Privacy policy


This Privacy Policy is effective as of March 6, 2025.

At the Heart and Stroke Foundation of Canada, including its affiliates Heart and Stroke Foundation of B.C. and Yukon, Heart and Stroke Foundation of Ontario, Heart and Stroke Foundation of Quebec, Heart and Stroke Foundation of Nova Scotia, and Heart and Stroke Foundation of Prince Edward Island Inc., and the Heart and Stroke Foundation of New Brunswick (collectively, “Heart & Stroke”, "we," "our," or "us"), we are committed to protecting your privacy and safeguarding your personal information. This Privacy Policy outlines our practices regarding the collection, use, and disclosure of your personal information in compliance with Canada's federal, provincial, and other applicable privacy laws. By interacting with our organization, you consent to the practices outlined in this policy.

At Heart & Stroke, safeguarding your privacy is a priority. This Privacy Policy details how we collect, use, and disclose your personal information when you engage with our website (the “Site”), as well as our products and services, including but not limited to tools, eTools, apps, forums, event and course registration pages, electronic publications, newsletters, announcements, contest entries, lottery ticket purchases, and donations made online or by mail (collectively, the Site and services being, the “Services”). This Privacy Policy also applies to information collected through applications for employment, research funding, grants, or volunteer opportunities.

This Privacy Policy forms part of our Terms of Use, outlining the terms and conditions governing your use of our Services. We will only collect, use, and disclose your personal information in accordance with this Privacy Policy. By using our Services or otherwise engaging with Heart & Stroke, you acknowledge that you have read and understood this Privacy Policy, and you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy.

If you do not agree with this Privacy Policy, please do not use the Services, or supply your personal information to us.

1. When do we collect personal information?

Personal information means any information about an identifiable individual. We may collect your personal information when you voluntarily provide it to us by using the Services or otherwise engaging with us. This includes, but is not limited to, the following circumstances:

  • When you use our services 
    • When you create or sign into your user account on our Site or other Heart & Stroke online platforms.
    • When you participate in Heart & Stroke programs, trainings, or events.
    • When you post comments, messages, or other content on our Site (e.g., blogs, contact forms, or eTools features).
    • When you participate in other Site activities that request personal information.
  • During financial transactions
    • When you donate to Heart & Stroke or pay registration fees for our programs.
    • When you purchase items from our Site, including lottery tickets.
    • As part of our resuscitation program, when you pay annual certification fees, certification card processing fees, or certification card replacement fees.
  • When you communicate with us
    • When you send a question, comment, or request to Heart & Stroke or a Heart & Stroke representative by email, phone, fax, or through our Site.
    • When you register to receive electronic communications, such as our e-newsletters, research updates, or event invitations.
  • During program and event participation
    • When you participate in an event organized by or associated with Heart & Stroke.
    • When you register for user accounts, programs, or activities requiring personal information.
    • When you provide input during surveys, focus groups, or program evaluations.
  • During media spokesperson outreach
    • When you engage with Heart & Stroke as a potential spokesperson, as a medical expert or an individual with lived experience
  • Voluntary information sharing
    • When you provide unsolicited personal information, such as emails, personal stories, or comments.
    • When you share stakeholder expertise or contribute content relevant to our mission
  • For researchers, during program, research, and peer review stages
    • During peer review recruitment, the review process, and post-review phases.
    • At the award notification and post-award stages for research grants and funding.
    • During and after participation in programs, focus groups, or interviews.
  • During applications, registration, and onboarding
    • When you apply for employment, programs, courses, events, or research awards/grants.
    • During the application stage and profile creation process.
    • During onboarding for employees, volunteers, or people with lived experience.
    • When you sign up for newsletters, conference invitations, or training programs.
  • For compliance, security, and eligibility verification
    • When we verify your identity or eligibility for funding opportunities, programs, or services.
    • When legal, compliance, or fraud prevention measures require information collection.

Any personal information posted, used, or disclosed on X (formerly Twitter), Facebook page or other social networking page or site is subject to that website’s privacy policy, and is not subject to this Privacy Policy.

