Privacy Policy
Procedure for the Retention, Destruction and Anonymization of Personal Information
1. Overview
It is important to implement a procedure for the retention, destruction and anonymization of personal information in order to protect individuals’ privacy, comply with privacy legislation, prevent confidentiality incidents involving personal information and security breaches, maintain customer trust, and protect the organization’s reputation.
2. Objective
The purpose of this procedure is to ensure the protection of individuals’ privacy and to comply with legal obligations regarding the protection of personal information.
3. Scope
The scope of this procedure should cover the entire life cycle of personal information, from its collection to its destruction. It applies to all employees and stakeholders involved in the collection, processing, retention, destruction and anonymization of personal information, in accordance with legal requirements and best practices in privacy protection.
4. Definitions
Personal information: any information that allows a natural person to be identified, directly or indirectly.
Retention: secure storage of personal information for the required period.
Destruction: permanent deletion, elimination or erasure of personal information.
Anonymization: a process of modifying personal information so that it no longer allows, at any time and irreversibly, the direct or indirect identification of the individuals concerned.
5. Procedure
4.1 Retention Period
4.1.1 Personal information has been categorized as follows:
- information concerning company employees;
- information concerning members of the organization;
- information concerning clients.
4.1.2 The retention period for each of these categories has been established as follows:
Company employees: 7 years after the end of employment.
Members: variable depending on the type of personal information.
Clients: variable depending on the type of personal information.
For more details, refer to the complete inventory of personal information held.
Please note that specific retention periods may apply.
4.2 Secure Storage Methods
4.2.1 Personal information is stored in the following locations:
OneDrive, Wix
4.2.2 The sensitivity level of each of these storage locations has been established.
4.2.3 These storage locations, whether paper-based or digital, are adequately secured.
4.2.4 Access to these storage locations has been restricted to authorized persons only.
4.3 Destruction of Personal Information
4.3.1 Paper-based personal information must be completely shredded.
4.3.2 Digital personal information must be completely deleted from devices, including computers, phones, tablets and external hard drives, as well as from servers and cloud-based tools.
4.3.3 A destruction schedule based on the retention period established for each category of personal information must be created. It is essential to document the planned destruction dates.
4.3.4 It will be necessary to ensure that destruction is carried out in such a way that the personal information cannot be recovered or reconstructed.
4.4 Anonymization of Personal Information
4.4.1 The anonymization of personal information should only be carried out if the organization wishes to retain and use it for serious and legitimate purposes.
4.4.2 The chosen method for anonymizing personal information is as follows:
The information will be deleted after the retention period.
4.4.3 It will be necessary to ensure that the remaining information no longer allows, irreversibly, the direct or indirect identification of the individuals concerned. It will also be necessary to regularly assess the risk of re-identification of anonymized data by conducting tests and analyses to ensure its effectiveness.
Please note that, as of the date this template was drafted, the anonymization of personal information for serious and legitimate purposes is not possible. A government regulation must be adopted to determine the criteria and procedures.
4.5 Staff Training and Awareness
4.5.1 Regular training must be provided to employees on the procedure for the retention, destruction and anonymization of personal information, as well as on the risks related to privacy breaches.
4.5.2 This also includes raising staff awareness of data security best practices and the importance of complying with established procedures.
Last updated: February 1, 2026
Procedure for Requesting Access to Personal Information and Handling Complaints
1. Overview
Since an individual may request access to the personal information that an organization holds about them, or may also file a complaint, it is important to have predefined guidelines in place to respond to this type of request.
2. Objective
The purpose of this procedure is to ensure that all access requests are handled confidentially, promptly and accurately, while respecting the rights of the individuals concerned.
3. Scope
This procedure applies to the internal parties responsible for processing access requests and handling complaints, as well as to individuals wishing to access their own personal information.
4. Access Request Procedure
4.1 Submission of the Request
4.1.1 An individual who wishes to access their personal information must submit a written request to the organization’s Privacy Officer. The request may be sent by email or by postal mail.
4.1.2 The request must clearly state that it is a request for access to personal information and must provide sufficient information to identify the individual and the information being requested.
4.1.3 This information may include the name, address and any other relevant information required to reliably identify the individual making the request.
4.2 Receipt of the Request
4.2.1 Once the request has been received, an acknowledgement of receipt is sent to the individual to confirm that their request has been taken into consideration.
4.2.2 The request must be processed within thirty (30) days of its receipt.
4.3 Identity Verification
4.3.1 Before processing the request, the individual’s identity must be reasonably verified. This may be done by requesting additional information or by verifying the individual’s identity in person.
4.3.2 If the identity cannot be satisfactorily verified, the organization may refuse to disclose the requested personal information.
4.4 Response to Incomplete or Excessive Requests
4.4.1 If a request for access to personal information is incomplete or excessive, the Privacy Officer contacts the individual to request additional information or clarification.
4.4.2 The organization reserves the right to refuse a request if it is clearly abusive, excessive or unjustified.
4.5 Processing of the Request
4.5.1 Once the identity has been verified, the Privacy Officer responsible for processing access requests proceeds with the collection of the requested information.
