Privacy Policy

Last updated: May 3, 2026

Farlain Advisory ("we," "us," "our," or "Farlain") is committed to protecting your privacy and handling your personal information with transparency and care. This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights under Canadian privacy law, specifically the Personal Information Protection and Electronic Documents Act (PIPEDA).

Who We Are

Farlain Advisory is a business advisory firm based in Ontario, Canada. We help growth-focused companies identify constraints, build scalable operations, and improve financial performance. When we say "Farlain," "we," or "us" in this policy, we are referring to Farlain Advisory and any of its representatives, contractors, or delegated operators who process personal information on our behalf.

• Contact: andrew@farlain.ca
• Location: Ontario, Canada
• Website: farlain.ca

What We Collect

We collect different types of information depending on how you interact with us. Here is the full list of data we collect:

Business Assessment Questionnaire

If you complete our free business diagnostic assessment, we collect the following:

Data Point	Description
Personal Information	Your full name, email address, phone number, and LinkedIn profile URL
Business Information	Business name, location, industry, and business type
Role and Ownership	Your role in the business and ownership stake
Financial Data	Annual revenue, gross margin percentage, cash runway (months), and historical revenue growth rate
Operational Data	Current team size, team composition, age of business, and growth trajectory
Qualitative Responses	Open-ended answers to questions about business challenges, priorities, and goals
Assessment Scores	Computed diagnostic scores across multiple business dimensions
Session Metadata	Date and time of submission, session identifier, device type, browser type, and IP address

Website Analytics (If Consented)

If you consent to analytics tracking via our cookie consent banner, Google Analytics 4 (GA4) collects:

• Pages you visit and how long you spend on them
• Browser type, operating system, and device type
• Referral source (how you arrived at our site)
• Interaction events (button clicks, form submissions)
• Approximate geographic location (country and city level)
• Anonymized user identifier for session correlation

Cookie Consent Preference

We store your cookie consent choice (accepted or rejected) in your browser using localStorage. This allows us to respect your preference on future visits without re-prompting you.

Communication Data

If you contact us via email or other means, we collect:

• Your email address and name
• The content of your message and any attachments
• Date and time of communication

How We Collect It

We collect your information through the following methods:

• Assessment Form: You voluntarily submit information through our business diagnostic questionnaire form on farlain.ca/diagnostic
• Website Tracking: Google Analytics 4 automatically tracks your interactions with our website, but only if you consent via our cookie consent banner
• Cookie Consent Banner: When you interact with our cookie consent banner, we record your choice in localStorage
• Direct Communication: You may voluntarily email us or provide information through other direct channels
• Server Logs: Our hosting provider (Netlify) may automatically log basic request information such as IP address, request time, and browser user agent

Why We Collect It

We collect and use your information for the following business purposes:

• Deliver Assessment Results: To analyze your responses, compute diagnostic scores, and generate a personalized assessment report that you can review immediately or download
• Engagement Qualification: To understand whether we can help your business and to identify opportunities for potential paid advisory engagements
• Follow-up Communication: To contact you with assessment insights, business advice, or consulting opportunities (subject to your consent preferences and CASL requirements)
• Site Improvement: To analyze how visitors use our site, identify technical issues, and improve our user experience and content
• Customer Service: To respond to your inquiries, support your use of our services, and resolve issues
• Legal Compliance: To comply with applicable laws (PIPEDA, CASL, Ontario law) and to maintain records for business and legal purposes

Your Consent

How we obtain your consent varies by the type of data and use:

Assessment Form Submission

When you submit the business assessment form, you are providing explicit, informed consent for us to:

• Collect and process the personal and financial information you enter
• Generate and deliver your assessment results
• Contact you regarding your results and potential advisory opportunities

This consent is obtained at the point of form submission. You can withdraw this consent at any time by contacting andrew@farlain.ca.

Analytics and Cookies

Analytics tracking is off by default. Google Analytics will only collect data about your site usage if you explicitly accept analytics cookies via our cookie consent banner. Your choice is stored in localStorage using the key "farlain_cookie_consent" and will be respected across future visits.

Marketing Follow-up (CASL Compliance)

In accordance with Canada's Anti-Spam Legislation (CASL):

• Assessment Results: We may send you your assessment results and related insights because you have submitted the form, which constitutes implied consent to receive these communications
• Marketing Messages: Any follow-up marketing emails (e.g., promotional offers, consulting packages, educational content) require your express, opt-in consent. We will include a clear unsubscribe mechanism in every marketing email

Third-Party Processors

To operate our website and deliver our services, we use third-party service providers that may access or process your information. Each processor has been selected based on their security practices and data handling standards.

Netlify (Hosting and Form Storage)

• Purpose: Hosts our website and stores form submissions from the diagnostic assessment
• Data Accessed: All data submitted through the assessment form (personal information, business details, financial data, qualitative responses)
• Location: Netlify servers located in the United States (Virginia)
• Retention: Form data is stored by Netlify as long as we maintain the form on our site
• Security: Netlify uses industry-standard encryption and security practices. Data Protection Agreements are being established.

Google Analytics 4 (GA4)

• Purpose: Tracks website traffic, user behavior, and engagement metrics to help us understand how our site is used and where we can improve
• Data Accessed: Pages visited, time on site, referral source, browser/device information, and anonymized user identifiers (only if you consent)
• Location: Google's servers located in the United States
• Retention: Per Google's standard data retention policy (up to 14 months for aggregated event data)
• Configuration: We have configured GA4 to anonymize IP addresses and disable advertising features (no demographic targeting, no interest-based advertising)
• Security: Data Protection Agreements are being established.

Google Fonts

We have moved from using Google Fonts CDN to self-hosting our fonts (Cormorant Garamond and Inter), so Google Fonts no longer receives requests from our website.

Anthropic (AI-Assisted Website Scan)

• Purpose: When you submit your business website on the diagnostic page, we use Anthropic's Claude AI to read public content from that website and prepare context that informs your diagnostic. This avoids us asking you for information that is already publicly available on your site.
• Data Accessed: The URL you provide and the public web pages it points to. Your questionnaire answers, email address, business name, and any non-public information you submit are NOT sent to Anthropic.
• Location: Anthropic's servers, located in the United States.
• Retention: Anthropic processes the request and returns the result. Per Anthropic's enterprise terms, inputs and outputs are not used to train their models and are retained according to their data policies.
• Security: Anthropic is SOC 2 Type II certified. Data Protection Agreements are being established.
• Your control: If you prefer your website not be sent to Anthropic for processing, email info@farlain.ca and we will manually prepare your diagnostic without the AI-assisted scan.

No Other Third-Party Access

We do not share your assessment data with any other third parties, including advertisers, data brokers, or marketing platforms, without your explicit consent. We do not sell your personal information.

Cross-Border Data Transfers

Some of your information is transferred to and processed by service providers in the United States:

Netlify (Form Data)

Assessment form data is stored on Netlify's servers in Virginia, USA. This transfer is necessary for us to operate our diagnostic tool and deliver your results.

Anthropic (Website Scan Processing)

The website URL you provide on the diagnostic page is sent to Anthropic's Claude AI on US-based servers for the limited purpose of reading public content from that URL. Your questionnaire answers, email address, and business name are not sent to Anthropic. See the Anthropic section above under Third-Party Processors for full detail.

Google Analytics (Traffic Data)

Website usage data is processed by Google on servers in the United States. This transfer is necessary for us to measure site performance and user engagement.

Legal Disclosures

Important: When data is processed in the United States, it may be accessible to US law enforcement authorities under US legal process (e.g., subpoena, court order) as authorized under US federal law, including the Foreign Intelligence Surveillance Act (FISA). We have no control over such legal process and cannot notify you of it without violating US law.

Contractual Safeguards

We are establishing Data Protection Agreements (DPAs) with Netlify and Google that include standard contractual clauses and commitments to comply with PIPEDA principles regarding the security and confidentiality of your data. We will update this policy when DPAs are finalized.

Cookies and Analytics

What Cookies Are We Using?

We use the following types of cookies and similar tracking technologies:

Cookie / Identifier	Category	Purpose	Duration
farlain_cookie_consent	Necessary	Stores your cookie consent choice (localStorage)	Until you clear browser storage
GA4 Session ID	Analytics	Tracks your session on our website (only if you consent to analytics)	30 minutes of inactivity
GA4 User ID	Analytics	Identifies you across sessions for analytics (only if you consent)	Up to 2 years

Cookie Consent Banner

When you first visit our site, a cookie consent banner appears. You can:

• Accept All: Enable both necessary and analytics cookies
• Reject All: Only essential cookies (your consent preference) are stored; analytics are disabled
• Manage Preferences: Choose which categories of cookies you allow

Your choice is stored in localStorage and will be respected across all future visits. You can change your preference at any time by clearing your browser cookies or returning to the banner.

Necessary vs. Analytics Cookies

• Necessary Cookies: The consent preference itself is stored as a necessary cookie so we can honor your choice. These cannot be disabled.
• Analytics Cookies: GA4 tracking cookies are only set if you explicitly consent. If you do not consent, GA4 will not collect any data about your site usage.

Full Cookie Policy

For detailed information about cookies, including how to manage them, please see our Cookie Policy.

