Privacy Policy

1. Who We Are

9467-8711 Québec inc., operating as Factero (hereinafter "we," "us," or "our"), provides exclusively B2B services, including IT consulting and management, cybersecurity assessments, IT governance, and support.

This designation was made in writing pursuant to section 3.1 of the Act respecting the protection of personal information in the private sector (RLRQ c P-39.1).

Under this Act, information related to the exercise of a function within an enterprise (e.g., name, title, work email, work phone number) is not considered personal information for the purposes of sections II and III of the Act. We nonetheless treat such information with care and confidentiality.

2. Applicable Laws

This Privacy Policy is designed to comply with:

• The Act respecting the protection of personal information in the private sector (RLRQ c P-39.1), as modernized by the Act to modernize legislative provisions as regards the protection of personal information (2021, c. 25, commonly known as "Law 25"), including all three implementation phases (September 2022, September 2023, September 2024);
• The Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5;
• Canada's Anti-Spam Legislation (CASL), S.C. 2010, c. 23;
• Articles 35 to 41 of the Civil Code of Québec (right to privacy).

3. Definitions

• Personal Information: Any information about a natural person that allows that person to be identified, directly or indirectly.
• Confidentiality Incident: As defined in section 3.6 of the Act — (1) unauthorized access to personal information; (2) unauthorized use of personal information; (3) unauthorized communication of personal information; or (4) loss of personal information or any other breach of its protection.
• Commercial Electronic Message (CEM): As defined under CASL — any electronic message, including SMS/text messages and emails, that encourages participation in a commercial activity.
• EFVP (Privacy Impact Assessment): An evaluation of factors relating to privacy (évaluation des facteurs relatifs à la vie privée), conducted before certain projects or cross-border transfers, as required by the Act.

4. Information We Collect

Depending on the context of your interaction with us, we may collect the following categories of personal information:

Information We Do Not Collect

Based on our current B2B activities, we do not intentionally collect personal information that is sensitive within the meaning of section 12 of the Act, including medical, biometric, or otherwise intimate information. Our services are intended for persons aged 18 and over. We do not knowingly collect personal information from minors under 14 years of age. If we become aware that we have collected personal information from a minor under 14 without the consent of a person exercising parental authority, we will promptly delete that information in accordance with section 4.1 of the Act. Should the nature of our services or the context of collection change such that sensitive personal information may be collected, we will obtain express consent and update this Policy accordingly.

5. How We Collect Information

We collect personal information through:

• Email — in the course of exchanges with us;
• Web forms on factero.ca — contact forms and appointment booking forms;
• Online booking system (Calendly, Inc.) — when you schedule an appointment;
• Payment processing (Stripe, Inc.) — when you make a payment;
• SMS/Text messaging (RingCentral, Inc.) — when you opt in to receive text messages or when you initiate a text conversation with us;
• Cookies and similar technologies — analytics and, where you consent, marketing-related tracking technologies. No non-essential cookies or tracking technologies are deployed before you have given your active, informed consent through our consent management banner;
• Secure cloud tools (Microsoft Corporation) — for internal communications and document management.

6. Purposes of Collection and Use

We use the information we collect strictly for the following purposes:

1. Service delivery. Respond to your requests, schedule and confirm appointments, send reminders, process payments, and execute and administer B2B mandates (IT consulting, cybersecurity, governance).
2. Communication. Communicate with you by email, telephone, or SMS regarding your services or inquiries.
3. Legal and regulatory compliance. Comply with applicable tax, accounting, anti-spam, and privacy laws, including incident reporting and record-keeping obligations.
4. Website improvement. Secure and improve our website through aggregated, anonymized statistics, subject to your cookie consent preferences.
5. Promotional communications (express consent only). Send updates and promotional information about our services, only where you have provided express consent in compliance with CASL.

We do not sell, rent, lease, trade, or otherwise disclose your personal information for marketing or promotional purposes.

We do not currently use automated decision-making technology that produces decisions with legal effects or decisions that significantly affect individuals. Should we implement such technology in the future, we will inform you in advance and provide an opportunity to request a review of any such decision by a competent person, in accordance with section 12.1 of the Act.

7. SMS/Text Messaging

7.1 — Program Description

If you provide your mobile telephone number and consent to receive text messages from Factero, you may receive the following types of SMS communications:

• Appointment confirmations;
• Appointment reminders (typically 24 hours and 1 hour before your scheduled appointment);
• Appointment cancellation or rescheduling notifications;
• Responses to text messages you initiate with us (two-way conversational messaging).

We do not send promotional or marketing messages by SMS unless you have provided separate express consent for such communications.

7.2 — Message Frequency

Message frequency varies. You may receive up to approximately six (6) text messages per appointment (confirmation, reminders, and follow-ups). If you communicate with us by text, additional messages may be exchanged as part of that conversation.

7.3 — Message and Data Rates

Standard message and data rates may apply, depending on your mobile carrier and plan. Factero is not responsible for any messaging or data charges imposed by your carrier.

7.4 — Opt-Out

You may opt out of receiving text messages from Factero at any time by replying STOP (English) or ARRÊT (French) to any message you receive from us. Upon receipt of your opt-out request, we will send you a single confirmation message and will not send you any further text messages unless you opt in again at a later date.

7.5 — Help

For assistance with our text messaging service, reply HELP or AIDE to any message, or contact us at confidentialite@factero.ca or 514-556-7795.

7.6 — SMS Data Sharing Policy

We do not share, sell, or provide your mobile telephone number, SMS opt-in data, or SMS consent information to any third parties or affiliates for marketing or promotional purposes.

All categories of information described in this Privacy Policy exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

Your mobile number is disclosed to our telecommunications service provider (RingCentral, Inc.) strictly for the technical purpose of delivering text messages on our behalf. This provider is contractually bound to use your information solely for message delivery and is prohibited from using it for any other purpose.

7.7 — SMS Consent

By providing your telephone number on our booking form or any other form on our website and checking the SMS consent checkbox, you authorize Factero to send you text messages related to your appointments and services as described above. This consent is optional — you may use our services without opting in to SMS communications. Your consent is recorded with a timestamp and the method of collection, in accordance with our record-keeping obligations.

Where appointments are booked through our booking platform (Calendly, Inc.), the SMS consent question is presented directly within the booking form as a custom field with an explicit opt-in/opt-out choice, in accordance with the disclosure requirements set out in Appendix A. This custom field serves as the consent mechanism and is distinct from the information required to complete the booking.

8. Third-Party Service Providers and Cross-Border Transfers

8.1 — Service Providers

We use the following third-party service providers to operate our business. These providers process personal information on our behalf, under written contractual agreements requiring them to protect your information in accordance with applicable privacy laws:

8.2 — Cross-Border Transfers

Your personal information may be communicated outside Quebec, including to the United States, for processing by the service providers listed above.

Before any such communication, we have conducted a Privacy Impact Assessment (EFVP) for each provider, as required by section 17 of the Act, taking into account:

1. The sensitivity of the personal information communicated;
2. The purposes for which the information will be used;
3. The protective measures in place, including contractual clauses requiring the provider to protect the information in accordance with principles substantially equivalent to those under Quebec law;
4. The legal regime applicable in the receiving jurisdiction, including any legislation that may compel disclosure to government authorities.

These assessments concluded that the personal information will benefit from adequate protection. These EFVPs were first conducted prior to the commencement of data transfers to each provider and are reviewed at least annually, or upon any material change in the provider's services, data location, applicable legal regime, or contractual terms. The EFVP documentation, including the date of each assessment and review, is maintained on file and is available for inspection by the Commission d'accès à l'information du Québec (CAI) upon request.

8.3 — Contractual Safeguards

All third-party service providers are bound by written agreements that require them to:

• Use personal information solely for the purposes specified by Factero;
• Implement technical and organizational security measures at least equivalent to those required by Quebec law;
• Notify Factero promptly of any confidentiality incident involving the personal information entrusted to them;
• Return or securely destroy the personal information upon termination of the contractual relationship;
• Refrain from communicating the personal information to any other third party without Factero's prior written authorization.

9. Cookies and Tracking Technologies

Our website uses cookies and similar technologies. We categorize them as follows:

You may withdraw your consent to non-essential cookies at any time by accessing our consent management settings or by configuring your browser to block or delete cookies. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

10. Data Retention and Destruction

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. The following retention periods apply:

Destruction. Once the applicable retention period has expired, personal information is securely destroyed — electronic files are permanently deleted using secure overwrite or cryptographic erasure methods; paper records, if any, are cross-cut shredded. We will initiate the destruction process within thirty (30) days of the expiry of the applicable retention period. Where the destruction of personal information held by a third-party service provider depends on that provider's technical capabilities and contractual deletion timelines, we will submit the deletion request within the 30-day period and take reasonable measures to confirm that the destruction has been completed. In all cases, the information will be rendered inaccessible as promptly as reasonably practicable.

Anonymization. As an alternative to destruction, personal information may be anonymized in accordance with generally accepted best practices and the criteria established by regulation, so that it can no longer, directly or indirectly, allow the identification of the person concerned. Anonymized information may be used for statistical or analytical purposes (section 23 of the Act). In the absence of an applicable government regulation prescribing the specific criteria and modalities for anonymization, we will opt for destruction.

11. Security Measures

We protect personal information using reasonable technical and organizational measures proportionate to the sensitivity of the information, including:

• Encryption in transit (TLS 1.2+) and at rest where technically feasible;
• Multi-factor authentication (MFA) for all administrative access, enforced via Microsoft Entra ID;
• Role-based access controls limiting access to personal information to authorized personnel on a need-to-know basis;
• Secure password storage using cryptographic hashing (original passwords cannot be recovered);
• Periodic security assessments, vulnerability scanning, and reviews;
• Written confidentiality undertakings signed by all personnel with access to personal information.

No method of electronic transmission or storage is perfectly secure. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately at confidentialite@factero.ca.

Categories of Personnel with Access. Within our organization, access to personal information is limited to the following categories of personnel: (a) the Person Responsible for the Protection of Personal Information (Sébastien Robert); (b) any employee, contractor, or collaborator expressly authorized in writing and bound by a written confidentiality undertaking. No other person has access to your personal information. Upon request, we will inform you of the specific categories of persons who have had access to your personal information, in accordance with section 8 of the Act.

12. Confidentiality Incidents

In the event of a confidentiality incident, we undertake to:

1. Take immediate measures to reduce the risk of harm to the persons concerned and to prevent similar incidents from recurring;
2. Assess whether the incident presents a risk of serious prejudice to the persons concerned, considering the sensitivity of the information, the anticipated consequences of its use, and the likelihood that it will be used for harmful purposes;
3. Notify the CAI and all affected persons if the incident presents a risk of serious prejudice, as soon as practicable after becoming aware of the incident, in accordance with sections 3.5 to 3.8 of the Act;
4. Record the incident in our confidentiality incident register, which documents all incidents, regardless of whether they present a risk of serious prejudice.

Our confidentiality incident register is maintained for a minimum period of five (5) years in accordance with the Règlement sur les incidents de confidentialité (RLRQ c P-39.1, r. 1), and a copy is provided to the CAI upon request.

Register of Communications Without Consent. In the event that personal information is communicated without the consent of the person concerned, under an exception permitted by law (e.g., communication required to prevent an act of violence or for the purposes of detecting or preventing fraud), such communication is recorded in a dedicated register maintained in accordance with section 18.2 of the Act.

13. Communications and CASL Compliance

We may communicate with you by email, telephone, or SMS in the following contexts:

Transactional and service-related messages. Appointment confirmations, invoices, service notifications, and account-related communications are sent on the basis of an existing business relationship or a contractual obligation. These messages do not contain promotional content and do not require separate consent under CASL.

Promotional messages. Updates about new services, newsletters, or invitations to events are only sent with your express, prior consent in compliance with CASL. Each promotional message:

• Clearly identifies Factero as the sender;
• Includes our contact information (name, mailing address, and one of: telephone number, email address, or web address);
• Provides a clear, prominently displayed, and easily accessible unsubscribe mechanism.

Unsubscribe. From promotional emails: use the "unsubscribe" link included in every message. From promotional SMS: reply STOP or ARRÊT to any message. We will process your unsubscribe request within ten (10) business days, as required by CASL (s. 11(3)).

14. Your Rights

Under the Act respecting the protection of personal information in the private sector, PIPEDA, and other applicable legislation, you have the following rights:

Response Timeline. We will acknowledge receipt of your request within ten (10) business days and provide a substantive response within thirty (30) days of receipt. If an extension is required, we will notify you in writing, with reasons, before the initial thirty-day period expires (s. 32 of the Act). Access to personal information is provided free of charge; reasonable fees may be charged for the reproduction or transmission of information, of which you will be informed in advance.

How to Exercise Your Rights. Please direct any request to our Person Responsible for the Protection of Personal Information at confidentialite@factero.ca. We may require reasonable verification of your identity before processing your request.

15. Privacy Impact Assessments

In accordance with section 3.3 of the Act, we conduct a Privacy Impact Assessment (EFVP) before undertaking:

• Any project involving the acquisition, development, or redesign of an information system or electronic service delivery system that involves the collection, use, communication, retention, or destruction of personal information;
• Any communication of personal information outside Quebec (see Section 8.2).

Each EFVP is proportionate to the sensitivity of the information concerned, the purposes of its use, the volume of information involved, and the manner in which it is distributed and stored. Assessment records are maintained on file and are available to the CAI upon request.

16. Business Transfer

In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, personal information may be among the assets evaluated in the context of such transaction and may be transferred to the acquiring party. In such circumstances:

• A Privacy Impact Assessment will be conducted before any transfer of personal information;
• Affected individuals will be notified in accordance with applicable law;
• The acquiring party will be required, by contract, to handle personal information in accordance with this Privacy Policy and all applicable privacy legislation;
• Where the acquiring party intends to use personal information for purposes not described in this Policy, new consent will be obtained before such use.

17. Third-Party Links

Our website may contain hyperlinks to third-party websites or services not operated by us. We exercise no control over, and assume no responsibility for, the content, privacy policies, or practices of third-party websites. We recommend that you review the applicable privacy policy of each external website before providing any personal information.

18. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, in applicable law, or in the guidance issued by the CAI. When we do:

• We will update the "Last Updated" date and the version number at the top of this page;
• For material changes affecting the manner in which we collect, use, or disclose personal information, we will publish a prominent notice on our website and, where appropriate, notify affected persons directly (e.g., by email);
• A timestamped PDF copy of each previous version is archived and remains accessible upon request by contacting confidentialite@factero.ca;
• Material changes to the purposes of collection or to the categories of recipients of personal information will require renewed consent where applicable. Non-material amendments (e.g., clarifications, formatting changes) take effect upon publication.

Version History

19. Governing Law and Jurisdiction

This Privacy Policy is governed by and shall be construed in accordance with the laws of the Province of Quebec and the applicable federal laws of Canada. Any dispute arising under or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of the judicial District of Iberville, Province of Quebec.

20. Contact

For any questions about this Privacy Policy, to exercise your rights regarding your personal information, or for any privacy-related concern, please contact:

This Privacy Policy (Version 3.1) is published in accordance with the obligations set out in sections 3.2 and 8.2 of the Act respecting the protection of personal information in the private sector (RLRQ c P-39.1). A French version of this Policy is available at factero.ca/fr/confidentialite. This document does not constitute legal advice. For specific legal questions regarding your rights, please consult qualified legal counsel or contact the Commission d'accès à l'information du Québec.

Appendix A — SMS Consent Disclosure for Web Forms

The following disclosure must appear on any page of factero.ca where a telephone number is collected (contact forms, booking forms), as well as within the booking form of our appointment scheduling platform (Calendly) as a custom field. The checkbox must be unchecked by default, optional, and visually separate from any other consent request or required booking information.

Appendix B — Compliance Cross-Reference