Privacy Officer

OfficeEaze has appointed a Privacy Officer responsible for our privacy program, handling privacy complaints, managing data subject requests, and overseeing vendor data protection.

Email: privacy@officeeaze.ca
Mailing address: [Ontario address]

To exercise your PIPEDA rights including access, correction, or withdrawal of consent, contact our Privacy Officer at the above email. We will respond within 30 days.

OfficeEaze Privacy Policy

Last updated: May 2026
Version 1.8
Governed by the laws of the Province of Ontario, Canada.

1. Our Commitment

Lou Squared Systems Inc., operating as OfficeEaze ("OfficeEaze", "we", "us"), respects your privacy and is committed to protecting your personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable provincial privacy legislation.

We are monitoring federal privacy law reform, including Bill C-27 and the proposed Consumer Privacy Protection Act (CPPA). As of the date of this policy, PIPEDA remains the applicable federal private sector privacy law in Canada. If and when replacement legislation comes into force, we will update our practices and this policy accordingly.

Scope of This Policy: OfficeEaze provides services exclusively to employers in Canadian provinces and territories outside Quebec. OfficeEaze does not serve employers in Quebec and this policy does not address obligations under Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25 / Bill 64). OfficeEaze is designed for use in non-unionized, provincially regulated workplaces only. Employers in federally regulated industries (banking, telecommunications, interprovincial transportation, and others under federal jurisdiction) are not the intended users of this Service and use it at their own risk.

OfficeEaze is a trade name of Lou Squared Systems Inc., a corporation incorporated under the Canada Business Corporations Act. References to "OfficeEaze", "we", and "us" in this Privacy Policy refer to Lou Squared Systems Inc.

2. Definitions

For clarity in this policy:

"Personal information" means information about an identifiable individual, as defined under PIPEDA.

"Sensitive personal information" means the subset of personal information that, if disclosed, could cause significant harm — specifically, in the context of OfficeEaze: Social Insurance Numbers, banking and direct deposit details, dates of birth, medical information stored for emergency contact purposes, and biometric clock-in photographs.

"Account holder" or "employer" means the business or individual who creates and controls an OfficeEaze account.

"Employee data" means personal information about an employer's workers that the employer enters into OfficeEaze.

"Service" means the OfficeEaze platform and all associated features.

3. Information We Collect

We collect:

(a) Account information — name, email address, business name, role, job title, and account credentials.

(b) Business information you input — employee records, vendor details, invoices, wages, CRA deadlines, expenses, and scheduling data.

(c) Sensitive personal information you choose to store — Social Insurance Numbers, banking details for direct deposit setup, dates of birth, and medical information for emergency contacts. This information is stored in encrypted form and is never transmitted to any AI model.

(d) Usage data — log files, IP addresses, browser type, pages visited, and feature usage patterns.

(e) Payment information — when you subscribe to OfficeEaze, your payment details (billing name, billing address, and card or banking information) are submitted directly to Helcim Inc., our Canadian payment processor headquartered in Calgary, Alberta. OfficeEaze never receives your card number, CVV, or full banking details. Helcim returns a secure payment token, which is the only payment reference stored in OfficeEaze. Helcim is PCI DSS Level 1 certified — the highest level of payment card industry compliance. Helcim is subject to its own privacy policy available at helcim.com. Payment data processed by Helcim remains in Canada.

(f) Communications — support emails and chat records when you contact us.

(g) Account holder authentication data — the mobile phone number you provide at signup is used for two-factor authentication and account recovery. It is transmitted to Twilio Inc. solely to deliver one-time authentication codes.

(h) Pre-employment screening records — where an employer uses the Background Checks module, OfficeEaze stores candidate name, email address, position applied for, types of checks requested, check status, credit check justification (where applicable), and hiring decisions. Consent records confirming the candidate authorized each check are stored alongside the screening record. This information is entered by and belongs to the employer and is processed by OfficeEaze as data processor on the employer's instructions. Candidates whose information is entered into the Background Checks module are not OfficeEaze users and should direct any privacy inquiries to the employer who initiated the screening.

(i) Clock-in photos — where an employer enables selfie clock-in, photographs of employees captured at clock-in are stored securely in OfficeEaze. These photos are used solely to verify employee attendance and are accessible only to the employer and their authorized managers. Employers are responsible for obtaining employee consent before enabling selfie clock-in. Clock-in photos are retained for 90 days after capture and then permanently deleted unless the employer has flagged the punch for payroll dispute review, in which case the photo is retained for the duration of the dispute plus 1 year.

