Privacy Policy

We collect information you provide directly: name, email address, phone number, province of practice, and message content via our contact form. We also collect standard web analytics data: IP address (anonymized after 30 days), browser type, pages visited, time on site, and referring URL.

For members using our portal, we collect professional credentials, licensing information, CE completion records, and practice data you voluntarily provide for benchmarking purposes. We never collect data we don't have a documented use for.

Contact form data: to respond to your inquiry within 24 hours and route you to the correct team — policy, research, member services, CE, or CDCP navigation support.

Web analytics: to understand how visitors use our site and improve the experience. We track aggregate patterns, not individual behaviour.

Member portal data: to deliver CE tracking, provincial licensing board reporting, overhead benchmarking, and personalized practice support. Every data point we collect maps to a specific service you've opted into.

We do not sell, rent, or trade personal information. Full stop.

We share data only in these circumstances:

• 1. With your explicit, documented consent.
• 2. With provincial licensing boards for CE credit reporting — only at your request and with your authorization.
• 3. With our data processor (hosted exclusively on Canadian servers in compliance with PIPEDA).
• 4. When required by Canadian law — and we will notify you unless legally prohibited from doing so.

We have never sold data. We have never shared data with advertisers. We have never monetized member information.

All data is stored on Canadian servers — located in Ontario and Québec. Here's the technical layer:

• TLS 1.3 — encryption for all data in transit
• AES-256 — encryption for all data at rest
• RBAC — role-based access controls limit data access to authorized personnel only
• Annual audits — third-party security assessments every 12 months

Our cybersecurity framework is the same PIPEDA-compliant framework we publish as a member resource — we use what we recommend. Our most recent third-party security audit (June 2026, conducted by Deloitte Canada) found zero critical vulnerabilities and two low-severity findings, both remediated within 14 days.

We keep this simple:

Essential cookies (session management, security tokens) — these are necessary for the site to function. They cannot be disabled.

Optional analytics cookies (anonymized usage data) — these help us understand traffic patterns and improve the site experience. You can decline them via our consent banner when you first visit. If you decline, we respect that choice — no nagging, no dark patterns, no degraded experience.

We do not use advertising cookies. We do not use tracking cookies. We do not participate in cross-site tracking networks. We do not use retargeting pixels.

Every category of data has a defined retention period. No exceptions, no ambiguity:

• Contact form submissions: 24 months from date of submission, then permanently deleted.
• Web analytics: IP addresses anonymized after 30 days. Aggregated trend data retained indefinitely (no personally identifiable information).
• Member portal data: retained for the duration of active membership plus 7 years, in compliance with CRA record-keeping requirements for professional organizations.
• CE records: retained permanently at member request, for licensing verification purposes. Members may request deletion at any time.

When we say "deleted," we mean it — securely wiped from primary storage and all backups within 90 days of the retention period ending.

Under PIPEDA, you have clear, enforceable rights:

• Access: You can request a copy of all personal information we hold about you.
• Correction: You can request corrections to inaccurate or incomplete data.
• Withdrawal of consent: You can withdraw consent for non-essential data processing at any time, without penalty.
• Deletion: You can request the deletion of your personal data, subject to legal retention requirements.

To exercise any of these rights, email [email protected] with the subject line "Privacy Request." We respond within 30 calendar days. In practice, we typically respond within 5 business days — because respecting your time is a core value, not a slogan.

Jean-François Lalonde, MBA, CPA, Chief Operating Officer, serves as the CDA's Privacy Officer. He has held this role since 2012 and oversees all data governance, breach response protocols, and third-party audit coordination.

Direct inquiries:

Email: [email protected]
Phone: 514-986-8377
Mail: Canadian Dental Association, 1815 Alta Vista Drive, Ottawa, Ontario K1G 3Y6

If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.

This is the question we get most often — and it deserves a thorough answer.

The National Dental Data Repository (NDDR) contains 87 million+ anonymized patient records. This is aggregate dental service utilization data used for research, policy development, and benefits design. Here's what matters:

• De-identification: All records are de-identified in compliance with PIPEDA and the Canadian Institute for Health Information's (CIHI) data de-identification standards. No personally identifiable health information is stored or accessible.
• No reverse-engineering: Our de-identification methodology has been independently validated to prevent re-identification, even when cross-referenced with external datasets.
• Access governance: Research access is governed by formal data-sharing agreements requiring ethics board approval — either from the researcher's institution or from our independent review panel.
• No commercial exploitation: NDDR data is never provided to product manufacturers, pharmaceutical companies, or dental supply corporations for marketing purposes.

We built the NDDR to serve Canadian dentistry and Canadian public health — not to monetize patient data. That principle is non-negotiable.

We update this policy when our practices change — not as a routine legal exercise. When we make substantive changes, we do three things: update the "Last Updated" date at the top of this page, post a summary of changes on our member portal, and (for active members) send a direct email notification at least 30 days before changes take effect.

Minor clarifications and formatting changes are reflected in the date but don't trigger email notifications. If you're ever unsure, this page is the authoritative source.