Privacy Policy and Terms of Use.

Last Updated July 16, 2025 – Flashpoint Training Inc

The following terms are used throughout this privacy policy:

·  “Personal Information” refers to information about an identifiable individual, as defined under PIPEDA. This may include names, email addresses, school affiliation, or other identifiers.

·  “Students” refers to minors (under 18) who may be served indirectly through our services, but who are not direct users or customers of Flashpoint Training.

·  “Educators” or “Users” refer to teachers, administrators, facilitators, and other authorized adults who access and use Flashpoint’s products or services.

·  “Service Providers” refers to third-party organizations contracted to perform functions on our behalf, such as web hosting or payment processing.

·  “Cookies” are small text files stored on your browser that track or enhance website interactions.

We, Us, Our, Flashpoint, FPT and Company all refer to Flashpoint Training Inc.

When we refer to customers, we are not referring to students, but rather, the institutions, educators, facilitators and other stakeholders that purchase our services to serve students.

Website refers to flashpointtraining.com, flashpointtraining.ca, and any other websites designated by us as being governed by this Privacy Policy and Terms of Use.

We are committed to maintaining the accuracy, confidentiality and security of Personal Information. Our privacy policy governs our actions as they relate to the collection, use and sharing of Personal Information. Our policy is based upon the values set by the Canadian Standards Association’s Model Code for the Protection of Personal Information and Canada’s Personal Information Protection and Electronic Documents Act. Flashpoint Training Inc. complies with PIPEDA and MFIPPA.

INTRODUCTION

We are responsible for maintaining and protecting Personal Information under our control. Compliance with this Privacy Policy is managed by designated staff members who receive appropriate training to uphold our privacy and security standards.

IDENTIFYING PURPOSES

We collect and use Personal Information, limited to those details necessary to provide you with the product or service. The purposes for which we collect Personal Information will be identified before or at the time we collect the information. The purposes for which information is collected will be clear, and consent implied, such as where your name, address and payment information are provided as part of the order process.

CHANGES TO THE PRIVACY POLICY

We encourage you to revisit this URL regularly in order to be aware of our latest privacy policy. It is your responsibility to be familiar with these terms.

CHILDREN’S PRIVACY

Flashpoint Training is committed to protecting the privacy of students and other minors. We do not collect personal information directly from children under the age of 18.

All student-related information is provided to us by authorized educators or school boards, who are responsible for obtaining all necessary consents, in accordance with the Education Act and applicable privacy laws.

Student data is limited to first and last name, school name, and SHSM program type, and is used exclusively for issuing certificates.

We do not create or manage student accounts, track student activity, or engage in any profiling or advertising related to minors.

PERSONAL DATA AND CONSENT

Personal Data is information that can be used to identify you specifically, including your name, shipping address, email address, and telephone number.
Knowledge and consent are required for the collection and use of Personal Information except where required or permitted by law. Providing us with your Personal Information is always your choice. However, your decision not to provide certain information may limit our ability to provide you with products or services. We will not require you to consent to the collection or use of information as a condition to purchase the product or service, except as required to be able to supply the product or service.

BREACH RESPONSE PROTOCOL

In the event of a security breach, affected users will be notified directly within 8 business hours of Flashpoint Training becoming aware of the incident. While we are committed to transparency and prompt response, Flashpoint Training does not assume liability for any damages resulting from the use, misuse, or unauthorized access of personal data.

DERIVATIVE DATA

Derivative data is information that our servers automatically collect about you when you access the Company website, such as your IP address, browser type, the dates and times that you access the Company website, and the specific pages you view. Derivative data may also include data collected by third-party service providers such as analytics providers, and may include cookies, log data, or web beacons. Cookies are discussed more fully below. Derivative data collected by third-party service providers generally does not identify a specific individual.

FINANCIAL DATA

Financial data is data that is related to your payment methods, such as credit card or bank transfer details. We collect financial data in order to allow you to purchase, order, return, or exchange products or services. We store no financial data. Financial data is securely transferred to third-party payment processors, and you should review these processors’ Privacy Policies to determine how they use, disclose, and protect your financial data.

SOCIAL NETWORKING DATA

We do not collect social networking data.

MOBILE DEVICE DATA

If you use our website via a mobile device or app, basic information about your mobile device may be collected for metrics, to maintain the security and integrity of our site, and to deliver mobile designed services to you.

OTHER DATA

On occasion, you may give us additional data in order to enter into a contest or giveaway or to participate in a survey. You will be prompted for this information and it will be clear that you are offering this kind of information in exchange for an entry into such a contest or giveaway.

HOW WE USE YOUR INFORMATION

Customer information allows us to offer you certain products and services, including the use of our website, to fulfill our obligations to you, to customize your interaction with us and to allow us to suggest other products and services we think might interest you. We process your data only to serve legitimate business interests (such as providing you with the opportunity to purchase our goods or services).

Specifically, we may use the information and data described above to:
● Deliver any products or services purchased by you;
● Correspond with you;
● Process payments or refunds;
● Contact you about new offerings that we think you will be interested in;
● Interact with you via social media;
● Send you a newsletter or other updates about us or our website;
● Deliver targeted advertising;
● Request feedback from you;
● Notify you of updates to our product and service offerings;
● Resolve disputes and troubleshoot any problems;
● Administer contests or giveaways;
● Assist law enforcement as necessary;
● Prevent fraudulent activity on our website or mobile app;
● Analyze trends to improve our website and offerings.

GROUNDS FOR USING AND PROCESSING YOUR DATA

The information which we collect and store is used primarily to allow us to offer goods and services for sale. In addition, Flashpoint Training Inc. may collect, use, and process your information based on the following grounds:

Legitimate Business Interests: We may use and process your data for legitimate business interests which include, among other things, communicating with you, improving your goods or services, improving our website, and providing you with the information or products that you have requested.

Performance of a Contract: We may use and process your information to enter into a contract with you and to perform our contractual obligations to you.

Consent: We may use your data or, based on your consent, use and share that data. You may withdraw your consent at any time, but doing so may affect your ability to use our website or other offerings.

As required by law: We may also use or process your data as required to comply with legal obligations.

By Law: We may share your data as required by law or to respond to legal process, including a subpoena, or as necessary to protect the rights, property, and safety of others. This includes sharing information with other parties to prevent or address fraud and to avoid credit risks.

To Protect You: We may use your information to protect you, including to investigate and remedy any violations of your rights or policies. We may also disclose your information as reasonably necessary to acquire and maintain insurance coverage, manage risks, obtain financial or legal advice, or to exercise or defend against legal claims.

Business Transfers: In the unlikely event the company engages in a merger, acquisition, bankruptcy proceedings, dissolution, reorganization, or similar transaction or proceeding, it may transfer or share your data as part of that proceeding. In such transitions, customer information is one of the business assets that is acquired by a third party. You acknowledge that such business transfers may occur and that your personal information can continue to be stored, used, or processed as otherwise set forth in this privacy policy. Users will be notified of such a transaction and have the right to opt out.

External Links: Our website may include hyperlinks to other websites not controlled by us. We suggest you exercise caution when clicking on a hyperlink. Although we use reasonable care in including a hyperlink, we do not regularly monitor the websites of these third parties and are not responsible for any damage or consequences you suffer by using these hyperlinks. We are not bound by the Privacy Policies of any third-party website that you access by a hyperlink, nor are we bound by any third party. We encourage you to read the Policies of those third-party websites before interacting with them or making purchases. They may collect different information by different methods than we do.

Other Purposes: We may disclose your personal data as necessary to comply with any legal obligation or to protect your interests, or the vital interests of others or Flashpoint Training Inc.

TRACKING TECHNOLOGIES

Log Files: Like many other websites, we make use of log files. These files log visitors to the site. The information inside the log files includes internet protocol (IP) addresses, browser type, Internet Service Provider (ISP), date/time stamp, referring/exit pages, and other behavioural data, such as the number of clicks. This information is used to analyze trends, administer the site, track users’ movement around the site, and gather demographic information. IP addresses and other such information are not linked to any information that is personally identifiable.

Embedded Content from Other Websites: This site may include embedded content (e.g. videos, images, articles, etc.). We do not assume any responsibility for the integrity or continued availability of third-party content, and we do not accept any liability for any damage caused by embedded content, regardless of the type, extent, or how it may occur.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracing your interaction with the embedded content if you have an account and are logged in to that website.

Cookies: Our website also uses cookies (small text files sent to us by your computer) and web beacons to store certain information. We may use cookies to authenticate your identity, to determine if you are logged onto our website, for personalization, for security, for targeted advertising, or for analysis of the performance of our website, advertising and services. For example, cookies allow us to recommend blog posts to you based on what you have read on our site in the past. We use cookies that are not specific to your account but unique enough to allow us to analyze general trends and use, and to customize your interaction with our website. This information helps us to understand the use of our site and to improve our website and service offerings.