(j) Client and contact information — employers may store names, email addresses, phone numbers, addresses, and business notes for their own clients, customers, and business contacts using the Client Management module. This information is stored on behalf of the employer as data controller and is used solely to provide the Service. The employer is responsible for ensuring they have a lawful basis under applicable privacy legislation to collect and store this information in OfficeEaze. OfficeEaze does not use client contact information for any purpose other than displaying it to the employer within the Service.

(k) Employee authentication data — employee mobile phone numbers provided for employee portal authentication are transmitted to Twilio Inc. solely for the purpose of delivering one-time authentication codes. Twilio does not receive any other employee personal information. Mobile phone numbers are stored in the employee record and used only for authentication purposes.

4. How We Use Your Information

We use your information to:

(a) Provide, operate, and improve the Service.

(b) Process subscription payments through Helcim.

(c) Send transactional emails — security alerts, remittance reminders, document signing requests, pay stub notifications, and account administration messages.

(d) Send marketing emails and product updates only to users who have provided express consent under CASL.

(e) Respond to support requests.

(f) Comply with legal obligations including CRA requirements and provincial employment standards.

(g) Detect and prevent fraud, abuse, and unauthorized access.

(h) Generate anonymized, aggregated product usage statistics that cannot identify you.

5. Lawful Basis

We process personal information based on:

(a) The contract between us — necessary to provide the Service.

(b) Your express consent — for sensitive personal data and marketing communications.

(c) Our legitimate interests — operating, securing, and improving the Service.

(d) Legal obligations — compliance with tax, employment, and privacy legislation.

6. Data Controller and Data Processor Roles

OfficeEaze operates in two distinct privacy roles:

As a data controller: OfficeEaze controls personal information collected directly from account holders — including name, email address, business name, billing information, and usage data. OfficeEaze determines the purposes and means of processing this information and is responsible for it under PIPEDA.

As a data processor: OfficeEaze processes personal information that employers input about their employees — including Social Insurance Numbers, banking details, dates of birth, wages, and other HR records. In this role, OfficeEaze acts solely on the instructions of the employer. The employer is the data controller for all employee personal information stored in OfficeEaze and is responsible for ensuring they have a lawful basis to collect, store, and process that information.

Employee personal information is never used by OfficeEaze for any purpose other than providing the Service to the employer. OfficeEaze does not contact employees directly regarding their personal data except where required by law or where the employer has specifically authorized a communication (such as a pay stub notification or document signing request).

7. Sharing of Information

We do not sell your personal information. We do not share your information with advertisers. We share information only with the following service providers as necessary to operate the Service:

Lovable Inc. — application hosting and platform infrastructure. Data is hosted on Amazon Web Services Canadian region (ca-central-1, Montreal). SOC 2 Type II and ISO 27001:2022 certified. trust.lovable.dev

Lovable Email (Lovable Inc.) — outbound transactional email delivery, including security alerts, notifications, document signing requests, and pay stub notifications. Email is sent from a verified OfficeEaze subdomain. Operated by Lovable Inc.

Amazon Web Services — underlying cloud infrastructure (via Lovable). Canadian region (ca-central-1, Montreal). SOC 2 Type II and ISO 27001 certified.

Helcim Inc. — payment processing. Canadian company headquartered in Calgary, Alberta. PCI DSS Level 1 certified. Helcim receives your billing name, billing address, and card or banking details directly from your browser — this data never passes through OfficeEaze servers. OfficeEaze stores only the payment token Helcim returns. Payment data stays in Canada.

Anthropic PBC — AI processing for the Harris assistant. Company profile context only — no SINs, banking details, dates of birth, employee names, or employee personal information. United States. See Section 8.

ElevenLabs Inc. — voice synthesis for the Harris AI assistant's spoken responses, used only when you interact with Harris by voice. ElevenLabs receives only the text of Harris's spoken responses, converted to speech audio. It never receives Social Insurance Numbers, banking details, dates of birth, employee names, or any sensitive personal information. United States. SOC 2 Type II certified.

HeyGen — animated avatar video streaming for the Harris AI assistant's on-screen visual presence, used only when you interact with Harris by voice. HeyGen receives only the audio stream of Harris's spoken responses in order to animate the on-screen avatar. It never receives business data or sensitive personal information. United States.

