Privacy Compliance Quick Guide

Plain English. No legalese. For solo service business operators.

Not legal advice. Last updated: June 3, 2026

The short version

If you are a solo or small service business operator using Draftrow, you need to:

  1. Have a basic privacy notice telling customers how you handle their information (use our free template)
  2. Use customer information only for the original purpose they shared it for
  3. Honor customer requests for access, correction, or deletion
  4. Use reasonable security (Draftrow provides this for the data you process through it)

That is it. Privacy compliance for a small service business is not as complex as compliance for a hospital or a bank.

What laws apply to you

If you are in Canada:

PIPEDA (Personal Information Protection and Electronic Documents Act) is the federal law. Any provincial privacy law also applies if your province has one (Quebec, BC, and Alberta have provincial privacy laws).

If you serve customers in the United States:

State-specific laws may apply (CCPA in California, others in various states). HIPAA only applies if you are processing health information for healthcare providers.

If you serve customers in the EU or UK:

GDPR applies (more complex, may require additional steps). Consider consulting a privacy lawyer if EU customers are a meaningful part of your business.

For most Draftrow operators (Canadian solo service businesses serving Canadian customers), PIPEDA is the main framework.

What PIPEDA requires

PIPEDA has ten fair information principles. The ones that matter most for a solo operator:

Identifying purposes: Tell customers why you collect their information (use our privacy notice template)

Consent: Customers must consent to your collection (their voluntary inquiry is implied consent for reasonable business use)

Limiting collection: Only collect what you need for the service

Limiting use: Use information only for the original purpose

Accuracy: Keep information accurate (let customers correct it)

Safeguards: Protect information appropriately (Draftrow encrypts at rest)

Openness: Be transparent about practices (have a privacy notice)

Individual access: Let customers see their information on request

Challenging compliance: Let customers complain if needed

Of these, the practical actions for you are: have a privacy notice, use information only for the original purpose, respond to access/deletion requests within 30 days.

What you do NOT need to do

You do not need a per-customer consent form.

Implied consent from their voluntary business inquiry is sufficient for standard business processing.

You do not need to register with a privacy regulator.

PIPEDA does not require registration.

You do not need a Data Protection Officer.

This is a GDPR requirement that only applies to large organizations or specific types of data.

You do not need expensive privacy certifications.

SOC 2, ISO 27001, etc., are for enterprise vendors, not solo operators.

You do not need lawyers reviewing every customer interaction.

Standard practices and templates cover the common cases.

When to get a lawyer

Consult a privacy lawyer ($300-500 for a one-hour consultation) if:

  • You regularly serve customers in the EU, UK, or California
  • You handle health information, financial information, or government data
  • You have a data breach
  • You receive a regulatory complaint or inquiry
  • You are acquiring or being acquired by another business
  • A customer threatens legal action over privacy

For routine operations, our templates and Draftrow's built-in features should cover the standard cases.

Draftrow's role

Draftrow handles (technical side):

  • PII encrypted at rest
  • Conversations processed in memory only
  • Subprocessor disclosure published
  • Data export for portability requests
  • Soft delete and hard delete on request
  • Audit log of all PII access
  • Breach notification within 72 hours

You handle (customer-facing side):

  • Have a privacy notice
  • Respond to customer requests
  • Use information only for original purpose
  • Document significant decisions

Together, this is solid PIPEDA compliance for a solo operator.

When to ask questions

Email security@draftrow.com if:

  • You receive a customer request you do not know how to handle
  • You discover what looks like a security incident
  • You need help responding to a regulator
  • You have specific compliance questions about how Draftrow handles data

We respond within 24 hours during business days.