2. Purposes for collecting your personal information

We may use the personal information collected for the following purposes:

  • Service delivery and site features
    • To provide you with our Services.
    • To manage our business and operations.
    • To facilitate and process your registration for courses, events, and services.
    • To grant you access to special features or areas of the Site, such as forums, tools, or courses, where you have applied for access or posted information.
    • To administer and provide you with eTools, including health assessments and lifestyle support emails.
  • Customer relationship management
    • To manage our relationship with you and provide customer service.
    • To identify you in our system.
    • To respond to questions or inquiries submitted through the site, email, or phone.
  • Communication and outreach
    • To send communications, including by email, with mission-related content or information about programs and events.
    • To contact you for fundraising purposes.
  • Transactional activities
    • To process payments for donations, registration fees, online purchases, lottery tickets, annual certification fees, certification card processing or replacement fees.
    • To issue tax receipts where applicable.
  • Health-related purposes
    • To deliver and evaluate registered health programs and activities.
    • To provide tools and resources to help manage health conditions and achieve health goals.
    • To measure risk information and offer customized risk reduction tools (e.g., risk screening tools).
  • Marketing and targeting
    • For marketing segmentation to identify target populations.
    • To develop digital campaigns, including audience building and retargeting.
  • Compliance and legal obligations
    • To comply with legislative training requirements.
    • To track AED deployment for safety and compliance purposes.
  • Research, advocacy, and public awareness
    • To support mission activities such as participation in media, advocacy, research reviews, and focus groups.
    • To develop best practices, mission planning events, and public awareness initiatives.
    • To advance public awareness and health equity.
    • To measure the impact of programs and activities.
    • To create and improve resources and programs.
    • To understand the burden of disease and identify gaps or inequities in healthcare access and outcomes, particularly among people living in Canada and across different communities and demographics.
  • Research recruitment and application processing (only where applicable)
    • To process your application for research positions or funding opportunities.
    • To verify your identity and eligibility as an applicant.
    • To assign your application to appropriate reviewers based on expertise and qualifications.
    • To allocate applications to reviewers based on research interests and qualifications.
    • To manage and track application submissions and provide updates.
    • To inform you of competition results and manage post-grant requirements like progress reports and financial documentation.
    • To send reminders, research updates, newsletters, and invitations to join committees.
    • To survey you on the application/review process and overall experience.
    • To report on equity, diversity, and inclusion (EDI).
  • Employment purpose (only where applicable)
    • To assess qualifications for job applications and positions.
    • To match candidates with suitable roles.
    • To evaluate staffing needs, team alignment, and project assignments.
    • To monitor and manage employee absences, workplace incidents, and fitness for duty.
    • To improve and personalize user and employee experiences.
    • To identify opportunities for employee growth, training, and career advancement.
    • To analyze workplace incident data for improving safety measures and ensuring compliance with regulatory standards.
    • To safeguard against unauthorized access and fraudulent activities in workplace systems.
  • Media and public engagement (only where applicable)
    • To secure media interviews and manage the media spokesperson list.
    • To understand public perceptions, brand awareness, and site engagement.
3. What personal information do we collect?

The types of personal information that you may provide us with, and we may collect include, but are not limited to:  

  • Basic identification information: 
    • Your name, date of birth, age, marital status, sex at birth and reported gender.
  • Contact information: 
    • Your residential address, mailing address, postal code, email address and telephone number(s). 
  • Financial information: 
    • Your credit card details, money order or cheque information, banking information (e.g., for monthly donor withdrawals or EFT payments for Ontario Lottery winners).
  • Health information: 
    • The state of your physical and/or mental health that you provide us with in connection with your use of our services, such as your weight, height, body mass index, waist circumference, medical symptoms and conditions, health screenings, exercise and other health habits, family history of chronic illness, access to care, medical experience and lived experience. 
  • Other socio-demographic information: 
    • Your race, ethnicity, sexual orientation, disability status, Indigeneity, minority group membership, language(s) spoken, education, income, marital status, country of birth, time spent living in Canada, and other details related to equity-deserving populations.
  • Program specific information: 
    • Child’s name, grade, school and teacher’s name when participating in the Jump Rope for Heart. 
  • Interaction information: 
    • Any information voluntarily provided when contacting us, such as inquiries, requests or correspondence, other personal information voluntarily provided (e.g., emails, letters, comments, or applications submitted through our site or other means).
  • Employment information: 
    • Your résumé, cover letter, reference letters, job title, place of work, hire date, employment history, volunteer positions, work address, spousal/partner information, work status, department or group, information concerning workplace incidents, including injuries, absences, short and long-term leaves, and fitness for duty.
  • Research grant applicant information: 
    • Your institutional affiliation, the Canadian Common CV (CCV), bio sketch, publications, research proposals, ethics approval.
  • Other information: 
    • Information about spokespeople (including medical experts or individuals with lived experience), additional information’s such as personal narratives, storytelling contributions, stakeholder expertise and any publicly shared information relevant to Heart & Stroke’s mission.
4. Limiting collection of personal information

