Privacy Policy
Last updated · 2026-06-14
The Boreal Codex (sole proprietorship) (“The Boreal Codex,” “we,” “us”) is a Canadian fantasy & TTRPG art marketplace. This policy explains what personal information we collect, why we collect it, and the rights you have over it under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)and Quebec’s Law 25.
1. Who is accountable
We have designated a Privacy Officer accountable for our compliance with this policy and with applicable Canadian privacy law:
- Privacy Officer, The Boreal Codex
- Email: privacy@borealcodex.ca
- Mail: PO Box 17, Tancook Island, Nova Scotia B0J 3G0, Canada
2. What we collect and why (purpose of collection)
We collect only what we need, and we tell you why at the point we ask for it:
- Account sign-up — name, email, password (hashed). Purpose: to create and secure your account.
- Artist onboarding — display name, province, bio, social links, payout details. Purpose: to operate your storefront and pay you.
- Checkout — name, email, billing/shipping address. Purpose: to fulfil and deliver your order and meet tax obligations.
- Payments — processed by our payment processor (Helcim). We do not store full card numbers on our servers.
- Newsletter — email and your express opt-in. Purpose: to send you updates you asked for (see Section 6).
3. Consent
We rely on your express consent to collect and use your personal information for the purposes above. You may withdraw consent at any time (subject to legal or contractual limits) by contacting our Privacy Officer. Marketing email is strictly opt-in and separate from the consent needed to run your account.
4. Disclosure & third-party processors
We never sell your personal information. We share it only with processors that help us operate:
- Helcim (Canadian payment processor) — to process payments.
- Web Hosting Canada — hosting and storage, within Canada.
5. Where your data lives (residency)
Your personal information is stored on servers located in Canada (Web Hosting Canada — Montréal / Toronto data centres). If this ever changes such that data is processed outside Canada, we will disclose it here before doing so.
6. Commercial email & CASL
Under Canada’s Anti-Spam Legislation (CASL), we send marketing email only to people who have given express consent, recorded with a timestamp. Every marketing message identifies us, includes our mailing address, and carries a working unsubscribe link that stays active for at least 60 days and is honoured within 10 business days. You can unsubscribe here at any time. Transactional messages (order confirmations, password resets) are not marketing and are sent as needed to operate your account.
7. Cookies
We use a single strictly-necessary cookie to keep you signed in. We do not run advertising or analytics trackers. If we introduce any non-essential cookies, we will ask for your explicit opt-in first (defaulted off), as required by PIPEDA and Quebec Law 25.
8. Your rights
You may, at any time:
- Access the personal information we hold about you;
- Correct it if it is inaccurate;
- Delete your account and associated personal data;
- Withdraw consent or unsubscribe from marketing.
To exercise any of these, email privacy@borealcodex.ca or use the privacy controls in your account settings. We respond within 30 days.
9. Safeguards & retention
Passwords are hashed (bcrypt). Sessions use signed, http-only cookies. We keep personal information only as long as needed for the purposes above or as required by law (e.g. tax records), then delete or anonymise it.
10. Quebec Law 25 & forthcoming federal reform
For Quebec residents, Law 25 grants additional rights including data portability and privacy-by-default; our Privacy Officer is your point of contact for these. We are also preparing for Canada’s incoming Consumer Privacy Protection Act (Bill C-27).
11. Changes
We will post any changes to this policy here and update the “last updated” date. Questions? Contact our team or Privacy Officer.