Privacy Policy

Personal information
Means any factual or subjective information, recorded or not, about an identifiable individual, including, for example, age, name, identification numbers, income, opinions or evaluations, employee files, credit and loan records, medical records, and information about intentions (such as to acquire goods or services or change jobs).

Business contact information
Means an employee’s name, title, business address, business telephone number or business email address that is collected, used or disclosed solely for the purpose of communicating with that person in relation to their employment or profession; this type of information is generally not covered by PIPEDA when used only in that way.

Commercial activity
Means any particular transaction, act or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.

Organization / we / us / Orbit
Means Orbit International Moving Logistics, a private‑sector organization that collects, uses and discloses personal information in the course of its moving and logistics services in Canada.

Individual / you
Means any identifiable person whose personal information we collect, use or disclose in the course of a commercial activity, including customers, prospective customers, employees of business clients, suppliers, and, where PIPEDA applies, our own employees.

Consent
Means an individual’s knowledge and agreement to the collection, use or disclosure of their personal information. Under PIPEDA, consent must be meaningful: it is only considered valid if it is reasonable to expect that the individual understands the nature, purposes and consequences of how their information will be handled.

Breach of security safeguards
Means the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of our security safeguards, or from a failure to establish those safeguards, as required by PIPEDA.

Real risk of significant harm
Refers to the threshold for reporting a breach of security safeguards to the Office of the Privacy Commissioner of Canada and notifying affected individuals. In assessing whether this threshold is met, organizations must consider the sensitivity of the personal information involved and the probability that it could be misused. “Significant harm” can include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record, and damage to or loss of property.

Orbit is committed to complying with both the letter and the spirit of PIPEDA and other applicable Canadian privacy laws, and places high importance on the correct, lawful and fair handling of personal information, respecting the privacy and legal rights of all individuals with whom we deal.

This Policy applies to all personal information we collect, use or disclose in the course of our commercial activities in Canada, including information about customers, prospective customers, employees of business clients, suppliers and, where PIPEDA applies, our own employees.

Orbit has appointed a Privacy Officer who is accountable for our compliance with PIPEDA’s 10 fair information principles and for overseeing our privacy management program. The Privacy Officer is responsible for:

• developing, implementing and maintaining our privacy policies, procedures and training
• advising on new initiatives that involve personal information
• responding to privacy‑related questions, access requests, complaints and incidents.

All Orbit employees, and any contractors or service providers acting on our behalf, must comply with this Policy and with PIPEDA when handling personal information. Employees are expected to consult the Privacy Officer promptly in situations including, for example:

• uncertainty about why particular personal information is being collected, used or disclosed, or whether the purpose is appropriate
• questions about how to obtain meaningful consent, or how individuals may withdraw consent
• questions about how long personal information should be retained and how it should be securely destroyed
• responding to requests from individuals to access or correct their personal information, or to challenge our compliance
• any actual or suspected breach of security safeguards involving personal information
• plans to share personal information with third‑party service providers, or to transfer personal information outside Canada
• significant changes to how we handle personal information, including new uses or disclosures not originally identified

This Policy is designed to ensure that Orbit complies with PIPEDA and follows the 10 fair information principles that govern how private‑sector organizations in Canada collect, use and disclose personal information and provide individuals with access to their information. Orbit is responsible for, and must be able to demonstrate, compliance with these principles.

Orbit commits to the following:

1. Accountability
   We are responsible for personal information under our control and have designated a Privacy Officer who is accountable for our compliance with PIPEDA and this Policy.
2. Identifying purposes
   Before or at the time we collect personal information, we identify and document the purposes for which it is being collected and explain those purposes to individuals.
3. Consent
   We obtain meaningful consent for the collection, use and disclosure of personal information, except where the law allows or requires otherwise. Consent is only valid where it is reasonable to expect that the individual understands the nature, purposes and consequences of how their information will be handled.
4. Limiting collection
   We limit the collection of personal information to what is necessary for the purposes we have identified, and we collect it by fair and lawful means.
5. Limiting use, disclosure and retention
   We do not use or disclose personal information for purposes other than those for which it was collected, except with the individual’s consent or as required or permitted by law, and we retain personal information only as long as necessary to fulfill those purposes or to meet legal requirements.
6. Accuracy
   We keep personal information as accurate, complete and up to date as necessary for the purposes for which it is to be used, particularly where it is used to make a decision about an individual.
7. Safeguards
   We protect personal information with security safeguards appropriate to its sensitivity, including physical, organizational and technological measures, and we address breaches of security safeguards in accordance with PIPEDA.
8. Openness
   We make readily available to individuals specific information about our policies and practices relating to the management of personal information in clear and understandable terms.
9. Individual access
   Upon request, and subject to limited exceptions in law, we inform individuals of the existence, use and disclosure of their personal information and provide them with access to that information. Individuals may challenge the accuracy and completeness of the information and have it amended as appropriate.
10. Challenging compliance
    We provide simple and accessible procedures for individuals to challenge our compliance with these principles, and we investigate and respond to all privacy‑related complaints. Individuals may also complain to the Office of the Privacy Commissioner of Canada.

These principles guide all of our practices relating to personal information and are reflected in the more detailed sections of this Policy.

As an individual whose personal information we handle in the course of our commercial activities, you have important rights under PIPEDA.

In particular, you have the right to:

• Be informed about our purposes and practices
  You have the right to know why we are collecting, using or disclosing your personal information, and to receive clear, understandable information about our privacy policies and practices, including how to contact our Privacy Officer.
• Provide or withhold meaningful consent
  Subject to limited exceptions in the law, you have the right to decide whether to consent to the collection, use and disclosure of your personal information for identified purposes, and to withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice.
• Access your personal information
  You have the right to request access to the personal information we hold about you, to be informed how it has been used and to whom it has been disclosed, and to receive this information at minimal or no cost, subject to the limited exceptions set out in PIPEDA.
• Request correction of your personal information
  If you believe that personal information we hold about you is inaccurate or incomplete, you have the right to challenge its accuracy and completeness and to request that it be corrected or amended as appropriate. Where appropriate, we will also send the corrected information to third parties who have access to it.
• Challenge our compliance and make a complaint
  You have the right to challenge our compliance with PIPEDA’s fair information principles and with this Policy, using our internal complaint procedures. You also have the right to file a complaint with the Office of the Privacy Commissioner of Canada if you are not satisfied with our response or if you prefer to go directly to the Commissioner.
• Ask questions about our collection, use, disclosure and retention of your information
  You may contact us at any time to ask what personal information we hold about you, why we have it, how long we keep it, and how it is protected.
• Be notified of certain privacy breaches
  Where a breach of our security safeguards involving your personal information creates a real risk of significant harm to you, we are required to notify you and report the breach to the Office of the Privacy Commissioner of Canada, and to keep records of all such breaches.

Information about how to exercise these rights, including how to submit an access request or complaint, is provided in the “How to contact us” and “Requests and complaints” sections of this Policy.

PIPEDA requires that organizations collect, use and disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances, and that they do so in a fair and transparent manner. Orbit will only collect, use or disclose personal information for purposes that we have identified and explained, and that relate to our moving and logistics services or other activities a reasonable person would expect in the context of our relationship with you.

Except where PIPEDA allows an exception, we will obtain your meaningful consent before collecting, using or disclosing your personal information, as described in section 7 of this Policy. We will not handle personal information for purposes that are inappropriate, including purposes that would be unlawful, are likely to cause significant harm, or involve profiling or categorizing individuals in a way that leads to unfair, unethical or discriminatory treatment contrary to human rights law. Where we rely on exceptions to consent permitted under PIPEDA (for example, for certain investigations, emergencies or where required by law), we will limit the information handled to what is reasonably necessary and will document these uses or disclosures where appropriate.

