Privacy Policy

Effective date: September 30, 2025

K&P CPAs (“K&P,” “we,” “us,” or the “Firm”) respects your privacy and the confidentiality that is fundamental to professional accounting services. This Policy explains how we collect, use, disclose, and protect personal information in the course of our business, including on kpcpa.ca and related client portals (the “Services”). It is designed to comply with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial rules. PIPEDA generally excludes an individual’s business contact information when used solely to communicate with them about their employment, business, or profession.

1) Scope

This Policy applies to personal information we handle about clients (individuals) and client representatives of business entities; individuals connected to our engagements (e.g., employees of audit clients, vendors, shareholders and beneficial owners); website visitors and portal users; and job applicants and former applicants. It does not cover information of federal public bodies or purely corporate information.

2) What we collect

We collect only what is needed for identified purposes:

• Client and engagement information. Name and contact details; government identifiers (such as SIN where required by law); financial and tax records; payroll and HR records; investment and banking details; ownership and control information (including beneficial ownership); board and management materials; legal correspondence; valuation and forensics files; and related working papers.
• Identity and compliance information. Copies of identification; KYC results and screening outcomes where required for anti‑money laundering or sanctions compliance.
• Website/portal data. Device and log data (IP address, browser, pages viewed), cookies and similar technologies used for functionality, security, and analytics. See Cookies & similar technologies.
• Recruitment data. CVs, credentials, transcripts, and background/reference checks (where lawful).

We may collect personal information from you, your organization, third‑party advisors, public sources, prior accountants/auditors, tax authorities and regulators, banks and other financial institutions, data rooms, and screening service providers, as permitted by law.

3) Purposes (why we use personal information)

• Provide services (assurance, review, compilation, tax, valuations, advisory, forensics) and manage engagements
• Perform independence, conflict and quality checks
• Communicate about services, billing and collections
• Meet legal, regulatory and professional obligations (including PIPEDA, CPA professional standards, tax legislation, and when applicable to certain activities, PCMLTFA/FINTRAC obligations)
• Operate and secure our IT systems and portals; improve our website
• Conduct internal analytics (in aggregated or de‑identified form where feasible)
• Recruit, evaluate and onboard candidates
• Market our services in accordance with Canada’s Anti‑Spam Legislation (see Section 11)

We do not use solely automated decision‑making that produces legal or similarly significant effects about you.

4) Our privacy principles

K&P follows PIPEDA’s 10 fair information principles: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure and retention; accuracy; safeguards; openness; individual access; and challenging compliance.

5) Consent and your choices

We generally collect, use and disclose personal information with meaningful consent, except where not required or permitted by law (for example, audits/investigations, fraud detection, or compliance activities). You may withdraw consent at any time, subject to legal and contractual limits. We provide clear, context‑appropriate explanations to support informed choices.

6) Cookies & similar technologies

We use necessary cookies for site and portal functionality and may use optional analytics cookies to understand usage and improve content. You can manage cookies in your browser and through our site’s cookie preferences. Disabling some cookies may degrade functionality. We do not engage in online behavioural advertising without transparency and an effective opt‑out.

Manage preferences: if your browser supports it, visit our cookie settings link in the footer of this site.

7) Disclosures (who we share with)

We disclose personal information only as needed for the purposes above or as required by law, including to:

• Service providers under contract (IT hosting, portals, communications, e‑signature, storage, payment processing, identity and sanctions screening). We require confidentiality and appropriate safeguards, including for cross‑border processing.
• Regulators and professional oversight bodies (e.g., CPA Ontario/Canada) for inspections, investigations, or practice reviews.
• Government authorities and courts where required or permitted by law (e.g., tax authorities, law enforcement, subpoenas).
• Corporate transactions involving the Firm, subject to PIPEDA rules for business transfers.

8) Cross‑border processing

Some service providers may be located outside Canada (for example, in the United States). PIPEDA permits cross‑border transfers for processing where the transferring organization remains accountable and ensures comparable protections. Information in another jurisdiction may be accessed by courts, law enforcement and national security authorities of that jurisdiction. We assess vendors, include contractual safeguards, and apply risk‑appropriate technical and organizational measures.

9) Safeguards

We maintain administrative, technical and physical safeguards appropriate to the sensitivity of information, including role‑based access, encryption in transit and at rest where feasible, secure configurations, multi‑factor authentication, staff training, and vendor due diligence. No safeguard is perfect, but we design controls aligned to PIPEDA’s Safeguards principle.

10) Anti‑money laundering (when applicable)

Accountants and accounting firms are reporting entities under Canada’s PCMLTFA when carrying out certain activities on behalf of clients. Where those activities apply, we collect and keep specific records (for example, identity verification; large cash or large virtual currency transactions; receipt of funds) and retain them for at least five years, consistent with FINTRAC guidance.

11) Marketing and CASL

If we send you promotional emails or similar messages, we do so in line with Canada’s Anti‑Spam Legislation (CASL): consent, identification, and a functional unsubscribe in every message. You can opt out at any time via the unsubscribe link or by contacting us. Transactional or engagement communications may still be sent.

12) SMS communications

We offer one‑to‑one, service‑related SMS messaging between clients and their assigned K&P professional. Examples include scheduling, document requests, deadline reminders, and engagement updates. This is not a marketing program.

• How we use your number: solely to deliver service‑related text messages about your engagement.
• We do not sell or share your mobile opt‑in data or consent with third parties for their marketing or promotional purposes.
• Processors only: we may disclose your number to service providers acting as our processors to send messages and maintain delivery and consent records.
• Opt‑out: reply STOP to any message to stop; you will receive a one‑time confirmation. To resume, reply START. For help, reply HELP or email info@kpcpa.ca.
• Message frequency: varies based on engagement activity. Message and data rates may apply.
• Security: SMS is not a secure channel for sensitive information. For document exchange we will direct you to our secure client portal.
• More info: see our SMS Terms.

13) Retention

We keep personal information only as long as necessary for the purposes identified and to meet legal, regulatory and professional requirements, then securely destroy or anonymize it.

• Engagement documentation and working papers. Retained for a period sufficient to meet professional, legal and risk requirements; firms commonly retain for at least the CRA reassessment period and often longer given professional standards and potential claims.
• Tax records. CRA generally requires records be kept for six years from the end of the last tax year they relate to.
• AML/ATF records. Where FINTRAC obligations apply to our activities, specified records must be kept at least five years.

14) Access and correction

Subject to limited exceptions, you have the right to access personal information we hold about you and to request corrections if it is inaccurate or incomplete. We respond within reasonable timelines and may require verification of identity. If we refuse a request, we will explain why and the options available to you.

15) Breaches and incident response

If a breach of security safeguards poses a real risk of significant harm, we will notify affected individuals and report to the Office of the Privacy Commissioner of Canada, and keep required records of all breaches, in accordance with PIPEDA. We will also notify third parties where appropriate to reduce risk.

16) Québec residents (Law 25)

If you are in Québec, we apply additional requirements of the Act respecting the protection of personal information in the private sector (as amended by Law 25). These include designating a person in charge of personal information and publishing their title and contact details, conducting privacy impact assessments for certain projects and cross‑border disclosures, special consent rules for minors under 14, and the right to data portability as it becomes technically available.

17) Children’s privacy

Our Services are for professional use and not directed to children under 13. If you believe a child under 13 has provided us personal information without appropriate consent, contact us and we will take appropriate steps.

18) Third‑party links and portals

Our site and client portals may contain links to third‑party sites. Their privacy practices are not our responsibility. Review their policies before providing personal information.

19) Updates to this Policy

We may update this Policy to reflect changes to our practices or legal requirements. Material changes will be posted with an updated effective date.

20) How to contact us or make a complaint