We may use any or all of the following types of cookies:
● Essential Cookies: These cookies help us run our website and improve your experience with our website. These cookies may allow content to load more quickly or allow you to access “members only” or repeat-users sections of our website.
● Functionality Cookies: These cookies allow us to remember your preferences from earlier visits to our website, including login information, so that you do not have to input the same information multiple times.

More detailed information about cookie management with specific web browsers can be found at the browsers’ respective websites. By continuing to use our website and not disabling cookies on your browser, you are consenting to the use of cookies in accordance with the terms of this policy.

Email Confirmations: We may receive email confirmations when you open an email from us. This allows us to determine if users are responding favorably to email communications and to improve those communications.

Other Technologies: Other data technologies may be used that collect comparable information for security, fraud detection, and similar purposes, to give us information about your use of our website, and to improve our website and service offerings to you.

WEBSITE ANALYTICS

We may partner with third-party analytic companies, including Google, who may also use cookies (described above) or other tracking technologies to analyze visitors’ use of our website or mobile app to determine the popularity of the content, and better understand online activity. We do not transfer personal information to these third-party vendors.
If you do not want any information to be collected and used by tracking technologies, then it is your responsibility to seek out appropriate solutions.

Google Analytics: you can opt out of having your activity on our website made available to Google by installing the Google Analytics opt-out browser add-on. This add-on prevents Google from retrieving information about your visits to our website. For more information, we encourage you to seek and review Google’s Privacy Policy.

PROCESSING YOUR INFORMATION

We process customer data internally. The legal basis for this processing is your consent to the processing, our need to conduct legitimate business interests, and our need to comply with legal obligations. Our purposes in processing this information, if we do, are to enter into contracts with you, to fulfill the terms of those contracts, to keep records of transactions and interactions, to be able to provide you with goods and services, to comply with legal obligations, to obtain professional advice, and to protect our rights and interests, our customers (including you), and any third parties. We may process the following data:

● Data associated with customer accounts, such as name, address, email address, and payment information.
● Data about usage of our website, such as your IP address, geographical information, and how long you accessed our website and what you viewed.
● Data that you provide us while using Flashpoint services.
● Data that you submit to us when you make an inquiry regarding our offerings.
● Data related to your transactions with us, including your purchase of our goods or services. This information may include contact details and payment information.
● Data that you provide to us when subscribing to our emails or newsletters, including your email address and contact information.
● Data that you submit to us via correspondence, such as when customers email us with questions.
● Any other data identified in this policy, for the purpose of complying with our legal obligations, or to protect the vital interests of you or any other natural person.

The transmission of data via the internet is never completely secure, and we cannot guarantee the security of data that is sent to us electronically. Transmission of data to us is at your own risk.

Where data that you have transmitted to us is password protected, you are responsible for keeping the password confidential. You are exclusively responsible for any breaches of your data that result from your own disclosure of or failure to protect your password.

We use website hosting servers/third-party processors/subcontractors located in Canada or in jurisdictions with comparable data protection standards, which has received an Adequacy Determination from the European Commission, meaning that the European Commission has determined that appropriate safeguards are in place to protect data once it is transferred to that country.

DATA RETENTION

We retain data until June 30th of each year or until you ask us to delete your data. Data that is no longer needed by us for any of the purposes listed above will be permanently deleted.

We will honor requests to delete data, as described more fully below, unless we are required by law to retain access to the data.

SECURITY OF YOUR INFORMATION

We take all reasonable steps to protect your personal data and keep your information secure.

We use trusted online payment systems and apply industry-standard security measures to protect personal data from loss, misuse, or unauthorized access. However, no security system can offer absolute protection, and no method of data transmission over the internet is entirely secure. As such, we cannot guarantee the complete security of any information transmitted to us.

We will notify you as promptly as possible of any known breach of our security systems that results in your personal data being exposed.

SENSITIVE DATA

We request that you do not submit any sensitive data to us via public postings, email correspondence with us, or any other method, including social insurance number, health data, genetic data, or information related to your ethnic origin, religious beliefs, or criminal history. If you do send us this information, it will be immediately deleted from all records.

YOUR RIGHTS

You have certain rights with respect to your personal data, as outlined below. In addition, we reserve the right to request that you provide us with evidence of your identity before we take any action with respect to the exercise of your data rights. Further, your rights may be restricted or nullified to the extent they conflict with our compelling business interests, the public interest, or the law.