Resend Inc. — inbound email processing only (receipt forwarding into the platform and support email intake). Resend no longer handles outbound customer email. United States. SOC 2 Type II certified.

Twilio Inc. — SMS delivery for account holder two-factor authentication, account recovery, and employee portal authentication. United States. ISO 27001 and SOC 2 Type II certified. SMS messages contain only a 6-digit code — no personal information in message content.

Cloudflare Inc. — security infrastructure and DDoS protection. United States. SOC 2 Type II and ISO 27001 certified.

Open Exchange Rates — exchange rate data provider used for non-CAD/USD currency conversions. Invoice total amounts in foreign currencies are transmitted to retrieve current exchange rates. No personal information is transmitted.

Bank of Canada — exchange rate data for CAD/USD conversions. No personal information is transmitted. Canadian federal government service.

Instatus — system status page hosting and uptime monitoring at status.officeeaze.ca. Receives only the public availability status of OfficeEaze services and, for subscribers, the email address used to subscribe to status notifications. No business or employee data is transmitted.

Government authorities when legally required.

A complete and current list of all subprocessors is maintained at officeeaze.ca/subprocessors

OfficeEaze has a signed Data Processing Agreement with Lovable Inc. (executed November 2025). Each other processor is subject to contractual data protection obligations. A Data Processing Agreement is available to OfficeEaze customers on request at privacy@officeeaze.ca.

8. Harris AI Assistant

When you use the Harris AI assistant, the following information is transmitted to Anthropic's Claude API to generate responses:

What Harris receives: Your company name, province, industry type, employee count, revenue range, certain aggregated financial metrics such as outstanding invoice totals, the current screen or module you are viewing within OfficeEaze, and your business health score summary.

Voice and avatar: Harris is available by text and by voice. When you interact with Harris by voice, the text of Harris's responses is converted to speech audio by ElevenLabs and used to animate an on-screen avatar through HeyGen (see Section 7). Voice processing handles only the words Harris speaks aloud — it never includes sensitive personal information.

Harris memory: Harris stores the following information in your OfficeEaze account database to provide continuity — document routing patterns (recurring vendor names and filing folder preferences learned over time), payroll notes (per pay period reminders and adjustments you ask Harris to remember, stored per pay period number), and bookkeeping and HR notes (follow-up items you ask Harris to track). Harris memory is stored in your OfficeEaze account, not with Anthropic. It is not used to train AI models. You can view, edit, and delete all Harris memory from Settings → Harris Memory at any time. Harris memory is deleted when your account is deleted.

What Harris never receives: Employee Social Insurance Numbers, banking details, dates of birth, employee names, medical information, payroll amounts, or any other sensitive personal information. This is a technical restriction — Harris was never given access to this data and cannot share what it cannot see.

Anthropic does not use data submitted through the API to train its models. Your conversations with Harris are not used to improve Claude. ElevenLabs and HeyGen do not use voice or avatar data submitted through their APIs to train models.

You may choose not to use Harris at any time, and you may use Harris by text only without engaging the voice or avatar features.

Automated Processing Disclosure: Harris may surface compliance flags, generate document suggestions, highlight payroll anomalies, or provide recommendations based on your business data. These outputs are informational only. No automated decision with legal or significant effect on any individual is made by Harris without human review and approval. The employer remains solely responsible for all final decisions including payroll approvals, HR actions, and compliance filings. Harris is an assistant — not a decision-maker.

Financial Projections Disclosure: Harris may generate cash flow forecasts, budget projections, variance analyses, and other forward-looking financial estimates based on data entered into OfficeEaze. These estimates are informational tools only and are not financial advice. See the Financial Projections section of the Terms of Service for the full disclaimer applicable to financial projections.

9. Data Storage and Cross-Border Considerations

Where your data is stored: Your data is physically stored in the Canadian AWS region (ca-central-1) — a data centre located in Montreal, Quebec. All data is encrypted at rest using AES-256-GCM with separate encryption keys per data category.

Infrastructure: OfficeEaze is hosted on Lovable's platform which runs on Amazon Web Services infrastructure — the same cloud provider used by Canadian banks, the federal government, and major Canadian enterprises. Lovable maintains SOC 2 Type II, ISO 27001:2022, and GDPR certification. Current compliance documentation including penetration test attestation and Transfer Impact Assessment is available at trust.lovable.dev

CLOUD Act disclosure: Amazon Web Services is an American company subject to US law including the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which allows US law enforcement to compel American companies to produce data in certain circumstances. This exposure is identical to that faced by virtually every Canadian organization using cloud infrastructure — including major Canadian banks and federal government agencies that also use AWS Canadian regions.