Data Retention

We retain your information for different periods depending on the type of data and the reason we collected it:

Assessment Form Data

• Retention Period: 24 months after completion of the assessment, or 24 months after the end of any paid advisory engagement, whichever is longer
• Reason: To provide ongoing insights, support billing and invoicing, and fulfill legal and contractual obligations
• After Retention: We will securely delete or de-identify your assessment data

Website Analytics Data

• Retention Period: Per Google Analytics 4 defaults, data is automatically aggregated and deleted after 14 months
• Reason: To maintain trend data and site performance metrics within a reasonable timeframe

Email Correspondence

• Retention Period: For the duration of our business relationship plus 12 months after the relationship ends
• Reason: To maintain records of communications, support dispute resolution, and comply with legal obligations

Cookie Consent Preference

• Retention Period: Until you clear your browser cookies or localStorage
• Reason: To remember and respect your consent choice across visits

Server Logs

• Retention Period: Per Netlify's standard log retention policy (typically 30 days)
• Reason: For website troubleshooting, security monitoring, and abuse prevention

Your Rights Under PIPEDA

Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you have the following rights:

Right to Access

You have the right to request access to all personal information we hold about you. We will provide this information in a form that is simple to understand, without excessive cost or delay.

Right to Correction

You have the right to request correction of any personal information that is inaccurate, incomplete, or misleading. We will correct the information and notify any third parties (if applicable) that have received the incorrect information.

Right to Deletion

You have the right to request deletion of your personal information. We will delete your data unless we have a legal or contractual obligation to retain it (e.g., for billing records or compliance with law).

Right to Withdraw Consent

You have the right to withdraw your consent to the collection, use, or disclosure of your personal information at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

Right to Opt Out of Marketing

You have the right to opt out of receiving marketing communications from us at any time. Every marketing email will include a clear unsubscribe link.

How to Exercise Your Rights

To exercise any of these rights, please contact us using the information in the Contact and Complaints section below. We will respond to your request within 30 days. If we need more time, we will provide an explanation and timeline for our response.

Data Breach Notification

In the event of a data breach or security incident that creates a real risk of significant harm to an individual, we are committed to:

• Conducting a prompt investigation to determine the scope and nature of the breach
• Notifying affected individuals without unreasonable delay, and in any case without unreasonable delay after determining that a breach has occurred
• Providing affected individuals with relevant information about the breach, including the type of information compromised and steps they can take to protect themselves
• Notifying the Office of the Privacy Commissioner of Canada as required by law

We maintain industry-standard security practices to prevent unauthorized access to your data, including encryption, access controls, and regular security assessments.

Children's Privacy

Our website and services are not directed to anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected information from a child under 18 without parental consent, we will take steps to delete such information and terminate the child's participation in our services.

CASL Compliance

We comply with Canada's Anti-Spam Legislation (CASL), which regulates commercial electronic messages (emails, text messages, etc.).

Assessment Results and Implied Consent

When you submit the business assessment form, you provide implied consent to receive your assessment results. We may send you your completed results, diagnostic summary, and related insights without additional consent.

Marketing Messages and Express Opt-In

Any follow-up marketing emails from us (e.g., consulting service offerings, educational content, promotional materials) require your express, affirmative consent. We will obtain this consent before adding you to any marketing list.

Identification and Unsubscribe

Every email from us will include:

• Clear identification of Farlain Advisory as the sender
• A valid and functional unsubscribe mechanism (link or email address)
• A way to contact us to update your communication preferences

Unsubscribe Honor

If you unsubscribe from our marketing list, we will remove your email address within 10 business days and will not send you further marketing messages. You may still receive transactional messages (e.g., order confirmations, password resets) that are not considered commercial messages under CASL.

Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last Modified" date at the top of this page
• Post a notice on our website describing the changes
• Obtain your consent again, if required by law, before the new practices apply to previously collected information

Your continued use of our website after changes become effective constitutes your acceptance of the updated policy. We encourage you to review this policy periodically to stay informed about how we protect your privacy.

Contact and Complaints

If you have questions about this privacy policy, wish to exercise your rights, or have a complaint about our privacy practices, please contact us:

• Email: andrew@farlain.ca
• Address: Ontario, Canada
• Website: farlain.ca

We will acknowledge receipt of your request within 5 business days and will provide a substantive response within 30 days. If we need additional time, we will explain why and provide a timeline.

Filing a Complaint with the Privacy Commissioner

If you are not satisfied with our response to your privacy concern, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC). The OPC is Canada's federal privacy regulator and can investigate your complaint independently.

• Website: www.priv.gc.ca
• Phone: 1-800-282-1376
• Mailing Address: Office of the Privacy Commissioner of Canada, 30 Victoria Street, Gatineau, QC K1A 1H8

Governing Law

Legislation: This privacy policy is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal private sector privacy legislation in Canada. We also comply with Canada's Anti-Spam Legislation (CASL) and acknowledge that PIPEDA will be succeeded by the Consumer Privacy Protection Act (CPPA) upon its coming into force; we will update our practices accordingly.

Jurisdiction: This policy and our privacy practices are subject to the laws of Ontario, Canada. Any dispute regarding this policy or our privacy practices shall be governed by and construed in accordance with the laws of Ontario.