Privacy Policy

Updated: November 1st, 2022


  1. Data Transfer

    Transfer and storage of data within Lux Insights takes place only on our cloud server which is accessible only via OpenVPN to provisioned users.

    All of Lux’s workstations and file server access require staff to login using a provisioned user account that is secured with strong passwords (including upper and lower case letters, a number and a symbol). Passwords require changing every three months.

    User access to our cloud server is managed by our IT administrators (President and IT consultant, Simply Computing) that grants workstation and server access at various levels for read only or read/write privileges.

    Similarly, Lux’s email system is administered with the same principles for identity management. The email system is hosted securely via Office365.

    Employees and service providers are restricted from taking personal information off-site on USBs and laptops. If the transfer of personal data is required directly to or from clients or to a trusted research partner, Lux’s policy is to transfer the data using secured OneDrive file shares that are password protected, access controlled and expire after 10 days.  Lux can also use secured file share applications/sites specified by our clients.

    Lux has strict security protocols governing the transfer and storage of data to our sub-contractors. Lux’s policy is not to disclose any personal information to any sub-contractors unless it is absolutely necessary for the sub-contractor to complete their work (such as contacting opted-in participants to recruit for qualitative interviews). For example, we strip personal information out of data files sent for coding. The sub-contractors to whom we do disclose personal information (e.g., for recruitment purposes) comply with FIPPA regulations.

    Transfer of data between Lux Insights and sub-contractors happens in the following ways:

    • Preference for secured OneDrive file shares with password protection, user access control and links that expire.
    • Encrypted and password protected files via email. Lux’s email system is hosted Microsoft Office 365 on their Canadian Servers. Any files sent are encrypted and password protected. Passwords used are all strong passwords requiring at least 8 characters, numbers and letters, upper and lower case and a symbol. Passwords as always sent separately from original data files. Lux’s email system and its data security are outlined above.

  2. Storage and access to personal information as defined in the Freedom of Information and Protection of Privacy Act (BC)
    Lux adheres closely to ESOMAR codes and guidelines. This includes 100% compliance with PIPEDA (Personal Information Protection and Electronic Documents Act) and FIPPA (Freedom of Information and Protection of Privacy Act) in Canada.

    All data stored by Lux are held on our Cloud Server which is hosted at a data centre in Western Canada and remotely backed up to a data centre in Eastern Canada.

    Sensitive customer/client data (such as contact lists with personally identifiable information) are destroyed at Lux within 6 months to a year of project completion or as soon as requested by a client. Lux requests only information required from our clients for recruitment or analysis purposes, and also provides the minimum amount of data required to our sub-contractors for recruitment or data analysis. Data analysis typically strips out all personally identifiable information and responses are connected only to a unique, anonymous identifier.


  3. Security attestations for both your application and/or hosting platform.

    Lux maintains and reviews on a semi-annual basis an internal and external security policy that governs the organization of information security, information asset management, human resources security and access control to all information assets.

    The data centre which houses our file server has the following attestations:

    • SOC 1, SOC 2, HIPAA and PCI-DSS as well as ISO 27001 certified.
    • The data center is protected by CCTV, Biometric and badge access with security personnel 25/7/365.

  4. Privacy Breach

    In its operation since 2009, Lux has not been involved with any privacy breaches. Should a privacy breach occur, our process is as follows and has been communicated to all staff:

    1. Privacy breach is escalated immediately and directly to our President (and Chief Privacy Officer). Our senior leadership team is also informed.
    2. Affected clients are notified within 24 hours and updated on details as the investigation of a breach is conducted