UPDATE ACCOUNT INFORMATION

You have the right to update or change any information you have provided to us. To update or delete your information, please email us at contactus@flashpointtraining.com or contact us via telephone.

CONFIRM PERSONAL DATA AND ITS USE

You have the right to request that we confirm what data we hold about you, and for what purposes. We will supply you with copies of your personal data unless doing so would affect the rights and freedoms of others.

Change Consent: you have the right to change your consent to our use of your information. In such cases notify us at contactus@flashpointtraining.com.

Request a Copy of Data: you have the right to request a digital copy of the data that we hold about you. Your first request for a copy of your personal data will be provided free of charge; subsequent requests will incur a reasonable fee.

Delete All Data: you have the right to request that we delete all data that we hold about you, and we must delete such data without undue delay. There are exceptions to this right, such as when keeping your data is required by law, is needed to provide service to you, is necessary to exercise the right of freedom of expression and information, is required for compliance with a legal obligation, or is necessary for the exercise or defense of legal claims. Such a request may result in termination of your account with us and you may have limited or no use of our website.

Emails and Communications: you may opt-out of receiving future email correspondence from us by checking the appropriate box when you register for the account or make a purchase. All newsletters also include an unsubscribe link.

Marketing Communications: you may opt-out of receiving any marketing communications by contacting us.

Processing: you may, in some circumstances, restrict the processing of your data, such as when you contest the accuracy of your data or when you have objected to processing, pending the verification of that objection. When processing has been restricted, you may opt-out of any processing of your data altogether. Note, however, that doing so may result in the termination of your access to our services.

PRIVACY BREACH PROTOCOL

Flashpoint has created a privacy breach protocol to follow should a privacy breach occur. This protocol is a companion document to the Privacy Policy and details how the breach will be handled and the documentation that is required in response to a privacy breach.

Appendix A

A privacy breach occurs when there is the intentional or unintentional unauthorized collection, use, disclosure, disposal, modification, reproduction, access or storage of personal information, that is in violation of the Personal Information International Disclosure (PIIDPA) Act and (MFIPPA).

A privacy incident occurs when personal information is mishandled or incorrectly collected, used or disclosed in a limited or controlled environment. In these instances, the situation can be easily and quickly corrected without any harm to the individual. They are usually resolved immediately by the employees who become aware of them but if not addressed can escalate into a full-scale breach.

Users will be promptly and directly notified in the event of a security breach. Flashpoint does not assume liability for any damages arising from use or misuse of data. 

SEVERABILITY

If any part of these terms, conditions and privacy policy is deemed unlawful and/or unenforceable, all other provisions contained herein will remain in full force and effect.

PRIVACY NOTICES AND CONTACT INFORMATION

Privacy policies and notices are communicated on our website and users will be directly notified if a breach occurs.

Flashpoint will notify users when changes are made to policies and terms of use. We may provide names and contact information to third parties for technical support.

ADDITIONAL POLICIES RELATED TO SHSM AND SCHOOL BOARD PRODUCTS

Below are additional policy items related to the use of SHSM and School Board products.

Students are not Flashpoint customers. Flashpoint does not have direct access to students. Flashpoint works with Teachers and information is distributed by Teachers to students.

Flashpoint does not have or use student accounts. Student data may be deleted from the Teacher file at the student’s request, as this is the only place student information is held.

Teachers have the ability to delete their data by contacting us at contactus@flashpointtraining.com to have any or all information removed from our system.

Users are not required to surrender their copyright to their own work when they provide it to Flashpoint.

Student email addresses are never collected and not required for any student services.

Flashpoint Training only collects the student’s first and last name to add to their certificate of completion. Other information collected regarding school name and SHSM program is to ensure that teachers are delivering the certificate to the correct student. Certificate data is archived until the end of the school year at which point it is deleted.

Flashpoint is committed to adhering to the highest standards to ensure student privacy. See Student Digital Privacy Standards and Flashpoint measures in Appendix B.

A privacy/security policy and procedure has been put in place for data breaches and backup.

Subcontractors are bound by confidentiality through their agreements with us. We do not provide user information to third parties. 

The privacy/security policy includes a comprehensive security program, Digital Privacy Security System Procedures and Privacy Breach Protocol in Appendix A.

ENTIRE AGREEMENT

The information contained herein constitutes the entire agreement between site users and the Company relating to the use of this website.

LAW AND JURISDICTION

These terms, conditions, and this privacy policy are governed by and interpreted in accordance with the laws of Canada and the Province of Ontario. Any disputes arising from or related to this policy or the use of Flashpoint Training Inc. goods and services shall be resolved exclusively through binding arbitration, conducted in English and in accordance with the laws of Ontario. Arbitration shall be the sole and final remedy for any claims or damages, to the exclusion of court proceedings.

Appendix A
Digital Privacy Security System Procedures and Privacy Breach Protocol

The following protocol has been developed to mitigate potential for privacy breaches.


Administrative Safeguards
• Employees and other information users must be authorized to access, maintain, change, use or distribute information. Authorization for each information user is directed by Flashpoint Training Inc. and based on the ‘need to know’ of that individual.
• Security checks are completed for all employee positions before hire and bi-annually thereafter. This includes background checks and signing oaths of confidentiality. Criminal record checks are required of all presenting partners and facilitation subcontractors who will be present at a school event or who may interact with students.
• Flashpoint laptops require the installation of security software to protect from security threats to our systems, including malware, phishing attacks, spam, and evolving threats. 
• Information access privileges are reviewed, modified or revoked as necessary as directed by the Owners on a regular basis, including when:
– an employee is transferred by appointment, assignment or secondment;
– an employee commences an extended period of absence, including maternity, medical, military or community service;
– access privileges have not been exercised for a period of time; or
– the employment or contract of the individual has been terminated.

Upon termination:
– the individual is debriefed with respect to ongoing responsibilities for the confidentiality of information;
– access privileges (system passwords, user IDs, tokens, etc.) to systems, restricted access zones, and IT facilities are revoked; and
– all security-related items (documents, etc.) issued to the individual are retrieved.

• To ensure that only authorized individuals access sensitive information, all users must be properly verified and authenticated before access is granted. Safeguards include the use of secure passwords, proof of identification, one-time passcodes, digital signatures, and certification authorities to confirm identity and prevent unauthorized access.

Authentication passwords or codes must be:
– generated, controlled and distributed in a manner which maintains the confidentiality and integrity of the code or password;
– known only to the user of the identifier;
– either pseudo-random in nature or verified by an automated process designed to counter triviality and repetition;
– at least 8 characters in length;
– one-way encrypted for storage in the computer system subject to a history check to preclude reuse;
– prompted for manual user entry when using automatic or scripted log-on processes;
– changed periodically; and
– a mixture of characters, both upper and lower case, numbers, punctuation and special symbols.
• The organization maintains detailed records of all instances where personally identifiable student or user data is accessed, modified, shared, or deleted, in order to support accountability, transparency, and compliance with applicable education privacy regulations.
• Records are kept of all instances of unauthorized access, use, change, deletion/disposition or disclosure of information.
• Policies, procedures, practices and other safeguards are available to all employees and periodically reviewed and adjusted as needed to comply with any changes to applicable laws, through annual review at team meetings. Non-compliance, measures and remedies are outlined in our employment and contractor agreements.

Physical Safeguards

• In addition to limiting who may access personal information, we implement strict controls on access to systems, equipment, and data storage environments. These controls ensure that only authorized individuals can retrieve or manage information and include safeguards at the operating system, hardware, and software levels.
• Employees are responsible for securing their workspaces and safeguarding any sensitive information when working from a home office.
• Highly sensitive information that could cause harm if disclosed or accessed without authorization must not be printed and is securely stored within our digital systems using password protection.

Technical Safeguards

• See also Administrative Safeguards and Physical Safeguards for related information about access controls and authentication passwords and codes and other forms of user verification.
• All communication methods are subject to safeguards intended to reduce the risk of unauthorized access, including interception, eavesdropping, or diversion. This applies to verbal discussions, written documents, telephone and cellular calls, faxes, emails, and video or audio communications. Staff are expected to take reasonable precautions, such as working in a private space, using headphones, conducting verbal conversations through secure platforms (e.g., chat systems), and using a company phone number for external communications.
• Authentication safeguards to monitor security systems and procedures are in place, including virus scanners, firewalls, monitoring operating system logs, software logs, version control and document disposition certification.
• The use of portable media, such as external drives, is restricted. All data is stored securely in cloud-based systems that comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). Files are encrypted end-to-end and during transfer, ensuring that even the service provider cannot access their contents. These platforms also include built-in protections against common threats such as spam, phishing, and malware.
• All hardware and software systems are secured with password protection. Confidential information is further safeguarded using access controls such as “view-only” permissions and restrictions that prevent downloading or saving, reducing the risk of unauthorized access, accidental disclosure, data misappropriation, or system compromise.

