Privacy Policy Review

You drafted it with AI or copied a template. Now get a Canadian business lawyer to make it PIPEDA-compliant and enforceable. Flat-fee pricing.

Two Service Tiers

Choose Review Only for a written memo of issues identified, or Review and Edit for a fully revised Privacy Policy with tracked changes.

PIPEDA + Quebec Law 25 Compliance

We check for compliance with Canadian federal privacy law (PIPEDA), Quebec's Law 25, and provincial privacy statutes — not just U.S. CCPA boilerplate.

Canadian Law Compliance

Drafts checked for Ontario jurisdiction, PIPEDA privacy compliance, Consumer Protection Act requirements, and enforceable limitation of liability.

Fast Turnaround

Review Only in 2-3 business days. Review and Edit in 3-5 business days. Urgent options available.

AI Drafted It. A Lawyer Should Review It.

More Canadian businesses are using ChatGPT, Claude, and other AI tools to produce first drafts of their Privacy Policies. That is a smart use of technology — but it is not the finish line.

AI-generated Privacy Policies are generic. They often default to U.S. privacy frameworks (CCPA, GDPR), omit critical Canadian disclosures required under PIPEDA, fail to address Quebec’s Law 25 obligations, and miss provincial privacy law requirements. A Privacy Policy that is non-compliant exposes your business to complaints to the Privacy Commissioner and potential regulatory penalties.

At Onley Law, we work with exactly this scenario every day. Whether your Privacy Policy was drafted by AI, copied from a template, or written in-house, we offer two clear services to make sure it actually protects your business and complies with Canadian privacy law.

Two Ways We Can Help

Option 1: Review Only

What it includes: A complete legal review of your existing Privacy Policy. We provide a written summary of issues identified, risks flagged, and specific recommendations for changes — delivered as a clear memo you can act on.

Best for: Businesses that have an internal team who can implement edits, and want a legal second opinion before going live.

Turnaround: Typically 2-3 business days. Flat-fee pricing provided after document review.

Option 2: Review and Edit (Tracked Changes)

What it includes: Everything in the Review Only option, plus a fully revised version of your Privacy Policy returned as a Word document with tracked changes. Every edit is visible so you know exactly what changed and why.

Best for: Businesses that want a finished, lawyer-revised document ready to use — not just a list of issues to fix themselves.

Why tracked changes? Transparency. You should see every revision a lawyer makes to your document, with full ability to accept or reject any edit.

Turnaround: Typically 3-5 business days. Flat-fee pricing provided after document review.

Choose Review Only or Review and Edit — we will quote within one business day.

What Your Privacy Policy Needs to Cover Under Canadian Law

Personal Information Defined: Your Privacy Policy must clearly identify what personal information you collect. Under PIPEDA, this is broader than many U.S. frameworks — it includes any information about an identifiable individual.

Purposes of Collection: PIPEDA requires you to identify the purposes for which personal information is collected at or before the time of collection. Generic language like “to provide services” is not enough.

Consent Mechanisms: Express consent is required for sensitive information. Implied consent has limits. Your Privacy Policy must explain how consent is obtained and how it can be withdrawn.

Use, Disclosure, and Retention: Disclose third parties who receive personal information (cloud providers, analytics, payment processors). Specify retention periods.

Safeguards: Describe the security measures protecting personal information — administrative, technical, and physical.

Quebec Law 25 Compliance: If you have Quebec users, your Privacy Policy must address Law 25 obligations including privacy officer designation, privacy impact assessments for cross-border transfers, and the right to data portability.

Cross-Border Data Transfers: If personal information is processed outside Canada (most SaaS), this must be clearly disclosed.

Access and Correction Rights: Individuals have the right to access their personal information and correct inaccuracies. Your Privacy Policy must explain how to make such a request.

Breach Notification: Reference your breach notification protocols. Under PIPEDA, breaches of security safeguards involving real risk of significant harm must be reported.

Contact Information: Name and contact details of your Privacy Officer or accountable individual.

Who Needs a Privacy Policy Review?

SaaS and Software Companies: If you process customer data, you almost certainly fall under PIPEDA. Your Privacy Policy is the foundation of your privacy compliance posture.

E-Commerce Businesses: Collecting customer information, payment details, and analytics data triggers privacy obligations. Your Privacy Policy must address all data collection touchpoints.

Businesses with Quebec Users: Quebec’s Law 25 imposes specific requirements beyond PIPEDA — including the right to data portability and mandatory privacy impact assessments for certain cross-border transfers.

Healthcare and Health-Tech Companies: Health information triggers additional obligations under provincial health privacy laws (PHIPA in Ontario, others elsewhere).

Marketplace and Platform Businesses: User-generated content, identity verification, and platform-to-platform data flows all require precise disclosure.

Any Business Using an AI-Generated Privacy Policy: AI tools produce reasonable starting points but rarely understand Canadian privacy law nuances. Review is essential.

A Note on Canadian Law

Canadian privacy law is its own framework — not GDPR Lite and not CCPA. PIPEDA (the federal Personal Information Protection and Electronic Documents Act) applies to most commercial activity in Canada. Quebec, Alberta, and British Columbia have substantially similar provincial statutes. Quebec’s Law 25 (which came into full effect September 2023) significantly expanded obligations for businesses with Quebec users.

If your business operates in Canada or has Canadian users, your Privacy Policy must be drafted for Canadian privacy law — not adapted from a U.S. CCPA template or a European GDPR notice.

Frequently Asked Questions

Does my small business really need a Privacy Policy?

If you collect any personal information from users — including via a contact form, analytics cookies, or account signup — you are subject to PIPEDA. A Privacy Policy is the standard way to satisfy disclosure obligations under the law.

My Privacy Policy was generated by AI. Is that a problem?

The problem is rarely the format — AI tools produce well-formatted policies. The problem is substantive: missing PIPEDA disclosures, U.S.-centric framing, no Law 25 references, and generic boilerplate that does not match your actual data practices. A legal review catches these issues.

How does Quebec’s Law 25 affect me if I am not in Quebec?

If you have users in Quebec — even one — Law 25 may apply to you. The law is broad in its territorial scope. We assess this as part of every Privacy Policy review.

Do Privacy Policies need to be updated regularly?

Yes. Update your Privacy Policy whenever you add new data collection, change third-party processors, expand to new jurisdictions, or when privacy law changes. We can flag which sections are most likely to need updating.

Do you also review Terms & Conditions and other website policies?

Yes. We offer the same Review Only and Review and Edit service for Terms & Conditions, Acceptable Use Policies, Master Services Agreements, Cookie Policies, and Data Processing Agreements. Many clients review them together as a complete website legal package.

How do I get a quote?

Send us your draft Privacy Policy using the form below. We will review it and provide a flat-fee quote within one business day — no obligation to proceed.

No retainer required. No billable-hour surprises.

Get a Flat-Fee Quote

Tell us about your draft below. We will reply within one business day with a flat-fee quote and instructions for sending us your document (if you have one ready).