4.5.2 The Privacy Officer consults the relevant records to collect the requested personal information, while ensuring compliance with any applicable legal restrictions.
4.6 Review of the Information
4.6.1 Before disclosing personal information to the individual, the Privacy Officer carefully reviews the information to ensure that it does not contain confidential third-party information or information that could infringe upon other rights.
4.6.2 If third-party information is present, the Privacy Officer assesses whether it can be separated or whether it must be excluded from disclosure.
4.7 Disclosure of the Information
4.7.1 Once the verifications have been completed, the personal information is disclosed to the individual within a reasonable timeframe, in accordance with applicable legal requirements.
4.7.2 Personal information may be disclosed to the individual electronically, by secure postal mail or in person, depending on the individual’s preferences and the appropriate security measures.
4.8 Follow-up and Documentation
4.8.1 All steps in the process of handling a request for access to personal information must be recorded accurately and completely.
4.8.2 The details of the request, the actions taken, the decisions made and the corresponding dates must be recorded in an access request tracking register.
- Date the request was received;
- Date of the acknowledgement of receipt;
- Date of identity verification;
- Method used to verify identity;
- Decision: access request accepted or refused;
- Date the information was disclosed, if applicable.
4.9 Protection of Confidentiality
4.9.1 All staff involved in processing requests for access to personal information must respect confidentiality and data protection requirements.
4.10 Management of Complaints and Remedies
4.10.1 If an individual is dissatisfied with the response to their request for access to personal information, they must be informed of the complaint procedures and available remedies before the Commission d’accès à l’information.
4.10.2 Complaints must be handled in accordance with the organization’s internal complaint management policies and procedures, as described in the following section.
5. Complaint Handling Procedure
5.1 Receipt of Complaints
5.1.1 Complaints may be submitted in writing, by telephone, by email or through any other official communication channel. They must be recorded in a centralized register accessible only to designated staff.
5.1.2 The employee must immediately inform the person responsible for receiving complaints.
5.2 Preliminary Assessment
5.2.1 The designated person reviews each complaint to assess its relevance and seriousness.
5.2.2 Frivolous, defamatory or clearly unfounded complaints may be rejected. However, a justification must be provided to the complainant.
5.3 Investigation and Analysis
5.3.1 The person responsible for the complaint conducts an investigation by collecting evidence, interviewing the parties concerned and gathering all relevant documents.
5.3.2 The person responsible must be impartial and have the necessary authority to resolve the complaint.
5.3.3 The person responsible must maintain the confidentiality of information related to the complaint and ensure that all parties involved are treated fairly.
5.4 Resolution of the Complaint
5.4.1 The person responsible for the complaint proposes appropriate solutions to resolve the complaint as quickly as possible.
5.4.2 The solutions may include corrective measures, financial compensation or any other action necessary to resolve the complaint satisfactorily.
5.5 Communication with the Complainant
5.5.1 The person responsible for the complaint communicates regularly with the complainant to keep them informed of the progress of the investigation and the resolution of the complaint.
5.5.2 All communications must be professional, empathetic and respectful.
5.6 Closing of the Complaint
5.6.1 Once the complaint has been resolved, the person responsible for the complaint must provide a written response to the complainant summarizing the measures taken and the proposed solutions.
5.6.2 All information and documents relating to the complaint must be kept in a confidential file.
Last updated: February 1, 2026
Procedure for Requesting the De-indexing and Deletion of Personal Information
1. Overview
This procedure is intended to address our clients’ privacy and personal information protection concerns.
2. Objective
The purpose of this procedure is to provide a structured mechanism for handling requests from our clients for the de-indexing and deletion of personal information.
3. Scope
This procedure applies to our internal team responsible for managing requests for the de-indexing and deletion of personal information. It covers all information published on our online platforms, including our website, mobile applications, databases or any other digital medium used by our clients.
4. Definitions
Deletion of personal information: the act of completely erasing data, making it unavailable and unrecoverable.
De-indexing of personal information: the removal of information from search engines, making it less visible while still directly accessible.
Deletion permanently eliminates the data, whereas de-indexing limits its online visibility.
5. Procedure
5.1 Receipt of Requests
5.1.1 Requests for the de-indexing and deletion of personal information must be received by the designated responsible team.
5.1.2 Clients may submit their requests through specific channels such as the online form, the dedicated email address or the telephone number.
5.2 Identity Verification
5.2.1 Before processing the request, the individual’s identity must be reasonably verified.
5.2.2 This may be done by requesting additional information or by verifying the individual’s identity in person.
5.2.3 If the identity cannot be satisfactorily verified, the organization may refuse to proceed with the request.
5.3 Assessment of Requests
5.3.1 The responsible team must carefully review the requests and the personal information concerned in order to determine their eligibility for de-indexing or deletion.
5.3.2 Requests must be handled confidentially and within the prescribed timeframes.
5.4 Reasons for Refusal
5.4.1 There are also perfectly valid reasons why we may refuse to delete or de-index personal information:
- To continue providing goods and services to the client;
- To comply with employment law requirements;
- For legal reasons in the event of a dispute.
5.5 De-indexing or Deletion of Personal Information
5.5.1 The responsible team must take the necessary measures to de-index or delete personal information in accordance with eligible requests.
