Skip to content
salenza
Features How it works Integrations Pricing
Canada ▾
Netherlands Nederlands Canada English
Login Book a demo
Features How it works Integrations Pricing Login Book a demo
Legal centre
Data processing

Data Processing Addendum

Terms for personal information Salenza handles on behalf of a Canadian business customer.

Effective date: June 15, 2026
On this page
Scope and rolesInstructionsPeople and dataSecurityIncidents and requestsProviders and locationsReturn and deletionAnnexes
01

Scope and Canadian privacy roles

This addendum is intended to form part of the customer agreement where Salenza handles personal information on the customer's instructions. The customer remains accountable for determining lawful purposes, providing required notices, obtaining necessary consents and deciding which information is placed in the service.

Salenza acts as a service provider to the customer for that information. Canadian laws do not always use GDPR controller/processor terminology, so the final agreement will describe the actual responsibilities required under the applicable federal, provincial and health-information rules.

02

Documented instructions and purpose limits

Salenza will handle customer-controlled personal information only to provide, configure, secure and support the contracted service, follow documented instructions, comply with law or address a threat to the service. If an instruction appears unlawful or materially unsafe, Salenza may pause the affected activity and request clarification.

Customer-controlled end-client content will not be used for Salenza's own marketing. Any permitted use for service improvement, analytics or model-related purposes must be expressly defined, appropriately de-identified where applicable, and supported by the final agreement and provider settings.

03

Individuals, data and processing

The processing annex will identify the customer types, affected individuals, data categories, purposes, channels, frequency, duration and any sensitive or health-related information. Potential categories include contact details, messages, booking information, intake responses, submitted files or images, communication preferences, conversation metadata, audit records and human-review outcomes.

Regulated health information, information about minors, treatment images and suitability-related intake require a separate onboarding assessment. A standard DPA may not satisfy health-information laws or custodian requirements.

04

Confidentiality and safeguards

Personnel and approved providers with access will be subject to confidentiality and access restrictions appropriate to their role. Salenza will maintain documented administrative, technical and organizational measures proportionate to the processing risks.

The final security annex will state the controls actually operating in production, such as identity and access management, encryption configuration, logging, backup handling, vulnerability management, change control, provider assessment and incident response. See the current Security Overview.

05

Security incidents and individual requests

Salenza will notify the customer without undue delay after confirming a security incident involving customer-controlled personal information and will provide available information reasonably needed for assessment, notice and remediation. Exact notification timing and cooperation duties will be fixed in the signed DPA.

Salenza will reasonably assist with verified access, correction, consent-withdrawal, complaint and regulatory requests relating to the service. The customer normally remains responsible for responding to its end clients and determining legal exceptions.

06

Subprocessors and cross-border processing

Salenza may use approved subprocessors to provide parts of the service and will contractually require suitable confidentiality, security and data-use restrictions. The customer will receive the current provider and location information before production.

The Subprocessor and Data Location Register will identify legal provider names, services, data categories, purposes, storage and support locations, retention and training status. The objection and change-notice process remains to be finalized in the signed DPA.

07

Export, return and deletion

During the term, the customer should be able to retrieve information through supported exports or integrations. Following termination or a valid instruction, Salenza will return or delete customer-controlled information according to the signed retrieval period, retention schedule, backup cycle and legal obligations.

Deletion cannot be described as instantaneous or absolute where limited backup copies, security records or legally required records remain. Any retained copy will stay protected and isolated from ordinary use until deletion or expiry.

08

Required annexes before production

  • Annex A: processing details, individuals, categories, purposes, channels and duration.
  • Annex B: verified technical and organizational measures.
  • Annex C: subprocessors, legal entities, data and processing locations.
  • Annex D: retention, export, deletion and backup schedule.
  • Annex E: province- or sector-specific requirements, including any HIA information-manager terms and PIA cooperation.

Contact legal@salenza.ai about contracting and privacy@salenza.ai about privacy operations.

Terms of ServicePrivacy NoticeSubprocessors
salenza

The multilingual AI front desk for beauty and aesthetics businesses.

Product

  • How it works
  • Features
  • Integrations
  • Pricing

Company

  • About
  • Contact

Legal

  • Legal hub
  • Privacy Notice
  • Cookie Notice
  • Terms of Service
© 2026 Salenza
Canada / English Nederland / Nederlands