Contents
- Who We Are
- Scope and Applicable Law
- Personal Information We Collect
- How We Collect Personal Information
- How We Use Your Personal Information
- Consent
- Cookies and Tracking Technologies
- Third-Party Service Providers
- Disclosure of Personal Information
- Retention of Personal Information
- Security Safeguards
- Your Rights and Choices
- Children's Privacy
- Data Breach Notification
- Changes to This Policy
- Contact Our Privacy Officer
1. Who We Are
Sherlock Publishing Ltd. ("Sherlock Maps", "we", "us", or "our") is a Canadian corporation that has produced professional city maps since 1990. We publish and sell spiral-bound city maps, wall maps, and custom maps of Winnipeg, Calgary, Manitoba, and surrounding regions through our website at sherlockmaps.com (the "Website") and through our Shopify-powered online store.
We are headquartered in Winnipeg, Manitoba, and conduct business across Canada, primarily in Manitoba and Alberta.
2. Scope and Applicable Law
This Privacy Policy describes how we collect, use, disclose, and protect personal information in connection with our Website and our sale of map products. It applies to all individuals whose personal information we handle, including customers, prospective customers, and visitors to our Website.
Governing Legislation
We are committed to compliance with the following privacy laws, as they apply to our business activities:
- Federal: Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), which governs the collection, use, and disclosure of personal information in the course of commercial activities across provincial and national borders.
- Alberta: Alberta's Personal Information Protection Act (PIPA), which applies to the collection, use, and disclosure of personal information by private-sector organizations in respect of activities wholly within Alberta. Alberta PIPA has been recognized by the federal government as substantially similar to PIPEDA.
- Anti-Spam: Canada's Anti-Spam Legislation (CASL), which governs the sending of commercial electronic messages.
We follow the ten Fair Information Principles established under Schedule 1 of PIPEDA: Accountability; Identifying Purposes; Consent; Limiting Collection; Limiting Use, Disclosure, and Retention; Accuracy; Safeguards; Openness; Individual Access; and Challenging Compliance.
If there is any conflict between this Policy and the requirements of applicable law, the requirements of applicable law will govern.
3. Personal Information We Collect
"Personal information" means any information about an identifiable individual. It does not include aggregated or anonymized data that cannot be associated with a specific individual, nor does it include business contact information used solely for business-to-business communications.
3.1 Information You Provide Directly
When you place an order, make an inquiry, or otherwise interact with us, we may collect:
- Identity information: First and last name, company name (if applicable).
- Contact information: Shipping and billing addresses, email address, telephone number.
- Order and transaction information: Products purchased, quantities, order dates, shipping preferences, order history, and correspondence related to orders.
- Payment information: Credit or debit card details, billing address. Note: payment card data is processed directly by Shopify Payments and our payment processors — we do not store full card numbers on our own systems.
- Communications: Content of emails or inquiries you send to us, including any personal information you voluntarily include.
3.2 Information Collected Automatically
When you visit our Website, certain information is collected automatically through cookies and similar technologies, including:
- Device and technical information: IP address, browser type and version, operating system, screen resolution, and device type.
- Usage information: Pages visited, time and duration of visits, referring website or URL, clickstream data, and other interactions with the Website.
- Location information: General geographic region inferred from your IP address (city/region level; we do not collect precise GPS location).
- Cookie and session identifiers: Unique identifiers stored in cookies or browser storage by our analytics and e-commerce platforms.
4. How We Collect Personal Information
We collect personal information through the following means:
- Directly from you when you place an order, complete a checkout form, contact us by email or telephone, or otherwise communicate with us voluntarily.
- Automatically through cookies, web beacons, and similar technologies when you browse our Website (see Section 7 — Cookies).
- From third-party platforms that process transactions or provide services on our behalf, such as Shopify (our e-commerce platform) and Google Analytics (our web analytics service).
We collect only the personal information that is necessary to fulfil the purposes identified in this Policy, consistent with the principle of limiting collection under PIPEDA.
5. How We Use Your Personal Information
We use the personal information we collect for the following purposes:
5.1 Order Fulfillment and Customer Service
- To process, fulfill, and ship your orders for Sherlock Maps products.
- To communicate with you about the status of your order, shipping updates, and delivery confirmations.
- To respond to inquiries, complaints, or requests for information.
- To process returns, exchanges, or refunds where applicable.
5.2 Transactional Communications
- To send you order confirmation emails, receipts, and shipping notifications.
- To send you important service notices, such as changes to our policies or terms.
5.3 Website Operation and Improvement
- To operate, maintain, and improve the Website and our product offerings.
- To analyze how visitors use the Website, identify popular content and products, diagnose technical problems, and understand aggregate browsing patterns through anonymized and aggregated analytics data.
- To detect, investigate, and prevent fraudulent transactions and other illegal activities.
5.4 Legal and Compliance Purposes
- To comply with applicable laws, regulations, court orders, and lawful requests from public authorities.
- To enforce our terms and conditions and protect the rights, property, or safety of Sherlock Publishing Ltd., our customers, or others.