5.6 Follow-up Communication
5.6.1 The responsible team must communicate with applicants throughout the process by providing acknowledgements of receipt and regular updates on the progress of their request.
5.6.2 Any delay or issue encountered during the processing of requests must be communicated to applicants with clear explanations.
5.7 Follow-up and Documentation
5.7.1 All requests for the de-indexing and deletion of personal information, as well as the actions taken in response, must be recorded in a dedicated tracking system.
5.7.2 Records must include the details of the requests, the measures taken, the dates and the outcomes of the actions performed.
Last updated: February 1, 2026
Security Incident and Personal Information Breach Management Procedure
1. Overview
An incident response plan is essential for managing cyber incidents effectively. During a crisis, it is not always easy to know how to act or how to prioritize actions. An incident response plan reduces stress and the risk of forgetting important aspects.
2. Objective
The purpose of this procedure is to ensure that the organization is prepared to respond to a cyber incident so that it can quickly resume its activities.
3. Scope
The scope of this procedure includes all networks and systems, as well as stakeholders, including clients, partners, employees, subcontractors and suppliers, who access these systems.
4. Recognizing a Cyber Incident
A cybersecurity incident may not be recognized or detected immediately. However, certain indicators may be signs of a security breach, a compromised system, unauthorized activity, etc. It is important to always remain alert to any sign that a security incident has occurred or is ongoing.
Some of these indicators are described below:
Excessive or unusual login and system activity, including activity from any inactive user ID or user account.
Excessive or unusual remote access within your organization. This may involve staff or third-party suppliers.
The appearance of any new visible or accessible wireless (Wi-Fi) network.
Unusual activity related to the presence of malware, suspicious files, or new or unapproved executable files and programs.
Lost, stolen or misplaced computers or devices containing payment card data, personal information or other sensitive data.
5. Contact Information for Resource Persons
Company: Karine Boto Consultante
Person responsible: Karine Boto
Address: 948 rue des Amarantes, Laval, H7Y 2G9, QC, Canada
Email: info@karineboto.com
Telephone: 514 267 1583
Website: karineboto.com
6. Personal Information Breach — Specific Response
If it has been confirmed that a security incident involving a personal information breach has occurred, the following steps must be taken:
Complete the confidentiality incident register to document the incident.
Review the personal information breach to determine whether personal information was lost due to unauthorized access or use, unauthorized disclosure, or any breach of the protection of this personal information, and whether there is a risk of serious harm to the individuals concerned.
In such a case, report it to the Commission d’accès à l’information du Québec.
Also report it to the individuals whose personal information is affected by the incident.
7. Ransomware — Specific Response
If it has been confirmed that a ransomware security incident has occurred, the following steps must be taken:
Immediately disconnect the devices affected by ransomware from the network.
Do NOT DELETE ANYTHING from your devices, including computers, servers, etc.
Examine the ransomware and determine how it infected the device. This will help you understand how to remove it.
Contact local authorities to report the incident and cooperate with the investigation.
Once the ransomware has been removed, a full system scan must be performed using the most recent antivirus, anti-malware and any other available security software to confirm that it has been removed from the device.
If the ransomware cannot be removed from the device, which is often the case with stealth malware, the device must be reset using the original installation media or images.
Before resetting from backup media or images, verify that they are not infected with malware.
If the data is critical and must be restored, but cannot be recovered from unaffected backups, search for available decryption tools on nomoreransom.org.
The policy is not to pay the ransom, subject to the issues involved. It is also strongly recommended to use the services of a breach coach, an expert project manager specializing in cyberattacks.
Protect systems to prevent reinfection by implementing patches or updates to prevent any further attack.
8. Account Hacking — Specific Response
If it has been confirmed that an account has been hacked, the following steps must be taken:
Notify our clients and suppliers that they may receive fraudulent emails from us, and specify that they should not reply to or click on links in these emails.
Check whether we still have access to the online account.
If not, contact the platform’s support team to try to recover access.
Change the password used to log in to the platform.
If the password is reused elsewhere, change all those passwords as well.
Enable two-factor authentication for the platform.
Remove illegitimate logins and devices from the login history.
9. Loss or Theft of a Device — Specific Response
If it has been confirmed that equipment has been lost, the following steps must be taken:
The theft or loss of property, such as a computer, laptop or mobile device, must be reported immediately to the local police authorities. This includes losses or thefts outside normal business hours and during weekends.
If the lost or stolen device contained sensitive data and was not encrypted, perform a sensitivity analysis of the type and volume of stolen data, including any potentially affected payment card numbers.
Where possible, lock or disable lost or stolen mobile devices, such as smartphones, tablets, laptops, etc., and perform a remote data wipe.
Last updated: February 1, 2026
Legislation
We are committed to complying with the legislative provisions set out in:
Québec
Law 25
Amendments
This privacy policy may be amended from time to time in order to maintain compliance with the law and to reflect any changes to our data collection process. We recommend that our users review our policy from time to time to ensure that they are informed of any updates. If necessary, we may notify users by email of any changes made to this policy.
Updated: February 2026
