa, Ontario, L1G 3B2


For privacy questions, requests about your personal information, or complaints, contact:


Privacy Officer: Constantine Karbaliotis


Email: privacy@privacylegal.ca

2. What information we collect

We collect personal information in three contexts.


Legal and consulting clients. When we act for you, we collect identifying information needed for conflicts checks and the Law Society of Ontario’s “know-your-client” rules, billing information, and whatever information about your matter is necessary to provide advice. Depending on the work, this can include financial information, health information, or other sensitive details. We collect this directly from you, or with your knowledge from third parties involved in the matter.


Mailing list subscribers. If you sign up for The Privacy Briefing or another mailing list, we collect your first name, last name, email address and, if you choose to provide them, your job title and employment role.


Website visitors. When you visit www.privacylegal.ca, we automatically collect limited technical information — your IP address, browser type, operating system, language preference, access time, and pages viewed. This is described in section 9 (Cookies and similar technologies) and section 10 (Analytics and fonts).


We do not knowingly collect more than we need.

3. Why we collect it

For clients: to give you legal or consulting advice, to comply with our professional obligations, to bill you, and to keep records the law requires us to keep.


For mailing list subscribers: to send you The Privacy Briefing Newsletter and Reports, and occasional notices of speaking engagements, training, and services. Nothing else.


For website visitors: to operate and improve the website, to understand, in aggregate, how it is used, and — where you provide your information through a form — to associate your activity with your contact record in order to respond to your inquiry and manage our communications with you. 

4. How we use and share information

With staff and contractors. We use the information internally to do the work. Where we engage administrative or technical service providers — for file management, website hosting, customer relationship management, email delivery, accounting, and related functions  — we require them to protect personal information to at least the standard we apply ourselves. When you provide your information through forms on the website, we use a customer relationship management platform — HubSpot — to store that information and to maintain a contact record. This record may include the information you provide, as well as information about your interactions with the website and our communications (such as pages visited or email engagement), which are associated with that record after submission. For more information about how HubSpot processes personal information, see its privacy policy and data processing agreement.


With co-counsel and other professionals. Where a matter requires it, we may work with another law firm, consultant, or expert. We do this only with your consent or where the engagement letter contemplates it.


On legal demand. We may disclose information to comply with a subpoena, court order, regulatory demand, or other legal obligation; to investigate suspected wrongdoing or threats to safety; or to defend ourselves against a legal claim. PIPEDA permits these disclosures without consent under section 7(3).


In a corporate transaction. If the practice is sold, merged, or transferred — unlikely as a planned event but possible — your information may be transferred to the successor under the same obligations.


We do not sell personal information. We do not share email addresses or contact information with marketers.

5. Where your information is stored

Some of our records are stored on cloud services operated by providers headquartered in Canada, which may be operated by companies in the United States. Wherever it is stored, this means your information may in defined circumstances, be accessible to law enforcement and national security agencies under applicable law (including the Foreign Intelligence Surveillance Act and the CLOUD Act on terms that differ from Canadian law). We have written agreements with our service providers that require them to protect your information and to notify us of legal demands when permitted. This includes information contained in email communications and other correspondence with us. 


Where available, we configure our service providers to store personal information in Canada or the European Union. These measures are intended to limit cross-border data transfers; however, some providers are headquartered in the United States, and personal information may still be subject to access by U.S. authorities in accordance with applicable law. 


We do not currently transfer personal information outside Canada for processing in jurisdictions other than the United States.

6. How long we keep it

Client files. At least six years, as required by the Law Society of Ontario, and longer where the nature of the matter requires it (for example, where a limitation period or a statutory record-keeping obligation applies).


Mailing list. Until you unsubscribe. After you unsubscribe, we retain your email address and a record of the unsubscribe so that we can honour your request and comply with applicable law. 


Website and contact data. Information collected through the website, including contact records created through form submissions and associated activity, is retained for as long as necessary to respond to your inquiry, manage communications, and maintain appropriate business records, unless deletion is requested and we are not required to retain it. 


Website analytics. Technical and usage information collected through analytics tools is retained in accordance with our service providers’ standard retention settings and is used only in aggregate to understand how the site is used. 


Inquiries that do not become engagements. Up to two years from last contact, then deleted unless the file shows we should keep it for conflict purposes.

We destroy or anonymize personal information when the retention period ends.

7. How we protect it

We treat client information as confidential by professional obligation; we treat all personal information with the same care. Our cloud services, including systems used for file management, communication, and customer relationship management, are secured with access controls, encryption in transit and at rest where supported, and authentication appropriate to the sensitivity of the information. Access to personal information is limited to those who require it for the purposes described in this notice. No system is perfectly secure. We expect users to keep their own credentials and devices reasonably secure as well.

8. Your rights

Under PIPEDA, you have the right to:


  • Ask what personal information we have about you, how we use it, and to whom we have disclosed it.
  • Ask us to correct it if it is inaccurate or incomplete.
  • Withdraw your consent to our continued use of it, subject to legal and contractual restrictions (for example, we cannot delete records the Law Society requires us to keep).


To exercise any of these rights, email privacy@privacylegal.ca. We will respond within 30 days. We may need to verify your identity before releasing information. There are limited circumstances under PIPEDA section 9 in which we may decline a request — including where the information is subject to solicitor-client privilege, where it would reveal personal information about another person, or where it was generated in the course of a formal dispute resolution process. If we decline, we will tell you why.

9. Marketing emails (CASL)

We send commercial electronic messages — The Privacy Briefing, occasional notices of speaking engagements and services — only with your consent.


When you provide your email address through the website’s subscription forms, you are giving express consent to receive these messages. We may also send commercial messages on the basis of an existing business relationship, as defined in CASL, for the period that the law provides.


Our email communications may include basic engagement tracking (such as whether an email is opened or a link is clicked) to understand how our communications are received and improve them. 


Every commercial message we send identifies the sender, gives a mailing address and contact email, and includes a one-click unsubscribe link. If you unsubscribe, we will stop sending commercial messages within 10 business days. You can also unsubscribe at any time by emailing admin@privacylegal.ca.


We may still send you non-commercial messages — for example, replies to your inquiries, or transactional notices about a matter we are working on — without consent under CASL.

10. Cookies and similar technologies

This website uses cookies, which are small files placed on your device when you visit a site.


  • Session cookies are stored only for your browsing session and are deleted when you close the browser.
  • Persistent cookies stay on your device between visits and let the site remember your preferences.
  • Third-party cookies are set by services that operate parts of the site, such as analytics and communication tools.


Cookies and similar technologies are used to operate the site, to understand, in aggregate, how it is used, and to support communication with users who have provided their information through the site. You can control cookies through your browser settings. Disabling cookies may affect how the site works. The site presents a cookie notice on first visit; by continuing to use the site after seeing this notice, you consent to the use of cookies as described here and in this notice. 


Analytics and fonts


We use analytics tools provided through our website platform and customer relationship management system to understand, in aggregate, how visitors use the site. These tools collect technical information such as IP address, browser type, and pages visited.



Where you provide your information through a form on the site, your activity may be associated with your contact record so that we can respond to your inquiry and understand how our communications are received.


We use Google Web Fonts so the site displays consistently across browsers. When your browser renders a page, font files may be requested from Google’s servers, which means your IP address is briefly visible to Google during that request.


We do not run third-party programmatic advertising, and we do not place advertising cookies on this site.

11. Automated decisions and artificial intelligence

We do not make decisions about you or clients based solely on automated processing. A person reviews and is responsible for every substantive decision in our work.


We use AI tools to help us draft, research, and analyze. Where personal information of a client is involved, we use those tools under engagement-specific safeguards, including controls to prevent training on client data where such controls are available, access restrictions, and review of tool-specific terms.


No AI tool processes visitor personal information for any purpose described in this notice.

12. Children

This website is not directed at children, and our services are provided to adults and organizations, not minors. We do not knowingly collect personal information from children. If you believe a child has given us personal information, contact privacy@privacylegal.ca, and we will delete it.

13. Complaints

If you have a concern about how we have handled your personal information, contact our Privacy Officer first at privacy@privacylegal.ca. We will investigate and respond within a reasonable time.


If you are not satisfied with our response, you have the right to complain to the Office of the Privacy Commissioner of Canada:


Address: 30 Victoria Street, Gatineau, Quebec K1A 1H3

Phone: 1-800-282-1376

Web: https://www.priv.gc.ca


You may also have rights to complain to other regulators if you reside in a jurisdiction with its own privacy authority.

14. Changes to this notice

We may update this notice from time to time. When we make a material change — a change that affects how we collect, use, or disclose your information — we will post the updated notice on this page and update the effective date below. For mailing list subscribers, we will send a notice by email. We will not rely on your continued use of the website as your consent to material changes.


Earlier versions are available on request from privacy@privacylegal.ca.

15. Effective date

This notice is effective May 1, 2026


Last modified: April 29, 2026