Orbit does not rely on automated decision‑making or profiling that produces legal or similarly significant effects about individuals without human involvement. If we introduce such processes in the future, we will ensure they are consistent with PIPEDA’s requirement that purposes be appropriate in the circumstances and that individuals can access and challenge the accuracy and completeness of the personal information used in those decisions.

Orbit generally obtains an individual’s meaningful consent for the collection, use and disclosure of personal information, except where PIPEDA permits an exception (for example, certain legal, security or investigative purposes). Consent is only valid where it is reasonable to expect that the individual understands the nature, purposes and consequences of how their information will be handled, taking into account the sensitivity of the information and the individual’s reasonable expectations.

We apply the following principles to consent:

• Form of consent
  Consent may be express (for example, written, electronic or verbal agreement) or implied (for example, where it is reasonably inferred from an individual’s actions or the context), depending on the circumstances and the sensitivity of the personal information. We will generally seek express consent for practices that involve sensitive information, that fall outside individuals’ reasonable expectations, or that create a meaningful residual risk of significant harm.
• Clarity and separation
  When we request consent, we will explain in clear and understandable language: what personal information we collect, for what purposes, with which types of third parties it may be shared, and any material risks of harm or other consequences that are not obvious. Where consent is requested as part of another document (for example, a service agreement), the consent language will be presented in a way that draws attention to it and is not obscured by other terms.
• Ability to refuse or withdraw
  Individuals may refuse to consent to our collection, use or disclosure of their personal information for non‑essential purposes, and may withdraw their consent at any time, subject to legal or contractual restrictions and reasonable notice. We will make it reasonably easy to withdraw consent and will explain any implications of doing so (for example, where certain services cannot be provided without specific information).
• New purposes
  If we wish to use or disclose personal information for a new purpose that we did not identify at the time of collection and that a reasonable person would not expect in the circumstances, we will identify that new purpose and obtain the individual’s consent again before proceeding, unless an exception in PIPEDA applies.
• Children and capacity
  Where we collect personal information about individuals who may not be able to provide meaningful consent themselves (for example, younger children), we will obtain consent from a parent or legal guardian, and design our consent process in a way that reasonably considers the individual’s level of maturity.
• Record‑keeping
  Orbit will maintain appropriate records of when and how consent was obtained, the information provided at the time, and any withdrawals of consent, so that we can demonstrate compliance with PIPEDA’s consent requirements.

Consent does not relieve Orbit of its other obligations under PIPEDA, including limiting collection, limiting use, disclosure and retention, ensuring accuracy, implementing safeguards, and ensuring that purposes are appropriate in the circumstances.

Orbit collects, uses and discloses personal information only for purposes that a reasonable person would consider appropriate in the circumstances, and that relate to our moving and logistics services and associated business activities.

We may collect personal information:

• directly from you (for example, when you request a quote, book a move, or contact us)
• from our business clients, where they provide information about their employees or customers in connection with a move or related services
• from third parties, where permitted by law and necessary for our services (for example, agents or service providers involved in your move)

Before or at the time we collect personal information, we will identify and document the specific purposes for which it is being collected and will explain those purposes to you in clear and understandable language. We will limit the information we collect to what is necessary for those purposes.

Examples of purposes for which Orbit may collect, use and disclose personal information include:

• providing quotes and planning moves and related logistics
• performing and managing moving, packing, storage and delivery services
• communicating with you about your move, including confirmations, updates and follow‑up
• arranging services with third‑party providers involved in your move (for example, local agents, customs brokers, storage providers), where needed
• handling billing, payments, collections and account management
• managing our relationship with business clients, suppliers and partners
• meeting legal, regulatory, insurance, security and audit requirements

Types of personal information we collect:
Depending on the services we provide, the personal information we collect may include: contact details; move‑related information (origin, destination, dates, inventory); identification and documentation needed for customs clearance (for example, passport details, proof of residence or registration); and communications with you about your move.