• Disaster recovery safeguards are put in place including the use of cloud storage for all information.

PRIVACY BREACH PROTOCOL
Responding to a Privacy Breach

Step 1: Contain the Privacy Breach

The following steps are initiated promptly when a privacy breach is suspected or has been identified.

1.1 Any staff member who becomes aware of a potential privacy breach must immediately notify a manager or technical support contact. The designated personnel will lead the response, assess the situation, and determine the appropriate next steps. The initial assessment will focus on addressing the following questions:
• Did an inappropriate collection, use or disclosure of personal information occur?
• Does personal information continue to be at risk?
• Do clients or employees continue to be concerned?
• Is there a possible violation of policy or law?
The answers to these questions will determine whether a privacy breach or privacy incident has occurred.

1.3 In coordination with the response team, staff must take immediate action to contain the breach. This includes taking steps to prevent further disclosure and to secure or recover any personal information that may have been exposed. Containment measures will vary depending on the nature of the breach. Examples of possible actions include:
• For a misdirected email, try to retract the email, or contact the recipient and ask them to delete the email from their system and confirm that there was no further disclosure of the email.
• If a document, file, or portable storage device was misplaced, attempt to locate it.
• In the event of a lost or stolen electronic device (such as a mobile phone, laptop, or tablet), System Support must be notified immediately so that the device can be remotely located and/or wiped to protect sensitive information.
• If a system appears to be compromised, immediately contact the System Support Service to discuss taking the system off-line until further investigation can take place to fix security risks/weaknesses.
• If a user-id or password to a system has been compromised, immediately change the password.

1.4 Flashpoint will action the escalation protocol below:
Based on the initial information about the breach, notify all employees. Flashpoint will work with identified team members to respond to the breach. The team will determine what other notifications will be necessary (i.e. police, legal counsel). 

Step 2: Assess the Extent and Impact

The team will evaluate potential risks to affected individuals and understand the scope of the breach, who is affected and how they may be affected. We will record information about all the following factors:

2.1 Assess the Personal Information Involved in Breach
• Once information that is part of the breach is known, assess it for risk level based on what type of personal information it is.
• Consider context when evaluating a breach.

2.2 Cause and Extent of the Breach
• How did the breach occur or what was the cause of the breach?
• What programs and systems are involved?
• Is there a risk of ongoing further exposure of the information?
• How much information was collected, used or disclosed without authorization? 
• How many individuals are likely to receive or have access to the information that was breached?
• What steps have been taken already to minimize the harm?
• How many people are likely to have access to the breached information and what is the likelihood of disclosure online or through the media?
• Has the information been recovered?
• Is the information encrypted or not easily accessible?
• Is there a risk for further breaches due to systemic problems or is this a one-time incident?
• How can the breached information be used?

2.3 Affected Individuals
• Is it employees, public, contractors, clients, service providers or other organizations?
• How many individuals are, or are estimated to be, affected by the breach?

2.4 Foreseeable Harm
• What possible use is there for the personal information? Can the information be used for exploitation, fraud, identity theft or other harmful purposes?
• Who is in receipt of the personal information?
• Is there a relationship between the unauthorized recipient and the individual whose personal information was breached?
• Is there a risk of significant harm to the individual such as:
● security risks (such as physical safety)
● identity theft or fraud
● access to assets or financial loss
● loss of employment or business opportunities
● hurt, humiliation or damage to reputation/relationships
● breach of contractual obligations
• Is there a risk of significant harm to the organization because of the breach such as:
● loss of government assets (financial or otherwise)
● financial exposure
● loss of contracts/business/opportunity
● legal proceedings (e.g. class action lawsuits)
• Is there a risk overall to the broader public such as:
● risk to public health
● risk to public safety

Step 3: Notify and Report the Breach where Necessary

3.1 Determining if Notification is Necessary 
Notification may allow affected individuals to reduce potential harm to themselves caused by the breach. To decide if notification is necessary the response team may consider the following:
• Contractual obligations – is there a contractual obligation to notify the affected individuals?
• Risk of identity theft – is there a possibility based on the type of information lost that this or other type of fraud could occur?
• Risk of physical harm – is there a possibility that the loss could result in stalking, harassment or physical harm to the individual?
• Risk of hurt, humiliation, damage to reputation – loss of employment, disciplinary records or medical information could contribute to this.
• Risk of loss of business or employment opportunities – job performance information or other types of personal evaluation documents would contribute to this.
• Effect on the organization – is there a possibility of loss of confidence in the organization or an impact on client relations?