We limit the collection of personal information to what is necessary to fulfill the purposes identified in this Privacy Policy and we collect, use, and disclose your personal information in accordance with this Privacy Policy. 

5. Use, disclosure and retention of personal information

Your personal information will not be used without your consent for purposes other than those for which it was collected or in accordance with applicable laws. From time to time, we may wish to use personal information for new or additional purposes, in which case we will amend the Privacy Policy to include these new or additional purposes and will obtain your consent through your continued use of our Services. 

We retain your personal information only for as long as we need it to fulfill the purposes for which it was collected and to comply with our legal obligations. 

We may also use and disclose your personal information to third parties under the following limited circumstances:

  • to provide you with Services, we may use service providers, data processors and other third parties (“Third Parties”) to perform services on our behalf and to help with Heart & Stroke’s operations and Services including, without limitation, for customer services, monitoring and analyzing Site activity, marketing services, data hosting services and operating and maintaining the Site. Service providers and partner companies may only use your personal information for the purposes described in this Privacy Policy. 
  • when necessary to protect the safety, property or other rights of Heart & Stroke, its representatives, and users of the Services, including to detect and protect against fraud. 
  • if we sell or transfer all or a portion of our business or assets to a related company or a third party. Your personal information will remain subject to any pre-existing privacy policy unless you agree to the privacy policy of the company or third party that acquires your personal information.
  • with your consent; or
  • when otherwise required or permitted by law.

If you voluntarily submit or post any information, photographs, or other content to any Heart & Stroke forums, eTools, X (formerly Twitter), Facebook pages or other social networking pages/sites, your personal information may be automatically included in the posting, including without limitation, your username and email address. This information may be collected and used by others. 

6. Data processors in other countries

Heart & Stroke and its Third Parties may store, process, and transfer personal information on servers located outside of your province of residence in jurisdictions whose data protection laws may differ from those of Canada or your province of residence, which may include the United States of America.  As a result, personal information may be subject to access requests from governments, courts, or law enforcement in those jurisdictions according to the laws in those jurisdictions. For example, information may be shared in response to valid demands or requests from government authorities, courts, and law enforcement officials in those countries. Subject to applicable laws in such other jurisdictions, we will use reasonable efforts to ensure that appropriate protections are in place to require our Third Parties to maintain protections on personal information that are equivalent to those that apply in Canada.

7. Links to other sites

The Site may contain links to other websites or Internet resources, notably those belonging to our sponsors, partners, or collaborators. When you click on one of those links you are contacting another website or Internet resource that may collect information about you voluntarily or through cookies or other technologies. We are not responsible for the privacy practices, or the content of any sites owned and operated by any third parties. Other sites may collect and treat information collected differently, so we encourage you to carefully read and review the privacy policy of each site you visit. 

8. Providing credit card information on our site

If you make a credit card payment through Heart & Stroke, we request the information reasonably needed by us to complete the processing of the transaction. For one-time payments, when you provide payment information, such as credit card numbers, credit card security codes, name on your credit card and expiration dates, we transmit this data directly from you to the credit card processing company; Heart & Stroke only stores the credit card type, the last four digits of the credit card number and the expiration date in the event an incorrect payment needs to be refunded. Heart & Stroke will send you a confirmation email to confirm successful credit card charges. For pre-authorized debits for recurring payments, all information is stored by Heart & Stroke or Third Parties acting on our behalf, in an encrypted manner (i.e., coded data) such that only those who require access to update financial information can see the credit card number. The encrypted data is provided at the appropriate intervals to the credit card processing company. We may also share your personal information with Third Parties including credit card processing companies to bill you, but we do not provide any more information than reasonably necessary for this purpose. 

9. Cookies and online tracking tools

As you interact with our Services, we may use automatic data collection technologies that record and collect information to identify your computer, track your use of our Site, and gather other information about your browsing habits. This data collection may include cookies, web beacons, and similar devices to enhance functionality and navigation.

A cookie is a small data file placed on your computer’s hard drive so that your computer will “remember” information when you visit a site. Web beacons and tags are small strings of code used with cookies to record activity on our Site. Internet tags and graphic tags count users who visit a page or access certain cookies. These technologies allow us to personalize the Site and improve your experience. We may also include web beacons in HTML-formatted emails to determine which emails were opened.

Information tracked through these mechanisms includes, but is not limited to:

  • Your IP address.
  • The type of web browser and operating system being used.
  • The pages of the Site you visit.
  • Other sites visited before ours.

You can reject or disable cookies by managing your browser settings. However, disabling cookies may limit access to customized features. Cookies and web beacons do not collect personal information.

10. Google Analytics

We use third-party tools, such as Google Analytics, to collect data and analyze usage patterns on our Site. Google Analytics uses cookies to generate information about your Site usage (including your IP address). This information is sent to and stored on Google servers, where it is used to:

  • Evaluate how you use the Site.
  • Compile reports for us on Site activity.
  • Provide additional internet-related services.

Google may transfer information to third parties if required by law or for processing on Google’s behalf. Importantly, Google does not link your IP address to any other data. To protect your privacy, we use Google Analytics’ "Anonymize IP" function, which processes IP addresses in shortened form to prevent direct identification.

To learn more about Google’s data collection practices and how to control them, visit:

You can opt out of data collection by Google Analytics at any time by visiting this link.

11. Robocalls and automated communications  

At Heart & Stroke, we may contact you via robocalls or automated dialing systems for service updates, promotions, reminders, or account-related communications. By providing your phone number, you consent to receive these automated calls. Third Parties may deliver these calls, in adherence with this Privacy Policy and Canadian laws, 

You can opt out of robocalls by following instructions in the automated message, contacting us at privacyoffice@heartandstroke.ca, or registering your number with the National Do Not Call List (DNCL) at Canada.ca.

12. Browsing information

We want to make your experience with Heart & Stroke as supportive and as customized as possible, and to do this, we, with the help of one or more third party service providers, may use cookies on your computer to trace your online browsing habits on our Site. We and/or our third-party service providers may then use the information collected from the cookies to provide you with suitable Heart & Stroke advertisements when you visit our Site and other websites, such as social media sites, Google, and Yahoo. If you do not want to receive this type of customized advertising, you may set your browser to block third party cookies or clear your cache after each use. 

13. Security

To help protect the confidentiality of your personal information, Heart & Stroke employs security safeguards appropriate to the sensitivity of the information. We maintain reasonable technical, physical, and administrative security safeguards to protect your personal information against loss, theft, and unauthorized access. Any personal information you provide to us is exchanged on a secure server. Unfortunately, no data transmission over the Internet can be guaranteed to be 100% secure. As a result, while we are committed to protecting your personal information, we cannot ensure or warrant the security of any information you provide to us.

We take reasonable steps to verify your identity before granting you access to your account on our Site; however, you are solely responsible for maintaining the secrecy of your username, password, and any other account information. We also take reasonable steps to ensure that Heart & Stroke employees and volunteers are aware of the importance of maintaining the confidentiality of personal information and that unauthorized persons do not gain access to personal information that we have disposed of or destroyed. 

14. Individual access and accuracy of personal information

You may request access to your personal information which we may hold by contacting us at the contact information set forth below, and we will respond within the time periods provided for under applicable laws. We will need to verify your identity before providing you with the personal information we hold about you. There is no cost for such an access request unless you require copies of records. We may not be able to provide you with access to your personal information if the information cannot be separated from the personal information of others, cannot be disclosed for reasons of security or commercial confidentiality, or is protected by legal privilege. If we cannot provide you with access to your personal information, we will advise you of the reasons access is being denied, unless we are prohibited by law from doing so. 

You may request to update and change your personal information at the contact information set forth below. We shall endeavor to correct or complete any personal information which you advise us to be inaccurate or incomplete. Where appropriate, the amended information shall be transmitted to third parties having access to such information.

15. Children’s privacy

We are committed to protecting the privacy of children and we do not knowingly solicit personal information from children under 14 years of age without parental or guardian consent. Certain portions of our Site provide services and programs for children, such as Jump, for which we may collect a child’s personal information with parental or guardian consent in accordance with this Privacy Policy. If a child has provided us with personal information without consent, his or her parent or guardian may contact us for the purpose of deleting this information. 

16. E-mail communications

Heart & Stroke complies with Canada’s anti-spam legislation (CASL), and we will not send you electronic communications in contravention of this law. 
We will ensure that each e-mail includes an opt-out feature and instructions on how to unsubscribe if you no longer wish to receive future e-mails from Heart & Stroke. You can unsubscribe using the link included in the e-mail or by sending an e-mail to privacyoffice@heartandstroke.ca or by telephoning us at 416-489-7111. If you do not expressly consent to receiving electronic communications, we will only communicate with you for the limited purposes permitted under CASL. 

17. User content in comments, chat rooms and message boards

If you post comments on the Site (such as commenting on a recipe or blog) or if you use chat rooms and message boards that may be available on our Site from time to time, you should know that when you voluntarily disclose your personal information on our message boards, chat rooms, comment boxes or other interactive areas where personal information can be posted, the information can be collected and used by other internet users. This may result in unsolicited messages from other posters or parties. We undertake no obligations as to the security of information you voluntarily post in our chat rooms, on our message boards, in comment sections of our Site or in other interactive features of our Site. Please refer to our Terms of Use to understand your obligations when providing your own content (referred to as “User Content” in our Terms of Use) 

18. Changes to this privacy policy

This Privacy Policy may be amended by Heart & Stroke from time to time in Heart & Stroke’s sole discretion and without any prior notice to you. The collection, use and disclosure of your personal information by Heart & Stroke will be governed by the version of this Privacy Policy in effect at that time. We will post the most current version on our Site and will indicate at the top of this page the date this Privacy Policy was last revised. Please check back from time to time to ensure that you are aware of any updates or changes in this Privacy Policy. By continuing to access or use this Site after any such changes constitutes your acceptance of the Privacy Policy as revised. 

19. Your consent to the terms of this privacy policy

By using our Services and providing us with your personal information, you agree that Heart & Stroke may collect your personal information, and you voluntarily consent to the collection, use, disclosure, and transfer of your personal information in accordance with this Privacy Policy. If you do not agree with any terms of this Privacy Policy, please do not use our Services, or provide us with any personal information. If you do not understand the nature, purpose and consequences of collecting, using and disclosing personal information to Heart & Stroke, please do not use our Services or provide us with any personal information, and contact us at the contact information set forth below so that we can address your questions or concerns.  

Subject to legal and contractual requirements, you may refuse or withdraw your consent to certain of the purposes identified in this Privacy Policy at any time by contacting us at the contact information set forth below. If you refuse or withdraw your consent, you acknowledge that Heart & Stroke may not be able to provide you or continue to provide you with certain services or information which may be of value to you. 

20. How to contact us

We welcome your feedback. If you have questions, comments, or concerns about this Privacy Policy, or would like to do any of the following: 

  • see your personal information that you have already sent us so that you can correct, update or delete it from our files
  • if your child under 14 has used this Site and sent us personal information, delete that personal information from our files
  • ask that we not send you electronic communications or otherwise contact you; or 
  • report any violation of this Privacy Policy.

Please contact our Privacy Officer at privacyoffice@heartandstroke.ca and we will try to get back to you as soon as possible. We are committed to responding to anyone who contacts us with questions or concerns about the policy.