Privacy Policy

Protection of your personal information in compliance with Law 25 and PIPEDA.

1. Applicable legal framework

SecuAAS processes personal information in accordance with the Act respecting the protection of personal information in the private sector (CQLR, c. P-39.1), as amended by the Act to modernize legislative provisions as regards the protection of personal information (S.Q. 2021, c. 25, known as "Law 25"). Where it applies to inter-provincial or international commercial activity, the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5, "PIPEDA") also applies. Where several Canadian regimes coexist, SecuAAS applies the most protective standard.

2. Person in charge of the protection of personal information

In accordance with section 3.1 of the Act respecting the protection of personal information in the private sector, SecuAAS has designated Mr. Olivier Lange as the person in charge of the protection of personal information, who oversees compliance with the law and these policies. He can be reached at dpo@secuaas.com.

3. Information collected and purposes

In accordance with sections 4, 5 and 8 of the Act respecting the protection of personal information in the private sector, SecuAAS determines the purposes of collection before collecting and limits collection to necessary information. The information processed on the Site is the following:

Newsletter subscription: email address and, where applicable, first name, last name and organization, in order to send communications about SecuAAS's products and content. AI-assisted personalization of mailings is described in section 5.
Free EASM Domain Scan: the submitted domain name, the contact email address and publicly accessible technical information (subdomains, ports, SSL/TLS configurations), in order to produce the scan report requested by the User.
Audience measurement (analytics): SecuAAS uses Plausible Analytics, a privacy-friendly solution that does not use cookies and does not collect directly identifying information, for the aggregate measurement of Site traffic.
BetaWatch telemetry: where the User takes part in a beta program, technical usage data may be collected to improve product quality and stability; its scope is specified upon enrolment in the program.

4. Consent and legal basis

In accordance with section 14 of the Act respecting the protection of personal information in the private sector, consent to the collection and use of personal information is clear, free and informed, and is given for specific purposes, in plain language, separately from any other information. Consent to receive the newsletter may be withdrawn at any time via the unsubscribe link in each mailing or by request to the person in charge.

Aggregate audience measurement and Site security rely on SecuAAS's legitimate interest in operating and securing the Site, in accordance with the Act respecting the protection of personal information in the private sector.

5. Use of artificial intelligence and automated decisions

Where SecuAAS uses AI-assisted processing (for example, newsletter personalization), it complies with sections 8.1 and 12 of the Act respecting the protection of personal information in the private sector. The Site makes no decision based exclusively on automated processing producing legal effects within the meaning of section 12.1 of that Act; should this occur, the User would be informed and could submit observations.

6. Disclosure of information outside Quebec

Before any disclosure of personal information outside Quebec, including to a supplier established outside Quebec acting on SecuAAS's behalf, SecuAAS carries out a privacy impact assessment in accordance with section 17 of the Act respecting the protection of personal information in the private sector. The assessment takes into account the sensitivity of the information, the purpose of its use, the protective measures, including contractual ones, that would apply, and the legal framework of the destination jurisdiction. Disclosure occurs only if the assessment establishes that the information would receive adequate protection and is governed by a written agreement.

7. Retention, destruction and anonymization

In accordance with section 23 of the Act respecting the protection of personal information in the private sector, once the purposes of collection or use are accomplished, SecuAAS destroys the personal information or anonymizes it to use it for serious and legitimate purposes, subject to a retention period provided by law. Under that Act, information is anonymized when it is, at all times, reasonably foreseeable in the circumstances that it irreversibly no longer allows the person to be identified, directly or indirectly, according to generally accepted best practices and applicable regulatory criteria.

8. Rights of the persons concerned

Users may, in accordance with sections 27 (access), 28 (rectification), 28.1 (cessation of dissemination and de-indexing) and 40 of the Act respecting the protection of personal information in the private sector, request access to the personal information concerning them, its rectification or, where applicable, the cessation of its dissemination. SecuAAS responds within the thirty (30)-day period provided in section 32 of that Act.

9. Confidentiality incidents

In accordance with sections 3.5 to 3.8 of the Act respecting the protection of personal information in the private sector, SecuAAS takes reasonable measures to reduce the risk of injury and to prevent new incidents. Where a confidentiality incident presents a risk of serious injury, SecuAAS promptly notifies the Commission d'accès à l'information and the persons concerned, subject to statutory exceptions, and records the incident in a register kept for at least five (5) years. The allocation of responsibilities for incidents relating to the SaaS products is set out in the product agreements.

10. Cookies

The Site favours a tracking-cookie-free approach. The Plausible Analytics audience-measurement solution sets no cookies and uses no cross-site tracking. Only cookies strictly necessary for the Site to function (for example, remembering language or essential preferences), which do not require consent, may be used. Any non-essential cookie subsequently deployed would be subject to a prior consent request, in accordance with section 14 of the Act respecting the protection of personal information in the private sector.

11. Data sovereignty

SecuAAS hosts the Site and its primary infrastructure with OVHcloud in Beauharnois (Quebec, Canada). Data associated with the Site remains in Canada, except with explicit consent or where necessary as described in this policy.

Certain SaaS product features, in particular those relying on artificial intelligence, may however use subprocessors located outside Quebec. Any such use is subject to the required consent and to the privacy impact assessment under section 17 of the Act respecting the protection of personal information in the private sector, and is governed by the product agreements. SecuAAS favours suppliers and architectures that reduce exposure to extraterritorial compelled-disclosure laws and, where possible, processing within Quebec; it cannot, however, guarantee absolute immunity from any foreign law, in particular where a subprocessor is subject to such a law.

12. Contact

For any question regarding this policy or to exercise your rights: SecuAAS, by email at dpo@secuaas.com (personal information) or info@secuaas.com (general). Any person may contact the Commission d'accès à l'information du Québec.

Effective June 1, 2026