CAFE Information and Data Protection Policy

The Canadian Association of Financial Educators (CAFE) is committed to protecting personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal privacy law governing private-sector organizations engaged in commercial activities. This policy outlines how CAFE collects, uses, discloses, retains, and protects personal information, ensuring compliance with PIPEDA’s 10 Fair Information Principles.

1. Scope and Accountability

The Canadian Association for Financial Empowerment collects personal information for certification, membership, subscriptions, system access(s), CAFE CONNECT and other such educational services. We are accountable for all personal information under our control, including data transferred to third parties (e.g., Association for Financial Counseling and Planning Education, AFCPE). Our Compliance and Standards Department, reachable at compliance@cafe-acaf.org, oversees PIPEDA compliance, responds to inquiries, and handles complaints.

Categories of Personal Information:

  • Certification: Name, contact details, employment history, exam results, continuing education records, annual fee payments, and Code of Ethics attestations for 2025.

  • Membership: Name, contact details, payment information, and membership status.

  • Educational Services: Registration details, course participation records, and payment information for Learning Labs and Education Events.

  • Consumer Inquiries for Industry Referral: Name, email, and inquiry details submitted via CAFE’s website or events, consumer support or submitted forms to ConsumerSupport@cafe-acaf.org.

2. PIPEDA Compliance Principles

CAFE adheres to PIPEDA’s 10 Fair Information Principles:

  1. Accountability: CAFE designates the Compliance and Standards Department to ensure compliance, train staff, and maintain policies.

  2. Identifying Purposes: We collect personal information for certification, membership, educational services, and consumer inquiries, specified at or before collection.

  3. Consent: We obtain meaningful consent (express or implied) for collection, use, and disclosure, except where permitted by PIPEDA (e.g., legal obligations).

  4. Limiting Collection: We collect only what is necessary for identified purposes, using fair and lawful means.

  5. Limiting Use, Disclosure, and Retention: Personal information is used/disclosed only for stated purposes and retained only as long as necessary (see Section 4).

  6. Accuracy: We strive to keep personal information accurate and update it upon request.

  7. Safeguards: We protect personal information with security measures (e.g., encryption, access controls) proportional to its sensitivity.

  8. Openness: This policy is publicly available at www.cafe-acaf.org.

  9. Individual Access: Individuals can request access to their personal information (see Section 5).

  10. Challenging Compliance: Individuals can challenge CAFE’s compliance by contacting compliance@cafe-acaf.org.

3. Management, Audit, and Fulfillment of Certification and Membership Requirements

  • Certification (CFC™):

    • Management: CAFE collects name, contact details, may include the receipt of employment verification (1,000 hours), exam results, and continuing education records (30 hours every two years) to administer the certification program. Prior to August 11, 2025 most certification data is managed by AFCPE (contact: support@afcpe.org).

    • Audit: CAFE conducts annual reviews of compliance. CAFE may audits certification records, and CAFE retains related data for two years post-agreement or dissolution.

    • Fulfillment: CAFE processes enrollments, ships study materials, and may support the coordination of exams, while validating certifications and issuance of electronic certificates within 30 days.

  • Membership (By-Law No. 1, Section 3. Membership Classes):

    • Management: CAFE collects name, contact details, and payment information for membership administration.

    • Audit: Membership data is audited annually to ensure compliance with CAFE’s standards and PIPEDA’s accuracy principle.

    • Fulfillment: Membership services include access to CAFE resources and events.

  • PIPEDA Compliance: Data collection is limited to identified purposes, with consent obtained at enrollment. Data is securely stored on Canadian data services, and third-party disclosures (e.g., to AFCPE) are documented.

4. Purge Rules

CAFE retains personal information only as long as necessary for its identified purposes or legal obligations, per PIPEDA’s Principle 5:

  • Meetings: If recorded (e.g., via Microsoft Teams), recordings are non-essential and automatically purged within 30 days unless specific to an existing membership issue, Board of Directors request or concern, or required for oversight and governance for the organization. Recordings intended for Learning Labs and Education Events are maintained for the duration agreed upon for the lifecycle of the event (typically 90 days post-event for evaluation and reporting) or where applicable, only hosted as OnDemand for our Learning Labs/Empowerment CAFÉ.

  • Certification Data: Retained for two years post-agreement, dissolution of the AFCPE License Agreement (August 11, 2025), or until no longer needed for certification purposes (per Section IV.I of the License Agreement).

  • Membership Data: Retained for the duration of active membership plus two years for audit purposes, unless legally required longer (e.g., tax records).

  • Consumer Inquiries for Industry Referral: Purged at resolution (end of communication).

  • CAFE CONNECT: As a free service for Canadians, CAFE CONNECT collects limited personal information (e.g., name, email for registration). Data is purged after 180 days of inactive account activity, ensuring compliance with PIPEDA’s limiting retention principle. White-label licensing follows a separate use-case and outlined in CAFE CONNECTs policies for data retention from a CAFE to customer relationship.

  • Purge Process: Data is securely deleted (e.g., overwritten using secure deletion tools) or anonymized to prevent recovery.

  • Survey Results: Surveys conducted externally, survey data is maintained in the aggregate and no consumer information is identifiable or maintained.

5. Submitting a Request for Personal Information

Individuals can request access to their personal information or inquire about its use, disclosure, or absence:

  • Submission: Email compliance@cafe-acaf.org with your name, contact details, and request specifics (e.g., certification records, membership data).

  • Verification: Provide government-issued ID to confirm identity.

  • Response: CAFE responds within 30 days, providing:

    • Existence, use, and disclosure details of your personal information.

    • Access to your data at no cost or minimal cost.

    • Information on third-party sharing (e.g., AFCPE for certification as applicable).

    • Right to request corrections if data is inaccurate.

    • Explanation if no data exists (e.g., purged per 30-day or 180-day policy).

  • Complaints: Address compliance challenges to compliance@cafe-acaf.org. We will investigate and respond as promptly as possible, informing you of outcomes and remedies.

6. Data Storage

CAFE hosts all personal information on secure Canadian data services compliant with PIPEDA, using encryption and access controls. Data transferred to third parties (e.g., AFCPE in the U.S.) is protected by contractual safeguards, GDPR compliant, respects the Indigenous Data Sovereignty under OCAP, and individuals are notified of potential foreign jurisdiction access.

7. Contact Information

For inquiries, requests, or complaints:

  • Email: compliance@cafe-acaf.org

  • Mail: Compliance and Standards Department, Canadian Association of Financial Educators, 1155 North Service Rd W, Unit #11, Oakville, Ontario L6M 3E3

  • Phone: (905) 945-5644 ext. 222

8. Compliance and Oversight

CAFE’s Compliance and Standards Department, in conjunction with our Board of Director’s Governance Committee and Legal Counsel, conducts regular audits, maintains transparent policies, and ensures staff training.

We comply with the Office of the Privacy Commissioner of Canada (OPC) and address complaints promptly. Non-compliance may lead to OPC investigations or Federal Court action, but CAFE is committed to resolving issues internally first.