- To maintain records as required by Canadian tax and business law (including records of commercial transactions).
6. Consent
We rely on the following bases for collecting and using your personal information:
- Implied consent through transaction: When you place an order with us, you provide implied consent for us to use your personal information to process and fulfill that order, communicate with you about it, and maintain related business records.
- Express consent: We will seek express consent before using your personal information for any purpose not identified at the time of collection, or for sending promotional electronic messages.
- Legitimate business necessity: In limited circumstances, we may collect or use personal information without consent where permitted by PIPEDA, such as where obtaining consent would compromise the accuracy of the information or where collection is clearly in the interest of the individual and consent cannot be obtained in a timely way.
You may withdraw consent at any time, subject to legal or contractual restrictions, by contacting our Privacy Officer (see Section 16). Withdrawal of consent may mean that we are unable to provide certain products or services to you. We will inform you of the implications of withdrawing consent before you do so.
7. Cookies and Tracking Technologies
Our Website uses cookies and similar tracking technologies. A cookie is a small text file placed on your device by a website you visit. We use the following categories of cookies:
7.1 Strictly Necessary Cookies
These cookies are essential for the Website and our online store to function. They enable core features such as shopping cart functionality, session management, and secure checkout. These cookies do not require your consent as they are technically necessary. They are set by our e-commerce platform, Shopify.
7.2 Analytics Cookies
We use Google Analytics 4 (GA4), a web analytics service provided by Google LLC. GA4 uses cookies to collect information about how visitors use our Website, including pages visited, time spent on the site, and general geographic origin (at city/region level). This information is used in aggregate and anonymized form to improve our Website and understand our audience. Google Analytics may transmit this data to servers in the United States and other countries.
Google Analytics cookies set on our Website include identifiers such as _ga, _ga_[ID], and _gid. These cookies typically persist for up to 2 years (_ga) or 24 hours (_gid).
You can opt out of Google Analytics tracking across all websites by installing the Google Analytics Opt-out Browser Add-on. You can also control Google's use of advertising and analytics cookies through Google's Ad Settings.
7.3 E-Commerce Platform Cookies
Our store is powered by Shopify Inc. Shopify sets cookies to enable shopping cart functionality, prevent fraud, track checkout sessions, and provide related e-commerce features. For details on Shopify's cookie practices, please refer to Shopify's Privacy Policy.
7.4 How to Control Cookies
You can control and/or delete cookies through your browser settings. Most browsers allow you to refuse new cookies, delete existing cookies, and receive a warning before a cookie is stored. Please note that disabling or deleting certain cookies may affect the functionality of our Website, including your ability to complete a purchase.
For instructions on managing cookies in your browser, visit www.allaboutcookies.org.
8. Third-Party Service Providers
We use the following third-party service providers who may receive or process personal information on our behalf. We require all service providers to maintain appropriate confidentiality and security practices and to use personal information only to perform the services we have engaged them to provide:
| Service Provider | Purpose | Data Location | Privacy Information |
|---|---|---|---|
| Shopify Inc. | E-commerce platform; order processing, payment facilitation, checkout, customer account management, fraud prevention, and shipping integrations. | Canada and United States (Shopify is headquartered in Ottawa, Ontario) | Shopify Privacy Policy |
| Google LLC (Google Analytics 4) | Web analytics; anonymized analysis of website traffic, visitor behaviour, and product engagement. | United States and other countries where Google operates servers | Google Privacy Policy |
| Payment Processors (via Shopify Payments) |
Secure payment card processing. Card data is tokenized and handled directly by the processor — we do not receive or store full card numbers. | Canada and United States | Facilitated through Shopify's payment infrastructure |
| Shipping Carriers (Canada Post, Purolator, and others) |
Delivery of physical map products. We share your name and shipping address with carriers to fulfill your order. | Canada | Subject to carrier's own privacy policies |
When our service providers are located outside Canada (particularly in the United States), your personal information may be subject to the laws of that jurisdiction, including laws permitting government authorities to access personal information. We take reasonable contractual steps to ensure that service providers outside Canada provide protection comparable to Canadian standards.
9. Disclosure of Personal Information
We do not sell, rent, or trade your personal information to third parties for their own marketing purposes. We disclose personal information only in the following circumstances:
- To fulfill your order: We share your name, address, and order details with shipping carriers to deliver your purchase.
- To our service providers: As described in Section 8 above, to the extent necessary for them to perform services on our behalf.
- With your consent: For any purpose to which you have consented.
- As required by law: In response to a court order, subpoena, or other lawful request from a government authority, or to comply with applicable legislation, including Canada Revenue Agency requirements.
- To protect safety or investigate wrongdoing: Where we believe disclosure is necessary to prevent, detect, or investigate fraud, security breaches, or other illegal activity, or to protect the rights, property, or safety of Sherlock Publishing Ltd., our customers, employees, or the public.