If we intend to collect, use or disclose your personal information for a new purpose that we did not identify at the time of collection, and that a reasonable person would not expect in the circumstances, we will identify that new purpose and obtain your consent again before using or disclosing the information, unless an exception in PIPEDA applies.

We explain our purposes in this Policy and, where appropriate, in more detailed notices provided at the time of collection (for example, on forms or online pages where you enter your information).

Orbit will only collect personal information that is necessary for the specific, identified purposes described in this Policy or in notices provided at the time of collection. We will not collect personal information indiscriminately or for purposes that a reasonable person would not consider appropriate in the circumstances.

Employees and any contractors or service providers acting on Orbit’s behalf may collect personal information only to the extent required to carry out their assigned responsibilities and only in accordance with this Policy and our internal procedures. They must not collect more information than is reasonably needed for the identified purposes.

Similarly, employees and service providers may use or disclose personal information only when this is necessary to fulfill the purposes for which the information was collected, or as required or permitted by law.

Orbit will keep personal information as accurate, complete and up to date as necessary for the purposes for which it is to be used, particularly where it is used to make a decision about an individual.

We will take reasonable steps to verify the accuracy of personal information at the time of collection and before using or disclosing it, having regard to the nature of the information and how it will be used. If we learn that personal information is inaccurate or incomplete, we will take appropriate steps to correct or update it, or, where necessary, to delete it.

Individuals have the right to challenge the accuracy and completeness of the personal information we hold about them and to request corrections or amendments as appropriate. When we correct personal information, we will, where appropriate, send the corrected information to third parties who have access to the information.

Orbit will not retain personal information longer than necessary to fulfill the purposes for which it was collected, or to meet legal, regulatory, insurance or audit requirements.

When personal information is no longer required for these purposes, we will take reasonable steps to securely destroy, erase or anonymize it, in a manner that prevents unauthorized access, use or disclosure. This may include shredding paper records and using appropriate technical measures to delete or irreversibly anonymize electronic records, including from devices and media that are being disposed of or repurposed.

Orbit maintains internal retention and destruction schedules that set out typical retention periods for key categories of personal information (for example, customer files, billing records and complaint files) and the secure destruction methods to be used.

Orbit will protect personal information with security safeguards appropriate to its sensitivity, regardless of the form in which it is held. We will safeguard personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.
​
We use a combination of physical, organizational and technological measures, such as locked premises or storage areas, access controls and role‑based permissions, secure disposal methods, passwords, encryption, and up‑to‑date security software and practices. The nature of the safeguards we apply will depend on factors including the sensitivity and amount of personal information, the format and location in which it is held, the extent of its distribution, and the types and levels of risk our organization faces.

Orbit will regularly review its security safeguards to ensure they remain appropriate and effective in light of evolving risks, technologies and business practices, and will address known vulnerabilities through testing, monitoring and updates. We will also ensure that employees and service providers are aware of the importance of maintaining the security and confidentiality of personal information and receive appropriate training.

Access to personal information is limited to individuals who have a legitimate need to know the information to perform their duties and who are subject to confidentiality obligations. When personal information is provided to third‑party service providers, we will require them, through contractual or other means, to provide a level of protection comparable to that required by PIPEDA and by this Policy.

Orbit is responsible for personal information under its control and has designated a Privacy Officer who is accountable for our compliance with PIPEDA and this Policy. The Privacy Officer administers this Policy and oversees the development, implementation and maintenance of related policies, procedures and guidelines.

Orbit maintains a privacy management program designed, at a minimum, to comply with PIPEDA’s 10 fair information principles (see above Section 4.)

All employees, and any contractors or service providers acting on Orbit’s behalf, receive appropriate training on our privacy policies and procedures and their responsibilities for protecting personal information. We expect them to follow this Policy and to bring any privacy‑related questions, concerns or incidents to the attention of the Privacy Officer.

Orbit will periodically review and assess its compliance with PIPEDA, which may include internal audits or other evaluations of our privacy policies, practices and safeguards. We maintain internal records appropriate to our size and activities that describe, among other things:

• the types of personal information we collect, use, disclose and retain, and the categories of individuals to whom it relates;
• the purposes for which personal information is handled
• the general retention periods and secure destruction methods applied to key categories of information
• the types of third‑party service providers with whom personal information is shared and the measures used to ensure they provide comparable protection
• our key physical, organizational and technological safeguards

Information about how to contact the Privacy Officer is set out in the “How to contact us” section below.

Orbit applies privacy by design principles when developing new services, systems or initiatives that involve personal information, and when making significant changes to existing practices. This means we consider privacy and PIPEDA requirements at the planning stage and throughout the life cycle of a project, rather than treating privacy as an afterthought.
​

For new or significantly changed activities that may have a material impact on how we collect, use, disclose or safeguard personal information, the Privacy Officer (or a delegate) will oversee an appropriate privacy risk assessment. Depending on the nature and scale of the activity, this assessment may consider:

• the nature, scope, context and purposes of the personal information handling, including what types of personal information will be collected, from whom, and how it will be used and disclosed
• whether the purposes are ones that a reasonable person would consider appropriate in the circumstances
• the sensitivity and volume of the personal information involved
• the parties (internal and external) who may access the information, including any third‑party service providers or organizations outside Canada
• the foreseeable risks to individuals (for example, risk of financial loss, identity theft, damage to reputation or relationships, or other significant harms) and to Orbit if personal information is misused, lost or inappropriately accessed
• the physical, organizational and technological measures that can be used to reduce these risks, having regard to available safeguards, their effectiveness and proportionality, and the costs of implementing them

Orbit will use the results of such assessments to:

• confirm that proposed collections, uses and disclosures are appropriate and compliant with PIPEDA
• design or adjust processes so that the collection of personal information is limited to what is necessary for identified purposes
• ensure that meaningful consent can be obtained and that individuals are properly informed
• select and implement safeguards that are appropriate to the sensitivity of the personal information and the risks identified

The Privacy Officer may recommend changes to or cancellation of proposed initiatives where the privacy risks cannot be reduced to a level consistent with PIPEDA and with Orbit’s obligations under this Policy.

Orbit is committed to being open about its privacy practices and to providing individuals with clear, understandable information about how we collect, use and disclose personal information.

When and how we provide privacy information
We will inform individuals of the purposes for which their personal information is being collected and how it will be used or disclosed:

• When we collect personal information directly from you
  We will explain the purposes for collection at or before the time we collect your information (for example, on our forms, online pages or during our interactions with you).
• When we receive personal information from a customer or third party
  Where we receive personal information about you from a business client or another third party in connection with our services, and where it is reasonable and appropriate to do so, we will explain the purposes for which we handle your information:
  • when we first communicate with you; or
  • before we disclose your information to another organization; or
  • as soon as reasonably possible in the circumstances

​

What information we provide
We will make available, in this Policy and, where appropriate, in specific privacy notices, clear information about our privacy practices, including:

• the name or title and contact information of Orbit’s Privacy Officer, who is accountable for our compliance with PIPEDA and this Policy
• the purposes for which we collect, use and disclose personal information, and examples relevant to our moving and logistics services
• the types of personal information we collect and the main sources of that information (for example, directly from you, from our business clients, or from third‑party service providers involved in your move)
• the types of third‑party organizations (such as agents, service providers or partners) to whom we may disclose personal information, the purposes of such disclosures, and, where applicable, when information may be transferred outside Canada and how it will be protected
• an overview of how long we typically retain personal information and how we securely destroy or anonymize it when it is no longer needed
• a description of the safeguards we use to protect personal information, appropriate to its sensitivity
• information about your rights under PIPEDA, including the right to access and request correction of your personal information, to withdraw consent (subject to legal or contractual restrictions), and to challenge our compliance
• information on how to contact us with questions or complaints, and how to contact the Office of the Privacy Commissioner of Canada if you are not satisfied with our response.

​

Format and accessibility
We will present privacy information in a manner that is easy to find, easy to understand and appropriate for the context, using plain language and avoiding unnecessary legal or technical jargon. This may include:
​

• this Privacy Policy, available on our website and on request
• notices on specific forms, webpages or communications where personal information is collected
• responses from our staff to questions about our privacy practices, supported by internal guidance and training

​
Where an individual requests more detail about our privacy practices, we will provide additional information explaining our policies and procedures relating to personal information, subject to legal and confidentiality constraints.

You have the right to request access to the personal information that Orbit holds about you and to obtain information about how that personal information has been used and to whom it has been disclosed, subject to the limited exceptions set out in PIPEDA.

If you wish to request access to your personal information:

• You may submit a request in writing to Orbit’s Privacy Officer using the contact details provided in the “How to contact us” section of this Policy.
• To help us locate the personal information you are seeking, we may ask you to provide enough detail about the nature of your interactions with us (for example, your relationship to Orbit and the time period involved).

Orbit will respond to access requests as quickly as possible and, in any case, no later than 30 days after receiving the request, except where PIPEDA allows an extension. We may extend the response time by up to an additional 30 days (or longer with the approval of the Office of the Privacy Commissioner of Canada) if:

• responding within 30 days would unreasonably interfere with our operations
• we need additional time to conduct consultations; or
• we need additional time to convert records to an alternative format

If we extend the time, we will notify you within the initial 30‑day period, explain the reason for the extension, and inform you of your right to complain to the Office of the Privacy Commissioner of Canada.

Access will be provided at minimal or no cost. If there may be a reasonable cost associated with your request (for example, for copying or transmission), we will advise you of the approximate cost before proceeding and ask you to confirm whether you still wish to proceed. If we refuse access to some or all of the personal information requested, we will provide you with written reasons for the refusal and inform you of any recourse you may have, including the right to complain to the Office of the Privacy Commissioner of Canada.

Before providing access, we will take reasonable steps to verify your identity.

If you believe that personal information we hold about you is inaccurate or incomplete, you may request that it be corrected or amended. Where appropriate, we will also send the corrected information to third parties who have access to the information.

In some cases, personal information may be transferred to service providers or partners in other provinces or countries in connection with our services (for example, destination agents or storage providers). When we transfer personal information to third parties, we remain responsible for it and will use contractual or other means to ensure a level of protection comparable to that required by PIPEDA. We will also be transparent about such practices and, where appropriate, inform you that your information may be processed in another jurisdiction and may be accessible to courts, law enforcement and national security authorities in that jurisdiction.

A breach of security safeguards occurs when there is a loss of, or unauthorized access to or disclosure of, personal information resulting from a breach of our security safeguards or a failure to establish those safeguards.

All suspected or actual breaches of security safeguards must be reported immediately to Orbit’s Privacy Officer. Employees and service providers must not attempt to investigate a breach themselves; instead, they must preserve any relevant information so that the incident can be properly assessed.

Orbit will assess reported incidents to determine whether the breach poses a real risk of significant harm to any individual, taking into account the sensitivity of the personal information involved and the probability that the information could be misused. “Significant harm” can include bodily harm, humiliation, damage to reputation or relationships, loss of employment or business opportunities, financial loss, identity theft, negative effects on a credit record, or damage to or loss of property.

Where a breach of security safeguards creates a real risk of significant harm, Orbit will:

• report the breach to the Office of the Privacy Commissioner of Canada
• notify affected individuals as soon as feasible, with sufficient information to allow them to understand the significance of the breach and to take steps, where possible, to reduce the risk of harm
• notify any other organization or government institution that may be able to reduce the risk of harm or mitigate its impact, where appropriate.

​
Orbit will also keep records of all breaches of security safeguards in accordance with PIPEDA and applicable regulations.

This Privacy Policy is effective as of February 1, 2026 and applies to our handling of personal information from that date forward.

Our Anti Bribery and Corruption Policy
Our Anti Trust Policy

This Policy has been approved and authorised by: