Privacy Policy

Last updated: March 2026

Introduction

Indigenious Inc. (and its affiliate Indigenious LP) is committed to protecting your privacy and ensuring transparency about how we handle data. This Privacy Policy explains what information we collect, how we use it, and your rights under Canadian law.

We operate the Indigenious platform as a B2B business verification and bridging service for Indigenous communities and businesses across Canada. Indigenous data sovereignty is not a feature of our platform—it is our foundation.

Information We Collect

Business Registration Data

When you register your business on Indigenious, we collect:

Business legal name and operating names
Business registration number and incorporation jurisdiction
Business address and mailing address
Owner/principal contact information (name, email, phone)
Business sector classification and services offered
Community affiliation (which Indigenous community or territory the business serves)

Verification Data

To verify your business legitimacy, we collect:

Documentation supporting business registration (articles of incorporation, business license)
Proof of community connection (letters of support, community validator approval)
Financial and compliance records relevant to verification (tax clearance certificates, insurance documents)

Usage Data

We collect information about how you use our platform:

Login frequency and session duration
Features accessed and actions taken
Search and matching activity
Communication through the platform (matched introductions, messages)

Technical Data

Standard web analytics:

IP address
Browser type and version
Device type
Pages visited and time spent
Referring URL

What We Never Collect

We have a strict prohibition on collecting certain data categories that pose privacy risks to Indigenous peoples:

Status card numbers or other Indigenous identity document numbers — NEVER collected, regardless of circumstances
Scans or photographs of status cards or Indigenous identity documents — NEVER collected
Personal health information — not collected
Biometric data — not collected
Religious or spiritual affiliation details — not collected beyond general community self-identification

        Why? Status cards and Indigenous identity documents are sensitive records. Collecting them creates unnecessary privacy risk and violates OCAP principles. Community validators confirm Indigenous business legitimacy through other means: documentation, references, and community knowledge.
      

How We Use Information

Verification and Matching

We use your registration and verification data to:

Confirm your business legitimacy and good standing
Match Indigenous businesses with procurement opportunities, financing, and partners
Enable community validators to confirm your community connection
Maintain accuracy of business directory information

Platform Improvement

We use usage data to:

Understand how businesses use the platform
Identify and fix technical issues
Improve features and user experience
Develop new tools for Indigenous business verification

Compliance Reporting

Where legally required, we may use your data to:

Comply with federal procurement regulations (PSIB, Indigenous content requirements)
Report program outcomes to government partners
Prevent fraud and protect platform integrity

What We Do NOT Do

Sell your data to third parties
Share data without explicit consent
Use your data for marketing to non-Indigenous companies without approval
Profile or discriminate based on Indigenous status

With Your Consent

We share your data only when you explicitly consent. Common scenarios:

You match with a business partner and approve the introduction
You apply for financing and authorize us to share your profile with a lender
You request a community validator check and consent to information sharing within your community

With Community Validators

Your community validator (designated by Unations) receives:

Business registration information
Community affiliation claim
Supporting documentation

Validators use this to confirm legitimacy. They follow OCAP principles and are bound by confidentiality.

With Government Partners

To support federal procurement and Indigenous business development programs, we may share aggregated, anonymized data with:

Indigenous Services Canada (ISC)
Economic Development Canada
Other federal Indigenous business programs

This data is aggregated (not individual business profiles) and does not identify you personally.

With Service Providers

We engage third-party service providers for:

Cloud hosting (data storage in Canada)
Payment processing
Email communication

All service providers sign data processing agreements and are prohibited from using your data for their own purposes.

OCAP Compliance

OCAP (Ownership, Control, Access, Possession) is a framework created by Indigenous communities to govern Indigenous data rights. Indigenious is built on OCAP principles:

Ownership

Communities own their data. We do not claim ownership of community data, business data, or validation records. Your business profile belongs to you. Community validation records belong to the validating community.

Control

You control how your data is used. You decide:

What information appears in your business profile
Who can see your profile
Which opportunities you engage with
Whether to share data with partners or lenders

Access

You have full access to your data. You can:

Download your complete business profile
Review all data we hold about you
Request corrections or updates
See what data is being shared and with whom

Possession

Your data is held securely in Canada. We store all business data in Canadian servers controlled by Indigenious or Canadian service providers. Community data is accessible to communities at any time.

Data Retention and Deletion

We retain your data only as long as necessary:

Active accounts: Data retained while your business profile is active
Inactive accounts: Data retained for 3 years after account closure (for compliance and dispute resolution)
On request: We delete your data immediately upon written request, with no questions asked

Deletion means complete removal from all systems, with the exception of anonymized aggregated data used for program reporting.

        Right to Deletion: You can request deletion of your data at any time by contacting privacy@indigenious.ca. We will confirm deletion within 30 days.
      

Security Measures

We protect your data with industry-standard security:

Encryption in transit: All data transmitted to Indigenious is encrypted (HTTPS, TLS)
Encryption at rest: Sensitive data stored in our systems is encrypted
W3C VC verification: Business verification status is issued as W3C Verifiable Credentials, creating a tamper-proof, privacy-preserving record
Access controls: Only authorized staff can access personal data, and access is logged
Regular audits: We conduct security audits and penetration testing annually
Incident response: We have documented procedures for responding to data breaches

PIPEDA Rights

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to:

Access: Request access to all personal information we hold about you
Correction: Request correction of inaccurate information
Deletion: Request deletion of your personal information
Portability: Request your data in a portable format
Withdraw consent: Withdraw consent for data processing at any time

To exercise these rights, contact our Privacy Officer at privacy@indigenious.ca with your request and proof of identity.

Contact Us

Privacy Officer
Indigenious Inc.
Email: privacy@indigenious.ca
Response time: 30 days

If you have concerns about how we handle your data or believe we have violated your privacy rights, you can file a complaint with:

Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, QC K1A 1H8
Phone: 1-800-282-1376
Website: priv.gc.ca