3.2 When and How to Notify
Flashpoint or their delegate will be responsible for promptly notifying the affected individuals. This notification is given directly to those affected, either on the phone, in person or via email. 

3.3 What to Include
The notification to the affected individual provides information so that they can understand the scope and severity of a breach. This notification is to include:
• Date of the breach
• Description of the breach (extent)
• Description of the information breached
• Risk to the individual caused by the breach
• Steps taken to contain the breach and any harms
• Future steps planned or any long-term plans to prevent further breaches 
• Steps the individual can take to further mitigate their own risk. For example, how to contact credit reporting agencies or how to change a driver’s license

Step 4: Investigation and Mitigation to Prevent Further Breaches

4.1 Investigation:
Once a breach has been contained, the root cause must be reviewed to ensure the underlying issue is fully understood and addressed. Privacy breach investigations are led by Flashpoint and may involve designated staff or contractors. The investigation will examine relevant business practices, administrative and technical safeguards, access controls, and include interviews with involved personnel.

The purpose of the investigation is to determine what occurred, identify any vulnerabilities, and recommend corrective actions to prevent recurrence. Recommendations may include updates to physical, administrative, or technical controls, modifications to internal procedures, or additional staff training.

An investigation plan should be documented, outlining sources of information (e.g., policies, procedures), questions for stakeholders, and any necessary access to system or audit logs.

4.2 Implement Change:
Based on the findings and recommendations of the investigation, the team will evaluate the recommendations and develop a plan for implementation and follow-up.

4.3 Logging and Reporting
Each privacy breach will be documented to track the breaches that have occurred. The log will contain a brief description of the event, organization name, date of occurrence, outcome and recommended mitigations.

Appendix B
STUDENT DIGITAL PRIVACY STANDARD & FLASHPOINT COMPLIANCE

Specifying Purposes


1.1 Providers must state all data elements that their classroom web apps or services collect and provide reasons for the collection/processing of each element. Flashpoint collects student data for the purposes of distributing certifications only.

Consent

2.1 Schools are responsible for obtaining and maintaining verifiable parental consent for the collection, use, and disclosure of personal information for students under the age of 18, unless a legal basis for such processing has been established by applicable laws or regulatory guidance. Flashpoint does not interact directly with students, and all matters related to parental consent fall under the authority and responsibility of the school.

2.2 In the absence of valid consent, service providers must ensure that students retain ownership and control over any content they create or upload to classroom web applications or software. Flashpoint does not engage directly with students; it is the responsibility of the school to obtain the necessary consent for any data collection or use.

2.3 Providers must offer consent options that allow users—or their parents or guardians—to agree to the collection and use of personal information solely for the purpose of delivering the service, without requiring consent for disclosure to third parties for unrelated purposes such as marketing. Flashpoint does not disclose personal information to third parties.

Collection

3.1 Providers must limit data collection to only the personal information necessary to operate the classroom web application or service. This means avoiding access to browser history, contact lists, search queries, preferences, device identifiers, location data, or similar information unless it is directly required to deliver the service. Flashpoint collects only the minimum student information needed to issue certificates and does not access or collect any additional data.

3.2 When applications require installation on mobile devices, providers must give users clear options regarding the disclosure of device data such as location, unique identifiers, and contact information. Flashpoint does not use or offer any applications that require downloading to a device.

3.3 Providers must not collect personal information without the user’s knowledge or consent, including audio or video data captured through the user’s own device. Flashpoint does not use any downloadable applications and does not collect personal information covertly.

3.4 Student profiles and activity within a web application or service must remain private and inaccessible to others, unless the platform is specifically designed for collaborative use and such sharing is essential to its function. Flashpoint does not require students to create individual profiles.

3.5 Educators should have the option to create generic accounts or use minimal personal information (e.g., “Student 1,” “Student 2”) to reduce the amount of data collected from students. Flashpoint does not create or manage student accounts.

Use, Retention, Disclosure

4.1 Providers must use, disclose, and retain personal information solely for the purpose of delivering the classroom web application or service. Flashpoint collects only student names, and solely for the purpose of issuing certificates.

4.2 Providers must not share, benefit or profit from student personal information.

4.3 Providers must not profile children for marketing purposes or in ways that lead to unfair, unethical or discriminatory treatment. Flashpoint does not have or use student profiles.

