Privacy Policy

How Conformaze collects, uses and protects your personal information in accordance with Quebec’s Law 25 (Act respecting the protection of personal information in the private sector) and the GDPR.

Version 2.0.0, effective since April 28, 2026

This privacy policy describes how Conformaze (“Conformaze”, “we”, “our”) collects, uses, shares and protects the personal information you entrust to us when you visit our public website or use the platform.

Conformaze is designed to help Quebec and Canadian organizations document their compliance with the Quebec Act respecting the protection of personal information in the private sector (CQLR, c. P-39.1, “Law 25”) and, where applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”). We hold ourselves to the same standards we help our clients meet.

1. Identity of the controller

The controller of your personal information is:

  • Conformaze, operating the Conformaze platform, with its head office in Montreal, Quebec, Canada.
  • Privacy Officer (DPO) contact: dpo@conformaze.com.

Our Privacy Officer also acts as data protection officer (DPO) under article 37 GDPR for our European users. They are your point of contact for any question or rights request.

2. Personal information we collect

We collect only the information necessary for our purposes:

2.1 Information you provide directly

  • User account: first name, last name, email, hashed password, preferred language, organization, role, optional phone number.
  • Company profile: legal name, NEQ, industry, size, address, primary contact details.
  • Content created in the platform: processing registers, EFVPs, documents, DSAR requests, incidents, contracts, information assets and related communications.
  • Communications: messages sent through the contact form, support or transactional emails.

2.2 Information collected automatically

  • Access and audit logs: IP address, session ID, browser type, timestamp, actions performed in the platform. These logs are retained for security and audit (evidence) purposes.
  • Cookies: see our cookie policy.
  • Application telemetry: pseudonymized technical metrics (latency, errors) collected through Application Insights to ensure service availability and performance.

2.3 Information obtained from third parties

  • Federated authentication: when you sign in via Google or Microsoft, we receive your email and name based on your consent with these providers.
  • Payments: Stripe shares transaction metadata with us (status, ID) without disclosing your full card number.

3. Purposes and legal bases

In line with article 8 of Law 25 and article 6 GDPR, every processing activity has an explicit purpose and a defined legal basis.

  Purpose                                  | Legal basis                             | Retention
  -----------------------------------------|-----------------------------------------|------------------------------------------
  Account creation and management          | Performance of contract (T&Cs)          | Account lifetime + 13 months
  Delivery of platform features            | Performance of contract                 | Account lifetime
  Payment processing and invoicing         | Legal obligation (tax)                  | 7 years (tax law)
  Security, fraud detection, audit logging | Legitimate interest + legal obligation  | 3 years (security) / 13 months (access)
  DSAR handling                            | Legal obligation                        | 3 years after closure
  Transactional communications             | Performance of contract                 | Account lifetime + 30 days
  Marketing communications                 | Consent (revocable)                     | Until consent withdrawal

4. Disclosure of information

We never sell your personal information. We share it only:

  • with our subprocessors (hosting, payment, email, AI), all bound by a written agreement compliant with article 18.3 of Law 25 / article 28 GDPR. The full list is available on our Subprocessors page;
  • with your organization (tenant administrators) when you act on its behalf in the platform;
  • with a public authority when required by law or court order (CAI, courts, tax authorities).

5. Transfers outside Quebec / Canada

Most of your information is hosted in Canada (Azure Canada Central and Canada East regions). Some subprocessors may process information outside Quebec or Canada (notably Stripe and Mailgun in the United States). Pursuant to article 17 of Law 25, these transfers are subject to a documented privacy impact assessment and are governed by contractual clauses ensuring an adequate level of protection. The list of these transfers is available on our Subprocessors page.

6. Retention and destruction

We retain your personal information only as long as necessary for the purposes described above. At the end of the retention period, the information is:

  • securely destroyed; or
  • anonymized following industry best practices so that it can no longer identify a natural person (article 23 of Law 25).

7. Security measures

We implement reasonable organizational and technical safeguards, proportional to the sensitivity of the data, including:

  • encryption in transit (TLS 1.2+) and at rest (AES-256);
  • multi-factor authentication (TOTP, email) for accounts;
  • role-based access control (RBAC) and multi-tenant isolation;
  • immutable audit logging signed by hash chain;
  • periodic restore tests (PITR) and continuity plan;
  • continuous security and dependency reviews.

8. Your rights

Under Law 25 and the GDPR, you have the following rights:

  • Access to personal information we hold about you;
  • Rectification of inaccurate or incomplete information;
  • Erasure (“right to be forgotten”) under applicable conditions;
  • Portability of your information in a structured format;
  • De-indexation and ceasing of dissemination (art. 28.1 of Law 25);
  • Withdrawal of consent at any time, without affecting the lawfulness of prior processing;
  • Information about automated decision-making producing legal effects (art. 12.1 of Law 25).

To exercise your rights, write to dpo@conformaze.com. We will respond within 30 days as required by Law 25.

If you are not satisfied with our response, you may file a complaint with the Commission d’accès à l’information du Québec (CAI) or, for European users, the supervisory authority of your country of residence.

9. Confidentiality incident notification

In the event of a confidentiality incident presenting a risk of serious harm, Conformaze notifies the CAI and the affected individuals as soon as possible, in accordance with article 3.5 of Law 25. Client organizations have a dedicated module in the platform to manage their own notification obligations.

10. Changes to this policy

Any substantial change is announced through an in-app notice and an email to account holders. The applicable version is always the latest one published on this page, identified by its version number and effective date (top of page). Version history is available on request from the Privacy Officer.

11. Contact us

For any question, access request or complaint about the processing of your personal information: