POLICY ON CONFIDENTIALITY AND PROTECTION OF PERSONAL
DATA CONCERNING CUSTOMERS AND USERS
Approved by the data protection officer
1. General purpose
This policy aims to inform you about the practices of Dile Solutions Inc. (hereinafter
« Dipôle ») and our subsidiaries and affiliated companies (including, but not limited to,
« Cognito Coach
mc
» (including « Cognito
mc
» et « Cognito-app
mc
» regarding the
governance and privacy of personal data (hereinafter « data ») of its clients. It applies
to all Users and all our services, including our websites (collectively, the « Websites
»), our web applications Web Applications »), our mobile applications Mobile
Applications »), and all associated services (collectively, the « Services »).
It also aims to ensure the security and protection of the data collected, processed,
used, communicated, and retained by Dipôle against unauthorized access, use, or
disclosure. It also aims to protect this data against any infringement of its integrity.
Furthermore, this policy is intended to determine the rules related to the processing of
this data, including access, communication, use, retention, and destruction, as well as
the rights of access, portability, rectification, withdrawal, erasure, and objection, as
applicable.
2. Foundation
Dipôle is a private company subject to, among other things, the Act on the Protection
of Personal Information in the Private Sector (R.S.Q. P-39.1), the Act respecting the
legal framework for information technology (R.S.Q., c. C-1.1), the Civil Code of
Quebec (R.S.Q., 1991, c. 64), the Personal Information Protection and Electronic
Documents Act (S.C. 2000, c. 5), and the General Data Protection Regulation (GDPR)
of the European Union.
3. Applicable laws
Data processing practices may vary depending on the jurisdictions in which Dipôle
operates.
Considering that all of Dipôle's customers are businesses, this policy is more inspired
by the GDPR.
However, should a natural person residing in Quebec become a customer of Dile,
this policy will also apply in Quebec. This policy applies to all users of the website,
regardless of where they are located.
Dipôle recognizes the importance of privacy protection, security, and data protection.
Therefore, it is committed to respecting the provisions, values, and fundamental
principles established by all applicable legislation, including updates to it.
Dipôle ensures to implement the necessary physical, computer, and technological
security measures to guarantee compliance with the confidentiality of the data
communicated to it in the course of its activities.
4. Scope
This policy applies to all employees, agents, suppliers, and partners of Dipôle who
may have access, in the performance of their duties, to data.
This policy concerns the data of customers and users of Dipôle's website. The
customer and the user of Dipôle's website are hereinafter referred to as the
"customer".
5. Objectives This policy aims to define the type of data collected by Dipôle and how
Dipôle protects this data.
It also specifies the standards for the collection, use, communication, retention, and
destruction of this data, as well as the rights of access, portability, rectification,
withdrawal, erasure, and objection, where applicable, of the data by the company or
by a third party, regardless of the nature of their medium and regardless of the form in
which they are accessible: written, graphic, sound, visual, computerized, or other.
6. Definition of data Any factual or subjective information concerning an individual that
allows identification directly or indirectly and that is not publicly available under the
law.
Applicable in Quebec: However, data does not include the coordinates of
businesses, such as a name and a position, as well as business postal address, email
address, and workplace telephone number, if these coordinates are used to
communicate with an individual in the course of their professional duties.
7. General principles
Dipôle takes security measures to ensure the protection of data collected, processed,
used, communicated, retained, or destroyed, and which are reasonable in light of their
sensitivity, the purpose of their use, their quantity, their distribution, and their medium,
by ensuring the following:
o The integrity of the data, so that it is not destroyed or altered, in any way,
without authorization and in compliance with applicable laws, and that the
medium of this data provides the desired stability and durability;
o The confidentiality of the data, by limiting its communication to only those
persons authorized to access it;
o Identification and authentication, in order to confirm, when required, the identity
of a person or the identification of a document or device;
o Compliance with legal, regulatory, or business requirements to which Dipôle is
subject.
8. Data collection
Dipôle is a professional software development company. In the course of its activities,
Dipôle collects data about its customers directly from them or from third parties. Where
applicable, Dipôle informs its customers about the data collected from these third
parties. In all cases, it informs the customer of the purposes for which the data is
processed, the categories of persons who have access to the data within the
company, the duration of data retention, and the contact information of the data
processor. This information is provided within a reasonable time after data collection,
but no later than one (1) month, considering the particular circumstances in which the
data is processed. However, if this data is processed for the purpose of
communicating with the customer, this information is provided no later than at the first
communication with the said customer. Furthermore, if it is contemplated to
communicate this data to another recipient, this information is provided no later than at
the first communication of the data. Dipôle may collect the following data:
o Contact information, such as name and surname, postal address, email
address, IP address, telephone number;
o Billing information, such as a billing address, banking information, credit card
details, or payment system data;
o Data related to the use of Dipôle's services, including technical data on visits or
any other data collected through cookies;
o Any other data requested and provided in the context of the services offered.
The extent of the data collected depends on customers’ interactions with
Dipôle and their use of its services.
9. Sensitive data
Dipôle does not knowingly collect sensitive personal data, such as health information,
ethnic origin, or biometric data.
10. Consent to collect data
Data collection by Dipôle is carried out transparently and with the prior, free, and
informed consent of the customer, which is obtained through one or more detailed
consent forms expressed in simple and clear terms or through a pop-up window upon
arrival on the site.
In compliance with applicable laws, when Dipôle collects data, it requires the
customer's consent by communicating in advance the purposes for which this data is
collected and will be used.
Dipôle will seek to obtain new distinct consent before using the data held for purposes
that are not compatible with those for which they were initially collected and will inform
the customer of the importance and the anticipated consequences of this processing
for them.
11. Mode of collection Data collection may be performed directly by Dipôle or by a third
party, including in person, by email, through forms, telephone interviews,
questionnaires, social media, text messages, electronically via the website, or through
a Dipôle application.
Dipôle collects data from the customer with their prior consent and immediately
provides in simple and clear terms, including the following information during collection
and subsequently upon request:
The name of Dipôle;
The purposes for which this data is collected;
The means by which the data is collected;
The rights to access, portability, rectification, withdrawal, erasure, and objection, as
applicable, provided by applicable laws;
The name of the third party for whom the collection is carried out, if applicable;
The name of the third parties to whom it will be necessary to communicate the data;
The possibility that the data may be communicated outside Quebec or outside the
European Union, as applicable.
Upon request, Dipôle will inform the customer of the data collected from them, the
categories of persons who have access to this data within the company, the duration
of the data retention, as well as the contact information of the data protection officer.
12. Use
Dipôle collects, uses, and retains client data notably to:
To verify their identity;
To communicate with them;
To personalize its services;
To provide a quote;
To send notifications and newsletters;
To ensure customer service;
To improve the services offered;
To provide services in a personalized way;
To provide assistance and resolve technical issues;
To generate invoices, account statements, and reports;
To manage various customer accounts;
To generate reports containing statistical data;
To share data with third parties for retention;
To enhance, personalize, and develop its website;
To ensure customer service on its website;
To provide updates and other information regarding its website;
To conduct marketing and promotion;
To perform profiling;
As permitted or required, for any applicable legal or regulatory obligation or provision;
Any other compatible purpose;
To assert its rights, if applicable.
Dipôle uses the data collected solely for the purposes for which consent has been
obtained. Thus, unless specific consent is provided, Dipôle does not communicate,
sell, rent, give, exchange, share, or disclose any data to third parties.
This data is accessible only to employees and to suppliers or agents of Dipôle who
necessarily need it to perform their duties, and they are required to respect the
confidentiality of this data.
13. Data retention and security
All collected data, regardless of their medium, are retained in a secure environment
against unauthorized access, communication, copying, use, modification, or
destruction, as well as against loss or theft.
These security measures include, where applicable, the use of firewalls and secure
servers, encryption, deployment of appropriate access rights management systems
and processes, careful selection of processors, adequate training of Dipôle personnel
who have access to data in the course of their duties, and other necessary measures
to ensure appropriate protection of data against any unauthorized use or
dissemination.
Dipôle uses information technologies to support its business processes in order to
offer better service delivery and appropriate data security. Dipôle implements
adequate security and access management measures to ensure the confidentiality,
integrity, and availability of the data it holds, based on the sensitivity of these data, the
risks they are exposed to, and the obligations Dipôle is subject to.
14. Communication of data to third parties
Dipôle requires the customer's consent before communicating their data to a third
party, unless applicable laws authorize communication without such consent.
Dipôle may, in the course of the services offered, communicate, in compliance with
applicable legal requirements, data to third parties located in Quebec, outside Quebec,
and outside the European Union, as applicable. These suppliers include governmental
authorities, financial institutions, and IT service providers. In this case, external service
providers of Dipôle are subject to confidentiality agreements and legal restrictions
prohibiting the use of the communicated data for purposes other than those for which
Dipôle collected them. Dipôle may also agree to service agreements with its external
suppliers, in compliance with the law, to facilitate the communication of data between
them and other stakeholders.
When data is communicated to third parties outside Quebec or outside the European
Union, Dipôle conducts a privacy factor assessment. In doing so, Dipôle considers the
sensitivity of the data, as well as the nature, scope, context, and purposes of the
intended processing. The communication of this data can take place outside the
European Union when appropriate safeguards are provided for the intended purpose,
such as standard contractual clauses for data protection approved by the European
Commission following advice from the European Data Protection Board unless it has
been determined by these entities that the country offers an adequate level of
protection. The transfer of this data may occur outside Quebec when appropriate
safeguards are provided by contract for the intended purpose.
Dipôle and its suppliers may be required to provide retained data due to a court order,
an administrative investigation, or other situations stipulated by law. In the event of a
sale, buyout, acquisition, or any other restructuring of
Dipôle's activities, it may be required to communicate data to potential or existing
buyers and their advisors for the purpose of the said transaction.
Dipôle will ensure compliance with the requirements of applicable laws before any
communication.
15. Customer rights
The rights identified below can be exercised by contacting the data protection officer
identified in paragraph 26 of this policy.
a) Right of Access and Right to Portability The customer has the right to access
their data held by Dipôle, unless exceptions provided by applicable laws apply.
Applicable in Quebec: Unless there are serious practical difficulties, the
computerized data collected directly or indirectly from the customer will be provided in
a structured, commonly used technological format.
Applicable only under the GDPR: The customer may request that their data be
returned to them or transferred to another company under certain circumstances and
subject to the requirements of applicable laws. This data must be provided in a
commonly used and machine-readable format.
b) Right to Rectification The customer may request that their data be corrected,
rectified, or updated.
c) Right to Withdraw and Right to Erasure (Right to be Forgotten)
The customer may request that their data be destroyed or that they no longer be used
for the purposes for which they were collected.
The customer may also withdraw their consent to use their data at any time. This
withdrawal of consent will only take effect for the future, upon receipt by Dipôle. Upon
receipt of the notice of withdrawal of consent, Dipôle commits to cease any use of the
data in question and to proceed with their destruction, subject to any legal or
regulatory obligations regarding their retention.
However, it may be possible that Dipôle cannot meet its obligations in the event of a
request for withdrawal of consent or early destruction. In this case, Dipôle cannot be
held liable for any damages that the customer may suffer.
Dipôle will also notify any individual or entity to whom this data may have been
communicated in accordance with the consent obtained to cease their use as well as
their destruction, if applicable.
d) Right to Object Applicable only under the GDPR: The customer may object to the
processing of their data for a specific use.
16. Destruction
Data is retained for the period necessary to achieve the purposes for which it was
collected and is then destroyed. Data may be retained beyond the achievement of the
purposes for which it was collected when another retention period provided by another
law applies. They will be destroyed in accordance with applicable laws or, if
applicable, processed in a way that it can no longer be attributed to the customer, for
example through anonymization.
17. Customer responsibility
The customer who transmits data to Dipôle is responsible for its accuracy.
Any customer who transmits data to Dipôle must also ensure that the system or
equipment with which they transmit or receive information from Dipôle is sufficiently
secure and must act with vigilance. Dipôle cannot be held responsible for
unauthorized access to data resulting from negligence or vulnerabilities present on the
client’s equipment or system.
In the event that the confidentiality of their data is compromised or their identity is
usurped, the customer is required to notify Dipôle as soon as possible by contacting
the designated data protection officer identified below.
18. Data breach and measures to be taken
A data breach refers to unauthorized access to data, unauthorized use of data,
unauthorized communication of data, data loss, or any other violation of data
protection. In the event of a data breach, Dipôle will take prompt measures to mitigate
the risks of harm to the customer and to prevent further breaches of the same nature
from occurring.
Applicable in Quebec: In case of serious harm risk, Dipôle will inform the customer
and the Commission d'acs à l'information.
Applicable under the GDPR: Should the breach pose a risk to the rights and
freedoms of the customer, Dipôle will notify the data protection authority as soon as
possible, and if feasible, 72 hours at the latest after becoming aware of it.
Furthermore, should the breach present a high risk to the rights and freedoms of the
customer, Dipôle will inform them, in addition to the data protection authority.
19. Obligations in the event of access to third-party data
Any person who has accessed data not concerning them, for any reason, is required
to maintain its confidentiality. They are strictly prohibited from disclosing, using,
distributing, or reproducing this data. They are also required to immediately inform the
designated data protection officer identified below and to securely destroy this data
and any copy of it in compliance with applicable laws.
20. Maintenance of a data breach register
Dipôle maintains a record of all data breaches it has experienced, where applicable,
including those that do not present a serious risk of harm to the customer.
Dipôle will allow access to this register to the Commission d'accès à l'information or
the data protection authority, as applicable, and may provide them with a copy upon
request.
21. Cookies and privacy settings
In order to offer certain services, Dipôle, through its website, may also collect data by
utilizing the following technologies:
Cookies: When a customer visits its website, it sends one or more cookies to their
computer as well as related service cookies such as Google Analytics, Google
Adwords, Google Adsense, or Facebook. These cookies contain identification
information that enables Dipôle to know how customers interact with the services,
target customers with relevant offers, their browsing history on the site, and
summarize their user experience with the services.
Log Files: Each time a customer uses Dipôle’s services through the website, the
servers automatically record the connection information that their browser sends when
connecting to a website. These server logs may contain information such as their
Internet search, IP address, type and language of their browser, Internet service
provider, date and time of their connection, the pages visited, one or more cookies
identifying their browser, and the number of clicks.
To the extent required, the information provided by a customer as part of their use
may be combined with information from other Dipôle services or third parties such as
Google Analytics, Google Adwords, Google Adsense, or Facebook, in order to
improve the quality of services.
For certain services, the customer may choose whether or not to allow the
combination of this information. If a customer wishes to disable Google Analytics,
Google Adwords, Google Adsense, or Facebook advertising features, including
through ad settings, mobile app ad settings, or any other available means, they can
visit the internet to access Google Analytics Opt-out Browser Add-on. The customer
can also consult one of the following resources to learn more about the use of cookies
by third parties and how to disable its use: Google Advertising and Privacy, Google Ad
Settings, DAA Page.
A consent banner is automatically displayed upon arrival on the website to allow the
customer to enable cookies. The effectiveness of certain services offered by the
website may be affected if the customer refuses to activate cookies. The cookies used
are divided into four (4) distinct categories:
Necessary cookies;
Functionality cookies;
Performance and security cookies;
Tracking cookies.
Any customer who provides data pursuant to this article consents to their use and
communication for the purposes for which this data was collected.
22. Affiliated Sites
Some of Dipôle’s services may be offered in connection with other websites. The data
a customer communicates to these sites may be sent to Dipôle for the service to be
provided. This data is processed in accordance with this policy. Affiliated sites may
have different privacy practices, which is why Dipôle recommends reviewing their
applicable policies and practices.
23. Links
Dipôle may display links in a format allowing it to determine whether these links have
been followed. This information is used to improve the quality of the content and
personalized ads.
24. Complaint Management
Any customer wishing to file a complaint regarding the collection, retention, use,
communication, destruction, or rights of access, portability, rectification, withdrawal,
erasure, and objection, as applicable, to their data by Dipôle should address it to the
designated data protection officer of Dipôle. The designated data protection officer will
analyze it and produce a response within thirty (30) days of receiving the complaint.
25. Dissemination of this Policy
Dipôle publishes this policy on its website and disseminates it by any means reaching
customers. Dipôle does the same with the notice of any changes to this policy.
26. Data Protection Officer
Mr. Dominic Crousset, President of Dipôle, is the Data Protection Officer. He can be
reached at the following email address: curité@dipolesolutions.ca or by phone at 1-
877-812-1580, extension 101. By mail at 7380, Boulevard Allard, Drummondville,
Quebec, Canada J2A 2S8.
The data protection officer is a member of Dipôle's staff and holds roles and
responsibilities throughout the data lifecycle within the company.
27. General Provision
This contract is drafted in French and may be translated into other languages for
practical purposes. In case of discrepancies in interpretation between the French
version and any other translated version of this contract, the French version shall
prevail.
Effective Date
This policy will take effect on the day of its adoption by the Board of Directors of Dipôle.
April 25, 2025