4.4 Providers must not repurpose student data or use it for research without express consent, unless authorized by statute or anonymized.

4.5 Providers must securely delete or anonymize all personal information that is no longer necessary for delivering the application or service, and must clearly define data retention timelines. Flashpoint deletes all student information at the end of each school year.

Security Safeguards
5.1 Providers must implement a comprehensive security program designed to reasonably protect the privacy, confidentiality, and integrity of student personal information. This includes safeguarding against risks such as unauthorized access, misuse, or unintended disclosure, using appropriate administrative, technical, and physical measures based on the sensitivity of the data. Flashpoint maintains such a security program.

5.2 Providers must implement safeguards that are equal to the standards set by Flashpoint.

5.3 Providers must ensure that all vendors they use to provide the service implement adequate security safeguards. Flashpoint vendors do not have access to student information.

5.4 Providers must ensure that any successor organizations are contractually required to uphold the same security safeguards for previously collected personal information. Flashpoint’s Security Program includes provisions to maintain these protections in the event of a transfer or change in ownership.

5.5 Providers must have breach protocols in place. Flashpoint has breach protocols in place under its Security Program.

Openness and Transparency

6.1 Providers must communicate privacy notices, terms of use, contracts etc., in clear, specific and unambiguous language that explains to users how their personal information is being used, processed, disclosed and retained by the provider and any third parties. Privacy policies and notices are communicated on the Flashpoint Website and users will be directly notified if a breach occurs.

6.2 Providers must make links to privacy policies and terms of use, etc., easy to find after the account has been created. Flashpoint does not have or use student accounts.

6.3 Providers must identify the third parties to which they disclose personal information for processing, the specific data elements involved, and a summary of protections/assurances in place. Flashpoint does not provide student information to third parties.

6.4 Where providers use data for statistical analysis and profiling, for making subjective assessments, for predicting behavior or as part of a decision-making process it should be clearly communicated by providers to users along with a mechanism to challenge these assessments. Flashpoint does not use student information for statistical analysis and profiling.

6.5 Providers must state whether or not the classroom app/service allows users to make personal information publicly available online.
Student information is not made publicly available online by anyone.

6.6 Providers must directly inform users before changes are made to policies and terms of use, etc., before data is used in a manner inconsistent with the terms they were initially provided. Flashpoint will notify users directly before changes are made to policies and terms of use.

6.7 Providers must disclose the presence and use of third party cookies and provide options for managing them. Flashpoint does not share student information with third parties and therefore cookies are not applicable.

6.8 Providers must confirm that they are in compliance with all laws.
Flashpoint confirms compliance with all laws.

Access and Correction
7.1 Providers must make available the name and contact information of an operator who will respond to inquiries and challenges from users or parents/guardians about privacy policies, data handling practices, accuracy, completeness and use of personal information. Flashpoint makes the name and contact information for tech support and privacy available on our website.

7.2 Providers must have a mechanism for users to access, correct, erase, and download content they created in a usable format. Flashpoint allows users to correct, erase and download content they create in a usable format by contacting us at contactus@flashpointtraining.com.

7.3 Users have the right to erasure of their data, including metadata inferences, assessments and profiles (if not required for administrative purposes by the provider or the school board) and providers will not charge a fee for this service. Users have the right to erase their data for no fee.

7.4 Providers must ensure that when a student deletes their work in an account created by an educator, where the educator maintains exclusive administrative rights, the copies in the educator account also disappear. Flashpoint does not have or use student accounts. Data may be deleted from the Teacher file at the student's request, as this is the only place information is held.

7.5 Providers must ensure that educators have the ability to delete their own accounts and virtual classrooms. Teachers have the ability to delete their data by contacting us at contactus@flashpointtraining.com and have all information removed from our system. Flashpoint does not have web accounts.

7.6 Providers must not require users to surrender their copyright to their own work if they post it to the application or service’s site. Users are not required to surrender their copyright to their own work they provide to Flashpoint.

CONTACTING US AND PRIVACY COMPLAINTS

If you have any questions, requests, or concerns regarding this Privacy Policy, or wish to file a privacy-related complaint, please contact our Privacy Officer:

Privacy Officer
Flashpoint Training Inc.
90 Optimist Drive, St. Thomas, Ontario N5P0G3
contactus@flashpointtraining.com

We will respond to all inquiries in accordance with applicable laws. If your concern is not resolved to your satisfaction, you have the right to contact the Office of the Privacy Commissioner of Canada or your local privacy authority.