GDPR Compliance

Last Updated: April 28, 2026

Introduction

Primal Ledger Advisors is committed to protecting the personal data of individuals in the European Economic Area (EEA) in accordance with the General Data Protection Regulation (GDPR). This document outlines our data protection practices and your rights under GDPR.

Data Controller Information

Data Controller: Primal Ledger Advisors
Address: 1247 Wellington Street West, Suite 420, Ottawa, ON K1Y 2X4, Canada
Email: [email protected]

Legal Basis for Processing

We process personal data under the following legal bases:

1. Contractual Necessity

Processing is necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract. This includes:

• Providing accounting and advisory services
• Responding to service inquiries
• Managing client relationships

2. Legal Obligation

Processing is necessary to comply with legal obligations, including:

• Tax reporting and compliance requirements
• Regulatory reporting obligations
• Professional standards and codes of conduct
• Record retention requirements

3. Legitimate Interests

Processing is necessary for our legitimate interests or those of a third party, provided your rights do not override these interests:

• Website analytics and improvement
• Fraud prevention and security
• Marketing communications (where consent is not required)
• Business development and operations

4. Consent

For certain processing activities, we rely on your explicit consent, including:

• Marketing communications (where required by law)
• Non-essential cookies and tracking technologies
• Special categories of personal data (when applicable)

Your Rights Under GDPR

If you are located in the EEA, you have the following rights regarding your personal data:

Right to Access

You have the right to request confirmation of whether we process your personal data and, if so, to access that data along with information about the processing.

Right to Rectification

You have the right to request correction of inaccurate personal data and to have incomplete data completed.

Right to Erasure (Right to be Forgotten)

You have the right to request deletion of your personal data in certain circumstances, including when:

• The data is no longer necessary for the purposes for which it was collected
• You withdraw consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed

This right is subject to legal and professional retention requirements.

Right to Restriction of Processing

You have the right to request restriction of processing in certain situations, including when:

• You contest the accuracy of the data
• Processing is unlawful but you oppose erasure
• We no longer need the data but you need it for legal claims
• You have objected to processing pending verification

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller where technically feasible.

Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your residence, workplace, or where an alleged infringement occurred.

Exercising Your Rights

To exercise any of your rights under GDPR, please contact us at [email protected] with the subject line "GDPR Request."

We will respond to your request within one month. In complex cases, we may extend this period by two additional months, and we will inform you of any extension.

We may request additional information to verify your identity before processing your request.

Data Protection Measures

Security Safeguards

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data in transit and at rest
• Regular security assessments and penetration testing
• Access controls and multi-factor authentication
• Employee training on data protection
• Incident response and breach notification procedures

Data Minimization

We collect and process only the personal data necessary for the specified purposes and retain it no longer than required.

Privacy by Design and Default

We integrate data protection considerations into our business processes and systems from the design stage.

International Data Transfers

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including:

• European Commission adequacy decisions
• Standard contractual clauses approved by the European Commission
• Binding corporate rules
• Other legally compliant transfer mechanisms

Data Retention

We retain personal data for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

For client data, our retention periods are determined by:

• Professional standards and codes of conduct
• Tax and accounting regulations
• Limitation periods for legal claims
• Business and operational needs

Automated Decision-Making and Profiling

We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects individuals without human intervention.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay, and in any case within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in such risk.

Third-Party Processors

We engage third-party service providers who process personal data on our behalf. These processors are contractually bound to:

• Process data only on our documented instructions
• Implement appropriate security measures
• Maintain confidentiality
• Assist with data subject requests
• Delete or return data upon termination

Contact for Data Protection Matters

For questions about our GDPR compliance or to exercise your rights, please contact:

Primal Ledger Advisors
Attention: Data Protection Officer
Email: [email protected]
Address: 1247 Wellington Street West, Suite 420, Ottawa, ON K1Y 2X4, Canada

Updates to This Statement

We may update this GDPR compliance statement to reflect changes in our practices or legal requirements. Material changes will be communicated through our website or direct notification where appropriate.