Privacy policy

JM Consulting – Privacy Policy

Last Updated: September 2025

JM Consulting (“JM Consulting”, “we”, “us”, “our”) respects your privacy. This Policy explains what personal information we collect, how we use and protect it, and the rights available to you under applicable laws (including BC PIPA/PIPEDA, CASL, GDPR/UK-GDPR, CCPA/CPRA, and certain U.S. state laws).

By using our website, forms, or services (the “Services”), you consent to this Policy.

1) Who We Are (Controller)

Controller: JM Consulting
Business Location: British Columbia, Canada
Contact: Jessina@jessinamureseanu.com

If you are in the EU/UK, we act as the data controller for your personal data.

2) What We Collect

We collect the following categories of information:

  • Identifiers & Contact Data: name, company, role, email, phone, mailing address (if provided).

  • Commercial & Billing Data: invoices, payment confirmations (payment processing handled by PCI-compliant providers; we do not store full card numbers).

  • Professional/Project Data: project briefs, brand assets, feedback, meeting notes, KPIs, deliverables.

  • Usage/Technical Data: pages viewed, timestamps, session length, device/browser type, approximate location (city-level), cookies/pixels (see §12).

  • Communications: emails, messages, call notes.

  • Sensitive Data: not intentionally collected; if you voluntarily provide sensitive data, you consent to our processing it to deliver Services.

We do not knowingly collect data from children under 13 (US) or under the minimum age of consent in your jurisdiction (see §13).

3) Sources of Data

  • Directly from you (forms, calls, emails, contract onboarding).

  • Automatically via cookies/analytics when you use our site.

  • From service providers you authorize (e.g., calendar, payment, CRM tools).

4) Why We Use Your Data (Purposes) & Legal Bases

  • Provide and improve Services (performance of contract; legitimate interests).

  • Client communication & support (contract; legitimate interests).

  • Billing & accounting (contract; legal obligation).

  • Security, fraud prevention, and compliance (legal obligation; legitimate interests).

  • Marketing with consent (consent under CASL/GDPR; opt-out any time).

  • Analytics and site performance (legitimate interests/consent where required).

5) Sharing & Disclosures

We do not sell your personal information. We may share with:

  • Service Providers/“Processors” under contract (hosting, email, analytics, payment, project tools).

  • Professional advisors (legal/accounting) under confidentiality.

  • Authorities when required by law or to protect rights/safety.

  • Business transfers (merger, acquisition) with notice.

We require processors to use appropriate safeguards and process data only on our instructions.

6) International Transfers

Your data may be transferred to and processed in countries outside your own (including the U.S. and Canada). For EU/UK residents, we rely on SCCs or other lawful transfer mechanisms. We take steps to ensure equivalent protection consistent with GDPR/UK-GDPR.

7) Retention

  • Website inquiries/lead forms: up to 2 years.

  • Client files & project records: engagement duration + 7 years (audit/compliance).

  • Billing/financial records: 7 years (or longer if legally required).

We may retain de-identified/aggregated data for analytics.

8) Security

We implement reasonable technical and organizational measures, including encryption in transit, access controls, password policies, and least-privilege access. No method is 100% secure; we cannot guarantee absolute security.

9) Your Choices & Rights

Canada (PIPEDA/PIPA BC): access, correction, withdrawal of consent (subject to legal limits).
EU/UK (GDPR/UK-GDPR): access, rectification, erasure, restriction, portability, objection, and the right to withdraw consent.
California (CCPA/CPRA) & certain U.S. states: right to know, access, delete, correct, and limit use of sensitive data; opt-out of certain sharing. We do not “sell” or “share” personal information as defined by CPRA. If that changes, we will update this Policy and provide a “Do Not Sell/Share” link.

How to exercise: email Jessina@jessinamureseanu.com.

We may verify identity before acting. We aim to respond within the time frames required by law (e.g., 30–45 days). EU/UK residents may lodge a complaint with a supervisory authority; Canadian residents may contact the Office of the Privacy Commissioner of Canada or BC OIPC.

Appeals: If you disagree with our response, reply to our decision email and state “Appeal.” We will review and respond within applicable timelines.

10) Marketing & CASL Compliance

We send commercial electronic messages only with consent (express or implied) and include an unsubscribe link or instructions. You can opt out at any time; we may still send transactional/service messages.

11) De-Identified & Aggregated Data

We may create and use aggregated or de-identified data for analytics, benchmarking, and service improvement. We will not attempt to re-identify such data.

12) Cookies & Tracking

We use minimal cookies and similar technologies, in the following categories:

  • Essential: site functionality, security.

  • Analytics: understand usage and improve content.

  • (Optional) Advertising/retargeting: only if enabled with consent.

You can manage cookies in your browser. Where required, we present a consent banner. We honor Global Privacy Control (GPC)/universal opt-out signals where applicable.

13) Children’s Privacy

Our Services are not directed to children. We do not knowingly collect data from children under 13 (US) or under the applicable age of consent elsewhere. If you believe a child provided data, contact us to delete it.

14) Automated Decision-Making

We do not engage in automated decision-making that produces legal or similarly significant effects. If this changes, we will disclose the logic involved and your rights.

15) Third-Party Links

Our site may link to third-party sites. We are not responsible for their privacy practices. Review their policies.

16) Confidentiality & IP

All JM Consulting strategies, frameworks, and deliverables are confidential and protected by intellectual property laws. Clients receive internal-use rights unless otherwise agreed in writing. See our Terms for details.

17) Data Breach Response

If a security incident occurs, we will investigate promptly and notify affected individuals and authorities as required by law (e.g., 72 hours under GDPR where applicable; reportable breaches under PIPEDA/PIPA).

18) Changes to This Policy

We may update this Policy from time to time. The “Last Updated” date shows the current version. Material changes will be posted on this page; continued use constitutes acceptance.

19) Contact

Questions or requests: Jessina@jessinamureseanu.com