Last updated: 2026-05-16
Canada — Privacy Notice (PIPEDA and Quebec Law 25)
This page is the Canadian-specific privacy notice Gila publishes for Canadian residents, including residents of Quebec. It supplements — and does not replace — our main Privacy Policy and Health Data Notice. Where this notice and the main Privacy Policy diverge for a Canadian or Quebec resident, this notice controls.
If anything is unclear, email dpo@gila.coach and we will explain it. A French-language translation will be published at /fr-CA/confidentialite before our Canadian app-store launch; until then, this English master controls.
1. Two layers of law that apply to you
Canadian privacy compliance for an app like Gila is a two-layer obligation:
- Federal PIPEDA — the Personal Information Protection and Electronic Documents Act applies to organisations that collect, use, or disclose personal information in the course of commercial activities. PIPEDA applies in all provinces and territories, except where a province has enacted "substantially similar" private-sector legislation (Alberta PIPA, British Columbia PIPA, and Quebec's Private Sector Act). Even in those provinces, PIPEDA continues to apply to inter-provincial and international transfers of personal information.
- Quebec's Private Sector Act, as modernised by Law 25 — applies to organisations that collect, hold, use, or communicate personal information about Quebec residents in the course of carrying on an enterprise. Law 25 introduced staged amendments effective September 2022, September 2023, and September 2024; all stages are now in force.
For a Gila user in Vancouver, PIPEDA applies (BC's PIPA is substantially similar, but for an international transfer to the US, PIPEDA still governs). For a Gila user in Montreal, Quebec's Private Sector Act with Law 25 amendments applies, and PIPEDA continues to govern the international leg.
Where Law 25 imposes a stricter standard than PIPEDA, the Quebec standard applies for Quebec residents.
2. Controller and Privacy Officer
Controller
| Field | Value |
|---|---|
| Legal entity | Sezen Soykut, sole-trader (şahıs şirketi) registered in the Republic of Türkiye |
| Trade name | Gila |
| Registered address | Karya Evleri 3/18, Ataşehir Mahallesi, Çiğli, İzmir, Türkiye |
| General mailbox | hello@gila.coach |
Privacy Officer (PIPEDA Principle 1) / Person in charge of the protection of personal information (Quebec Law 25 Art. 3.1)
| Field | Value |
|---|---|
| Privacy Officer / Personne responsable | Sezen Soykut |
| Contact | dpo@gila.coach |
| Disclosure | Published in this notice and at /privacy#contact. The title and contact information of the Person in charge are published on our website per Quebec Private Sector Act Art. 3.1, second paragraph |
3. Accountability for personal information transferred outside Canada
PIPEDA Schedule 1, clause 4.1.3 (Principle 1 — Accountability) makes Gila accountable for the personal information of Canadian users even when that information is transferred to a third party for processing, including a third party outside Canada. We remain accountable for the information's protection by contract or other means.
Quebec Law 25 (Art. 17) goes further: before communicating personal information outside Quebec, the controller must conduct an assessment of the privacy-related factors of the proposed transfer (a "PIA" in Law 25 terminology), considering the sensitivity of the information, the purposes, the protections that will be afforded, and the legal regime of the destination jurisdiction. Communication may proceed only if the assessment establishes that the information will receive adequate protection in light of generally recognised principles.
Gila's primary database (Supabase Postgres) is hosted in the United States (us-east-2, Ohio, AWS). Our AI features call Google Gemini in the United States. Push notifications transit Firebase Cloud Messaging in the United States. Email transits Resend in the United States. The full processor list is at /subprocessors.
For each US-bound transfer, our Transfer Impact Assessment documents the destination-jurisdiction legal regime, the technical and contractual safeguards in place (encryption in transit and at rest, RLS on every Supabase table, the "no training" flag on Google Gemini, written processor agreements with confidentiality and security obligations), and our risk verdict. This document is intended to satisfy both the PIPEDA accountability transfer standard and the Quebec Law 25 Art. 17 privacy-factors assessment requirement.
You should also be aware — per the Office of the Privacy Commissioner's longstanding position following the Supreme Court of Canada decision in R. v. Spencer (2014 SCC 43) — that personal information transferred to another jurisdiction may be subject to lawful access by foreign governments under their own law (for the United States, this includes FISA Section 702 and the CLOUD Act). Our TIA addresses how we mitigate that exposure.
4. Consent (PIPEDA Principle 3 and Quebec Law 25 Art. 12, 14)
4.1 Federal PIPEDA — meaningful consent
Under PIPEDA Principle 3 and the OPC's 2018 Guidelines for Obtaining Meaningful Consent, consent is valid only if it is meaningful — the individual must understand what personal information is collected, with whom it is shared, for what purposes, and the risks of harm. The OPC requires emphasis on:
- The categories of personal information collected
- The third parties with whom it is shared
- The purposes for which it is used
- The risk of harm and other consequences
For sensitive information — which clearly includes health data — PIPEDA requires express consent. Implied consent is acceptable only for less sensitive information where the purposes would be obvious.
4.2 Quebec Law 25 — express, granular, separate consent
For Quebec residents, Law 25 (Art. 14) requires that consent be clear, free, informed, and given for specific purposes. Consent for the collection or use of personal information must be requested separately from any other information that is provided to the person concerned. Consent for sensitive information — including health information — must be express. Consent is invalid if it has been requested through a means that obscures it or that conflates it with other consents.
4.3 How Gila collects consent for Canadian users
Before any health field is written to our database, we present an in-app consent gate (LegalConsentGate in lib/widgets/legal/):
- Health-data consent is express, separate from the terms-of-service acceptance, and granular by purpose (health tracking, AI features, community sharing each have their own affirmative action)
- The screen states the categories of personal information collected, the purposes, the categories of recipients (Supabase US; Google Gemini US for AI features when applicable; Apple Health or Health Connect on-device only), and the cross-border destination
- A link to this notice is rendered above the consent control
- Withdrawal is reachable from Settings → Privacy → Consents and is as easy to perform as giving consent was (Quebec Law 25 Art. 14, fourth paragraph)
A consent receipt is persisted in the public.consent_log table for every acceptance — policy version, accepted categories, jurisdiction, timestamp, source surface — satisfying the PIPEDA accountability obligation and Quebec Law 25's burden-of-proof rule.
4.4 Withdrawal
You can withdraw consent at any time. Withdrawal stops future processing of the affected category. Withdrawal does not retroactively invalidate processing that was lawful when performed. You may also request deletion of personal information processed on the basis of consent — see §6.
5. What we collect and what we use it for
The full categorisation lives in the main Privacy Policy §3 and in the Data Inventory. In short, for Canadian users we collect:
- Account identifiers (email, name, OAuth subject ID, push device token, profile photo URL) — purpose: account creation, authentication, push delivery
- Health information (body weight, GLP-1 medication name and dose, injection zone, side effects, mood, food intake including calories and macronutrients, Apple Health / Health Connect signals, AI-derived health insights, journal entries) — purpose: providing the Gila tracking and coaching service you have requested
- Subscription information (when paywall enabled — tier, status, transaction reference) — purpose: subscription management
- Pseudonymised technical telemetry (screen names, event names, app version, OS, locale) — purpose: product analytics and error tracking
- Marketing engagement (email, signup source, opens / clicks) — only if you have separately opted in to marketing emails or the newsletter
Health information is sensitive personal information under both PIPEDA and Quebec Law 25 Art. 12, second paragraph. We treat it accordingly: express separate consent, encryption at rest and in transit, RLS on every Supabase table that holds it, and no sale or sharing for advertising.
6. Your rights
6.1 Federal PIPEDA — Principle 9 (Individual Access) and Principle 4.6 (Accuracy)
PIPEDA Principle 9 entitles a Canadian individual, upon request, to be informed of the existence, use, and disclosure of their personal information and to be given access to that information. The individual is entitled to challenge the accuracy and completeness of the information and have it amended as appropriate (Principle 4.6 — Accuracy).
| Right | Source | What it means at Gila |
|---|---|---|
| Right to know about existence, use, disclosure | PIPEDA Principle 9 (clause 4.9) | We confirm what personal information we hold about you and tell you how it has been used and to whom it has been disclosed |
| Right to access | PIPEDA Principle 9 | We provide a copy of the personal information we hold about you, in a generally understandable form |
| Right to correct (challenge accuracy) | PIPEDA Principle 4.6 | If the information is inaccurate or incomplete, we correct it or attach a notation if we disagree |
| Right to withdraw consent | PIPEDA Principle 3 (clause 4.3.8) | You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice |
| Right to complain | PIPEDA section 11, Principle 10 | You may complain to our Privacy Officer or directly to the OPC |
6.2 Quebec Law 25 — additional rights
Quebec residents have additional rights under the Quebec Private Sector Act as amended by Law 25:
| Right | Source | What it means at Gila |
|---|---|---|
| Right to information about the use of automated decision-making | Art. 12.1 | If a decision based exclusively on automated processing of your personal information is made, we must inform you and, on request, tell you the personal information used and the principal factors and parameters that led to the decision, and allow you to submit observations to a member of personnel for review |
| Right to access and rectification | Art. 27, Art. 28 | Same as PIPEDA, with stricter formality requirements |
| Right to portability | Art. 27, third paragraph (in force since September 2024) | Receive a copy of the computerised personal data you have provided to us in a structured, commonly-used technological format |
| Right to de-indexation / cessation of dissemination ("right to be forgotten") | Art. 28.1 | In specific circumstances (information is causing serious injury or constitutes an unjustified breach of fundamental rights), request that we cease disseminating personal information about you or de-index a link to that information |
| Right to withdraw consent | Art. 14, fourth paragraph | As easy to perform as giving consent; effective immediately for future processing |
6.3 Automated decision-making
Gila's AI features (food vision, AI coaching, weekly briefing, activity-goal AI, habit suggestions) are decision-support features under your direct control — you can accept, edit, or reject every AI output. They do not make decisions about you exclusively on the basis of automated processing within the meaning of Quebec Law 25 Art. 12.1. If you nonetheless want a human review of an AI-generated output, file a request and we will respond.
6.4 How to exercise these rights
Two channels, both free:
- Self-service web form — visit /dsar and select Canada (PIPEDA) or Quebec (Law 25) as your jurisdiction. We will email a verification link.
- Email — write to dpo@gila.coach stating the right you are exercising and a contact email associated with your Gila account.
6.5 Response window
- Acknowledgement: within 5 business days of receipt
- Substantive response under PIPEDA: within 30 days of receipt (Schedule 1, clause 4.9.4). An extension is permitted in limited circumstances and you must be notified within the 30-day window
- Substantive response under Quebec Law 25: within 30 days of receipt (Art. 32). Same extension rule
If we deny your request (in whole or in part), we will tell you the reasons in writing within the response window and explain how to file a complaint with the OPC (federal) or the CAI (Quebec). We will also tell you whether we are denying the request under a specific PIPEDA section 9 ground or an equivalent Quebec ground.
6.6 Cost
Access requests are processed at minimal or no cost to the individual (PIPEDA Principle 9, clause 4.9.4; Quebec Law 25 Art. 33 — fee may apply only for transcription, reproduction, or transmission with prior notice).
7. Breach notification
7.1 Federal PIPEDA — Division 1.1 (sections 10.1, 10.2, 10.3)
PIPEDA requires us to report to the OPC, and notify affected individuals, of any breach of security safeguards involving personal information under our control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm ("RROSH") to an individual. "Significant harm" includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.
Reports to the OPC and notifications to individuals must contain the information specified in the Breach of Security Safeguards Regulations (SOR/2018-64). We are also required to keep a record of every breach of security safeguards involving personal information under our control for 24 months (section 10.3).
7.2 Quebec Law 25 — Art. 3.5–3.7
For Quebec residents, Law 25 imposes a parallel obligation: if a confidentiality incident involving personal information of a Quebec resident presents a risk of serious injury, we must promptly notify the CAI and the affected individuals, and keep a register of confidentiality incidents.
Our Breach Response Playbook is built to satisfy both obligations and to discharge them within the regulatory expectations.
8. Complaints
Federal PIPEDA
Office of the Privacy Commissioner of Canada (OPC):
- Website: https://www.priv.gc.ca
- Complaint portal: https://www.priv.gc.ca/en/report-a-concern/file-a-formal-privacy-complaint/
- Telephone: 1-800-282-1376
- Address: 30 Victoria Street, Gatineau, Quebec K1A 1H3
Quebec
Commission d'accès à l'information du Québec (CAI):
- Website: https://www.cai.gouv.qc.ca
- Complaint portal: https://www.cai.gouv.qc.ca/citoyens/protection-des-renseignements-personnels/comment-porter-plainte/
- Telephone: 1-888-528-7741
- Address: Bureau 2.36, 525 boul. René-Lévesque Est, Québec (Québec) G1R 5S9
We ask that you give us an opportunity to resolve the issue first (see §6.4), but you are not required to do so before filing a complaint.
9. Children
PIPEDA does not set a fixed age threshold, but the OPC's longstanding position is that meaningful consent cannot be obtained from young children. Quebec Law 25 (Art. 4.1) provides specific safeguards for children under 14 whose personal information is collected by an enterprise (consent must be given by the holder of parental authority, and the law restricts processing of children's personal information to clear and direct purposes).
Gila has a 16-and-over self-attested age gate that exceeds both standards — see Privacy Policy §11. We do not knowingly serve users under 16. If we learn that we have collected personal information from a person under 16, we will delete it promptly.
10. Security (PIPEDA Principle 7, Quebec Law 25 Art. 10)
We maintain administrative, technical, and physical safeguards appropriate to the sensitivity of the personal information we hold:
- TLS 1.3 for all data in transit
- AES-256 at-rest encryption for the Supabase Postgres database and storage objects
- Row-level security on every Supabase table that holds personal or sensitive data, scoped to the authenticated user
- OAuth state + PKCE for Google / Apple sign-in
- "Do not train" flag set on every Google Gemini API request
- Scrubbing of sensitive fields at the analytics / error-tracking boundary
- Push payload minimisation
- Written processor agreements with security and confidentiality obligations
- Append-only consent receipts for accountability
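As an added illustration, not Gila's own schema or migration code, here is one way the consent receipts of §4.3 (policy version, accepted categories, jurisdiction, timestamp, source surface) and the user-scoped row-level security and append-only property of §10 could be expressed in Supabase Postgres. The column names, the jurisdiction codes and the `consent_log_immutable` trigger are assumptions; `auth.uid()` is Supabase's built-in helper returning the authenticated user's id.

```sql
-- Added illustration (assumed schema, not Gila's actual migration).
create table if not exists public.consent_log (
  id             bigint generated always as identity primary key,
  user_id        uuid not null default auth.uid() references auth.users (id),
  action         text not null check (action in ('grant', 'withdraw')),
  policy_version text not null,                 -- e.g. '2026-05-16'
  categories     text[] not null,               -- e.g. '{health_tracking,ai_features}'
  jurisdiction   text not null check (jurisdiction in ('CA-PIPEDA', 'CA-QC-LAW25')),
  source_surface text not null,                 -- e.g. 'ios_app', 'android_app', 'web'
  recorded_at    timestamptz not null default now()
);

-- Row-level security scoped to the authenticated user: a user can read and
-- write only receipts carrying their own auth.uid().
alter table public.consent_log enable row level security;

create policy consent_log_select_own on public.consent_log
  for select to authenticated
  using (user_id = auth.uid());

create policy consent_log_insert_own on public.consent_log
  for insert to authenticated
  with check (user_id = auth.uid());

-- Append-only: no update or delete policy is created, and the privileges are
-- revoked outright so a policy added later by mistake cannot grant them.
revoke update, delete, truncate on public.consent_log from authenticated, anon;

-- Defence in depth: refuse mutation even for roles that bypass RLS (table
-- owner, service role), so a receipt can never be edited after the fact.
create or replace function public.consent_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'consent_log is append-only';
end;
$$;

create trigger consent_log_no_mutation
  before update or delete on public.consent_log
  for each row execute function public.consent_log_immutable();

-- A withdrawal (§4.4) is recorded as a new receipt rather than an edit of the
-- original grant, so the full consent history remains available as evidence.
insert into public.consent_log (action, policy_version, categories, jurisdiction, source_surface)
values ('withdraw', '2026-05-16', '{ai_features}', 'CA-QC-LAW25', 'ios_app');
```

The final insert only succeeds for an authenticated session, because `auth.uid()` is null otherwise and the `with check` clause rejects the row.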
11. Contact
For any Canadian privacy question or request:
- Email: dpo@gila.coach
- Self-service: /dsar (select Canada (PIPEDA) or Quebec (Law 25))
- OPC: https://www.priv.gc.ca
- CAI (Quebec): https://www.cai.gouv.qc.ca
- Mailing address: Karya Evleri 3/18, Ataşehir Mahallesi, Çiğli, İzmir, Türkiye
12. Updates to this notice
We update this notice whenever:
- PIPEDA, the Quebec Private Sector Act, or any binding OPC or CAI guidance changes in a way that affects our practices
- Federal Bill C-27 (the Consumer Privacy Protection Act and the Artificial Intelligence and Data Act) is enacted in any form that affects this notice — we will refresh the notice within 90 days of any such enactment
- Our processing of Canadian personal information materially changes
- A material processor change occurs
We will give you at least 30 days' notice before any change that reduces your PIPEDA or Quebec Law 25 protections takes effect, by email (if you have an account) and by an in-app banner. The effective_date in the frontmatter above is the current version date.