Privacy Policy

Victorium Law is responsible for personal information under our control. Our Privacy Officer is responsible for compliance with this Policy and the Personal Information Protection and Electronic Documents Act (PIPEDA). All requests, complaints, and inquiries should be directed to the Privacy Officer:

We collect personal information only for purposes that are identified to you at or before the time of collection. Typical purposes include:

• Establishing and managing the lawyer–client relationship
• Providing legal services (immigration, sponsorship, appeals, etc.)
• Communicating with you and on your behalf with government bodies (IRCC, CBSA, courts)
• Billing, payment processing, and trust accounting (Law Society By-Law 9)
• Compliance with our regulatory obligations under the Law Society of Ontario
• Detecting and preventing fraud, abuse, and security incidents

We obtain your knowledge and express consent for the collection, use, and disclosure of your personal information, except where the law requires or permits otherwise. By engaging our services or by checking the consent box on our intake forms, you give express consent for the purposes listed above.

You may withdraw your consent at any time, subject to legal and contractual restrictions. To withdraw consent, contact our Privacy Officer. Withdrawing consent may limit our ability to provide you with legal services.

We limit the amount and type of personal information collected to what is necessary for the identified purposes. We do not collect personal information indiscriminately.

Categories of personal information we typically collect include: identification (name, date of birth, passport, national ID), contact (address, email, phone), immigration history, family relationships, employment and education history, medical information where required by IRCC, and financial information for billing and trust accounting.

Personal information is used and disclosed only for the purposes for which it was collected, except with your consent or as required by law (e.g., responding to lawful subpoenas, court orders, or regulatory inquiries from the Law Society).

We retain personal information only as long as necessary to fulfill the purposes for which it was collected, or as required by law. The Law Society of Ontario By-Law 9 requires retention of client files for a minimum of 15 years from the date the file is closed.

We make reasonable efforts to keep personal information as accurate, complete, and up-to-date as necessary for the purposes for which it is used. You may request that we correct any inaccurate information by contacting our Privacy Officer.

We protect personal information with security safeguards appropriate to its sensitivity, including:

• Encryption in transit (TLS 1.3 for all web traffic)
• Encryption at rest for sensitive fields (AES-256-GCM, NIST SP 800-38D)
• Multi-factor authentication for all staff and client portal access
• Role-based access control with the principle of least privilege
• Audit logging of every modification to personal information
• Quarterly review of access permissions
• Cybersecurity training for all staff
• Regular vulnerability scanning and penetration testing

This Privacy Policy and our internal privacy practices are available to you on request. The current version is always posted at /privacy.

On written request, we will inform you of the existence, use, and disclosure of your personal information and provide access to it. We will respond within 30 days as required by PIPEDA, unless an extension is necessary and permitted by law (in which case we will notify you in writing).

To exercise your right of access, correction, deletion, or portability, email [email protected] with the subject line "PIPEDA Access Request". We may verify your identity before fulfilling the request.

You may challenge our compliance with this Policy by contacting the Privacy Officer above. We will investigate every complaint and respond in writing. If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.

Our website uses essential cookies required for login, security, and basic site function. With your consent (recorded via the cookie banner shown on first visit), we may also use functional, analytics, and marketing cookies as described in the banner.

You may withdraw or modify your cookie consent at any time by clearing the vl_consent cookie/localStorage entry in your browser, which will trigger the consent banner on your next visit.

Personal information may be processed by our service providers in the United States (e.g., Vercel for hosting, Neon for database, Stripe for payments). We require all providers to implement equivalent safeguards through contractual and technical means. Data may be subject to lawful access by foreign authorities.

We may amend this Policy from time to time. The effective date at the top of this page indicates when the current version took effect. Material changes will be communicated to active clients via email.