- In connection with a business transaction: In the event of a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred to the successor organization. We will notify you by posting a notice on our Website before any such transfer and before personal information becomes subject to a different privacy policy.
10. Retention of Personal Information
We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Our general retention practices are as follows:
- Order and transaction records: We retain order records (including your name, contact information, and purchase history) for a minimum of seven (7) years to comply with the record-keeping requirements of Canada's Income Tax Act and applicable tax legislation in Manitoba and Alberta.
- Customer communications: Emails and other written correspondence are retained for up to three (3) years from the date of last contact, unless longer retention is required for a legal or business purpose.
- Website analytics data: Google Analytics retains data associated with our property according to the retention period we have configured (up to 14 months for user-level and event-level data). Aggregated, anonymized reports may be retained indefinitely.
- Payment records: Tokenized payment information is managed and retained by Shopify Payments and our payment processors in accordance with Payment Card Industry Data Security Standards (PCI-DSS).
When personal information is no longer required for its original purpose and no legal obligation requires its retention, we will securely destroy, delete, or anonymize it.
11. Security Safeguards
We take the security of your personal information seriously. We use safeguards appropriate to the sensitivity of the information collected, including:
- Encryption in transit: Our Website is served exclusively over HTTPS (TLS encryption), ensuring that information transmitted between your browser and our server is encrypted.
- Secure payment processing: Payment transactions are handled by Shopify Payments and are PCI-DSS compliant. We do not store credit card numbers on our servers.
- Access controls: Access to customer personal information is restricted to authorized personnel who need access to perform their job functions.
- Third-party security: We use reputable, industry-standard platforms (Shopify, Google) that maintain their own robust security programs.
Despite our safeguards, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, and you provide personal information at your own risk. If you have reason to believe your interaction with us is no longer secure, please contact us immediately.
12. Your Rights and Choices
Subject to applicable law, you have the following rights with respect to your personal information held by us:
12.1 Right of Access
You have the right to request access to the personal information we hold about you, and to information about how it has been or may be used or disclosed. We will respond to your access request within 30 days. In certain circumstances permitted by law, we may decline to provide access (for example, where providing access would reveal personal information about another individual).
12.2 Right to Correction
If you believe personal information we hold about you is inaccurate or incomplete, you have the right to request that we correct or complete it. We will correct information that is demonstrably inaccurate or incomplete. Where we disagree with a correction request, we will note your request alongside the personal information in question.
12.3 Right to Withdraw Consent
You may withdraw consent to our collection, use, or disclosure of your personal information at any time, subject to legal or contractual limitations. Please note that withdrawal of consent for certain uses (such as processing your order) may prevent us from delivering products or services to you.
12.4 Right to Complain
You have the right to challenge our compliance with PIPEDA or applicable provincial privacy legislation by contacting our Privacy Officer (see Section 16). If you are not satisfied with our response, you may file a complaint with:
- Office of the Privacy Commissioner of Canada: www.priv.gc.ca | 1-800-282-1376
- Office of the Information and Privacy Commissioner of Alberta (for Alberta matters): www.oipc.ab.ca | 1-888-878-4044
12.5 Opting Out of Analytics Tracking
You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on, or by adjusting your browser's cookie settings to block analytics cookies.
13. Children's Privacy
Our Website and products are intended for general audiences and are not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will take prompt steps to delete that information from our records. If you believe we may have inadvertently collected information from a child, please contact our Privacy Officer.
14. Data Breach Notification
In the event of a breach of security safeguards involving personal information under our control that creates a real risk of significant harm to an individual, we will:
- Notify the affected individual(s) as soon as feasible, in a manner that is meaningful (directly, unless direct notification would cause further harm, in which case we will use a public notice).
- Report the breach to the Office of the Privacy Commissioner of Canada, as required under PIPEDA's breach reporting provisions (in force since November 1, 2018).
- Maintain an internal record of all security breaches for a minimum of 24 months, as required by the Breach of Security Safeguards Regulations under PIPEDA.
"Real risk of significant harm" is assessed based on the sensitivity of the personal information involved, the probability that it was or is being misused, and other relevant factors specified in PIPEDA.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our business practices, technology, legal requirements, or for other reasons. When we make material changes, we will update the "Last Reviewed" date at the top of this page. We encourage you to review this Policy periodically. Your continued use of our Website after a revised Policy has been posted constitutes your acceptance of the changes to the extent permitted by law. For significant changes, we may provide additional notice by posting a notice on our homepage or contacting you by email.
16. Contact Our Privacy Officer
Sherlock Publishing Ltd. has designated a Privacy Officer responsible for overseeing compliance with this Policy and applicable privacy legislation. If you have questions, concerns, or requests relating to the handling of your personal information, or if you wish to exercise any of the rights described in Section 12, please contact our Privacy Officer:
Sherlock Publishing Ltd.
215 Montrose St, R3M 3L9
Winnipeg, Manitoba, Canada
We will acknowledge receipt of your request within five (5) business days and will respond substantively within thirty (30) days of receipt, or advise you if additional time is required as permitted by law.