Legal · Juridique
Politique de confidentialité
PrivQC Inc. ("PrivQC", "we", "us") operates a privacy-compliance platform that enables Quebec businesses (our "Merchants") to manage data subject access and portability requests under An Act to modernize legislative provisions as regards the protection of personal information, commonly known as Law 25 (Loi 25). This policy explains what personal information we collect, why we collect it, how we protect it, and the rights you may exercise.
The person responsible for the protection of personal information (responsable de la protection des renseignements personnels) at PrivQC is:
Any request, complaint, or question regarding the handling of your personal information may be directed to the above contact.
This policy applies to personal information collected by PrivQC in connection with:
When PrivQC processes personal information on behalf of a Merchant (acting as a service provider / sous-traitant), that Merchant's own privacy policy governs the underlying data. PrivQC processes such information solely on the Merchant's documented instructions.
Merchant Account Data
When a business registers with PrivQC, we collect: business name, business email address, website URL, and billing information (processed by our payment provider; we do not store full card details). We associate an account identifier with the Clerk authentication service.
Data Subject Request Data
When an individual submits a data access or portability request through a Merchant's PrivQC widget, we collect: the requester's email address, request type (access or portability), a description of the request (optional), identity verification status (via Stripe Identity — see §7), and timestamps. This information is collected solely to facilitate the Merchant's legal obligation to respond within 30 days.
Usage and Technical Data
We collect standard server logs (IP address, browser type, pages visited, timestamps) for security monitoring and platform reliability. These logs are retained for a maximum of 90 days.
Communications
If you contact us by email, we retain the content of that communication and your contact details to respond and for our records.
We collect and use personal information only for the following specific, explicit, and legitimate purposes:
Providing the platform: Creating and managing Merchant accounts; routing data subject requests to the correct Merchant dashboard.
Identity verification: Confirming a data subject's identity before a Merchant processes a sensitive privacy request, using Stripe Identity.
Transactional email: Sending magic-link authentication emails and request confirmation emails to data subjects; sending new-request alert emails to Merchants who have enabled notifications.
Legal compliance: Maintaining records necessary for PrivQC to demonstrate compliance with Law 25 and respond to regulatory inquiries.
Security and fraud prevention: Detecting and preventing unauthorized access, abuse of the platform, or fraudulent requests.
Platform improvement: Analysing aggregate, de-identified usage patterns to improve reliability and features. No individual profiling is performed for this purpose.
We do not sell personal information, use it for targeted advertising, or share it with third parties for their own marketing purposes.
Collection is based on the freely given, informed, and unambiguous consent of the individual, except where another legal basis applies (e.g., legal obligation, legitimate interest proportionate to the privacy impact). Consent may be withdrawn at any time by contacting us at privacy@privqc.ca; withdrawal does not affect the lawfulness of processing prior to withdrawal.
Data subjects who submit a request through the widget consent to PrivQC processing their email address and request details solely for the purpose of facilitating the Merchant's Law 25 response obligation.
| Category | Retention | Destruction |
|---|---|---|
| Merchant account data | Duration of the business relationship + 3 years | Secure deletion within 30 days of account closure |
| Data subject request records | 3 years from request submission (audit trail) | Secure deletion at end of retention period |
| Identity verification data (Stripe) | Retained by Stripe per their policy; PrivQC stores verification status only | Deleted with the associated request record |
| Server logs | 90 days | Automated deletion |
| Transactional emails | Not stored by PrivQC beyond delivery confirmation | N/A |
Destruction is carried out in a manner that makes recovery of the information impossible, using secure deletion for database records and S3 object lifecycle policies for files.
Several of our service providers are located outside Quebec and Canada (see §7). Before communicating personal information outside Quebec, PrivQC carries out a privacy impact assessment (évaluation des facteurs relatifs à la vie privée — EFVP) as required by Law 25, s. 17. We ensure that the recipient provides a level of protection equivalent to that required by Quebec law through contractual clauses and/or adequacy findings.
A summary of completed privacy impact assessments is available upon request to privacy@privqc.ca.
We implement technical and organizational measures proportionate to the sensitivity of the information and the risks identified, including:
In the event of a confidentiality incident (incident de confidentialité) that presents a risk of serious injury to an individual, PrivQC will:
To report a suspected incident, contact privacy@privqc.ca immediately.
Subject to applicable exceptions, individuals whose personal information we hold have the following rights:
Right of Access
You may request a copy of the personal information we hold about you, along with information about how it has been used and communicated.
Right of Rectification
You may request that we correct inaccurate, incomplete, or ambiguous information, or that we add comments or clarifications where rectification is refused.
Right to Portability
You have the right to receive a copy of personal information you have provided to us in a structured, commonly used, technological format (CSV), and to have it transmitted to any person or body you designate, where technically feasible. This right applies to computerized personal information collected with your consent or under a contract.
Right to De-indexation / Deletion
You may request that we cease disseminating your personal information or de-index any hyperlink attached to your name where its dissemination causes you injury or violates the law. You may also request deletion where the information is no longer necessary for the purposes for which it was collected, consent has been withdrawn, and no other legal basis justifies retention.
Right to Withdraw Consent
Where processing is based on consent, you may withdraw at any time. Withdrawal does not affect prior processing.
Automated Decision-Making
PrivQC does not currently use your personal information to make decisions solely by automated means that produce legal or similarly significant effects on you. Should this change, we will update this policy and provide the disclosures required by Law 25.
If your personal information has been processed through a Merchant's PrivQC widget, the fastest way to submit a formal data access or portability request is directly through that widget on the Merchant's website. The widget:
For requests relating to information held by PrivQC itself (your Merchant account, or PrivQC's own processing), or if no widget is available, send a written request to:
We will acknowledge your request within 5 business days and respond within 30 days of receipt. We may request proof of identity before proceeding. If we are unable to respond within 30 days, we will notify you of the delay and the reasons for it, as permitted by law.
The PrivQC platform is not directed at individuals under the age of 14. We do not knowingly collect personal information from children under 14 without verifiable parental consent. If you believe we have inadvertently collected such information, please contact us immediately at privacy@privqc.ca.
We may update this policy to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the effective date at the top of this page and, where appropriate, notify Merchants by email at least 30 days before the changes take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
You may always find the current version at privqc.ca/privacy.
If you believe your privacy rights have been violated, you may file a complaint with PrivQC's Privacy Officer at privacy@privqc.ca. We will investigate and respond within 30 days.
You also have the right to file a complaint with the Commission d'accès à l'information du Québec (CAI):
This policy was last reviewed and updated on April 17, 2026 and is effective as of that date. It supersedes all previous versions. The English version governs in the event of any conflict with the French translation.