Other service providers: Some service providers — including our AI assistant (Anthropic), voice synthesis (ElevenLabs), avatar streaming (HeyGen), SMS authentication (Twilio), inbound email (Resend), and security infrastructure (Cloudflare) — are based in the United States. These providers handle only the limited data necessary for their specific function. They never receive Social Insurance Numbers, banking details, dates of birth, or medical information in plain text.

Our commitment: We are actively evaluating fully Canadian-owned infrastructure options as they become viable and will update this policy if our data storage arrangements change.

9A. International Data Transfer Consent

By using OfficeEaze, you acknowledge and consent to the processing of limited technical data by service providers located in the United States as described in Sections 7 and 9. This includes the AI assistant (Anthropic), voice synthesis (ElevenLabs), avatar streaming (HeyGen), SMS authentication (Twilio), inbound email (Resend), and security infrastructure (Cloudflare). These providers never receive sensitive personal information in plain text.

If you do not wish to have data processed by United States voice providers, you can use Harris by text only and avoid the voice and avatar features entirely. For any other concerns about cross-border processing, contact privacy@officeeaze.ca.

10. Sensitive Data Protection

Social Insurance Numbers are encrypted using AES-256-GCM with a dedicated encryption key and are never stored in plain text, never included in emails or exports, and never visible in full in the OfficeEaze interface.

Direct deposit banking details are encrypted separately with their own encryption key and are only decrypted server-side when generating direct deposit files.

Dates of birth and medical information are encrypted with category-specific keys.

Access to any encrypted field requires re-authentication and is logged in an immutable audit trail with timestamp and IP address.

Employee clock-in QR tokens are unique identifiers assigned to each employee for use with the kiosk time clock. These tokens are stored in the employee record and are regenerated if an employee is offboarded. QR tokens are not transmitted to any third party and are not used for any purpose other than time clock authentication.

11. Account Security

We protect access to your account through:

Strong password requirements — account passwords must be at least 12 characters and include uppercase, lowercase, a number, and a special character. Passwords are hashed and never stored in plain text.

Two-factor authentication — all employer accounts must verify with a 6-digit code from an authenticator app. Passkey (biometric) sign-in is also supported.

Self-serve account recovery — if you lose access to your authenticator app, you can recover your account by verifying the mobile phone number on file via SMS, after which you are required to set up two-factor authentication again. Password resets also require SMS verification of the phone number on file before a new password can be set.

Session controls — sessions expire after a period of inactivity, active sessions and trusted devices can be reviewed and revoked, and repeated failed authentication attempts trigger a temporary lockout and email alert.

12. Data Retention

After account cancellation, OfficeEaze begins deletion of account data within 30 days. The following data is retained longer as required by law:

Payroll records and T4 slips: minimum 6 years after the tax year they relate to (Income Tax Act requirement).

Invoices and financial records: 6 years.

Audit logs of sensitive data access: 3 years.

You can download a complete export of all your data at any time from Settings → Export Your Data before cancellation.

After each retention period, data is securely deleted or anonymized.

Document retention flagging: OfficeEaze includes a retention management system that flags documents in your Filing Cabinet that have passed recommended Canadian retention periods — 7 years for CRA financial records, 10 years for workplace safety records, 4 years after an employee's last day for former-employee HR documents, and permanent retention for corporate records (such as articles of incorporation, bylaws, and minutes). Documents are never automatically deleted. Flagged documents are presented to the account holder for manual review, and the account holder retains full control over what is deleted and when.

Employee personal information stored in OfficeEaze — including Social Insurance Numbers, banking details, dates of birth, payroll records, and HR documents — is deleted on the same schedule as employer account data. Former employees cannot independently request their personal data directly from OfficeEaze. Any such requests should be directed to the employer, who retains responsibility for employee records as data controller. Where an employer cannot be reached following account cancellation, OfficeEaze will respond to verified employee requests to the extent permitted by law and consistent with our retention obligations.

13. Children's Privacy

OfficeEaze is a business-to-business service intended for use by adults operating or employed by a business. We do not knowingly collect personal information from individuals under the age of 18 as account holders. If you believe a minor's personal information has been entered into the Service inappropriately, please contact privacy@officeeaze.ca and we will work with the account holder to address the situation promptly.

