Privacy Policy
Effective date: February 26, 2026 (update as needed)
Organization: Guardian Parking Authority (“Guardian”, “we”, “us”)
Overview
We provide private parking enforcement services on behalf of property owners and property managers. This notice explains:
- what personal information we collect in parking and enforcement contexts,
- why we collect it,
- who we share it with,
- how long we keep it,
- how we protect it, and
- how you can access or correct your information or raise a concern.
This policy applies to personal information we handle through our enforcement operations, customer support channels (including payment and appeal workflows), and any Guardian websites or portals that link to this policy.
What information we collect
We collect information that is reasonably needed to manage parking compliance and enforcement. Depending on how you interact with us, this may include:
Parking and enforcement records
- vehicle licence plate number,
- photos of a vehicle and its surrounding area (for example, to document location and signage context),
- date/time and location of a parking event,
- the parking notice number and related enforcement notes,
- records of repeat violations associated with the same vehicle plate or account.
Information you provide during payment, appeals, or customer support
- name, email address, phone number, mailing address (as provided by you),
- payment confirmation details (for example, transaction identifiers and timestamps),
- written correspondence and attachments you submit (for example, an appeal explanation or proof of payment).
Surveillance and facility systems (where used)
- CCTV footage in a parking facility or managed area (typically used for safety, security, and incident investigation),
- licence plate images or plate scans captured by equipment at entrances/exits or patrol vehicles (manual or automated), where deployed.
Information from third parties (limited circumstances)
- property owner/manager instructions and authorizations relating to enforcement rules,
- if permitted by applicable law, registered owner contact information obtained from an appropriate authority for collection of unpaid parking fees (for example, to pursue an unpaid debt) where notice is provided.
We do not request driver’s licence numbers or government-issued identification for routine enforcement. If we must verify identity for an access request or a dispute, we will use the least intrusive method that is reasonable in the circumstances.
Why we collect and use personal information
We use personal information to:
- document parking compliance and administer private parking notices,
- process payments and issue receipts,
- review and decide appeals or disputes,
- detect repeat violations and manage enforcement escalation steps that are authorized (including towing where permitted and authorized),
- respond to customer service inquiries and prevent fraud or misuse of our systems,
- investigate safety or security incidents (for example, vandalism or vehicle damage) where relevant evidence exists,
- meet legal requirements and defend or pursue legal claims when necessary.
Example: If you submit an appeal, we will use the information you provide plus the enforcement record (time/location, photos, and any relevant facility records) to review the appeal and respond to you.
How we provide notice and obtain consent
Because parking enforcement happens in physical spaces, our notice and consent approach uses multiple channels:
Signage at parking locations
Where we operate enforcement on private property, we expect clear signage to be posted that explains the parking rules and that enforcement activities occur. Where higher-sensitivity tools are used (for example, CCTV or licence plate recognition), signage should also indicate that those technologies may be in use and provide a way to contact us.
Payment, portal, and appeal submissions
When you submit information to pay a notice or file an appeal (for example, through a portal), you are providing information directly to us for those purposes.
Optional uses
If we introduce a new purpose that is not integral to parking enforcement (for example, marketing), we will offer a clear choice before using your information for that purpose. Guardian does not use enforcement information for marketing.
Withdrawing consent
Where consent applies and withdrawal is feasible, you can request withdrawal by contacting us (see “Contact us”). Withdrawing consent may limit our ability to respond to an appeal, provide receipts, or resolve a dispute.
When we disclose personal information
We do not sell personal information. We disclose personal information only for purposes connected to parking enforcement and administration, including:
- Property owners or authorized property managers (to report on enforcement activity, respond to disputes, and fulfill contractual obligations),
- Towing providers (where towing is authorized and needed to carry out enforcement),
- Licensed collection agencies (where an unpaid debt is referred for collection in accordance with applicable law),
- Service providers that help us deliver services (for example, payment processing, secure hosting, customer-support tooling, fraud prevention, or IT support), who are required to protect the information and use it only to provide services to us.
We may also disclose information where required or permitted by law (for example, to legal counsel, insurers, or law enforcement in connection with an incident, claim, or legal process).
Cross-border processing
We may use service providers that store or process information in jurisdictions outside Canada (for example, cloud hosting, customer support, or payment-related services). When we do, we remain responsible for the personal information in our control and require appropriate contractual and organizational safeguards to protect it.
If you want to know whether a particular service involves processing outside Canada, contact us and we will provide available details relevant to your request.
How we protect personal information
We use safeguards appropriate to the sensitivity of the information and the risks involved. These safeguards may include:
- role-based access controls (limiting access to staff/contractors with a legitimate need),
- encryption for data in transit and at rest where appropriate,
- secure authentication and logging/monitoring of access to enforcement systems,
- segmentation of systems (for example, separating payment-related systems from enforcement systems where feasible),
- vendor security requirements and confidentiality obligations,
- training and internal procedures for staff and contractors.
Breach response and notification
A privacy breach can happen if personal information is lost, accessed without authorization, or disclosed without authorization.
If we experience a breach involving personal information, we will:
- contain and investigate the incident,
- assess the risk of harm to individuals,
- notify affected individuals and the appropriate regulator when required,
- notify other organizations (where appropriate) if they may help reduce harm (for example, a payment provider),
- keep records of breaches as required.
Retention and disposal
We keep personal information only as long as needed for the purposes described above, and then securely delete it, de-identify it, or retain it in a restricted archive where we must keep it for legal or operational reasons.
- Routine enforcement records for a resolved notice (paid, cancelled, or denied appeal): 7 years after final resolution
- Enforcement records for an unresolved notice sent to collections or legal process: up to 7 years after final resolution of the process
- CCTV footage (where used) with no incident flagged: 7–30 days
- CCTV footage linked to a reported incident, dispute, or legal claim: keep until the matter is resolved, then apply the relevant records retention period
- Portal/account access logs and security logs: 90 days to 1 year, depending on security needs
- Breach records: at least 2 years
If you are involved in an active appeal, dispute, or access request, we may suspend deletion of relevant records until the matter is resolved.
De-identification and aggregated data
When appropriate, we may create aggregated or de-identified data sets (for example, counts of violations by location or time period) to improve operations, detect patterns, or produce reports for property owners. We do this to reduce reliance on identifiable information where possible.
We do not treat data as “anonymous” if it can reasonably be linked back to an identifiable individual.
Privacy impact assessments and privacy by design
When we introduce a new technology or a significant change that could increase privacy risk (for example, deploying or materially expanding CCTV or licence plate recognition, adding new third-party processors, or linking data sets in new ways), we will perform a documented privacy risk assessment (a privacy impact assessment or equivalent) and adopt mitigations proportionate to the risk.
Your rights: access and correction
You can request access to the personal information we have about you in connection with a parking notice (and information about how it has been used and disclosed). You can also request correction of factual inaccuracies.
To protect your information, we will take reasonable steps to verify identity before releasing records.
How to submit a request
Submit your request through the Guardian Support Portal or by contacting us at the email below. Include enough information to let us locate the record (for example, notice number, licence plate number, date/location of the event).
Questions, complaints, and how to contact us
Privacy Officer
Guardian Parking Authority
Email: [email protected]