Note: Provincial employment standards legislation permits the employment of young workers (under 18) in certain circumstances. Where an employer has lawfully hired a young worker and enters that worker's information into OfficeEaze, that data is processed on the employer's instructions as data controller. The employer is responsible for ensuring they have the necessary consents and legal basis to collect and process that young worker's personal information.

14. Your Rights Under PIPEDA

You have the right to:

(a) Know what personal information we hold about you.

(b) Access and obtain a copy of that information.

(c) Correct inaccurate information.

(d) Request deletion of your information subject to legal retention requirements.

(e) Withdraw consent for non-essential processing.

(f) Data portability — export your data at any time from Settings → Export Your Data.

(g) File a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca

Employee Rights: If you are an employee whose personal information has been entered into OfficeEaze by your employer, your PIPEDA rights regarding that information should be directed to your employer, who is the data controller for your records. OfficeEaze is a data processor acting on your employer's instructions and cannot independently fulfill access, correction, or deletion requests for employee records without employer authorization. If you believe your employer has mishandled your personal information, you may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.

15. CASL — Canada's Anti-Spam Legislation

OfficeEaze complies with Canada's Anti-Spam Legislation (CASL).

Commercial electronic messages — including marketing emails, product updates, and feature announcements — are sent only to users who have provided express consent at account creation.

Transactional messages — including security alerts, pay stub notifications, CRA deadline reminders, document signing requests, and account administration messages — are exempt from CASL consent requirements and are sent regardless of marketing preferences.

Every marketing email includes a one-click unsubscribe link. You can also withdraw consent at any time by emailing hello@officeeaze.ca or updating your notification preferences in Settings.

16. Cookies and Tracking Technologies

We use the following categories of cookies:

Essential cookies — required for the Service to function and cannot be declined: Session authentication cookie, CSRF protection token, and cookie consent record.

Analytics cookies — non-essential and require your consent before loading: Usage analytics to understand which features are used and error monitoring to capture technical issues.

We do not use advertising cookies, tracking pixels, or third-party marketing cookies of any kind.

When you first visit OfficeEaze we ask for your consent before loading any non-essential cookies. You can withdraw consent at any time by clearing your browser cookies or contacting privacy@officeeaze.ca

17. Security Breach Notification

In the event of a breach of security safeguards involving your personal information that creates a real risk of significant harm, we will notify affected individuals and report to the Office of the Privacy Commissioner of Canada as soon as feasible, as required by PIPEDA's mandatory breach reporting requirements. We will also maintain records of all breaches of security safeguards as required by PIPEDA. Notification will describe the nature of the breach, the information affected, and the steps taken to mitigate harm.

18. Privacy Impact Assessment

OfficeEaze has conducted a Privacy Impact Assessment (PIA) covering our data flows, third-party processors, cross-border transfers, and security controls. The PIA is available to enterprise customers and regulators on request. Contact privacy@officeeaze.ca

19. Accessibility

OfficeEaze is committed to making this Privacy Policy and our Service accessible. This policy is provided in a screen-reader-friendly format. If you require this policy in an alternative format, contact privacy@officeeaze.ca

20. How to Exercise Your Rights

Contact our Privacy Officer:

Nadine Leduc — Privacy Officer
privacy@officeeaze.ca

We respond to all verified privacy requests within 30 days as required by PIPEDA.

To file a complaint with the federal privacy regulator: Office of the Privacy Commissioner of Canada, priv.gc.ca

21. Changes to This Policy

We will notify you of material changes to this Privacy Policy by email with at least 14 days' notice. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

22. Governing Law

This Privacy Policy is governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein, including the Personal Information Protection and Electronic Documents Act (PIPEDA). Any dispute arising from this policy shall be subject to the exclusive jurisdiction of the courts of Ontario.

23. Contact

Privacy Officer: Nadine Leduc — Co-Founder and Privacy Officer
Email: privacy@officeeaze.ca
Mailing address: 18 Joe Taylor Lane, Carbonear, NL A1Y 1A9

General inquiries: hello@officeeaze.ca
Support: support@officeeaze.ca
Security concerns: security@officeeaze.ca
Legal matters: legal@officeeaze.ca

Lou Squared Systems Inc. (operating as OfficeEaze) — Canada
